October 12, 2012

I've no doubt the answer(s) to this question are already to be found in the forum &/or Wiki but the trouble is I'm suffering from having read so much already that I'm now over-loaded, and another search will only confuse me further!

Self-evidently the unRAID server must be connected to my LAN if it's to be able to act as a media server (to each of my two HTPCs). I plan to do this via a switch to which the HTPCs would also be connected. This switch will be connected to my router, which in turn connects to the internet via its WAN-side link.

But whereas I will want my HTPCs (and any other PCs on my LAN) to go on having this connection to the internet, I shall want the unRAID server connecting only to my LAN not to the internet as well. How do I achieve this, seeing that the physical connections must be as described?

The unRAID server's connection to the internet was made by following the steps in the Wiki's "Configuration tutorial", as a prerequisite to downloading Screen and unMenu so as to be able to follow the steps in the tutorial. Is there some way in which that internet connection within the server's configuration can be unmade, whilst maintaining the connection to the LAN intact?

Alternatively, must I do it from the router end? I've assigned a fixed DNA address to the server and so could presumably block that specific address? Or is it a specific port that I should block (if so, how do I find out which port to block)?

As will be obvious, this is all pretty unfamiliar territory to me...
October 12, 2012

You can set a static ip to your server as you would normally, without adding the DNS server. This will prevent the internet access while still leaving network availability.
October 12, 2012 (Author)

> why would you want to prevent your unraid to connect to the internet?

Hi

Because I can see no useful purpose being served thereby, if I plan to use the server exclusively for storing media files and serving them over the LAN. Can you? At the same time I avoid any risk of intrusions (malware etc).
October 12, 2012

The firewall in your internet gateway router will prohibit incoming connections from reaching computers on the LAN including the server.
October 12, 2012 (Author)

> You can set a static ip to your server as you would normally, without adding the DNS server. This will prevent the internet access while still leaving network availability.

Beire

Many thanks for that. I didn't realise it was that elementary! I've now just deleted the entry I previously had in the 'Settings -> Network settings' panel of the unRAID web utility, against 'DNS server 1'. I take it that that was what you intended, and that it will do the trick?
October 12, 2012

>> why would you want to prevent your unraid to connect to the internet?
>
> Hi
>
> Because I can see no useful purpose being served thereby, if I plan to use the server exclusively for storing media files and serving them over the LAN. Can you? At the same time I avoid any risk of intrusions (malware etc).

Well... If you only use it for media storage there is not much reason no, if you start using plugins the connectivity is needed..

I was asking the question to make sure you are not thinking that the fact that your server can reach the internet also means that the outside world can access your server.... Unless you have placed unraid in DMZ (a REALLY bad idea) no one from the outside world will be able to access your system.

Of course everything can be hacked so if you really do not need the connectivity functionally I actually agree it is a good thing to make sure it is not connected at all..

You could look at router settings to see if you can block access but that does not really add any security.. You could run the unraid system on another subnet and with a fixed ip address that your router does not know..

Ultimately you could use two physical networks, one with unraid towards the in-house systems that need access to unraid and one for those systems that need internet connectivity. Any time you have one system that needs both internet AND unraid you run the risk that that system can be used as a stepping stone from one to the other (like what would be possible in a regular setup).

Ergo: you can go a long way to go from 99.9% secure to 99.99% secure..
October 12, 2012

>> You can set a static ip to your server as you would normally, without adding the DNS server. This will prevent the internet access while still leaving network availability.
>
> Beire
>
> Many thanks for that. I didn't realise it was that elementary! I've now just deleted the entry I previously had in the 'Settings -> Network settings' panel of the unRAID web utility, against 'DNS server 1'. I take it that that was what you intended, and that it will do the trick?

That would probably make that your unraid server cannot access the internet.. I am not convinced it does anything with respect to further decreasing the risk of intrusion from the outside though...
October 12, 2012 (Author)

> The firewall in your internet gateway router will prohibit incoming connections from reaching computers on the LAN including the server.

dgaschk

'Fraid I don't follow. Did you mean that it will do that without any action on my part? (Presumably not because then I wouldn't have any connections now). Or did you mean only that it has that capability? In which case I would need to activate that, I presume? In some way...?
October 12, 2012 (Author)

>> I've now just deleted the entry I previously had in the 'Settings -> Network settings' panel of the unRAID web utility, against 'DNS server 1'. I take it that that was what you intended, and that it will do the trick?
>
> That would probably make that your unraid server cannot access the internet.. I am not convinced it does anything with respect to further decreasing the risk of intrusion from the outside though...

Helmonder

So, if you're right (and I'm not equipped to judge) all I've done is stop myself downloading any more addons whilst not achieving any greater protection against inward intrusions than I had already! Nothing gained, in exchange for something foregone which I might never use. Not a very productive trade-off! I might as well go on as before: who knows, maybe I will want to download an addon one day.
October 12, 2012

>>> I've now just deleted the entry I previously had in the 'Settings -> Network settings' panel of the unRAID web utility, against 'DNS server 1'. I take it that that was what you intended, and that it will do the trick?
>>
>> That would probably make that your unraid server cannot access the internet.. I am not convinced it does anything with respect to further decreasing the risk of intrusion from the outside though...
>
> Helmonder
>
> So, if you're right (and I'm not equipped to judge) all I've done is stop myself downloading any more addons whilst not achieving any greater protection against inward intrusions than I had already! Nothing gained, in exchange for something foregone which I might never use. Not a very productive trade-off! I might as well go on as before: who knows, maybe I will want to download an addon one day.

Even if you do not use add-ons, unRAID uses the DNS server and Gateway fields (the ones you blanked) in two ways...

-- 1st, to access the help files located on the lime-technology wiki server (in the 5.0 series of unRAID)
-- 2nd, to access the "NIST Internet Time Servers" to automatically set the unRAID server time. Keeping the server time accurately in sync with others on your LAN automatically makes it much easier for backup programs to determine if a file has been updated and needs to be backed up again to the server. (many backup programs work that way)

Additionally, as already described, the plugin system uses the connectivity, as does unMENU with its packages. Many of the add-ons specifically access the web and download content. Someday soon, unRAID 5.0 will have its own plugin manager. It too will need connectivity to the outside web.

For those reasons, you should probably put the IP address of your router in both the Gateway and DNS server fields on unRAID.

Your router is the first line of defense against the hackers. You must not open up ports or machines to the web.

Once in your LAN, on ANY device, a hacker can, if determined enough, escalate privileges to where all is accessible. Unfortunately, the most likely breach of security will be from your PC. Unfortunately, all it takes is a visit to an infected web-site, or to click on a link in an e-mail to be infected.

I know you are concerned, but by the time a hacker has access to your server, they've probably taken over your PC and entire LAN and have accessed it through it.

If you wish access from the outside web, install a VPN (either on unRAID or in your router) and access it through a secure link.

Joe L.
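An added example, not written by anyone in this thread: the 'DNS server' and 'Gateway' fields discussed above control different things, since a resolver only turns names into addresses while the default gateway is what carries packets off the local subnet. The shell function below classifies a host from its routing table and resolver file; the sample inputs and 192.168.1.x addresses are constructed, and `egress_state` is a hypothetical name.

```shell
#!/bin/sh
# Classify a host's outbound reachability from two pieces of configuration:
#   $1 = routing table text, in the format printed by `ip -4 route show`
#   $2 = resolver configuration text, in /etc/resolv.conf format
egress_state() {
    routes=$1
    resolv=$2

    # A "default ..." route is what lets packets leave the local subnet.
    has_gw=$(printf '%s\n' "$routes" | awk '$1 == "default" { f = 1 } END { print f + 0 }')

    # Count "nameserver <ip>" lines; commented-out or empty entries do not count.
    ns=$(printf '%s\n' "$resolv" | awk '$1 == "nameserver" && $2 != "" { n++ } END { print n + 0 }')

    if [ "$has_gw" -eq 0 ]; then
        echo "lan-only"   # nothing routes off the subnet, with or without DNS
    elif [ "$ns" -eq 0 ]; then
        echo "ip-only"    # names fail, but connections made by IP address still route out
    else
        echo "full"       # names resolve and packets route out
    fi
}

# Constructed sample inputs (illustrative addresses, not taken from the thread).
ROUTES_WITH_GW='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
ROUTES_NO_GW='192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
RESOLV_SET='# constructed sample
nameserver 192.168.1.1'
RESOLV_BLANK='# constructed sample, DNS field left empty
# nameserver 192.168.1.1'

echo "DNS blanked, gateway kept: $(egress_state "$ROUTES_WITH_GW" "$RESOLV_BLANK")"
echo "DNS and gateway blanked:   $(egress_state "$ROUTES_NO_GW" "$RESOLV_BLANK")"
echo "Router in both fields:     $(egress_state "$ROUTES_WITH_GW" "$RESOLV_SET")"

# On a live Linux host, feed it the real state instead of the samples:
#   egress_state "$(ip -4 route show)" "$(cat /etc/resolv.conf)"
```

None of the three states changes what the router's firewall/NAT admits from outside; they only describe connections the server itself can start.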
October 12, 2012

>> I've now just deleted the entry I previously had in the 'Settings -> Network settings' panel of the unRAID web utility, against 'DNS server 1'. I take it that that was what you intended, and that it will do the trick?
>
> That would probably make that your unraid server cannot access the internet.. I am not convinced it does anything with respect to further decreasing the risk of intrusion from the outside though...
>
> Helmonder
>
> So, if you're right (and I'm not equipped to judge) all I've done is stop myself downloading any more addons whilst not achieving any greater protection against inward intrusions than I had already! Nothing gained, in exchange for something foregone which I might never use. Not a very productive trade-off! I might as well go on as before: who knows, maybe I will want to download an addon one day.

That's what I meant in one line... Also take note of the limitations it brings (post Joe made)..

I would advise against this kind of 'hardening', it does not bring much but is a hassle in a lot more ways... Basically everyone is running unraid with internet connection, MEANING that there is internet possible whenever initiated from the unraid box, NOT initiated from the net...

If you want to access the box from the internet there are a lot of ways you can do that that expose you to hacking, don't open up ports, don't start running external webservers and such.. Those are things that increase your risk profile...
October 12, 2012 (Author)

Many thanks to all concerned. I have (I think) learned something. (To me, networking is largely a Black Art).
October 12, 2012

>> The firewall in your internet gateway router will prohibit incoming connections from reaching computers on the LAN including the server.
>
> dgaschk
>
> 'Fraid I don't follow. Did you mean that it will do that without any action on my part? (Presumably not because then I wouldn't have any connections now). Or did you mean only that it has that capability? In which case I would need to activate that, I presume? In some way...?

You don't need to do anything. This is the default firewall/NAT configuration.