TedatTNT, posted December 28, 2012:
If I'm using NAT and port forwarding to point to an unRAID server, and the server is password protected (root and shares), is there something still inherently unsafe about it? Is the password system robust enough for this?

BLKMGK, posted December 28, 2012:
IMO I'd be very wary of doing that. I'm not sure the unRAID interface was ever pen tested to a level where I'd be willing to expose it to the 'net and the potential results if someone got in aren't pretty. Is there any reason why you cannot place it behind a VPN?

TedatTNT (Author), posted December 28, 2012:
My challenge is simply this... On the unRAID are image/video files that I'm planning to sell (No, not porn - think royalty free content). My site and shopping cart will display the samples, handle the watermarks, coordinate the sale, etc. and then provide the user with a download link. This link only links to the same site and initializes a subroutine that, hidden from view, grabs the file from my file server located "somewhere" and delivers it to the user. The site is not on my local network - hosted by GoDaddy. The unRAID server IS on my local network to facilitate file management (as well as perform other duties). The user would never "see" the unRAID server's IP/file location, but I suppose if my WAN IP were 'sniffed', a port would be found(?). I don't have the access (AFAIK) to VPN between the GoDaddy site and the server.

BLKMGK, posted December 28, 2012:
I think you can be pretty much assured that any IP exposed to the 'net will be scanned, it probably already has been. Any port that responds will garner interest and if it looks like SMB or HTTP it will be of great interest....

TedatTNT (Author), posted December 28, 2012:
Is it really all that different from opening ports for remote desktop, viewing security cameras, access to a Windows Home Server, access to a Media Center, etc? I must be missing something fundamental because while all of these things are "risks" to a degree, they are also somewhat commonplace and just part of daily life for many people. Is a password protected unRAID server more susceptible for some reason?

BLKMGK, posted December 28, 2012:
All of those apps get attacked regularly, unRAID's web interface hasn't had the same level of scrutiny that most of those apps have. Web cameras are a good example, depending upon manufacturer there's plenty of exploits against those! I'm surprised no one else has an opinion about this...

Helmonder, posted December 29, 2012:
> If I'm using NAT and port forwarding to point to an unRAID server, and the server is password protected (root and shares), is there something still inherently unsafe about it? Is the password system robust enough for this?
Yes. That is very unsecure and you should not use it in that way... The password system is absolutely not designed to work in an internet-facing environment...

PCRx, posted December 30, 2012:
If I read that right, your website is making the request from your unRaid. In that case place a restriction on your local router's port forwarding to only allow connections from your website IP address. I do this (albeit with RDS on Amazon's AWS) with great success, knocks out all the hack attempts. Before setting the rule the Chinese were attempting RDS access 3 times a second and it only took them 1.5 hours to find the server after it was turned on. No, they didn't get in, but it was a resource buster while responding to all the requests.

MyKroFt, posted December 31, 2012:
If your router supports it - set up VPN or the Hamachi plugin - then your unRAID is not directly exposed to the net.
Myk

Helmonder, posted December 31, 2012:
IP addresses can be faked... But a restriction on IP will take care of automated hacking attempts. VPN is a better solution.

TedatTNT (Author), posted January 2, 2013:
Thanks for all the input. VPN is not an option - GoDaddy requires I have a dedicated server for that. I'm wondering if PogoPlug or some other similar solution would solve this, as UnRAID would not then have to be the portal. IP address will work if the site's IP does not change (and it shouldn't). Thanks again!
Ted

Simon, posted January 2, 2013:
> ... links to the same site and initializes a subroutine that, hidden from view, grabs the file from my file server located "somewhere" and delivers it to the user...
What does this actually mean? A script on your website reads the files from your Unraid server, pipes it through GoDaddy and then ultimately to the customer?

Helmonder, posted January 2, 2013:
> Thanks for all the input. VPN is not an option - GoDaddy requires I have a dedicated server for that. I'm wondering if PogoPlug or some other similar solution would solve this, as UnRAID would not then have to be the portal. IP address will work if the site's IP does not change (and it shouldn't). Thanks again! Ted
If you have an old router lying somewhere, consider running dd-wrt on it, it will give you a VPN server.

TedatTNT (Author), posted January 2, 2013:
> > ... links to the same site and initializes a subroutine that, hidden from view, grabs the file from my file server located "somewhere" and delivers it to the user...
> What does this actually mean? A script on your website reads the files from your Unraid server, pipes it through GoDaddy and then ultimately to the customer?
Yes, that's it. Files are managed by the site running MySQL and Joomla, Joomla provides customer a "dummy" link that grabs the file from unRAID and serves it to customer.

TedatTNT (Author), posted January 2, 2013:
> If you have an old router lying somewhere, consider running dd-wrt on it, it will give you a VPN server.
While that would enable a VPN on this end, the site resides on a shared server at GoDaddy and VPN is not available for that end.

Simon, posted January 2, 2013:
> Yes, that's it. Files are managed by the site running MySQL and Joomla, Joomla provides customer a "dummy" link that grabs the file from unRAID and serves it to customer.
The simplest way would probably be to install a web server on Unraid, ensure it is hardened as much as possible and run it on some high port number which you port forward from your router. You can then use htaccess to lock down access to only your hosting server. This isn't perfect - anybody else on the shared server could potentially still access it and you'd have to reconfigure if the IP address changes.

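A sketch of the request check a file-serving box could apply, added here as an example and not part of the original thread. It combines the source-IP restriction suggested above with a signed, expiring token, which goes beyond the thread to address the caveat that other tenants of the shared host use the same address. The IP address, key, share path and function names are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import posixpath

# All values below are constructed for illustration.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.10/32")]  # hosting server IP (documentation range)
SHARED_KEY = b"replace-with-random-32-bytes"  # known only to the site script and this box
SHARE_ROOT = "/mnt/user/store"                # hypothetical share path


def sign(path: str, expires: int, key: bytes = SHARED_KEY) -> str:
    """Token the site script attaches to each fetch: HMAC over path and expiry."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize(src_ip: str, path: str, expires: int, token: str, now: int):
    """Return (allowed, detail): detail is the resolved file path or the refusal reason."""
    # 1. Network restriction: drops scanners, but not other tenants of the shared host.
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source address not allowlisted"
    # 2. Expiry bounds how long a leaked download URL stays usable.
    if now > expires:
        return False, "token expired"
    # 3. Signature proves the request came from the holder of the shared key.
    #    compare_digest avoids leaking the match position through timing.
    if not hmac.compare_digest(sign(path, expires).encode(), token.encode()):
        return False, "bad signature"
    # 4. Confine the resolved path to the share, even for a validly signed request.
    full = posixpath.normpath(posixpath.join(SHARE_ROOT, path.lstrip("/")))
    if not full.startswith(SHARE_ROOT + "/"):
        return False, "path escapes share"
    return True, full
```
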
Helmonder, posted January 3, 2013:
In that case I would advise trying to run some kind of virtualisation on your hardware and running that webserver in a separate instance.. unraid is not meant to be "hardened", and although it might be possible I do not believe there are examples lying around telling you how to do it...

TedatTNT (Author), posted January 3, 2013:
I've decided to build a 2nd box - one that handles the incoming web requests (using port forwarding and password protection) from WAN to LAN. This box will have access to a share on the unRAID. So, off to build a 2nd box... Any Windows recommendations for a simple web front end?

This topic is now archived and is closed to further replies.