How secure is unraid?

Assuming I apply secure* passwords to all users on the system, use ssh (for extra 'security', to prevent MITM) and am not stupid by logging into insecure applications like sickbeard from public locations:-

 

How secure is it? Anything I should know? I'm mainly looking to port forward ports:-

22 (SSH)

80 (SimpleFeatures, although, not HTTPS so I have to be more 'careful')

8081 (Sabnzbd, same with not being HTTPs)

8082 (Sickbeard, same with not being HTTPs)

8083 (Couchpotato, same with not being HTTPs)

32400 (Plex, same with not being HTTPs)

 

I understand I could stunnel the above non-http ports, however, I'm not too sure how to do that in unraid (I'll either figure it out, or, use something like a raspberry pi to forward it. I'm pretty sure the raspberry pi is strong enough to decrypt a connection and forward it on?).

 

* http://xkcd.com/936/


I am using a raspberry pi to tunnel my way into the unraid. I don't use the openssh plugin, but if you have the openssh plugin you can just tunnel your way into the unraid itself.

 

If you are using Linux you can do this.

 

ssh -l username public-ip -L 8083:unraid-internal-ip:8083

 

Then you can just point your browser at localhost:8083 and you'll browse your couchpotato.

 

 

If you are using Windows with PuTTY, there are a lot of guides on Google on how to do that.

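As an added example (not code from the thread), the reply above generalised to the whole port list in the opening post: the router forwards only SSH, and every other service is reached through the same "ssh -L" tunnel instead of being forwarded. Service names, ports and the placeholder hostnames are taken from the thread; the local-port mapping and the "discretionary" bucket are my own assumptions.

```python
# Added example, not from the thread: apply the advice above (forward only
# SSH on the router, reach everything else over an "ssh -L" tunnel) to the
# port list in the opening post.  Usernames and addresses are placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    encrypted: bool            # does the service itself encrypt the session?
    unraid_webgui: bool = False


# Constructed from the opening post: only SSH encrypts, the rest are plain HTTP.
SERVICES = [
    Service("SSH", 22, encrypted=True),
    Service("SimpleFeatures (unraid webGUI)", 80, encrypted=False, unraid_webgui=True),
    Service("Sabnzbd", 8081, encrypted=False),
    Service("Sickbeard", 8082, encrypted=False),
    Service("Couchpotato", 8083, encrypted=False),
    Service("Plex", 32400, encrypted=False),
]


def local_port(port):
    # Binding a local port below 1024 needs root, so map 80 -> 8080 and so on.
    return port if port >= 1024 else port + 8000


def plan_exposure(services, username, public_ip, unraid_ip):
    """Split services into router forwards, discretionary forwards and tunnel-only,
    and build the single ssh command that carries all the tunnelled services."""
    forward, discretionary, tunnel_only, hops = [], [], [], []
    for s in services:
        if s.port == 22:
            forward.append(s.port)           # the one hole in the router
            continue
        if s.unraid_webgui or not s.encrypted:
            tunnel_only.append(s.name)       # webGUI never; cleartext logins never
        else:
            discretionary.append(s.name)     # encrypted add-on: your call, per the thread
        hops.append(f"-L {local_port(s.port)}:{unraid_ip}:{s.port}")
    cmd = f"ssh -l {username} {public_ip} " + " ".join(hops)
    return {"forward": forward, "discretionary": discretionary,
            "tunnel_only": tunnel_only, "ssh_command": cmd}


if __name__ == "__main__":
    plan = plan_exposure(SERVICES, "username", "public-ip", "unraid-internal-ip")
    print("router forwards:", plan["forward"])
    print("tunnel-only    :", plan["tunnel_only"])
    print(plan["ssh_command"])  # then browse http://localhost:8083 for Couchpotato
```

With the tunnel up, the webGUI is at http://localhost:8080 and Couchpotato at http://localhost:8083, and nothing but port 22 is open on the router.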

How secure is it?

Completely insecure
Anything I should know?
It was never designed to be visible from the world. Example: passwords are sent in the clear. The web server has never been tested for attack vectors.
I'm mainly looking to port forward ports:-

You WILL be hacked.  Use a VPN at the least to protect yourself.

yea, like Joe said.

 

It is completely insecure. Never meant to be accessed directly from outside.

I believe it was designed to be internal use only.

 

I have set up a VPN server using my router, and that's the only way I connect to my unraid from outside.

 

Even if it was 'secured' though, you should never make your file servers available directly from outside world in my opinion.


Out of curiosity,

 

if one is only forwarding ports for plex, sab, couch and sick, how is it different (if it is) from doing the same on a windows machine?

 

no forwarding of the webserver port

 

other than that the machine is behind router firewall

 

Thanks


Windows is (somewhat) hardened against those situations; there are systems in place to protect against external attacks.

 

With unraid there simply are NONE. unraid is meant to be used in a closed and safe environment. There is a good reason for this also: it makes it a very easy system to use, and adding protection would make more configuration on the client side necessary.

 

It would not even be HACKING to get to your files, it would be just "accessing".


Let's say I only expose one port for sabnzbd through the router firewall

 

How can someone access my shares? sab has a password (let's assume https)

 

I read somewhere that https was just as secure as vpn as far as a web service is concerned (don't quote me on that)

 

I know that the paranoid user will say that any port open is a security risk and that you WILL be hacked. Now, the first part of the statement is true, anything remotely accessible has a security risk, that's why many government contractors keep their entire network off the net, and dedicate separate machines for net access. But you have to consider the risk vs benefit. The second part of the statement is simply not true. It should be "you MIGHT get hacked". But how likely is it that a hacker will target sabnzbd running on my computer? If they are willing to target my sab port with https, aren't they likely to go after a vpn port as well??

 

It's not like I am giving them access to the unraid webgui, right?

 

Thanks


I assume anyone running a torrent client on unRAID (Transmission) must have a port open for that.

 

I don't? It seeds & downloads fine, I have the torrent broadcast port open (Not broadcast, but, the seeding port/etc) but not the webUI port.

He said "a port" not "the webui port" ... so you DO have "a port" open as you said, the broadcast port, and you are accepting inbound ports for seeding.  And this is always the crux of this discussion.  Unraid is not secure.  But it is rare to hear anyone admit that add-on X on Unraid is no less secure than app X on Ubuntu.  I'm intentionally avoiding comparing it to the Win/Mac versions of the app, but really it is the same statement. 

 

But part of the reason for the default "my god its full of haxors" response is because when you do start opening ports on your machine and then on your router, if you aren't careful and diligent, you risk opening something you shouldn't have and THEN ... then you have a problem because the underlying OS is NOT designed to be resilient to those kinds of errors unlike baseline Linux/Win/Mac.


I assume anyone running a torrent client on unRAID (Transmission) must have a port open for that.

 

I don't? It seeds & downloads fine, I have the torrent broadcast port open (Not broadcast, but, the seeding port/etc) but not the webUI port.

He said "a port" not "the webui port" ... so you DO have "a port" open as you said, the broadcast port, and you are accepting inbound ports for seeding.  And this is always the crux of this discussion.  Unraid is not secure.  But it is rare to hear anyone admit that add-on X on Unraid is no less secure than app X on Ubuntu.  I'm intentionally avoiding comparing it to the Win/Mac versions of the app, but really it is the same statement. 

 

But part of the reason for the default "my god its full of haxors" response is because when you do start opening ports on your machine and then on your router, if you aren't careful and diligent, you risk opening something you shouldn't have and THEN ... then you have a problem because the underlying OS is NOT designed to be resilient to those kinds of errors unlike baseline Linux/Win/Mac.

 

I presumed he meant the webUI port, and, reading over it, I still think he means it.


I assume anyone running a torrent client on unRAID (Transmission) must have a port open for that.

 

I don't? It seeds & downloads fine, I have the torrent broadcast port open (Not broadcast, but, the seeding port/etc) but not the webUI port.

 

[shrug] to me he seems to be clearly talking about the torrent client and ports being open for it. But the specifics aren't important, just the fact that yes indeed apps like torrent clients do in fact open ports, and your server's security is dependent on that app not being exploitable. And more to the point, if you trust that app on one OS, why wouldn't you trust it on UnRaid ... again [shrug]


Exposing the unraid web interface is an absolute no-no. Exposing ports for other applications (like sab or sickbeard) is up to your discretion; personally I do not do it because I have no need for it. Enabling VPN is free if you have a router that can do it and takes away this whole issue.

 

Before my VPN solution I used the dropbox plugin on unraid and created a blackhole dir in dropbox; that way I could also add torrents and nzbs for downloading. Completed downloads are reported through twitter, so also in that setup I did not have a need for open ports.


Exposing the unraid web interface is an absolute no-no. Exposing ports for other applications (like sab or sickbeard) is up to your discretion; personally I do not do it because I have no need for it. Enabling VPN is free if you have a router that can do it and takes away this whole issue.

 

Before my VPN solution I used the dropbox plugin on unraid and created a blackhole dir in dropbox; that way I could also add torrents and nzbs for downloading. Completed downloads are reported through twitter, so also in that setup I did not have a need for open ports.

 

Other than, well, you know, switching to and from a VPN is pretty darn annoying when you're dealing with two unraid servers and trying to update them constantly.

 

As for sabnzbd, sickbeard, couchpotato, plex, 'n transmission, I'm not too worried; it was mainly the unraid web-ui, which I'll probably do anyway. I'll just host some sort of redirect that verifies it's me before issuing the page. I'm pretty sure my router has the option to do that in and of itself; if not, I'm sure I'll manage to throw something together.

 

For downloading with sabnzbd you do not need to open up a port on the router; you only need to open up a port if you want to allow incoming traffic from the internet.

 

I don't believe anybody said that you do?


How secure is it?

Completely insecure
Anything I should know?
It was never designed to be visible from the world. Example: passwords are sent in the clear. The web server has never been tested for attack vectors.
I'm mainly looking to port forward ports:-

You WILL be hacked.  Use a VPN at the least to protect yourself.

 

Interesting, to say the least... I would like to hear your view on the subsonic plugin! The people I have on it I trust, so that's not the issue. But using an account on it with subsonic DNS 'forwarding', how secure would you rate that in general? The actual server sits behind a dd-wrt modified router but is not on a VPN setup.

Basically just the usual stuff: NAT, port open for the particular server etc...

 

Really would like you or somebody else to chime in on the security issue!

 

Generally there should be a sticky with info concerning that! I think most people are not even aware of this! I was only 'halfway'. And I usually have my machines seriously over-secured. But being very new to unraid, I was happy to get it running without problems, installed subsonic (taking care of the friends and myself at work) and the APC UPS (to have some more control over the batteries) and wasn't really thinking about unraid being potentially wide open over the WAN.

 

So any information about WAN/internet security issues and solutions would be in my eyes extremely useful to everybody and (considering useful input by some of the 'pros' here) worthy of a sticky.

 

L


Port forwarding to a particular add-on is only as safe as the add-on in combination with the underlying OS. If the add-on itself has no security flaws then you should be safe. If the add-on has a flaw but the OS prevents its exploitation then the system is still safe. The add-on must be configured to leverage the underlying Linux security to prevent exploitation of any flaws.


Lars,

 

If you have a dd-wrt router then set up VPN using PPTP; it will cost you five minutes...

 

 

Sent from my iPad using Tapatalk HD

 

I see, on it at the moment. For some reason it never even crossed my mind for the unraid/subsonic machine... guess I was just excited to have it all up and running. Thanks for your hint.

 

L


 

http://lime-technology.com/forum/index.php?topic=22128

 

Sent from my iPad using Tapatalk HD

Helpful thread. Thanks helmonder. I was getting there researching all the steps (well, most of them) myself over the last days and got nearly to the same point as you. My setup is very similar: several routers throughout the house, one connected to the internet. Here it was just necessary to have 4 (yes, that's right, 4!) wifi access points within the house to cover the whole house. So I basically pulled all my old junkers out, put dd-wrt on them and placed them 'strategically' in the house (it's an old house and many of the walls are over 1ft thick; the later added parts have enough friggin steel in them that I even have cell reception problems). On the upside it gave me a nice choice of playing around with networks and sub-networks.

I think all in all I should be on the very secure end of it all.

 

greets, L
