Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

SSH autoban

Featured Replies

I recently (just a few hours ago) enabled SSH on my unriad for remote file access, it works great and I'm very happy with it. However, literally 90 minutes later I can see that a bot has found me and is attempting to bruteforce my (exceptionally long and complex) root password. My guess is that this will only get worse as more and more bots find port 22 on my public IP.

 

So my question is, can anyone guide me through setting up some form of autoban? I found this page which has a method using iptables, is that likely to work on unraid? Do I need to do anything more than described in the article?

 

http://www.nivindel.com/blog/49-block-brute-force-ssh-attempts.html

 

Note: I've changed from port 22 to something obscure for the time being, but I'm sure they'll soon find the new port.

Just dont do it unRAID isnt design to be secure :)

 

Use a VPN instead.

  • Author

I found Alex R. Berg's denyhosts plugin and it works perfectly.

 

I've no doubt that you have your reasons for not wanting to use SSH but can you articulate them so that I understand your reasoning "just dont do it" just doesn't do it for me :-)

 

From what I've read SSH is a mature and well regarded standard used all over the net, is it the implementation on unraid that makes it insecure? Give me some rationale here!

SSH can be secure but unRAID is not. It is not ever been designed to place any port ever on the internet. Probably you will be ok but your using the wrong tool for the job and risking something that has never been properly tested. For me probably be secure is not enough... like most people

 

Mainstream distros that are designed to go on the internet are tested thoroughly at all stages. unRAID isnt.

 

Use the right tool for the job install a VPN on you edge gateway and not allow the internet into you private network. If you router cant do it then get one that does.

 

Otherwise the risk is yours.

 

 

Not meaning to be rude but you are playing with fire because its convenient when the right way is only slightly harder these days.

  • Author

You make a good point, I agree with your logic.

 

But... whilst unraid isn't explicitly designed for it, isn't it build on a platform that is? I have a ESXi running so I guess I could install a dedicated linux distro to take care of VPN access (I prefer SSH).

 

Then there's the router option, most consumer grade routers don't have VPN access (if they did I would doubt that it had been audited), SME routers generally support PPTP (which is awful) and business grade routers CISCO, MIRAKI etc are expensive and predominantly use IPSEC, which is just awful on the client side ...not to mention all of those companies have been exploited by the NSA at the firmware level.

You make a good point, I agree with your logic.

 

But... whilst unraid isn't explicitly designed for it, isn't it build on a platform that is? I have a ESXi running so I guess I could install a dedicated linux distro to take care of VPN access (I prefer SSH).

 

Then there's the router option, most consumer grade routers don't have VPN access (if they did I would doubt that it had been audited), SME routers generally support PPTP (which is awful) and business grade routers CISCO, MIRAKI etc are expensive and predominantly use IPSEC, which is just awful on the client side ...not to mention all of those companies have been exploited by the NSA at the firmware level.

Buy router that supports DDWRT, install DDWRT on router, set up openvpn on said router, set up computer to connect to router openvpn.

  • Author

OK, I give in, I've ordered a gigabit router that's compatible with the full DD-WRT firmware, it arrives on the morrow :-)

You will not look back. You now have a means to encrypt all your traffic no matter where you go. For all intents and purposes you could sit on any insecure network and be virtually on your own.... even your printers could work lol

I run ssh open to the world on unraid. I have no concerns about it over and beyond any other linux system I'd do the same with.

 

I also don't really care about the brute force attempts. They're not (usually) clever and are just trying dictionary attacks rather than any targeted attack. They can knock themselves out.

 

I run ssh open to the world on unraid. I have no concerns about it over and beyond any other linux system I'd do the same with.

 

I also don't really care about the brute force attempts. They're not (usually) clever and are just trying dictionary attacks rather than any targeted attack. They can knock themselves out.

 

And you know what your doing. That is the fundamental difference.

 

We have to be careful here that we have a duty of care to recommend first the better and supported methods.

 

But we all know this :)

I run ssh open to the world on unraid. I have no concerns about it over and beyond any other linux system I'd do the same with.

 

I also don't really care about the brute force attempts. They're not (usually) clever and are just trying dictionary attacks rather than any targeted attack. They can knock themselves out.

 

And you know what your doing. That is the fundamental difference.

 

We have to be careful here that we have a duty of care to recommend first the better and supported methods.

 

But we all know this :)

 

correct.  We do not want someone setting a root password, of root or password, that is weak and then getting said dictionary attack.

 

I love my VPN setup.  When I go to my parents I can connect my VPN, mount my SMB shares and play like I am at home.  Obviously the faster the connection you have on both ends the better.

VPN is the way to go - I'm running SOPHOS UTM as my gateway firewall / router and it also works as a VPN appliance of virtually any protocol.

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.