September 5, 2016

Hello guys, I am new here. I think I have read all the forum topics regarding internet access to the unRAID tower. However, now I am really confused about what is secure and what is totally insecure. Based on this message, enabling FTP is all right: http://lime-technology.com/forum/index.php?topic=2112.msg15539#msg15539 however, here they say no: https://lime-technology.com/forum/index.php?topic=37207.msg344228#msg344228 For this reason, I would like it if somebody could clarify the security problems once and for all. It is clear that unRAID was not made for internet access; however, I think for many people the main purposes will be ownCloud and Plex, thus it is necessary to access the server from everywhere. Currently, I am running ownCloud and Plex on an Ubuntu server, which runs very smoothly over the internet; nevertheless, I would like to use the virtualization possibility of the unRAID server.

What I want to achieve:
- Running ownCloud which I would be able to access through the internet without the necessity of using VPN (I use ownCloud on PCs in university where I cannot change the connection) -> as I have done it now: DDNS, port forwarding port 443 to the server, Apache redirects the incoming request based on its name to ownCloud with HTTPS (SSL). Is such an approach secure in the case of unRAID?
- Access user shares over the internet, possibly without VPN
- Use virtual machines over the internet (just SSH is sufficient), where already I can use VPN

My question to you guys is: what is secure and what is not to use over the internet? I would be very sad if the only possibility to access the server over the internet is VPN (it is inconvenient to set up VPN on every PC I am working with). Is it still vulnerable against hackers if I use ownCloud with HTTPS? Thank you for any kind of comment! Thank you!

September 5, 2016

1st off, Plex used in a Docker is probably the safest route. Plex uses security with the connection, but if you want extra security they have an SSL/HTTPS-style port routing you can use. Docker will allow it to be contained except for what Plex can touch.

2nd, cloud object stores are inherently more secure against ransomware, but again lock your stuff down read only. What I do is I have HDHomeRun DVR recording only using one account with special creds with modify to scrub out commercials for Plex in a Win VM. Then it dumps into a folder that the Plex Docker is mapped to. Best way to isolate out your data without locking you out fully. Best policy is never leave your shares open over the Internet.

VM access can be done using an obscure VNC port or using TeamViewer. Best practice to do this? No... Possible, yes, but once you do this consider your stuff vulnerable and WALL it off as much as possible.

--Note: If you run Windows boxes don't leave them mapped up; this ransomware can even tree walk, and anything left with a net use connection is vulnerable UNLESS the share is read only. DO NOT map a drive in the VM manager directly to a share unless it's walled off. That's how this crap spreads!

September 5, 2016 (Author)

Thank you very much for your input! Yes, the Plex combination as you described I am using right now; however, it is not the most important for me. The result of your input is that other than VPN I will not be able to securely access my shares, right? Is there any other possibility, such as a hardware firewall? Just to be sure, every time I want to connect to any share over the internet I am asked for a password and user name; is this layer of security very little for most malware?

For me, definitely the most important is to have access to ownCloud over the internet. I have been using the method I described above for 1 year and I did not have any problem. Is it just a matter of bad luck that I will eventually get hacked? Thus the ownCloud login screen with HTTPS encryption is totally not sufficient to protect against such attacks? How can this malware pass through to other files on a PC? Thank you very much again for your inputs!

September 5, 2016

If you aren't using an SFTP connection, any other type can be considered "plain-text" and is very insecure. VPN is the safest route; that way it's a point-to-point connection and encrypted in-between. I don't allow anything outside my Dockers, and even then it is limited. I'd say if you need access outside to your shares, plan ahead and drop stuff in your ownCloud beforehand, or VPN in and drop stuff in there as needed, then when back inside your LAN move stuff around off the ownCloud.

September 5, 2016 (Author)

Thank you very very much for your reply! If I understand you correctly, you are still talking about shares, aren't you? But as I said, the most important for me is the access to ownCloud over the internet. That means DDNS -> HTTPS -> port forwarding 443 -> ownCloud login. The question is how secure is this connection? I am sorry if I am asking a question which you have answered already; sadly I do not see it there. Thanks for the patience!

September 5, 2016

I run TeamViewer on all of my VMs on unRAID (Windows/Linux etc.). This then gives access to my files on unRAID via any internet connection, and TV has a built-in file transfer so you can drag and drop between computers.

September 5, 2016

ownCloud makes a security key automatically when it builds. The encryption is 4096 bit so you "should" be fine. Here are more answers to that question: https://owncloud.org/faq/#protocol

September 5, 2016 (Author)

Thank you all for the inputs! TeamViewer is a good idea; however, I had in mind to regularly back up my notebook to unRAID when I am outside the home network. Do you know some other possibility to back up a computer which is outside of a home network to unRAID?

@phbigred That is exactly what I thought, that ownCloud has decent security. But why then is everybody so afraid about forwarding ports to unRAID, if the connection is secure? For example, ports such as SSH, SFTP, HTTPS? That's what is not clear to me.

September 5, 2016

Use CrashPlan free. Use the unRAID as a target. I have my family PCs backing up. Just route ports 4241 and 4242 NAT to the Internet. It uses encryption that is Sarbanes-Oxley compliant. Best route and free! There's a Docker for it; put it on a share separate from the rest of your data, map the Docker, and shut off the share access for all users. It'll give you version retrieval. Great for recovery should you get a ransomware event, and it is segregated. Also, should you have a problem and have to rebuild, you can adopt and restore. You can also retrieve data for another backup target. I've used it for seeding data to an external drive that I shipped to a family member across the country for an off-site backup solution for my critical data.

On the question of port forwarding, the OS level is always going to be the most attacked. Port forwarding is essentially popping holes in for an attacker from the outside. That's one of the main drivers why people are against it. If you pop open a hole, someone will try to exploit it. It's the nature of the environment of the Internet. Wall yourself off as much as possible; if you make choices to do this, understand the risks. If you can live with it, great; if not, don't. It's a know-your-enemy sort of thing.

September 6, 2016

I have a OneDrive account, so essentially the same method as phbigred described with CrashPlan. I then use my W10 VM to sync that to a separate directory on the array and an external USB3 drive.

This topic is now archived and is closed to further replies.