CaliHeatx Posted September 2, 2018 Share Posted September 2, 2018 Hi all, Building an UnRAID server mainly for Plex was my first foray into networking. I just want to be sure I’m not leaving any easy access paths for my server to be ransomwared or infected. My server is connected to the internet in two ways: through Plex and OpenVPN. I use the OpenVPN docker and connect to it remotely with a few mobile devices using an OVPN configuration file. For my home network, I make my important shares read only or private so they cannot be changed from another PC within my network. Are there any other security steps I should be taking? Thanks. Link to comment
Frank1940 Posted September 2, 2018 Share Posted September 2, 2018 Here are three threads from the past that you can read: https://forums.unraid.net/topic/58162-ransomware-got-into-my-unraid-server/ https://forums.unraid.net/topic/57609-new-user-need-a-secure-strategy-for-write-access-avoiding-ransomware-exposure/#comment-565045 https://forums.unraid.net/topic/58374-secure-writing-strategy-for-unraid-server-using-write-once-read-many-mode/#comment-572532 To my knowledge, I have not heard of anyone getting malware via the Plex Docker for unRAID. Your VPN should be safe as long as your can keep the clients on the other end free from Malware and/or malfeasance on the part of the user. unRAID is not exactly a likely candidate for a attack by the Black Hats as the user base isn't that large. (However, if you do something stupid like put your server into a DMZ, you will have made it a very easy target for anyone with a 'kiddie script'!) Your greatest risk will be from one of your clients becoming inflected with Malware and that client doing damage via SMB shares that it has access to. As I understand it, most of the Ransomware attackers are more interested in shared files than local files as the victims are more likely to pay to recover those. Link to comment
CaliHeatx Posted September 3, 2018 Author Share Posted September 3, 2018 Thank you for your advice! Forgive my ignorance, what is a DMZ and how do I avoid accidentally putting my server in one? Link to comment
John_M Posted September 3, 2018 Share Posted September 3, 2018 Demilitarised Zone - a kind of no man's land between your router and your firewall. It's typically an IP address on your LAN to which incoming requests from the Internet to selected TCP ports are forwarded. If you haven't explicitly set one up you're very unlikely to have one. If you have set one up then you'll know which IP address to avoid. Link to comment
CaliHeatx Posted September 3, 2018 Author Share Posted September 3, 2018 @John_MOk I definitely haven’t done anything like that on my home network. After reading the stuff that @Frank1940 posted, it seems the biggest risk is leaving shares with write access for an infected windows (or Mac) client to target. So my plan is to leave all but one share in read only/secure or private mode. That one share will be set as public, only to be used as a temporary storage before I move them into a secure share. I will edit/change most files from within UnRAID using Krusader. Link to comment
Frank1940 Posted September 3, 2018 Share Posted September 3, 2018 3 hours ago, CaliHeatx said: So my plan is to leave all but one share in read only/secure or private mode. That one share will be set as public, only to be used as a temporary storage before I move them into a secure share. I will edit/change most files from within UnRAID using Krusader. For a plan which is more automatic than this one, read the first post in the third thread that I posted a link to above. It uses a bit of 'trickery' and the cache drive to allow to to add files to a protected User Share without having actual write access to the User Share. In fact, all of my Shares are 'Secure' and none of them even have a user assigned with permission to write to them. Basically, you write files to the cache drive and unRAID's Mover puts them into the array. Any file management beyond adding files to a User Share, I do with Krusader. Link to comment
Recommended Posts
Archived
This topic is now archived and is closed to further replies.