
Server security help - any extra steps to take?


CaliHeatx

Hi all, 

Building an UnRAID server mainly for Plex was my first foray into networking. I just want to be sure I’m not leaving any easy access paths for my server to be ransomwared or infected. 

 

My server is connected to the internet in two ways: through Plex and OpenVPN. I use the OpenVPN docker and connect to it remotely with a few mobile devices using an OVPN configuration file.

 

For my home network, I make my important shares read only or private so they cannot be changed from another PC within my network.

 

Are there any other security steps I should be taking? Thanks.

Link to comment

Here are three threads from the past that you can read:

https://forums.unraid.net/topic/58162-ransomware-got-into-my-unraid-server/

https://forums.unraid.net/topic/57609-new-user-need-a-secure-strategy-for-write-access-avoiding-ransomware-exposure/#comment-565045

https://forums.unraid.net/topic/58374-secure-writing-strategy-for-unraid-server-using-write-once-read-many-mode/#comment-572532


To my knowledge, I have not heard of anyone getting malware via the Plex Docker for unRAID. Your VPN should be safe as long as you can keep the clients on the other end free from Malware and/or malfeasance on the part of the user. unRAID is not exactly a likely candidate for an attack by the Black Hats as the user base isn't that large. (However, if you do something stupid like put your server into a DMZ, you will have made it a very easy target for anyone with a 'kiddie script'!) Your greatest risk will be from one of your clients becoming infected with Malware and that client doing damage via SMB shares that it has access to. As I understand it, most of the Ransomware attackers are more interested in shared files than local files as the victims are more likely to pay to recover those.

Link to comment

Demilitarised Zone - a kind of no man's land between your router and your firewall. It's typically an IP address on your LAN to which incoming requests from the Internet to selected TCP ports are forwarded. If you haven't explicitly set one up you're very unlikely to have one. If you have set one up then you'll know which IP address to avoid.

Link to comment

@John_M Ok, I definitely haven’t done anything like that on my home network.

 

After reading the stuff that @Frank1940 posted, it seems the biggest risk is leaving shares with write access for an infected Windows (or Mac) client to target.

 

So my plan is to leave all but one share in read only/secure or private mode. That one share will be set as public, only to be used as a temporary storage before I move them into a secure share. I will edit/change most files from within UnRAID using Krusader.

 

Link to comment
3 hours ago, CaliHeatx said:

So my plan is to leave all but one share in read only/secure or private mode. That one share will be set as public, only to be used as a temporary storage before I move them into a secure share. I will edit/change most files from within UnRAID using Krusader.

 

For a plan which is more automatic than this one, read the first post in the third thread that I posted a link to above. It uses a bit of 'trickery' and the cache drive to allow you to add files to a protected User Share without having actual write access to the User Share. In fact, all of my Shares are 'Secure' and none of them even have a user assigned with permission to write to them. Basically, you write files to the cache drive and unRAID's Mover puts them into the array. Any file management beyond adding files to a User Share, I do with Krusader.

Link to comment

Archived

This topic is now archived and is closed to further replies.
