September 23, 2010

Hi,

I have recently set up my router to open ports for my installations of sabnzbd (https), sickbeard and CouchPotato so I can remotely administer them. I have also opened up the port for unmenu. This all works beautifully, allowing me to manage my server from my BlackBerry wherever I am, but I have been wondering if I have opened myself up to any security risks by doing this. Is there anything special I need to do to ensure my network is secure?

Thanks,
Kent

September 23, 2010

> Hi, I have recently set up my router to open ports for my installations of sabnzbd (https), sickbeard and CouchPotato so I can remotely administer them. I have also opened up the port for unmenu. This all works beautifully, allowing me to manage my server from my BlackBerry wherever I am, but I have been wondering if I have opened myself up to any security risks by doing this. Is there anything special I need to do to ensure my network is secure? Thanks, Kent

Yes, (and I'm being serious) un-do what you've done.

Unless you've set up a VPN, you have allowed every hacker in the world access to your server and your data. unRAID is not even close to being secure... it would be trivial to break into your server if all you did was open up the ports to allow remote access through your router. unMENU was never designed to be "secure" and probably cannot be made secure. For that matter, I'd probably say the same about the other applications you mentioned.

You've been warned... it's your data, and your server.

Joe L.

September 23, 2010

Joe,

That being said, I am sure quite a number of users would like to be able to remotely administer sab or sickbeard etc. This seems to come up ever so often, but always with the warning that unRAID is unsecure etc. What would be some solutions? The ones I can think about off the top of my head are:

1. Fix unRAID
2. Use another computer on your network to control sab/sickbeard remotely
3. ...

Those who have gotten a solution to work, please consider explaining how you achieved such, as I am sure it will help a multitude of persons who are not "secure savvy".

September 23, 2010

> Joe, That being said, I am sure quite a number of users would like to be able to remotely administer sab or sickbeard etc. This seems to come up ever so often, but always with the warning that unRAID is unsecure etc. What would be some solutions? The ones I can think about off the top of my head are:
> 1. Fix unRAID
> 2. Use another computer on your network to control sab/sickbeard remotely
> 3. ...
>
> Those who have gotten a solution to work, please consider explaining how you achieved such, as I am sure it will help a multitude of persons who are not "secure savvy".

I set up VPN on my DDWRT router and connect that way. From there I can control and view everything as if I was on my local network. The best thing about this solution is that it is not dependent on having another computer running all the time on your network.

September 23, 2010

You can use Hamachi for that, it's a secure way to access your unRAID server remotely: http://lime-technology.com/forum/index.php?topic=7248.0

September 23, 2010

> I set up VPN on my DDWRT router and connect that way. From there I can control and view everything as if I was on my local network. The best thing about this solution is that it is not dependent on having another computer running all the time on your network.

Mind if I ask what router you use and VPN method? I tried installing OpenVPN on my DDWRT setup (Linksys WRT54GSV7) but it seems that this router cannot support that because of the limited RAM on board (2M).

> You can use Hamachi for that, it's a secure way to access your unRAID server remotely: http://lime-technology.com/forum/index.php?topic=7248.0

I got this to work perfectly, but your server needs to be running 24/7 and also you can only browse shares, you can't execute commands on the server. With OpenVPN you can wake up the server from the router and then run commands on the server remotely.

September 23, 2010

> > I set up VPN on my DDWRT router and connect that way. From there I can control and view everything as if I was on my local network. The best thing about this solution is that it is not dependent on having another computer running all the time on your network.
>
> Mind if I ask what router you use and VPN method? I tried installing OpenVPN on my DDWRT setup (Linksys WRT54GSV7) but it seems that this router cannot support that because of the limited RAM on board (2M).
>
> > You can use Hamachi for that, it's a secure way to access your unRAID server remotely: http://lime-technology.com/forum/index.php?topic=7248.0
>
> I got this to work perfectly, but your server needs to be running 24/7 and also you can only browse shares, you can't execute commands on the server. With OpenVPN you can wake up the server from the router and then run commands on the server remotely.

Here I can access all the services running on unRAID like SABnzbd, Transmission and Sickbeard, and also telnet to the server, all using the virtual IP address of the server.

But I agree that OpenVPN running from a router is a better solution.

September 23, 2010

Personally I have two machines on my network that I utilize a lot:

- unRAID - Stores and protects my files.
- Download - My BitTorrent machine running Windows and some basic apps that I need it to run.

Why separate? Well, if my Download machine gets hacked or dies it has no ties to my unRAID machine other than I use some custom scripts that I copy files to my unRAID machine. Nothing is mapped in a read/write capacity.

Remote access to my unRAID machine? Nope, not going to happen.

Remote access to my Download machine? Nope, not going to happen.

There is nothing that is that important that I can't do at home or do later. Yes, it is very cool to pick up my phone or a laptop and get into my network and control things, but honestly I've learned years ago that you give them an inch and they will take the mile.

I do have a pogoplug on my network with a USB stick plugged into it that is 8gig. If I really need data I can grab it off it, or I can store some files on DropBox that I often grab/store. However, just like the two machines up top, they both serve different roles and they do not mix/match.

Sure, I might be over the top with my thought process, but in my older days I could check my logs and I would see hourly attacks trying to gain access via SSH/www exploits. Give them a window and they will somehow try to gain access. I was lucky and never had anybody successfully gain access because I was over the top with my methods at that time, but it was also some work to maintain.

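Added example, not part of the original post: one way to see the kind of hourly SSH login attempts described above is to summarize an sshd log by hour and by source address. The log lines, the host name `tower`, the user names and the addresses are constructed samples in OpenSSH syslog format; `summarize` and its `threshold` parameter are hypothetical names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample lines (OpenSSH syslog format), not taken from the thread.
SAMPLE_LOG = """\
Sep 23 01:02:11 tower sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep 23 01:02:14 tower sshd[2211]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 23 01:02:19 tower sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51251 ssh2
Sep 23 02:15:40 tower sshd[2301]: Failed password for invalid user test from 198.51.100.23 port 40022 ssh2
Sep 23 02:40:02 tower sshd[2310]: Accepted password for kent from 192.168.1.10 port 50112 ssh2
Sep 23 03:05:09 tower sshd[2402]: Failed password for root from 203.0.113.7 port 51999 ssh2
Sep 23 03:05:30 tower sshd[2402]: Accepted password for root from 203.0.113.7 port 52001 ssh2
"""

LINE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(log_text, threshold=3):
    """Count failed logins per hour and per source, and flag any successful
    login from a source that already reached `threshold` failures."""
    failures_by_hour = Counter()
    failures_by_ip = Counter()
    suspicious_logins = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a password-authentication line
        ip = m["ip"]
        if m["result"] == "Failed":
            failures_by_hour[f'{m["mon"]} {m["day"]} {m["hour"]}:00'] += 1
            failures_by_ip[ip] += 1
        elif failures_by_ip[ip] >= threshold:
            # A success right after repeated failures deserves a closer look.
            suspicious_logins.append((ip, m["user"]))
    noisy = sorted(ip for ip, n in failures_by_ip.items() if n >= threshold)
    return {"by_hour": dict(failures_by_hour),
            "noisy_sources": noisy,
            "suspicious_logins": suspicious_logins}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
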
September 23, 2010

> Mind if I ask what router you use and VPN method? I tried installing OpenVPN on my DDWRT setup (Linksys WRT54GSV7) but it seems that this router cannot support that because of the limited RAM on board (2M).

I have DDWRT running on a Linksys/Cisco WRT320N. It has been working great and I have it set up to use OpenVPN. Then on my Mac I have a client on my machine to start the VPN connection and send all traffic over that connection. It works great and is very useful.

September 23, 2010

^^ How do you do this with hamachi for windows? Just copy the address from the Hamachi client, and paste it in your browser.

September 24, 2010, Author

Joe,

Thanks for the advice, I have reversed my changes and I am going to do a little more research on this. I just want to clarify a few things:

- I may have used the wrong terminology when I said "opened" ports, what I meant was forwarded ports. Not sure if that makes a difference.
- Is the real danger here that a hacker may be able to exploit something in the software listening on those ports? i.e. sabnzbd & sickbeard.
- I only want to be able to administer my server and manage queues etc. I do not need file access. Not sure if I can do a VPN connection from my BlackBerry.
- Don't many applications and/or games require port forwarding? Aren't those more likely to be targets for hackers rather than a pretty obscure thing as a unRAID file server?

I appreciate any more advice you or others may have on this topic.

Cheers,
Kent