October 20, 20196 yr Hey guys, kinda question that maybe does not really fit here but I don't know where else to ask. Did a little search but found nothing that could push me to either side (open services to wan or access them through vpn). Basically: is your cloud exposed to WAN? if so, why and how "secure" is it to do that. My current setup would look like this: Three different subdomains handled by cloudflare to hide IP's and proxy them through cloudflare services ending on my ISP router on TCP 443 which is natted to my fortigate firewall on TCP 443. That traffic is checked for source (only allowing cloudflare ips) and then natted on the fortigate to a VLAN in unraid where the letsencrypt docker and the three services reside. So firewall side looks okay I guess but I still worry what will / could happen if someone cracks lets say the nextcloud instance through a security issue of nextcloud / proxy server. Because of this anxiety I have of not knowing if this is secure enough, I've currently disabled the WAN facing side of my setup and access it through vpn. But this kinda sucks because not accessible at work and cannot share files. Thanks Cherry
November 11, 20196 yr I'm wondering what the best way to do this is... I would not just expose the whole machine - something about root logins and no password is just not right. There is an app called "sftp" that might be good for you, you can port forward to that container. I wanted to use this but he disabled regular SSH, and I'd much prefer SSH over SFTP.
November 11, 20196 yr 3 hours ago, BoxOfSnoo said: I would not just expose the whole machine - something about root logins and no password is just not right. Absolutely correct. You should never expose the unRAID OS itself to directly to the internet (Web GUI, SSH, FTP, etc) It is simply not meant for that purpose. I do expose several docker containers though, taking care to secure them as much as is possible with the docker features that are available (never privileged, limited mount points, always behind a reverse proxy with lets encrypt and a separate authentication container).
November 11, 20196 yr 1 hour ago, primeval_god said: Absolutely correct. You should never expose the unRAID OS itself to directly to the internet (Web GUI, SSH, FTP, etc) It is simply not meant for that purpose. I do expose several docker containers though, taking care to secure them as much as is possible with the docker features that are available (never privileged, limited mount points, always behind a reverse proxy with lets encrypt and a separate authentication container). Do you have a suggestion for how to set up a *safe* Internet-accessible SSH server?
November 11, 20196 yr I would setup a VPN server on unRAID and then client on your laptop or remote computer to establish a secure VPN connection between the remote computer and the unRAID server, then you can do whatever you want across the VPN tunnel.
November 11, 20196 yr Author I guess I worded myself wrongly because I was talking about a cloud-app like nextcloud or owncloud. Basically everything I said up there is pointing in the end to a nextcloud docker on my unraid system. I would never expose my unraid server itself. But I'm still afraid that an attacker might get into my unraid server through the docker part of unraid or something like that. Thanks Cherry
Archived
This topic is now archived and is closed to further replies.