Uncledome (posted October 20, 2019):
Hey guys, kinda a question that maybe doesn't really fit here, but I don't know where else to ask. Did a little search but found nothing that could push me to either side (open services to WAN or access them through VPN). Basically: is your cloud exposed to WAN? If so, why, and how "secure" is it to do that? My current setup looks like this: three different subdomains handled by Cloudflare to hide IPs and proxy them through Cloudflare services, ending on my ISP router on TCP 443, which is NATed to my FortiGate firewall on TCP 443. That traffic is checked for source (only allowing Cloudflare IPs) and then NATed on the FortiGate to a VLAN in unraid where the letsencrypt docker and the three services reside. So the firewall side looks okay, I guess, but I still worry what will / could happen if someone cracks, let's say, the Nextcloud instance through a security issue in Nextcloud / the proxy server. Because of this anxiety I have of not knowing if this is secure enough, I've currently disabled the WAN-facing side of my setup and access it through VPN. But this kinda sucks because it's not accessible at work and I cannot share files. Thanks, Cherry
BoxOfSnoo (posted November 11, 2019):
I'm wondering what the best way to do this is... I would not just expose the whole machine; something about root logins and no password is just not right. There is an app called "sftp" that might be good for you; you can port forward to that container. I wanted to use this, but he disabled regular SSH, and I'd much prefer SSH over SFTP.
primeval_god (posted November 11, 2019):
Quoting BoxOfSnoo (3 hours earlier): "I would not just expose the whole machine - something about root logins and no password is just not right."
Absolutely correct. You should never expose the unRAID OS itself directly to the internet (Web GUI, SSH, FTP, etc.). It is simply not meant for that purpose. I do expose several docker containers though, taking care to secure them as much as is possible with the docker features that are available (never privileged, limited mount points, always behind a reverse proxy with Let's Encrypt and a separate authentication container).
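A defender-side check for the container hardening primeval_god lists (never privileged, limited mount points), as an added example that is not part of this thread or of Unraid itself: it audits `docker inspect` output for privileged mode, added capabilities, a missing `no-new-privileges` option and bind mounts outside an allow-list of host paths. The inspect records and the allowed path prefixes are constructed for the example and stand in for a local policy.

```python
import json

# Constructed `docker inspect` output for two containers (sample data, not a real host).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/nextcloud",
        "HostConfig": {"Privileged": False, "CapAdd": None,
                       "SecurityOpt": ["no-new-privileges:true"]},
        "Mounts": [
            {"Type": "bind", "Source": "/mnt/user/appdata/nextcloud", "Destination": "/config"},
            {"Type": "bind", "Source": "/mnt/user/nextcloud/data", "Destination": "/data"},
        ],
    },
    {
        "Name": "/sketchy",
        "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "SecurityOpt": None},
        "Mounts": [
            {"Type": "bind", "Source": "/mnt/user", "Destination": "/host"},
            {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
        ],
    },
])

# Assumed local policy: bind mounts may only come from these host paths.
ALLOWED_MOUNT_PREFIXES = ("/mnt/user/appdata/", "/mnt/user/nextcloud/")

def audit_container(record):
    """Return the list of findings for one docker-inspect record (empty = clean)."""
    findings = []
    host_cfg = record.get("HostConfig") or {}
    if host_cfg.get("Privileged"):
        findings.append("privileged")
    for cap in host_cfg.get("CapAdd") or []:
        findings.append(f"cap_add:{cap}")
    if "no-new-privileges:true" not in (host_cfg.get("SecurityOpt") or []):
        findings.append("missing no-new-privileges")
    for mount in record.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and not src.startswith(ALLOWED_MOUNT_PREFIXES):
            findings.append(f"bind mount outside allowed paths:{src}")
    return findings

def audit(inspect_json):
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

On a real host, feed it `docker inspect $(docker ps -q)` and adjust the prefixes to the shares the containers are actually meant to see.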
BoxOfSnoo (posted November 11, 2019):
Quoting primeval_god (1 hour earlier): "Absolutely correct. You should never expose the unRAID OS itself directly to the internet (Web GUI, SSH, FTP, etc.). It is simply not meant for that purpose. I do expose several docker containers though, taking care to secure them as much as is possible with the docker features that are available (never privileged, limited mount points, always behind a reverse proxy with Let's Encrypt and a separate authentication container)."
Do you have a suggestion for how to set up a *safe* Internet-accessible SSH server?
ashman70 (posted November 11, 2019):
I would set up a VPN server on unRAID and then a client on your laptop or remote computer to establish a secure VPN connection between the remote computer and the unRAID server; then you can do whatever you want across the VPN tunnel.
Uncledome (thread author, posted November 11, 2019):
I guess I worded myself wrongly, because I was talking about a cloud app like Nextcloud or ownCloud. Basically everything I said up there is pointing in the end to a Nextcloud docker on my unraid system. I would never expose my unraid server itself. But I'm still afraid that an attacker might get into my unraid server through the docker part of unraid or something like that. Thanks, Cherry