is your cloud exposed to WAN?


Uncledome


Hey guys, kind of a question that maybe doesn't really fit here, but I don't know where else to ask.

Did a little search but found nothing that could push me to either side (open services to wan or access them through vpn). :)

 

Basically: is your cloud exposed to WAN? If so, why, and how "secure" is it to do that?

 

My current setup would look like this:

Three different subdomains handled by Cloudflare to hide IPs and proxied through Cloudflare services, ending on my ISP router on TCP 443, which is NATed to my FortiGate firewall on TCP 443.

That traffic is checked for source (only allowing Cloudflare IPs) and then NATed on the FortiGate to a VLAN in Unraid where the letsencrypt docker and the three services reside.

So the firewall side looks okay, I guess, but I still worry what will / could happen if someone cracks, let's say, the Nextcloud instance through a security issue in Nextcloud / the proxy server.

Because of this anxiety of not knowing whether this is secure enough, I've currently disabled the WAN-facing side of my setup and access it through VPN.

But this kinda sucks because it's not accessible at work and I cannot share files.

 

Thanks

Cherry

  • 3 weeks later...

I'm wondering what the best way to do this is... I would not just expose the whole machine - something about root logins and no password is just not right.

 

There is an app called "sftp" that might be good for you; you can port forward to that container. I wanted to use this but he disabled regular SSH, and I'd much prefer SSH over SFTP.

3 hours ago, BoxOfSnoo said:

I would not just expose the whole machine - something about root logins and no password is just not right.

Absolutely correct. You should never expose the unRAID OS itself directly to the internet (Web GUI, SSH, FTP, etc.). It is simply not meant for that purpose. I do expose several docker containers though, taking care to secure them as much as is possible with the docker features that are available (never privileged, limited mount points, always behind a reverse proxy with Let's Encrypt and a separate authentication container).

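One way to check the container settings primeval_god lists above, as an added example that is not code from this thread, from Unraid or from Docker: it walks a `docker inspect`-shaped HostConfig (the field names are the ones Docker reports; the two container records below are constructed for the demo, not real output) and flags privileged mode, host networking, added capabilities, whole-share or docker-socket mounts, and ports published on every host interface instead of being reached only through the reverse proxy's docker network.

```python
# Added example, not from the thread: audit a container record shaped like
# "docker inspect" output against the exposure rules from the post above.
# The WEAK_CONTAINER and HARDENED_CONTAINER records are constructed samples.
from typing import Any, Dict, List

# Host paths that, mounted whole, hand the container the host itself.
BROAD_HOST_MOUNTS = {"/", "/mnt", "/mnt/user", "/boot", "/etc", "/root"}
DOCKER_SOCKET = "/var/run/docker.sock"
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def _parse_bind(bind: str):
    """Split 'host:container[:mode]' into (host_path, mode); mode defaults to rw."""
    parts = bind.split(":")
    mode = parts[2] if len(parts) > 2 else "rw"
    return parts[0], mode


def audit_container(record: Dict[str, Any]) -> List[str]:
    """Return the exposure problems found in one container record (empty = clean)."""
    hc = record.get("HostConfig", {})
    findings: List[str] = []

    # "never privileged": --privileged removes almost every isolation boundary.
    if hc.get("Privileged"):
        findings.append("privileged")

    # Host networking skips the bridge and lets the service bind any host port.
    if hc.get("NetworkMode") == "host":
        findings.append("host-network")

    # Added capabilities (SYS_ADMIN in particular) widen the escape paths.
    for cap in hc.get("CapAdd") or []:
        findings.append(f"cap-add:{cap}")

    # "limited mount points": only the app's own folders, never whole shares
    # or the docker socket (which is root on the host by another name).
    for bind in hc.get("Binds") or []:
        host_path, mode = _parse_bind(bind)
        if host_path == DOCKER_SOCKET:
            findings.append("docker-socket-mounted")
        else:
            norm = host_path.rstrip("/") or "/"
            if norm in BROAD_HOST_MOUNTS:
                findings.append(f"broad-mount:{norm} ({mode})")

    # "always behind a reverse proxy": the app should not publish a port on
    # every host interface; the proxy reaches it over a shared docker network.
    for port, bindings in (hc.get("PortBindings") or {}).items():
        for b in bindings or []:
            if b.get("HostIp", "") in ALL_INTERFACES:
                findings.append(f"port-on-all-interfaces:{port}")

    return findings


def is_safe_to_expose(record: Dict[str, Any]) -> bool:
    """True when the record passes every rule above."""
    return not audit_container(record)


# Constructed sample: the kind of config the thread warns against.
WEAK_CONTAINER = {
    "Name": "/nextcloud-weak",
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "bridge",
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/mnt/user:/data:rw", "/var/run/docker.sock:/var/run/docker.sock:rw"],
        "PortBindings": {"443/tcp": [{"HostIp": "", "HostPort": "443"}]},
    },
}

# Constructed sample: app-only mounts, no published port, on the proxy's network.
HARDENED_CONTAINER = {
    "Name": "/nextcloud",
    "HostConfig": {
        "Privileged": False,
        "NetworkMode": "proxy_net",
        "CapAdd": None,
        "CapDrop": ["ALL"],
        "Binds": ["/mnt/user/appdata/nextcloud:/config:rw", "/mnt/user/nextcloud-data:/data:rw"],
        "PortBindings": {},
    },
}

if __name__ == "__main__":
    for rec in (WEAK_CONTAINER, HARDENED_CONTAINER):
        print(rec["Name"], "->", audit_container(rec) or "no findings")
```

To run it against a live host, feed each element of `docker inspect $(docker ps -q)` (a JSON list of records in exactly this shape) to `audit_container`; the mount allowlist is the part to adapt, since "too broad" depends on which shares the app genuinely needs.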
1 hour ago, primeval_god said:

Absolutely correct. You should never expose the unRAID OS itself directly to the internet (Web GUI, SSH, FTP, etc.). It is simply not meant for that purpose. I do expose several docker containers though, taking care to secure them as much as is possible with the docker features that are available (never privileged, limited mount points, always behind a reverse proxy with Let's Encrypt and a separate authentication container).

Do you have a suggestion for how to set up a *safe* Internet-accessible SSH server?


I guess I worded that wrongly, because I was talking about a cloud app like Nextcloud or ownCloud.

 

Basically everything I said up there is pointing, in the end, to a Nextcloud docker on my Unraid system.

I would never expose my unraid server itself.

But I'm still afraid that an attacker might get into my Unraid server through the docker part of Unraid or something like that.

 

Thanks

Cherry
