Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

What's safe to open to the outside internet?

Featured Replies

I've been using openvpn-as (as a docker container on both my unraid servers) for a while now as my primary entry point for when I'm doing remote admin stuff, but as I sit here on a zoom meeting call, I'd really like to ssh into my server. That got me thinking -- with the pretty new login setup in 6.8.0 rc's, what's safe to open up for outside access? I already have a few ports forwarded to openvpn-as access, and for some reason I assume openvpn to be secure enough to do so, but I'm hesitant to open port 22, for example. Time was, it was inadvisable to open ANY ports to unraid, so I'm curious what the status is these days.

 

I'd love to be able to open the web interface to direct access, but if that's not a good idea, could I at least do ssh?

Nothing.

 

If you must, setup your own VPN into your home network and use that to spring board to your other servers or directly to your server. The latest RCs include WireGuard support which is new and exciting and allegedly easy to setup.

Ports required for Plex would be safe to open (ie: 32400)  

  • Author
9 hours ago, Squid said:

Ports required for Plex would be safe to open (ie: 32400)  

Ah right, I forgot to mention that I've already done that, naturally.

 

Is it really no good to open up things with a reverse proxy like spaceinvader one's tutorial?

1 hour ago, drumstyx said:

 

Is it really no good to open up things with a reverse proxy like spaceinvader one's tutorial?

Depends. Each port that you open is another thing that has to be evaluated. With a reverse proxy, there is a single application directly answering, either nginx or apache or traefik or whatever. That reduces the exposure somewhat, and each app that you pass through needs to be evaluated for risk and security as well.

 

As a network admin, it's on you to research and keep up with updates on all exposed services. It's going to be as safe as your due diligence.

I too was looking for something similar. I took a different route and set up Apache Guacamole. This allowed me to set up a 'web' instance for my SSH connections. All of my outside (except Plex) traverse the NGINX Proxy, with an additional layer of authentication - essentially multi factor (log in to NGINIX, then login to the application) authentication.

 

Seems to work well for me and the only ports I have to expose are 80/443, and 32400 (Plex).

Edited by mfwade

  • Author
22 hours ago, mfwade said:

I too was looking for something similar. I took a different route and set up Apache Guacamole. This allowed me to set up a 'web' instance for my SSH connections. All of my outside (except Plex) traverse the NGINX Proxy, with an additional layer of authentication - essentially multi factor (log in to NGINIX, then login to the application) authentication.

 

Seems to work well for me and the only ports I have to expose are 80/443, and 32400 (Plex).

In that case, frankly, I might as well just set up a VM to remote into with any remote desktop protocol. Of course, the best part of guacamole (aside from avocados) is being accessible from ANY machine with a web browser, so still something to think about I suppose.

All that said, I've managed to get port-sharing working with openvpn-as, so I'm only exposing 443 right now for both openvpn-as and my reverse proxy. I'd REALLY love a secure way to ssh in without VPN too though, but that's less necessary. I guess ssh itself is ostensibly secure enough to simply be exposed, but with root being the main user for unraid, that's pretty risky.

I don't know that i would expose direct SSH to the world. VPN in and do your tasks or use Guacamole (or other) to remote in for SSH.

 

I can send you screenshots of what I have done in both my PaloAlto and Unifi firewalls of you like.

Depends on how many points of entry you want to your network. Things like 32400 for Plex are just a way for traffic to flow directly between the servers. Since Plex isn't providing any general access to your server on that port (like a login) it's generally considered safe. Opening SSH to the world used to be considered generally safe because it's a secure encrypted protocol from start to finish. The generally accepted thinking these days is that there's no obscurity in that. If someone manages to obtain your login info, they know that with SSH they will generally land on a Linux box with at least user level credentials. VPN in a pure point to point aspect isn't any more secure than SSH, but it gives your network a level of obscurity, and a second level of credential protection. So if someone gets your VPN credentials they only land on your network. From there they still have to find your server (pretty easy with nmap), and obtain the credentials to login to your server. And since your VPN credentials are different than your ssh credentials :) it's harder to gain access to your data.

 

I suspect you can safely disable ssh root login in UnRAID. That way root is available locally just not over SSH.

Edited by Juise99

7 hours ago, Juise99 said:

I suspect you can safely disable ssh root login in UnRAID. That way root is available locally just not over SSH.

For a stock current as of late 2019 unraid install, that would not work well. At the moment, the only easy answer is not to allow SSH over a non-VPN connection.

 

If you open the SSH port to the internet, even if you never get a successful entry from a hacker your server will still be crippled when the log file fills with attempted logins. There are things that still need to be addressed in the way Unraid handles exposure to the internet. It's getting better, but it's still not there yet.

30 minutes ago, jonathanm said:

If you open the SSH port to the internet, even if you never get a successful entry from a hacker your server will still be crippled when the log file fills with attempted logins.

+1 on this. It's pretty easy to bring down an Unraid server DDoS-style by spamming SSH attempts. I accidentally discovered this when testing out some Putty scripts.

so is it safe to port forward and use the reverse proxy?   i am hosting bitwarden and nextcloud on my unraid server.

7 minutes ago, xman111 said:

so is it safe to port forward and use the reverse proxy?

Yes. No. Depends.

 

Each application that is responding to requests from the outside must be evaluated on its own merits.

 

Both of the applications you site are heavily scrutinized for security issues, so as long as you keep abreast of security issues in your reverse proxy and those applications, it's "safe".

 

There is no such thing as a blanket statement of safe or not for any internet exposure. There is only degree of risk, which increases greatly when a security hole is found in one of the applications you are exposing.

thanks Jonathanm!

are there log files to see if there are attempts on the machine to get in?   i am also running pfsense so i should check those too.

24 minutes ago, xman111 said:

are there log files to see if there are attempts on the machine to get in?

Each answering application will have their own set of logs.

thanks!!!

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.