drumstyx Posted November 19, 2019 I've been using openvpn-as (as a docker container on both my unraid servers) for a while now as my primary entry point for when I'm doing remote admin stuff, but as I sit here on a zoom meeting call, I'd really like to ssh into my server. That got me thinking -- with the pretty new login setup in 6.8.0 RCs, what's safe to open up for outside access? I already have a few ports forwarded to openvpn-as access, and for some reason I assume openvpn to be secure enough to do so, but I'm hesitant to open port 22, for example. Time was, it was inadvisable to open ANY ports to unraid, so I'm curious what the status is these days. I'd love to be able to open the web interface to direct access, but if that's not a good idea, could I at least do ssh?
BRiT Posted November 19, 2019 Nothing. If you must, set up your own VPN into your home network and use that as a springboard to your other servers or directly to your server. The latest RCs include WireGuard support, which is new and exciting and allegedly easy to set up.
Squid Posted November 20, 2019 Ports required for Plex would be safe to open (i.e. 32400).
drumstyx Posted November 20, 2019 (Author) 9 hours ago, Squid said: Ports required for Plex would be safe to open (i.e. 32400) Ah right, I forgot to mention that I've already done that, naturally. Is it really no good to open up things with a reverse proxy like SpaceInvader One's tutorial?
JonathanM Posted November 20, 2019 1 hour ago, drumstyx said: Is it really no good to open up things with a reverse proxy like SpaceInvader One's tutorial? Depends. Each port that you open is another thing that has to be evaluated. With a reverse proxy, there is a single application directly answering, either nginx or apache or traefik or whatever. That reduces the exposure somewhat, and each app that you pass through needs to be evaluated for risk and security as well. As a network admin, it's on you to research and keep up with updates on all exposed services. It's going to be as safe as your due diligence.
mfwade Posted November 20, 2019 I too was looking for something similar. I took a different route and set up Apache Guacamole. This allowed me to set up a 'web' instance for my SSH connections. All of my outside traffic (except Plex) traverses the NGINX proxy, with an additional layer of authentication - essentially multi-factor (log in to NGINX, then log in to the application) authentication. Seems to work well for me, and the only ports I have to expose are 80/443 and 32400 (Plex). Edited November 20, 2019 by mfwade
drumstyx Posted November 21, 2019 (Author) 22 hours ago, mfwade said: I too was looking for something similar. I took a different route and set up Apache Guacamole. This allowed me to set up a 'web' instance for my SSH connections. All of my outside traffic (except Plex) traverses the NGINX proxy, with an additional layer of authentication - essentially multi-factor (log in to NGINX, then log in to the application) authentication. Seems to work well for me, and the only ports I have to expose are 80/443 and 32400 (Plex). In that case, frankly, I might as well just set up a VM to remote into with any remote desktop protocol. Of course, the best part of Guacamole (aside from avocados) is being accessible from ANY machine with a web browser, so still something to think about I suppose. All that said, I've managed to get port-sharing working with openvpn-as, so I'm only exposing 443 right now for both openvpn-as and my reverse proxy. I'd REALLY love a secure way to ssh in without VPN too, though, but that's less necessary. I guess ssh itself is ostensibly secure enough to simply be exposed, but with root being the main user for unraid, that's pretty risky.
mfwade Posted November 26, 2019 I don't know that I would expose direct SSH to the world. VPN in and do your tasks, or use Guacamole (or other) to remote in for SSH. I can send you screenshots of what I have done in both my Palo Alto and Unifi firewalls if you like.
Juise99 Posted November 27, 2019 Depends on how many points of entry you want to your network. Things like 32400 for Plex are just a way for traffic to flow directly between the servers. Since Plex isn't providing any general access to your server on that port (like a login), it's generally considered safe. Opening SSH to the world used to be considered generally safe because it's a secure encrypted protocol from start to finish. The generally accepted thinking these days is that there's no obscurity in that. If someone manages to obtain your login info, they know that with SSH they will generally land on a Linux box with at least user level credentials. VPN in a pure point to point aspect isn't any more secure than SSH, but it gives your network a level of obscurity, and a second level of credential protection. So if someone gets your VPN credentials they only land on your network. From there they still have to find your server (pretty easy with nmap), and obtain the credentials to login to your server. And since your VPN credentials are different than your ssh credentials it's harder to gain access to your data. I suspect you can safely disable ssh root login in UnRAID. That way root is available locally, just not over SSH. Edited November 27, 2019 by Juise99
JonathanM Posted November 27, 2019 7 hours ago, Juise99 said: I suspect you can safely disable ssh root login in UnRAID. That way root is available locally, just not over SSH. For a stock Unraid install (current as of late 2019), that would not work well. At the moment, the only easy answer is not to allow SSH over a non-VPN connection. If you open the SSH port to the internet, even if you never get a successful entry from a hacker, your server will still be crippled when the log file fills with attempted logins. There are things that still need to be addressed in the way Unraid handles exposure to the internet. It's getting better, but it's still not there yet.
testdasi Posted November 27, 2019 30 minutes ago, jonathanm said: If you open the SSH port to the internet, even if you never get a successful entry from a hacker, your server will still be crippled when the log file fills with attempted logins. +1 on this. It's pretty easy to bring down an Unraid server DDoS-style by spamming SSH attempts. I accidentally discovered this when testing out some PuTTY scripts.
xman111 Posted November 27, 2019 So is it safe to port forward and use the reverse proxy? I am hosting Bitwarden and Nextcloud on my unraid server.
JonathanM Posted November 27, 2019 7 minutes ago, xman111 said: So is it safe to port forward and use the reverse proxy? Yes. No. Depends. Each application that is responding to requests from the outside must be evaluated on its own merits. Both of the applications you cite are heavily scrutinized for security issues, so as long as you keep abreast of security issues in your reverse proxy and those applications, it's "safe". There is no such thing as a blanket statement of safe or not for any internet exposure. There is only degree of risk, which increases greatly when a security hole is found in one of the applications you are exposing.
xman111 Posted November 27, 2019 Thanks JonathanM! Are there log files to see if there are attempts on the machine to get in? I am also running pfSense, so I should check those too.
JonathanM Posted November 27, 2019 24 minutes ago, xman111 said: Are there log files to see if there are attempts on the machine to get in? Each answering application will have its own set of logs.
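The two points raised above, that an exposed sshd fills its log with failed logins and that each service's own log is where you see attempts, can be checked with a small script over the sshd lines of the syslog. This is an added example, not code from the thread or from Unraid; the log lines below are constructed (RFC 5737 documentation addresses, default "Tower" hostname) and the message formats are the standard OpenSSH "Failed password" / "Accepted" lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd syslog lines (not captured from any real server).
SAMPLE_LOG = """\
Nov 27 03:14:01 Tower sshd[1201]: Failed password for root from 203.0.113.7 port 51522 ssh2
Nov 27 03:14:02 Tower sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
Nov 27 03:14:02 Tower sshd[1203]: Invalid user admin from 203.0.113.7 port 51530
Nov 27 03:14:03 Tower sshd[1204]: Failed password for root from 203.0.113.7 port 51540 ssh2
Nov 27 03:14:05 Tower sshd[1205]: Failed password for root from 198.51.100.23 port 40010 ssh2
Nov 27 03:14:09 Tower sshd[1206]: Accepted publickey for root from 192.168.1.50 port 50000 ssh2: ED25519 SHA256:placeholder
Nov 27 03:14:12 Tower sshd[1207]: Failed password for root from 203.0.113.7 port 51560 ssh2
Nov 27 03:14:20 Tower sshd[1208]: Accepted password for root from 203.0.113.7 port 51580 ssh2
"""

# OpenSSH logs "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
# and "Accepted <method> for <user> from <ip> port <n> ssh2".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize_sshd(log_text):
    """Count failed logins per source IP, record the usernames tried, and flag
    any successful login coming from an IP that had failures before it."""
    failures = Counter()
    usernames = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((ip, user, method))
    # A success following failures from the same IP is what a guessed password looks like.
    suspicious = [(ip, user, method) for ip, user, method in accepted if failures[ip] > 0]
    return {"failures": dict(failures),
            "usernames": {ip: sorted(u) for ip, u in usernames.items()},
            "accepted": accepted,
            "suspicious": suspicious}

def noisy_sources(summary, threshold=3):
    """Source IPs at or above the failure threshold: the ones a firewall rule or
    fail2ban-style jail would act on, and the ones flooding the log."""
    return sorted(ip for ip, n in summary["failures"].items() if n >= threshold)

if __name__ == "__main__":
    s = summarize_sshd(SAMPLE_LOG)
    print("failures per IP:", s["failures"])
    print("noisy sources:", noisy_sources(s))
    print("successful logins after failures:", s["suspicious"])
```

On a live box the same parser can be pointed at the syslog instead of the constructed sample; the "suspicious" list is the line worth alerting on, since a flood of failures alone is just the noise JonathanM describes.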