What's safe to open to the outside internet?


drumstyx


I've been using openvpn-as (as a docker container on both my unraid servers) for a while now as my primary entry point for when I'm doing remote admin stuff, but as I sit here on a zoom meeting call, I'd really like to ssh into my server. That got me thinking -- with the pretty new login setup in the 6.8.0 RCs, what's safe to open up for outside access? I already have a few ports forwarded for openvpn-as access, and for some reason I assume openvpn to be secure enough to do so, but I'm hesitant to open port 22, for example. Time was, it was inadvisable to open ANY ports to unraid, so I'm curious what the status is these days.

 

I'd love to be able to open the web interface to direct access, but if that's not a good idea, could I at least do ssh?

Link to comment
1 hour ago, drumstyx said:

 

Is it really no good to open up things with a reverse proxy like spaceinvader one's tutorial?

Depends. Each port that you open is another thing that has to be evaluated. With a reverse proxy, there is a single application directly answering, either nginx or apache or traefik or whatever. That reduces the exposure somewhat, and each app that you pass through needs to be evaluated for risk and security as well.

 

As a network admin, it's on you to research and keep up with updates on all exposed services. It's going to be as safe as your due diligence.

Link to comment

I too was looking for something similar. I took a different route and set up Apache Guacamole. This allowed me to set up a 'web' instance for my SSH connections. All of my outside connections (except Plex) traverse the NGINX Proxy, with an additional layer of authentication - essentially multi-factor (log in to NGINX, then log in to the application) authentication.

 

Seems to work well for me and the only ports I have to expose are 80/443, and 32400 (Plex).

Edited by mfwade
Link to comment
22 hours ago, mfwade said:

I too was looking for something similar. I took a different route and set up Apache Guacamole. This allowed me to set up a 'web' instance for my SSH connections. All of my outside connections (except Plex) traverse the NGINX Proxy, with an additional layer of authentication - essentially multi-factor (log in to NGINX, then log in to the application) authentication.

 

Seems to work well for me and the only ports I have to expose are 80/443, and 32400 (Plex).

In that case, frankly, I might as well just set up a VM to remote into with any remote desktop protocol. Of course, the best part of guacamole (aside from avocados) is being accessible from ANY machine with a web browser, so still something to think about I suppose.

All that said, I've managed to get port-sharing working with openvpn-as, so I'm only exposing 443 right now for both openvpn-as and my reverse proxy. I'd REALLY love a secure way to ssh in without VPN too though, but that's less necessary. I guess ssh itself is ostensibly secure enough to simply be exposed, but with root being the main user for unraid, that's pretty risky.

Link to comment

Depends on how many points of entry you want to your network. Things like 32400 for Plex are just a way for traffic to flow directly between the servers. Since Plex isn't providing any general access to your server on that port (like a login) it's generally considered safe. Opening SSH to the world used to be considered generally safe because it's a secure encrypted protocol from start to finish. The generally accepted thinking these days is that there's no obscurity in that. If someone manages to obtain your login info, they know that with SSH they will generally land on a Linux box with at least user level credentials. VPN in a pure point to point aspect isn't any more secure than SSH, but it gives your network a level of obscurity, and a second level of credential protection. So if someone gets your VPN credentials they only land on your network. From there they still have to find your server (pretty easy with nmap), and obtain the credentials to login to your server. And since your VPN credentials are different than your ssh credentials :) it's harder to gain access to your data.

 

I suspect you can safely disable ssh root login in UnRAID. That way root is available locally just not over SSH.

Edited by Juise99
Link to comment
7 hours ago, Juise99 said:

I suspect you can safely disable ssh root login in UnRAID. That way root is available locally just not over SSH.

For a stock Unraid install, current as of late 2019, that would not work well. At the moment, the only easy answer is not to allow SSH over a non-VPN connection.

 

If you open the SSH port to the internet, even if you never get a successful entry from a hacker your server will still be crippled when the log file fills with attempted logins. There are things that still need to be addressed in the way Unraid handles exposure to the internet. It's getting better, but it's still not there yet.

Link to comment
30 minutes ago, jonathanm said:

If you open the SSH port to the internet, even if you never get a successful entry from a hacker your server will still be crippled when the log file fills with attempted logins.

+1 on this. It's pretty easy to bring down an Unraid server DDoS-style by spamming SSH attempts. I accidentally discovered this when testing out some PuTTY scripts.

Link to comment
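The log flooding jonathanm and xman111 describe in the two posts above is exactly what a brute-force detector (fail2ban-style) keys on. As an added example, not code from this thread, the Python below parses constructed sshd auth-log lines, counts failed logins per source address, and flags any address that crosses a threshold inside a sliding time window; the hostname `tower`, the PIDs and all IP addresses are made up.

```python
"""Flag SSH brute-force sources from syslog-format sshd lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: five rapid failures from one address, two slow ones from
# another, and one legitimate key-based login that must be ignored.
SAMPLE_LOG = """\
Dec  1 10:00:01 tower sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec  1 10:00:02 tower sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Dec  1 10:00:03 tower sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Dec  1 10:00:04 tower sshd[2207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Dec  1 10:00:05 tower sshd[2209]: Failed password for root from 203.0.113.7 port 51060 ssh2
Dec  1 10:00:09 tower sshd[2211]: Failed password for root from 198.51.100.4 port 40000 ssh2
Dec  1 10:00:15 tower sshd[2213]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
Dec  1 10:30:00 tower sshd[2215]: Failed password for root from 198.51.100.4 port 40100 ssh2
"""

# Syslog timestamp, host, sshd[pid], then OpenSSH's "Failed password" message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2019):
    """Return (timestamp, ip, user) for each failed login; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # Accepted logins and unrelated lines are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def brute_force_sources(events, threshold=5, window_seconds=600):
    """Map ip -> failure count for IPs with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, ip, _user in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged
```

Pointing `parse_failures` at the real `/var/log/syslog` shows how fast a single exposed port 22 fills the log even when every attempt fails.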
7 minutes ago, xman111 said:

so is it safe to port forward and use the reverse proxy?

Yes. No. Depends.

 

Each application that is responding to requests from the outside must be evaluated on its own merits.

 

Both of the applications you cite are heavily scrutinized for security issues, so as long as you keep abreast of security issues in your reverse proxy and those applications, it's "safe".

 

There is no such thing as a blanket statement of safe or not for any internet exposure. There is only degree of risk, which increases greatly when a security hole is found in one of the applications you are exposing.

Link to comment
