When you come across a wide open UNRAID server...

What do people here do when they come across a wide open unraid server accessible on the internet? Ideally I'd like to let the owner know just how exposed they are but other than renaming their server to something like "This server is open to the internet", I'm not sure of any other way.

 

In the last 24 hours I've come across about 5 such servers without specifically going looking for them. For now I've just left them alone and moved on, but I worry about them.

Turn them off?

Maybe use the built-in send notification functionality first? Would be a nice way to have them generate the popup or email or log it in syslog.

I wonder if we can add a feature to the GUI so that a user with root access can make an obvious loud big alert on the GUI that lasts at least 24 hours.

It would normally be utterly useless but would provide a means to alert the user in scenarios such as this.

12 hours ago, BRiT said:

Turn them off?

Every. Single. Time.

 

Eventually they will either figure out how to secure it, or they will post here or email Tom for help, or they will give up running unraid.

 

We don't need the bad publicity of somebody's hacked unraid server being used for some nefarious purpose, better to just shut it down so the bad guys can't use it.

 

One of the unintended consequences of leaving the server fully exposed is that somebody can easily steal your license. That's bad for limetech, in multiple ways.

Just wondering how do you discover such machines, by chance or by scanning the intranet/internet?
What are the most common mistakes from the users here, other than being oblivious to public exposure? Do they forget to change the default password?
 

  • Author

I stumbled across these when I was searching for what certain settings in the various config files were.

 

These servers had no password and I could access their boot mnt. Then I was able to run the webgui as well. Everything was open.

One option - if you can get to the command line, you could type something like this:

/usr/local/emhttp/webGui/scripts/notify -e "Your Unraid server is not secured" -s "I found your Unraid on the Internet without a password" -d "You need to secure this before someone hacks you" -i "alert"

That will give them a notification on the webgui and send them an email (if they have that configured)

 

Maybe change the banner also to a red one with a hint on it.

 

Edit:

Maybe don't change anything on the server for legal reasons.

Edited by bastl

There are a lot of Unraid servers exposed to the www. Shodan shows a lot of them; they are mostly secured with a password (the default login page).

I totally don't understand why people expose the GUI config to the www. Go use a VPN...

 

If I find an unprotected server I turn it off. Is it legal? Not sure, I'm not hacking them, there is no login required, so....

In the UK, I suspect any intervention may fall under the terms of the Computer Misuse Act. (I am not a lawyer, but I would prefer not to take my chances.)

This is an issue I have run into before:

 

Could it simply be someone who is trying to run some dockers online and fucked up their NAT settings? I don't view UNRaid as something a complete novice would get into, but I don't understand how one can screw up this badly, either.

If someone runs into an exposed unraid system, they should contact limetech and give them the license # so they can contact them and advise them on what to do next. Usually there is an email on file with them.

 

Maybe shut it down to prevent others from pwning it.

Edited by jordanmw

Archived

This topic is now archived and is closed to further replies.
