New User / 1st Time Setup ... Security Precautions... am I on the right path? Suggestions, comments?


questionbot

So I am in the process of setting up my 1st Unraid server. I am new to this kind of thing... but I've done a lot of youtubing and reading (well youtubing... I have basically been watching SpaceInvaders stuff) and this is what I am planning to do, and I would like your recommendations and comments and suggestions.

  • Setup Unraid WebUI to be HTTPS
  • Encrypt the entire array with passphrase
  • Add a Docker that I use with a commercial VPN (expressVPN) to route other dockers that access the web through it.
  • Add an OpenVPN / WireGuard to allow secure tunneling into my server from outside my local network to access files.
  • What about a good old-fashioned firewall? I've always used firewalls, but not seen them mentioned at all in relation to Unraid.

Setup Unraid WebUI to be HTTPS

  • I'm a little confused as to how to do this. I have been using SpaceInvaders tutorials and he does it on a much older version of Unraid and my version does not seem to have the same icons and buttons to click. So I am not sure how to do this.

Encrypt the entire array with passphrase

  • The downside of this is that I need to manually enter the password if the server reboots.... I assume I can use a keyfile, but would need a way to store it securely. Maybe copy it from a web server or something. I think for now entering the passphrase would be fine. I can look into keyfile options down the line.
  • SpaceInvader has a tutorial on this, but like the HTTPS thing, my version seems so different it is very hard to follow along.

Add a Docker that I use with a commercial VPN (expressVPN) to route other dockers that access the web through it.

  • SpaceInvader shows how to do this on his YouTube chan... it seems straightforward. The plan is to make a single "vpn" docker using expressVPN and route through it most, if not all, of the applications that will use the internet. So I do not need a zillion expressvpn licenses.

Add an OpenVPN / WireGuard to allow secure tunnelling into my server from outside my local network to access files.

  • One of my goals for this project is to have a private "dropbox" type thing, where I can access my files and backup to my server when freelancing in other offices. As I understand it, this is how to do this, by making a secure tunnel. I do not know what the difference between OpenVPN and WireGuard is, SpaceInvader uses OpenVPN in his tutorial.

What about a good old fashioned firewall?

  • When I did my test server I used Ubuntu Server and liked the experience so much I started to look at dedicated systems like this and OpenMediaServer / FreeNAS... but when I used Ubuntu, the first thing I did was put a firewall on it... but I can not seem to see much info on that with Unraid.. is a firewall something I do not need? Normally I just block all incoming of any kind apart from what I specifically allow.

Anyway... I'm new to all this and would like any thoughts about security with Unraid. I know it says "do not expose to the internet" and that it is not "hardened" and all that, but I still think there must be some precautions I can take.

Is there anything I got completely wrong, anything I need to do in addition or anything I need to do differently? Plus I would appreciate any thoughts you have and particularly be happy if you could point to tutorials on how to actually do it!

Thanks

Link to comment

You look like you're in pretty good condition to get going.. nothing too crazy here.

WebUI to https, there is an option in the GUI to enable it, but I haven't done it.... so won't try to give you the wrong advice. I believe you will need an SSL cert for it to work, but could be wrong.

Array encryption -- I use it now, and to be perfectly honest it's quite annoying. Thankfully I don't restart the server all that often. If you consider what the point of encryption is and then look at the implementation of the keyfile on Unraid, how it's typically used, it doesn't make any sense. If someone had physical access to the server -- which encryption is supposed to protect your data from -- the keyfile is typically stored, unencrypted and accessible, on the boot usb to start the array and expose your data.

Attempting to secure the key file brings its own set of problems but is able to be done (there are a few threads here already about this). My implementation doesn't work too well right now, it works fine if I'm rebooting the server but if I'm only restarting the array from a stopped state then it's a hassle to get running.

WireGuard / OpenVPN is basically the same thing. They are VPNs. The only potential problem with your idea on using it is that you would have to install software on the computers you are using in offices in order to connect to the VPN. So that brings up a couple potential problems. 1) The ability to install software might be restricted. 2) You just might not want to install software on the computers to begin with. 3) Are the office computers on a corporate network? The VPN software would take over control of the computer and take it "off" the company network. Those are all things you might have to contend with.

Link to comment

Cache encryption works the same as the data disks... stop all your dockers and whatever else has data on the cache drive, move that data off them... encrypt drive... replace data. There's some threads here talking about this... here's one I quickly looked at. Funny thought.... I never encrypted my cache drives.... whoops! Project for another day.. If you have SSDs as the cache, read the comments about TRIM support.. could potentially be an issue.

As for the parity drives..  you don't need to do anything with those.

Link to comment
