Security of unRAID servers


Marcel


I have spent the last couple of weeks to set up and test a VM server and a storage server both based on unRAID.

They are both supposed to contain 'mission critical' data. (I keep my movie collection and stuff like that on a conventional NAS)

 

In the forum I have read lots of statements like 'unRAID is definitely not safe' and the like.

 

Network security not being my field of expertise I would appreciate feedback on whether what I did to provide the best possible security for my two unRAID servers makes sense and whether I have to do more.

 

Thanks a lot!

 

Here is what I did:

 

regarding internet

  • both servers live behind the router firewall
  • no ports are forwarded to them whatsoever
  • specific rule in the router software for both servers to block:
      • all websites (HTTP, TCP ports 80, 3128, 8000, 8001, 8080)
      • all secure websites (HTTPS, TCP port 443)
      • news forums (NNTP, TCP port 119)
      • file transfers (FTP, TCP port 21)
      • telnet (TCP port 23)
      • SNMP (UDP ports 161, 162)
      • VPN-PPTP (TCP port 1723)
      • VPN-L2TP (UDP port 1701)

 

So basically the only things I have allowed are

  • SMTP (TCP 25) for the servers to be able to send me e-mail notifications on the UPS status etc
  • DNS (UDP port 53) so the unRAID servers can receive a name from the DNS server on the router to be displayed on devices within the LAN
  • NTP (UDP port 123) for time synchronization

 

regarding the LAN (to be implemented after testing and setup are completed)

  • flash drives not exported
  • all exported user shares use 'private' mode
  • using Yubikeys for ultra strong root passwords

 

Both unRAID servers have static local IP addresses and do not use the DHCP server in the router.

Link to comment

I'm a little confused here by what you did.

 

Under where you have the title "regarding internet", are these things you have specifically blocked? If they are, you don't need to specifically block them; they are blocked by default. Everything on your LAN should be pointed to your router's IP address for DNS, and unless you are running a DNS server, which I am sure you are not, you don't need to open port 53. For port 25, what SMTP server is your unRAID server using? It's not going to be able to send out emails on its own; it needs an SMTP server to use in order to send emails, so what are you pointing it to? NTP is OK to allow out, but are you pointing your unRAID servers to any NTP servers?

Link to comment

As a general measure the router does not do any port forwarding, so as far as I understand the unRAID servers are not directly exposed to the internet.

 

The sublist of items is blocked via a rule in the router - not for the entire LAN, just specifically for the unRAID servers. This prevents, for example, opening websites from within the local unRAID GUI.

 

No, I have not allowed/opened any port specifically. I just did not block SMTP, DNS and NTP since these will be used.

 

As for SMTP: within the notification setting in unRAID I have configured the SMTP server for the e-mail account I am using for the notifications.

As for NTP: I just left the default setting. So yes, it is pointing to an NTP server on the internet.

 

Link to comment

Sounds like you've got a pretty good handle on it. The "unraid isn't secure" mantra is based on people blindly allowing incoming ports forwarded to the server, or even worse, putting it in a DMZ or giving it an unfirewalled public IP. Also, since unraid isn't necessarily kept up to date with security patches, you should treat the server itself as compromised with respect to other members of your network, and only allow strictly necessary traffic out of the server.

 

This may sound overly paranoid to most people, but if you have major liability on the line if there is a compromise it's better to be overly paranoid.

 

I've seen some really cringeworthy posts on this forum, especially where VPN privacy is concerned. It seems some people don't understand the difference between hosting your own VPN so you control both endpoints, and installing a VPN client connected to a third party with no firewall between them and your unraid server.

Link to comment
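To make the difference between the original per-port blocklist and the "only allow strictly necessary traffic out" advice concrete, here is an added example (not from the thread or from any router firmware) that models both egress policies for the two unRAID hosts and evaluates constructed sample flows against them. The host addresses and sample flows are assumptions for illustration only.

```python
# Added example: models the two egress policies discussed in the thread and
# shows which flows the port blocklist still lets out of the unRAID hosts.
# The LAN addresses and sample flows below are constructed, not real.
from dataclasses import dataclass

UNRAID_HOSTS = {"192.168.1.10", "192.168.1.11"}  # assumed static LAN IPs

# Original approach: block a fixed list of destination ports, allow the rest.
BLOCKED = {("tcp", 80), ("tcp", 3128), ("tcp", 8000), ("tcp", 8001), ("tcp", 8080),
           ("tcp", 443), ("tcp", 119), ("tcp", 21), ("tcp", 23),
           ("udp", 161), ("udp", 162), ("tcp", 1723), ("udp", 1701)}

# Default-deny approach: allow only what the servers actually need.
ALLOWED = {("tcp", 25), ("udp", 53), ("udp", 123)}


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str
    dport: int


def blocklist_policy(flow: Flow) -> str:
    """Rule as the first post describes it: only the unRAID hosts are
    affected, and only the enumerated ports are dropped."""
    if flow.src in UNRAID_HOSTS and (flow.proto, flow.dport) in BLOCKED:
        return "drop"
    return "accept"


def allowlist_policy(flow: Flow) -> str:
    """Default-deny for the unRAID hosts: anything not explicitly needed is dropped."""
    if flow.src not in UNRAID_HOSTS:
        return "accept"  # other LAN devices are outside the scope of this rule
    return "accept" if (flow.proto, flow.dport) in ALLOWED else "drop"


def compare(flows):
    """Return the flows the blocklist lets out but the allowlist would drop."""
    return [f for f in flows if blocklist_policy(f) != allowlist_policy(f)]


SAMPLE_FLOWS = [
    Flow("192.168.1.10", "tcp", 25),    # notification e-mail: needed
    Flow("192.168.1.10", "udp", 123),   # NTP: needed
    Flow("192.168.1.11", "tcp", 443),   # HTTPS: dropped by both policies
    Flow("192.168.1.11", "tcp", 8443),  # alternate HTTPS port: not on the blocklist
    Flow("192.168.1.10", "tcp", 993),   # IMAPS: not on the blocklist
    Flow("192.168.1.10", "udp", 1194),  # OpenVPN default port: not on the blocklist
    Flow("192.168.1.50", "tcp", 443),   # a laptop: unaffected by either rule
]

if __name__ == "__main__":
    for f in compare(SAMPLE_FLOWS):
        print(f"{f.src} {f.proto}/{f.dport}: blocklist={blocklist_policy(f)} allowlist={allowlist_policy(f)}")
```

Running it lists the three constructed flows that the port blocklist still permits from the servers, which is the gap a default-deny egress rule closes.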


Not allowing HTTP will make plugin updates (including unRAID itself) non-functional. Furthermore lots of dockers are using either HTTP or HTTPS. Just letting you know :)

Link to comment

On a related point. At this time the only even vaguely secure version of unRAID is the RC line; however, it requires internet access to boot. I would assume HTTPS to a LT domain, but I haven't looked into it.

 

In my personal opinion only: requiring an internet-based server operated by a 3rd party to be both up and contactable before your local server will boot is not a viable option for any production system.

 

So until the next stable is released you have no elegant solution.

Link to comment

Thanks for the feedback so far!

 

@bonienl: I am aware of that. It's just one checkbox within the router software to temporarily allow the necessary things to the unRAID servers.

 

@NAS: I am aware of that too. I am hoping for a stable version to be released soon ;-) BTW, do you know why LT requires the internet access for beta or RC versions?

Link to comment

For -beta and -rc releases, of all key types, the server must validate at boot time. The reason is that this lets us "invalidate" a beta release. That is, if a beta gets out there with a major snafu, we can prevent it being run by new users who stumble upon the release zip file. For example, if there is a bug in P+Q handling. Remember the reiserfs snafu last year? We want to minimize that.

 

For stable releases, Basic/Plus/Pro keys do not validate at boot time, that is, works the same as it always has.

 

Starting with 6.2, Trials will require validation with key server.  This is in preparation for making the Trial experience easier.

 

See the original announcement of v6.2.0-beta18

 

Link to comment

I have an inquiry about this.

 

I run a Debian VM on Unraid, which serves as my webserver. It is protected with a public/private key and a good fail2ban setup.

Now, is there still a security risk through Unraid hosting this VM?

 

Cheers,

Adr

 

Edit:

I'm also using PMS via Docker, I share this Plex online (plex.tv), any risks involved with that? (Same principle, I believe)

Link to comment

The reality is that if you protect the ports with an external firewall, then the risk of being breached is close to identical to that if you hosted them directly. This is because the VM/docker layer is not really visible to the outside world (not 100% true, but let's not go down that rabbit hole).

 

That is the good news.

 

The bad news is what happens if someone exploits a vulnerability in your applications and gets root. At that point you are relying 100% on unRAID to protect you from attack escalation. The chances are you don't have a DMZ in this setup, as current unRAID does not lend itself to this. Also, this is where unRAID patching is critical. Docker/VM et al. need to be up to date to reduce the risk of a known exploit being abused to break out into the host. Currently there is no known exploit; however, there could be tomorrow, and this is why it is critical you apply security patches.

 

Currently the non beta unRAID is approximately 6 months behind with all security patches and over 1 year behind with Docker.

 

I would not recommend the current unRAID stable be internet facing at all as it is just too old. I cannot also recommend the current beta line as it requires a call home working to boot.

 

It is not all doom and gloom. It is just a matter of risk, and the risk is low IF you keep your applications and VMs bang up to date with security patches, but currently unRAID stable fails a security audit very, very badly.

Link to comment
