Best way to keep unraid secure?



I'm just looking for some tips on how to make sure that my unraid setup is secure from external sources?

 

I have set a complicated password on my root account, and have set up a user account (I can't seem to log in to the web interface using it though - is this normal?), set all my shares to private, with access only to people I want to have access.

 

Is there anything else I need to do, or can do, to ensure it's secure? I'm planning on storing some family photos on there - so want to ensure that it's as secure as I possibly can.

 

Thanks,

Stewart


Just to make sure the basics are covered - you should have it behind a good router/firewall and make sure that you're not allowing any incoming traffic through.  If you are forwarding ports, we'd need to know...  Are you concerned with attacks from the internet, within your local network, or both?

49 minutes ago, StuMcBill said:

Attacks from the internet would be my concern.

Then the unRAID security measures you outlined above are prudent, but don't ignore your router/firewall.  The first priority in keeping unRAID safe from internet attacks is stopping those attacks at your perimeter.  I'm not familiar with the Sky Q Hub but I'd check on reviews and configuration suggestions.  It looks like it is provided by your ISP, and maybe in the UK?  The Sky Q Hub might be great, but I wasn't comfortable with the cable modem/router that my ISP provided so I had them set it in bridge mode and installed my own router.


You can only log onto your unRAID server's GUI as root. HOWEVER, unless you have secured the actual user (or disk) shares of your data, they are wide open to all kinds of attacks, particularly via WiFi. (I have been told that WiFi security can usually be breached within an hour. Of course the perpetrator has to be within range.) I would also suggest that you secure your shares by changing the security level from Public to either Secure or Private. You can get to these settings by clicking on Shares, then on the share name and then on SMB Security Settings. Turn on Help (on tool bar of GUI) to get information on what level of protection each setting provides.

Edited by Frank1940

I'd personally disable Telnet via the Common Problems Plugin and enable SSH. I'd also disable Root Login for SSH, meaning you have to log in via a "user" then switch to "su" via console. More or less forces two layers of login vs straight to ROOT.

For the life of me I can't remember how I installed SSH, unless it's standard now. Something to research before disabling Telnet though.

9 minutes ago, kizer said:

I'd personally disable Telnet via the Common Problems Plugin and enable SSH. I'd also disable Root Login for SSH, meaning you have to log in via a "user" then switch to "su" via console. More or less forces two layers of login vs straight to ROOT.

For the life of me I can't remember how I installed SSH, unless it's standard now. Something to research before disabling Telnet though.

 

Actually, Telnet can be disabled via the 'Tips and Tweaks' plugin. And SSH is now a standard component of unRAID.

 

I can't recall any previous discussion about disabling login as root to SSH and using su after logging in as a user with root privileges.  Could you explain how you do this? 

5 hours ago, Frank1940 said:

 

Actually, Telnet can be disabled via the 'Tips and Tweaks' plugin. And SSH is now a standard component of unRAID.

 

I can't recall any previous discussion about disabling login as root to SSH and using su after logging in as a user with root privileges.  Could you explain how you do this? 

 

 

Hmmm, I installed a Plugin called ssh Plugin a while back from docgyver 2016.02.25.2 that no longer appears to be in the App section. It must have not been kept up or something.


I think this should be looked at and made an option for those that don't want to allow root access via the default install or with a small plugin or maybe add to "Tips and Tweaks". 

 

I just put in a request with that plugin and I guess we will see where it goes. 


Including the Disc shares?  It's easy to overlook them when locking down the shares that you have created, but unRAID creates a share for each drive, including the flash drive and cache drive.  I set the Export option for each of those to No unless I need access, and even then I restrict it as much as possible. 


You have left one hole open. You require that someone log into the server to have any access to the Shares. You have to make sure that you restrict them to read only access or you run the risk of ransomware infecting one of the clients and encrypting the entire share(s) connected to that client. Even then you will have to provide someone with read/write access which can be dangerous because you can't log out of a SMB share with rebooting the client. (In fact, you can't log out of an unRAID GUI session either but that is another story...)

 

I did come up with a scheme to get around most of these risks IF your data is primarily write once/read many. You can read about it here:

 

         https://forums.lime-technology.com/topic/58374-secure-writing-strategy-for-unraid-server-using-write-once-read-many-mode/#comment-572532

 

 

On 01/12/2017 at 5:55 PM, StuMcBill said:

I've made my shares private and turned off Telnet and SSH too.

 

Hopefully should be set.

 

Stewart

 

I have disabled telnet via tips and tweaks plugin.

 

I have restricted shares to private and only access via user when in Windows / Map network drives.

 

Is this the most I can do, accessing the webGUI via root but it's not showing https?

22 hours ago, Greygoose said:

Is this the most I can do, accessing the webGUI via root but it's not showing https?

Root is the only user that can access the Web GUI (if I have my facts straight, root is technically the only real Linux user). I did see if/where you mention what version you are running, but HTTPS for the web GUI is only available in the upcoming 6.4.0 release.

On 01/12/2017 at 11:50 PM, S80_UK said:

Including the Disc shares?  It's easy to overlook them when locking down the shares that you have created, but unRAID creates a share for each drive, including the flash drive and cache drive.  I set the Export option for each of those to No unless I need access, and even then I restrict it as much as possible. 

 

How would I go about that?

On 07/12/2017 at 7:46 PM, StuMcBill said:

 

How would I go about that?

Under the Shares tab in the UI, and beneath the user shares, you have a share for each disk in the system. Each has settings for exporting or not, user access, etc., the same as a user share. Also check flash and cache drives under the Main tab - they have similar properties that should be configured.
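
The two share checks discussed in this thread (guest-accessible shares, and per-drive shares left exported) can be scripted against Samba-style share definitions. The sketch below is an added example, not code from any poster or from unRAID; the sample config is constructed, and it assumes per-drive shares are named flash, cache or disk<N> and that a share is exported whenever it has a section.

```python
import configparser
import re

# Constructed sample in Samba share syntax; names and values are illustrative.
SAMPLE_CONF = """
[photos]
guest ok = no
[media]
public = yes
writeable = yes
[flash]
guest ok = yes
read only = yes
[disk1]
guest ok = no
"""

TRUE = {"yes", "true", "1"}
# Assumption: per-drive shares are named flash, cache or disk<N>.
DEVICE_SHARE = re.compile(r"^(flash|cache|disk\d+)$", re.IGNORECASE)

def _flag(section, names, default):
    # Samba accepts several synonyms per option; use the first one present.
    for name in names:
        if name in section:
            return section[name].strip().lower() in TRUE
    return default

def audit_shares(conf_text):
    """Map share name -> list of issues; shares with no issue are omitted."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    findings = {}
    for share in cp.sections():
        s = cp[share]
        guest = _flag(s, ("guest ok", "public"), False)  # Samba default: no
        if "read only" in s:                             # Samba default: yes
            writable = not _flag(s, ("read only",), True)
        else:  # writeable/writable/write ok are inverted synonyms of read only
            writable = _flag(s, ("writeable", "writable", "write ok"), False)
        issues = []
        if guest:
            issues.append("guest-writable" if writable else "guest-readable")
        if DEVICE_SHARE.match(share):
            issues.append("device-share-exported")
        if issues and share.lower() != "global":
            findings[share] = issues
    return findings

if __name__ == "__main__": print(audit_shares(SAMPLE_CONF))
```

A share that is private but still writable by a logged-in client is not flagged here; that exposure is the ransomware case raised earlier in the thread and needs read-only access rather than a config check.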
