StuMcBill Posted November 29, 2017 Share Posted November 29, 2017 I'm just looking for some tips on how to make sure that my unraid setup is secure from external sources? I have set a complicated password to my root account, and have setup a user account (I can't seem to login to the web interface using it though - is this normal), set all my shares to private, with access only to people I want to have access. Is there anything else I need to do, or can do to ensure its secure? I'm planning on storing some family photos on there - so want to ensure that its as secure as I possibly can. Thanks, Stewart Quote Link to comment
tdallen Posted November 29, 2017 Share Posted November 29, 2017 Just to make sure the basics are covered - you should have it behind a good router/firewall and make sure that you're not allowing any incoming traffic through. If you are forwarding ports, we'd need to know... Are you concerned with attacks from the internet, within your local network, or both? Quote Link to comment
StuMcBill Posted November 30, 2017 Author Share Posted November 30, 2017 I'm behind a Sky Q Hub, so possibly not the greatest router. Firewall seems to be activated on it, so hopefully that should be good. I don't have any ports forwarded. Attacks from the internet would be my concern. Quote Link to comment
tdallen Posted November 30, 2017 Share Posted November 30, 2017 49 minutes ago, StuMcBill said: Attacks from the internet would be my concern. Then the unRAID security measures you outlined above are prudent, but don't ignore your router/firewall. The first priority in keeping unRAID safe from internet attacks is stopping those attacks at your perimeter. I'm not familiar with the Sky Q Hub but I'd check on reviews and configuration suggestions. It looks like it is provided by your ISP, and maybe in the UK? The Sky Q Hub might be great, but I wasn't comfortable with the cable modem/router that my ISP provided so I had them set it in bridge mode and installed my own router. Quote Link to comment
Frank1940 Posted November 30, 2017 Share Posted November 30, 2017 (edited) You can only log onto your unRAID servers GUI as root. HOWEVER, unless you have secured the actual user (or disk) shares of your data, they are wide open to all kinds of attacks. Particularly via WiFI. (I have been told that WiFi security can usually be breached within a hour. Of course the perpetrator has to be within range.) I would also suggest that secure your shares by changing the security level from Public to either Secure or Private. You can get to these settings by clicking on Shares then on the share name and then on SMB Security Settings. Turn on Help (on tool bar of GUI) to get information on what level of protection each setting provides. Edited November 30, 2017 by Frank1940 Quote Link to comment
kizer Posted November 30, 2017 Share Posted November 30, 2017 I'd personally disable Telnet via the Common Problems Plugin and enable SSH. I'd also disable Root Login for SSH, Meaning you have to login via a "user" then switch to "su" via console. More or less forces two layers of login vs straight to ROOT. For the life of me I can't remember how I installed SSH, unless its standard now. Something to research before disabling Telnet thou. Quote Link to comment
Frank1940 Posted November 30, 2017 Share Posted November 30, 2017 9 minutes ago, kizer said: I'd personally disable Telnet via the Common Problems Plugin and enable SSH. I'd also disable Root Login for SSH, Meaning you have to login via a "user" then switch to "su" via console. More or less forces two layers of login vs straight to ROOT. For the life of me I can't remember how I installed SSH, unless its standard now. Something to research before disabling Telnet thou. Actually, Telnet can be disable via the 'Tips and Tweets' plugin. And SSH is now a standard component of unRAID. I can't recall any previous discussion about disabling login as root to SSH and using su after logging in as a user with root privileges. Could you explain how you do this? Quote Link to comment
kizer Posted November 30, 2017 Share Posted November 30, 2017 5 hours ago, Frank1940 said: Actually, Telnet can be disable via the 'Tips and Tweets' plugin. And SSH is now a standard component of unRAID. I can't recall any previous discussion about disabling login as root to SSH and using su after logging in as a user with root privileges. Could you explain how you do this? Hmmm, I installed a Plugin called ssh Plugin a while back from docgyver 2016.02.25.2 that no longer appears to be in the App section. It must of not been kept up or something. I think this should be looked at and made an option for those that don't want to allow root access via the default install or with a small plugin or maybe add to "Tips and Tweaks". I just put in a request with that plugin and I guess we will see where it goes. Quote Link to comment
StuMcBill Posted December 1, 2017 Author Share Posted December 1, 2017 I've made my shares private and turned off Telnet and SSH too. Hopefully should be set. Stewart Quote Link to comment
S80_UK Posted December 1, 2017 Share Posted December 1, 2017 Including the Disc shares? It's easy to overlook them when locking down the shares that you have created, but unRAID creates a share for each drive, including the flash drive and cache drive. I set the Export option for each of those to No unless I need access, and even then I restrict it as much as possible. Quote Link to comment
Frank1940 Posted December 2, 2017 Share Posted December 2, 2017 You have left one hole open. You require that someone log into into the server to have any access to the Shares. You have to make sure that you restrict them to read only access or you run the risk of Ramsomware infecting one of the clients and encrypting the entire share(s) connected to that client. Even then you will have to provide someone with read/write access which can be dangerous because you can't log out of a SMB share with rebooting the client. (In fact, you can't log out of an unRAID GUI session either but that is another story...) I did come with a scheme to get around most of these risks IF your data is primarily write once/read many. You can read about it here: https://forums.lime-technology.com/topic/58374-secure-writing-strategy-for-unraid-server-using-write-once-read-many-mode/#comment-572532 Quote Link to comment
Greygoose Posted December 6, 2017 Share Posted December 6, 2017 On 01/12/2017 at 5:55 PM, StuMcBill said: I've made my shares private and turned off Telnet and SSH too. Hopefully should be set. Stewart I have disabled telnet via tips and tweaks plugin. I have restricted shares to private and only access via user when in windows/ Map network drives Is this the most i can do, accessing the webGUI via root but its not showing https? Quote Link to comment
primeval_god Posted December 7, 2017 Share Posted December 7, 2017 22 hours ago, Greygoose said: Is this the most i can do, accessing the webGUI via root but its not showing https? root is the only user that can access the Web GUI, (if i have my facts straight root is technically the only real linux user). I did see if/where you mention what version you are running but Https for the web gui is only available in the upcoming 6.4.0 release. Quote Link to comment
StuMcBill Posted December 7, 2017 Author Share Posted December 7, 2017 On 01/12/2017 at 11:50 PM, S80_UK said: Including the Disc shares? It's easy to overlook them when locking down the shares that you have created, but unRAID creates a share for each drive, including the flash drive and cache drive. I set the Export option for each of those to No unless I need access, and even then I restrict it as much as possible. How would I go about that? Quote Link to comment
BRiT Posted December 7, 2017 Share Posted December 7, 2017 If you don't want any changes to be done to your files you could set them all as immutable and take other steps too. See this topic for info: Quote Link to comment
Greygoose Posted December 14, 2017 Share Posted December 14, 2017 Is encryption of drives possible with Unraid, I read a few months back it was but not tried. Quote Link to comment
Squid Posted December 14, 2017 Share Posted December 14, 2017 2 hours ago, Greygoose said: Is encryption of drives possible with Unraid, I read a few months back it was but not tried. With 6.4 yes Quote Link to comment
S80_UK Posted December 15, 2017 Share Posted December 15, 2017 On 07/12/2017 at 7:46 PM, StuMcBill said: How would I go about that? Under the Shares tab in the UI, and beneath the user shares, you have a share for eaach disk in the system. Each has setting for exporting or not, user access, etc., the same as a user share. Also check flash and cahe drives under the Main tab - they have similar properties that should be configured. Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.