Is my server secured?


Obi_One


Unraid is not/should not be considered secure and should never be exposed to the internet unless you take the additional needed steps to harden/secure the server yourself.

 

As for exposure to the internet, well that really depends on how your router is configured. Does it forward any ports to the unraid server?

 


Not to hijack your thread obi_one but for sake of discussion, it's known that allowing outside access to the web interface and unmenu shouldn't be done as they are not secured. But what about other plugins/docker containers/VMs? Can having ports open to access them cause a security risk? If so what steps should be taken to harden/secure the server?


At the very minimum opening ports exposes any security flaws in the daemon listening on that port, i.e. if you expose the sabnzb www server to the internet you expose any vulnerability it may have. Currently if someone compromises a docker service in this way they are siloed within that docker container and to the volumes you exposed.

 

If you also exposed ports to that container e.g. mysql to sab then in theory they could continue to escalate from there.

 

There is nothing very unRAID specific here but it is a can of worms because watching for attacks, identifying them and reacting to them is beyond most users (because essentially it's a skill that comes from doing it for a living).

 

So is all hope lost? No. The problem that needs to be addressed is that most users want a very small list of people to see a service, i.e. themselves, family and friends. Opening up a port to the whole internet to allow just these friends in is akin to opening a door and hoping no one but your friends knows to try it.

 

Firewalls with DynDNS rules can be used, and VPNs are the ultimate solution.

 

The reason I took time to write all this is that it really should be unRAID's job now to help users deal with this since it allows users to create services on a whim using docker. We can no longer just say "don't do it" and expect users not to.

 

 


Each port that is open is a security risk, and it changes day by day. The listening application at that port is what needs to be evaluated, for example, if you run an apache webserver, if it's up to date, chances are it's pretty secure. If you continue to use that same version for months on end, there may be a security issue found in that version that would be solved by updating. Each outward listening app has its own set of security risks that you need to be aware of. What I've done, and this is not speaking as a security expert, just as common sense, is set up a reverse proxy with SSL and password authentication to forward all my web portal pages through. That way I'm only exposing 1 port, and I can audit that connection easier than if I forwarded a bunch of ports for all the individual apps.

My server is for my family's use only and is not shared with anyone outside the home network;

it is used only within the confines of my home network.

I don't have anything fancy.

I do have

unmenu installed.

UPS monitor and warning via sending email installed.

wake on lan.

 

I don't know what a docker container or the sabnz thingy, apache server or mysql that people mention here a lot are. I don't use them.

 

How do I NOT allow the web interface and unmenu to be accessed from the internet?

 

Thanks for helping.

 

  • 1 month later...

How do I NOT allow the web interface and unmenu to be accessed from the internet?
Two questions. What is your unraid server's IP address? Have you changed any settings in your wireless router that reference open ports, port forwarding, servers, or DMZ?

 

I hope I'm not hijacking this thread, but if I run the unRAID WebGUI behind an SSL-enabled reverse proxy with .htaccess enabled, would that be secure enough to put to the outside world?

 

 


 

Everything is subjective but in my opinion that's enough steps to have a high confidence level of being safe (assuming the password doesn't suck). :)


 

Thanks NAS.  I only use dictionary words in my password, so I'm good ;)

  • 7 months later...

Are there any other Auth schemes I could use with a reverse proxy like nginx? I am kind of shying away from using htpasswd because of the fact that a logout cannot be implemented, at least easily, which has security implications if my wife or someone connects on an open network. Right now I have all traffic routed through https using ssl/TLS as soon as anyone hits my webserver. However I have not opened up any docker apps to the Internet until I can make sure I have a solid auth for access. Ideally it would play nice with other dockers that have their own logins such as owncloud etc.


I am shying away from recommending this approach now. Not because it is insecure per se but because it has a few major drawbacks for the general userbase (those that just want it to work and don't have any background in this kind of thing... aka most of them).

 

1. It's easy for a user to get the setup wrong

2. We are seeing users "set and forget it" considering it as the unbreakable uber solution

3. Patching containers is not automatic

4. We have no monitoring and alerting for it so in theory someone can sit for months trying to break in with little to no user feedback

 

From now on I recommend only VPN for remote access.

 

Ideally though for those users like yourself who are informed it is likely ok although ideally we would have two factor auth.

 

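Point 4 above (no monitoring or alerting, so someone can sit on your login prompt for months without you noticing) is the one gap a user can close on their own. The script below is an added example, not code from this thread and not part of unRAID or any poster's setup: it reads nginx access-log lines in the default "combined" format and reports any client that produced five or more HTTP 401 responses inside a ten-minute sliding window, which is what a reverse proxy with basic auth logs for every wrong password. The log lines are constructed for the example; the threshold, the window and the log path are assumptions you would tune to your own proxy.

```python
"""Flag clients that repeatedly fail reverse-proxy authentication.

Reads nginx access-log lines in the default "combined" format and reports
any client IP that produced `threshold` or more HTTP 401 responses within a
sliding time window. Run it from cron against /var/log/nginx/access.log
(assumed path) and mail the output; the sample lines below are constructed.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 hammers the login, 198.51.100.2 mistypes
# once and then succeeds, 192.168.1.20 is a LAN client that never fails.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2016:21:00:00 +0000] "GET /sab/ HTTP/1.1" 401 188 "-" "curl/7.47"',
    '198.51.100.2 - - [10/Oct/2016:21:00:10 +0000] "GET /sab/ HTTP/1.1" 401 188 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2016:21:00:30 +0000] "GET /sab/ HTTP/1.1" 401 188 "-" "curl/7.47"',
    '198.51.100.2 - dad [10/Oct/2016:21:00:40 +0000] "GET /sab/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2016:21:01:00 +0000] "GET /sab/ HTTP/1.1" 401 188 "-" "curl/7.47"',
    '203.0.113.7 - - [10/Oct/2016:21:01:30 +0000] "GET /sab/ HTTP/1.1" 401 188 "-" "curl/7.47"',
    '192.168.1.20 - - [10/Oct/2016:21:01:45 +0000] "GET /sab/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2016:21:02:00 +0000] "GET /sab/ HTTP/1.1" 401 188 "-" "curl/7.47"',
    '203.0.113.7 - - [10/Oct/2016:21:02:30 +0000] "GET /sab/ HTTP/1.1" 401 188 "-" "curl/7.47"',
    'this line is not in combined format and is skipped',
    '203.0.113.7 - - [10/Oct/2016:21:45:00 +0000] "GET /sab/ HTTP/1.1" 401 188 "-" "curl/7.47"',
]


def parse_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each client IP to the largest burst of 401s it produced inside `window`.

    Only clients that reach `threshold` are returned, so an empty dict means
    there is nothing to alert on. Lines are expected in chronological order,
    which is how the log is written.
    """
    recent = defaultdict(deque)   # ip -> timestamps of its 401s still inside the window
    flagged = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["status"] != 401:
            continue
        q = recent[entry["ip"]]
        q.append(entry["time"])
        while entry["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[entry["ip"]] = max(flagged.get(entry["ip"], 0), len(q))
    return flagged


def format_report(flagged):
    """One line per flagged client, ready to mail or append to a log."""
    return [f"{ip}: {n} failed logins within the window" for ip, n in sorted(flagged.items())]


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for line in format_report(find_bruteforce(source)):
        print(line)
```

Run without arguments it reports the constructed attacker only (`203.0.113.7: 6 failed logins within the window`); the single wrong password from 198.51.100.2 and the LAN client stay quiet. Pointing it at the real access log from cron, with the output mailed the same way the UPS warnings in this thread are, turns the "set and forget" proxy into something that at least tells you when it is being leaned on.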
  • 1 month later...

Allowing access to the outside via a Reverse Proxy is a good second to using a VPN.

 

Just make sure you're on SSL ONLY to the proxy and that it does some security checks for you. A good UTM often has this feature built in.

 

The proxy means you can stay on port 443 no matter what ports you need access to.

 

Security is all about managing risk, and the first step is understanding that risk.

 

 


 

I use a reverse proxy and forward all traffic on port 80 to port 443 and it's all behind a .htaccess

I love the convenience of it and it helps sharing stuff with family & friends, I also use a VPN to access my Unraid webui.

 

A VPN would be the best, but if anyone wants to try and teach my Dad and my Father-In-Law how to connect with a VPN then let me know and I'll send you their addresses.  ;D

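For anyone wanting to reproduce the setup just described (everything on 443, port 80 only redirecting, a single password prompt in front of the apps), the configuration below is an added example written for this thread; it is not any poster's actual config and not part of unRAID. Plain HTTP does nothing but redirect to HTTPS, the proxy speaks TLS 1.2 and 1.3 only, one htpasswd prompt covers every app behind it, and only the paths you list are published, with everything else answered by a 404. The hostname, certificate paths, htpasswd path and backend address are assumptions.

```nginx
# Added example: nginx as the single published entry point for several web apps.
# Hostname, certificate paths, htpasswd path and backend addresses are assumptions.

server {
    listen 80;
    server_name unraid.example.com;
    # Nothing is served in the clear; port 80 exists only to bounce to 443.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name unraid.example.com;

    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # One password prompt guards every app behind the proxy.
    # File created with:  htpasswd -B -c /etc/nginx/.htpasswd username
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Each published app gets its own path; the backend itself is never forwarded at the router.
    location /sab/ {
        proxy_pass http://192.168.1.10:8080/;   # assumed container address and port
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Deny by default: anything not listed above is not published.
    location / {
        return 404;
    }
}
```

The two points that matter for this thread's question are that only 443 is forwarded at the router, and that the `.htpasswd` entries are bcrypt (`-B`) so a leaked file is still slow to crack; a dictionary word as the password, as joked about above, undoes both.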


Set it up PPTP and it's basically the same thing as connecting to a wireless network.  OpenVPN isn't that much harder.

 

I'll let you know where to send the plane tickets to.

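For a reader who would rather follow the VPN-only advice given earlier in the thread than maintain a proxy, here is a minimal OpenVPN server configuration as an added example; it is not from any poster and not unRAID's own. It assumes certificates already issued with easy-rsa at the paths shown, a LAN of 192.168.1.0/24, and the default 1194/udp port. That one UDP port is then the only thing forwarded at the router, and the web interface and unmenu stay reachable only from the LAN or through the tunnel.

```text
# /etc/openvpn/server.conf  (added example; path, LAN subnet and key paths are assumptions)
port 1194
proto udp
dev tun

# Certificates and keys generated with easy-rsa; paths are assumptions
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0     # HMAC on the handshake: unsigned probes are dropped before TLS starts
remote-cert-tls client             # only certificates issued as client certs may connect

server 10.8.0.0 255.255.255.0              # addresses handed to VPN clients
push "route 192.168.1.0 255.255.255.0"     # assumed LAN, reachable only through the tunnel

cipher AES-256-GCM
auth SHA256
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn-status.log        # who is connected right now, for the monitoring gap noted earlier
verb 3
```

Each family member gets their own client certificate, so "logging someone out" is revoking one certificate on the server rather than changing a shared password, which is the logout problem the htpasswd approach was criticised for above.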

 

Do they live across the pond by you? If so I'd be more than happy to explain how to use a VPN! It will cost you two plane tickets though

 

I think you're both vastly underestimating the size of the task you're committing to.  And don't forget the 24 hour technical support you have to provide.  My father in law rang my wife on her mobile, whilst she was at work, last week to ask if I was at home, she said I was but asleep as I was on nights, five minutes later the home phone rang, and he feigned complete ignorance of the fact I was asleep...  ::)

 

To add insult to injury it was to ask for help with Windows 10 which he'd asked me if he should upgrade to 3 days before and I'd told him "No, it'll confuse you"  he agreed and said he'd leave it until we visited.  In the meantime, he decided to upgrade anyway and then has the cheek to ring me for advice.  But he's not a bad old man really.  And a lot of it can be attributed to him being in his mid 70s.

 

My folks live in Wolverhampton, and if you ask any of the Brits on here they wouldn't recommend travelling half way across the world to visit the place... 

 

It's not even the arse of the world, more like a festering boil on the arse of the world...  ;D

 

My in-laws on the other hand live in Cornwall. Which is a nice place..  ;)
