There really aren't many video's out there that talks about how to secure your unRaid server. Thanks for making this video. I am planning to build an unRaid server, and was wondering how to harden the security. I have a few questions: 1) Since unRaid needs to be connected to the internet at all times, is it prone to brute force attacks? If the root is compromised, it's game over! 2) Is it possible to access our unRaid server outside our network? If so, can we disable it? 3) Any firewall plugin / container you would recommend, and how does it impact the performance (read / write speeds)? 4) While installing Plex on unraid server itself, we need to we need to specify the media directory, does it mean that the Plex server has read/write permissions by default? The method mentioned in the video of creating multiple users for readonly & readwrite is exactly what I had in mind, however if the pc is compromised, I believe this would only be delaying the inevitable as a keylogger is all it needs to gather the readwrite credentials.
While this would certainly address the front-end aspect of security, it should be said that the latest ransomware targeting NAS servers, do not make use of network connectivity, but rather, where these work off the NAS OS itself, and by exploiting processes at the server level.
While this methods does work. It's not the best practice as they require to much user attention! For example there is zero protection if someone leaves PC 24/7 open. Once you login to the share it will stay connected to it until you logout from the PC. Also each user has to do this. The proper solution is to protect the data on the server side. Sadly Unraid does not have any solid methods right now. Best thing to protect from ransomware is snapshots. Hopefully we will see ZFS support soon! My best way to protect data is BACKUPs!!
Security is an interesting topic because very rarely can you find a 1 size fits all solution to a problem, and often times you'll find that a "defense in depth" approach is the best course of action when trying to protect against cyber threats. I would hardly say having someone type in login information when they need to write data is burdensome, but you are correct that the drive would be mounted until a reboot occurs or the drive is manually unmounted. You could also do something with PowerShell to dismount the drive after so many minutes as a possible work around. Another option would be to do something with a syncing / versioning program such as syncthing that would sync and version files from a r/w share to a none mounted share. The versioning would then give you protection against encrypted files. This might not work for everyone though depending on the amount / size of files and how often they are updated. Also a ransomware that encrypts files multiple times could in theory have a better chance at defeating this strategy depending on number of versions setup. You could also setup different shares with different permissions and for different users so that way not all files are lost. You could then also use a mover script to move files off of less secure shares or backup of that share to protect that data. I briefly touched on this in the video. You could also write lock specific files on the unraid side so that they cannot be touched unless unlocked. There is a script that can be used to do this but to me feels too "hands on" and would ruin my workflow. And of course as I mentioned in the video if there is any data you really care about and don't want to lose you should be doing offsite verified backups regularly on top of other preventative measures. This includes when using snapshots as snapshots stored on the same box are not actually a backup. Side note - you can run ZFS on unraid with a plugin. I haven't tried it but its been around since 2015 and appears to be supported still by the developer: forums.unraid.net/topic/41333-zfs-plugin-for-unraid/
If you have other suggestions on how to protect Unraid from ransomware (or just secure Unraid in general), let me know below!
There really aren't many video's out there that talks about how to secure your unRaid server. Thanks for making this video.
I am planning to build an unRaid server, and was wondering how to harden the security. I have a few questions:
1) Since unRaid needs to be connected to the internet at all times, is it prone to brute force attacks? If the root is compromised, it's game over!
2) Is it possible to access our unRaid server outside our network? If so, can we disable it?
3) Any firewall plugin / container you would recommend, and how does it impact the performance (read / write speeds)?
4) While installing Plex on unraid server itself, we need to we need to specify the media directory, does it mean that the Plex server has read/write permissions by default?
The method mentioned in the video of creating multiple users for readonly & readwrite is exactly what I had in mind, however if the pc is compromised, I believe this would only be delaying the inevitable as a keylogger is all it needs to gather the readwrite credentials.
Exactly the Information i was searching for. Thank you!
I'm glad the video was helpful!
Another great video well done!
Thank you!!
While this would certainly address the front-end aspect of security, it should be said that the latest ransomware targeting NAS servers, do not make use of network connectivity, but rather, where these work off the NAS OS itself, and by exploiting processes at the server level.
Thanks for a good explanation on how to secure shares in UnRaid
I'm glad you found it helpful!
Good video.
Thank you!
While this methods does work. It's not the best practice as they require to much user attention!
For example there is zero protection if someone leaves PC 24/7 open. Once you login to the share it will stay connected to it until you logout from the PC.
Also each user has to do this. The proper solution is to protect the data on the server side.
Sadly Unraid does not have any solid methods right now.
Best thing to protect from ransomware is snapshots. Hopefully we will see ZFS support soon!
My best way to protect data is BACKUPs!!
Security is an interesting topic because very rarely can you find a 1 size fits all solution to a problem, and often times you'll find that a "defense in depth" approach is the best course of action when trying to protect against cyber threats.
I would hardly say having someone type in login information when they need to write data is burdensome, but you are correct that the drive would be mounted until a reboot occurs or the drive is manually unmounted. You could also do something with PowerShell to dismount the drive after so many minutes as a possible work around.
Another option would be to do something with a syncing / versioning program such as syncthing that would sync and version files from a r/w share to a none mounted share. The versioning would then give you protection against encrypted files. This might not work for everyone though depending on the amount / size of files and how often they are updated. Also a ransomware that encrypts files multiple times could in theory have a better chance at defeating this strategy depending on number of versions setup.
You could also setup different shares with different permissions and for different users so that way not all files are lost. You could then also use a mover script to move files off of less secure shares or backup of that share to protect that data. I briefly touched on this in the video.
You could also write lock specific files on the unraid side so that they cannot be touched unless unlocked. There is a script that can be used to do this but to me feels too "hands on" and would ruin my workflow.
And of course as I mentioned in the video if there is any data you really care about and don't want to lose you should be doing offsite verified backups regularly on top of other preventative measures. This includes when using snapshots as snapshots stored on the same box are not actually a backup.
Side note - you can run ZFS on unraid with a plugin. I haven't tried it but its been around since 2015 and appears to be supported still by the developer: forums.unraid.net/topic/41333-zfs-plugin-for-unraid/