26 January 2020

Unraid OS 6.8.2 and General Security Tips


Unraid 6.8.2 is Now Available!

This is a bug fix and security update release. All users are highly encouraged to update.

Unraid 6.8.2 updates include:

  • The Intel IGB ethernet driver was replaced with the latest out-of-tree driver.
  • A LibreELEC/Kodi issue where NFS shares could not be browsed was fixed. The fix was to rebuild the rpcbind program, including a new option: enable-rmtcalls.
  • Fixed an encryption issue: if you first tried the 'keyfile' method to specify an encryption key and that failed, any attempt to enter a passphrase would also fail. Because a keyfile still existed, emhttpd used it as the encryption key. This is fixed in the webGUI by detecting the presence of an encryption keyfile and offering only to re-download a new keyfile or delete the current one. Once deleted, you can then enter a passphrase.
  • Small change to properly support custom SSL wildcard certs. 
  • Updated kernel, wireguard, other base packages.
  • Numerous webGUI fixes and refinements.

Please see the full announcement post for full details.  

Along with this release, please read below for some general security tips and best practices to follow to keep your Unraid server safe and secure!

Unraid General Security Tips and Best Practices 

By default Unraid OS is not specifically hardened against unintended use. The reason for this is to make it as easy as possible to verify that Unraid OS initializes and integrates properly with your hardware and appears correctly on your network. For example, after initially booting your server, you should see the 'flash' share appear on your network. If it does not show up, you have a basic issue to solve. If it does, then you can proceed with further configuration. 

A word of warning before we begin: Only forward ports you need for external access and avoid putting your Unraid server in the DMZ.

Once your server is initially configured, which includes assigning devices, creating a cache pool, creating shares, etc., then we recommend following some basic guidelines to harden your server against unintended access.

Add a Strong Root Password

As with all online accounts, it is important to create a strong password for your Unraid server. So first things first: in the webGUI, go to Users → select 'root' and click Add a Password. For Unraid version 6.8 and beyond, our new forms-based authentication login screen is compatible with all major password managers.


Consider Using Device Encryption

We recommend using xfs encryption for array disks and btrfs encryption for the cache pool. It is highly recommended that you encrypt before writing data to your server: if you want to convert to encrypted later, you will have to move all of your data off, reformat all of your drives and then move all of your data back on. Not fun. Use a strong encryption passphrase and make sure not to forget it. If it is forgotten, there is no way for anyone to recover your encrypted data! Also, be sure to view your passphrase and check that it decrypts your drives before initially transferring data over to your array.

Important Note on Passphrases: Enter a passphrase of up to 512 characters. It is highly advisable to only use the 95 printable characters from the first 128 characters of the ASCII table, as they will always have the same binary representation. Other characters may have different encoding depending on system configuration and your passphrase will not work with a different encoding. If you want a longer passphrase or to include binary data, upload a keyfile instead.
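The check described in the note above, as an added example (not Unraid's own code): it tests a candidate passphrase against the 512-character limit and the 95 printable ASCII characters, and shows how the bytes of a non-ASCII passphrase change with encoding and Unicode normal form. The function names and sample passphrases are constructed for illustration.

```python
import unicodedata

MAX_LEN = 512  # limit stated in the passphrase note
# The 95 printable ASCII characters: 0x20 (space) through 0x7E (~).
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}


def check_passphrase(passphrase):
    """Return a list of problems; an empty list means the passphrase is portable."""
    problems = []
    if not passphrase:
        problems.append("empty passphrase")
    if len(passphrase) > MAX_LEN:
        problems.append(f"{len(passphrase)} characters, limit is {MAX_LEN}")
    for pos, ch in enumerate(passphrase):
        if ch not in PRINTABLE:
            name = unicodedata.name(ch, "control character")
            problems.append(f"position {pos}: U+{ord(ch):04X} ({name})")
    return problems


def byte_forms(passphrase):
    """Hex of the bytes the same typed text can become on different systems."""
    forms = {
        "utf-8/NFC": unicodedata.normalize("NFC", passphrase).encode("utf-8"),
        "utf-8/NFD": unicodedata.normalize("NFD", passphrase).encode("utf-8"),
        "latin-1": passphrase.encode("latin-1", errors="replace"),
    }
    return {label: data.hex() for label, data in forms.items()}


def is_encoding_stable(passphrase):
    """True when every encoding above yields identical bytes."""
    return len(set(byte_forms(passphrase).values())) == 1


if __name__ == "__main__":
    # Constructed sample passphrases, not real secrets.
    for sample in ("correct horse battery staple", "caf\u00e9 au lait"):
        print(repr(sample), check_passphrase(sample) or "OK")
        for label, hexed in byte_forms(sample).items():
            print(f"  {label:10} {hexed}")
```

A passphrase that passes `check_passphrase` produces the same bytes in all three forms, which is why it keeps unlocking the drives regardless of the system's locale or keyboard input method.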

Restrict Share Access 

After ensuring your root password is strong, it is best to create other Users on your Unraid server and set the appropriate share access for each. If particular users don't need write access, make them read-only. Users can be created under the 'Users' tab, and Share and SMB security settings can be accessed by clicking on each individual user share under the 'Shares' tab.

Use Read Only shares whenever possible!

Users in Unraid are used to define access credentials for Shares. In general, from Windows Network Explorer on PC or Finder on Macs, when you click a server and see the shares and then click on a particular share, your PC or Mac will prompt you for the username/password to access that share. For username you must enter the name of a User you have created on the Unraid side, along with the password you created for that user. Once that is done, you will be granted access to the share.

Whether you are prompted for credentials or not depends on several settings:

  • If the share is marked Public (the default) then you won't have to enter any credentials and you will have full read/write access to the share.
  • If the share is marked Secure, you will be prompted for credentials, but whether you have read/write access to the share or just read-only is determined by whether your username is granted read/write access to the share in Unraid share settings.
  • If the share is marked Private, you will be prompted for credentials if and only if your username is granted read/write access to the share; otherwise, access to the share is denied.
  • Also, generally, once you have entered credentials once, you will not be prompted again unless something changes, e.g., password change on the Unraid side.
  • Finally, in the case of Windows, if you create a username on the Unraid side which exactly matches your Windows username, and the passwords also match, Windows will not prompt you to enter credentials.

Enable Email Notifications 

To truly stay in the know about your server, be sure to enable email notifications! When enabled, you will be notified about the general health of the system; plugin, container and server updates available to be downloaded; hard drives that are running poorly; system errors; and so forth. You can find the notification settings under the Settings tab → Notification Settings. You may also enable notifications via Telegram, Slack, Pushover, Pushbullet, Prowl, Notify My Android, Join, Gotify, and Boxcar under the same Notification Settings menu.


Keep Your Server Up to Date

An unfortunate reality in this day and age is the constant stream of security vulnerabilities and corresponding security updates. We are ever vigilant in quickly releasing updates for any and all security vulnerabilities found, and we routinely release bug fixes and new features to make this software more efficient, stable, and robust. With this in mind, we always recommend you keep your server up to date!

Along with keeping your OS up to date, keep all plugins, apps, containers and all other computers on your network up to date with security patches!

Configuring notifications for system updates is a must. You can choose how often to check for OS, plugin and container updates, array status and more in the Notification Settings menu of the Unraid webGUI pictured above.

What security practices do you use on your Unraid server?