25 March 2021

Unraid Security Best Practices

Please review your personal security practices and read and heed these best practices!

Unraid Servers Exposed to the Internet are Being Hacked

Root Password

The first thing you should do once you get your Unraid server up and running is set a strong root password. This will prevent unauthorized access to the webGUI.

Strong passwords are unique (not reused), have at least 8 characters (the more the better), are a combination of alphabetic, numeric, and special characters, and are not common dictionary words. Better yet, use a password manager.
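As an added example (not part of the original post and not Unraid's own code), here is a small POSIX shell function that applies the policy just stated to a candidate password: minimum length, alphabetic, numeric and special characters, and a check that the password is not just a common word padded with digits and symbols. The word list is a constructed sample standing in for a real dictionary.

```shell
#!/bin/sh
# Added example: check a candidate password against the policy above.
# WEAK_WORDS is a constructed sample list, not a real dictionary.
WEAK_WORDS="password welcome letmein unraid qwerty"

# check_password PASSWORD
# Prints one line per failed rule; returns 0 only when every rule passes.
check_password() {
    pw="$1"
    ok=0
    if [ "${#pw}" -lt 8 ]; then
        echo "too short (${#pw} chars, need at least 8)"; ok=1
    fi
    case "$pw" in *[A-Za-z]*) ;; *) echo "no alphabetic character"; ok=1 ;; esac
    case "$pw" in *[0-9]*)    ;; *) echo "no numeric character";    ok=1 ;; esac
    case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "no special character"; ok=1 ;; esac
    # Lower-case the password and drop everything that is not a letter, so
    # "Password1!" is still recognised as the dictionary word "password".
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z' | tr -cd 'a-z')
    for w in $WEAK_WORDS; do
        if [ "$lower" = "$w" ]; then echo "common dictionary word"; ok=1; fi
    done
    return $ok
}

# Demo on constructed inputs (never pass a real password on a shared command line).
for candidate in 'Password1!' 'short1!' 'Tr0ub4dor&3'; do
    if check_password "$candidate" >/dev/null; then
        echo "accepted: $candidate"
    else
        echo "rejected: $candidate"
    fi
done
```

The dictionary check is deliberately applied to the password with its digits and symbols removed; a password that only passes because of a trailing "1!" is not the unique, non-dictionary password the text asks for.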

To set your root password:

  1. In the Unraid webGUI navigate to Users.
  2. Select “root” and type in your preferred password in the fields.
  3. Click apply/done.

If you happen to forget your root password, the steps to reset it can be found here.

The 3.24.21 update of the Fix Common Problems plugin now checks whether a root password has been set.

Password Manager

Unraid 6.8 and beyond offers a forms-based authentication login screen that is compatible with all major password managers.

Is your password strong enough? The Dynamix Password Validator is available in Community Apps to help you find out.

Do Not Expose Servers to the Internet/DMZ

We highly, highly recommend not exposing your server to the internet or placing it in the DMZ of your router unless you know what you are doing and are following strong security protocols.

No matter how locked down you think you have your server, it is never advisable to place it in the DMZ on your network. By doing so, you are essentially forwarding every port on your public IP address to your server directly, allowing all locally accessible services to be remotely accessible as well. Regardless of how "locked down" you think you actually have the server, placing it in the DMZ exposes it to unnecessary risks.

Review Router Port Mappings

Forwarding ports to your server is required for specific services that you want to be Internet-accessible such as Plex, FTP servers, game servers, VoIP servers, etc. However, forwarding the wrong ports can expose your server to significant security risks. Here are just a few ports you should be extra careful with when forwarding:

  • Port 80: Used to access the webGui without SSL. DO NOT forward port 80. Forwarding this port will allow you to access the webGui remotely, but without SSL securing the connection, devices in between your browser and the server could "sniff" the packets to see what you're doing. If you want to make the webGui remotely accessible, install the Unraid.net plugin to enable My Servers on your system. This provides a secure remote access solution that utilizes SSL to ensure your connection is fully encrypted.
  • Port 443: Used to access the webGui with SSL. This is only better than port 80 if you have a root password set. If no root password is set and you forward this port, unauthorized users can connect to your webGui and have full access to your server. In addition, if you forward this port without using the Unraid.net plugin and My Servers, attempts to connect to the webGui through a browser will present a security warning due to the lack of an SSL certificate.

NOTE: When setting up Remote Access in My Servers, we highly recommend you choose a random port over 1000 rather than using the default of 443.

  • Port 445: Used for SMB (shares). If you forward this port to your server, any public shares can be connected to by any user over the internet. Generally speaking, it is never advisable to expose SMB shares directly over the internet. If you need the ability to access your shares remotely, we suggest utilizing a Wireguard VPN to create a secure tunnel between your device and the server. Also, if the flash device itself is exported using SMB and this port is forwarded, its contents can easily be deleted and your license key could easily be stolen. Please don't do this.
  • Port 111/2049: Used for NFS (shares). While NFS is disabled by default, if you are making use of this protocol, just make sure you aren't forwarding these ports through your router. Similar to SMB, just utilize Wireguard to create a secure tunnel from any remote devices that need to connect to the server over NFS.
  • Port 22/23: Used by Telnet and SSH for console access. Especially dangerous for users that don't have a root password set. Similar to SMB, we don't recommend forwarding these ports at all, but rather, suggest users leverage a Wireguard VPN connection to connect using either of these protocols.
  • Ports in the 57xx range: These ports are generally used by VMs for VNC access. While you can forward these ports to enable VNC access remotely for your VMs, the better and easier way to do this is through installing the Unraid.net plugin and enabling My Servers. This ensures that those connections are secure via SSL and does not require individual ports to be forwarded for each VM.
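Reviewing the router's forwarding table is only half of the check; the other half is knowing which of the ports above are actually listening on the server so you can compare the two lists. The following shell script is an added example (not part of the original post and not an Unraid tool): it classifies port numbers against the list above, extended with port 21 for FTP, which the next section discusses. Run with `--live` it reads the server's listening TCP ports from `ss` (or `netstat` as a fallback); run without arguments it uses a constructed sample so it can be read and tested offline.

```shell
#!/bin/sh
# Added example: flag listening ports that should not be forwarded from the router.
# The port-to-risk mapping follows the list in the post; port 21 (FTP) is added.

# risk_for_port PORT -> prints why the port matters; returns 1 if the port is not listed.
risk_for_port() {
    case "$1" in
        80)           echo "80: webGui without SSL, never forward" ;;
        443)          echo "443: webGui with SSL, needs a root password; prefer My Servers" ;;
        445)          echo "445: SMB shares, use a WireGuard tunnel instead of forwarding" ;;
        111|2049)     echo "$1: NFS, use a WireGuard tunnel instead of forwarding" ;;
        21)           echo "21: FTP, disable it unless it is needed" ;;
        22)           echo "22: SSH console, use a WireGuard tunnel instead of forwarding" ;;
        23)           echo "23: Telnet console, disable it and use SSH or the web terminal" ;;
        57[0-9][0-9]) echo "$1: VM VNC, use My Servers rather than forwarding each VM" ;;
        *)            return 1 ;;
    esac
}

# audit_ports reads one port number per line on stdin and prints one line per listed port.
audit_ports() {
    while read -r p; do
        [ -n "$p" ] || continue
        if risk_for_port "$p"; then :; fi
    done
    return 0
}

# listening_ports prints the local TCP ports in LISTEN state, one per line.
listening_ports() {
    {
        if command -v ss >/dev/null 2>&1; then
            ss -tln 2>/dev/null | awk 'NR>1 {print $4}'
        else
            netstat -tln 2>/dev/null | awk 'NR>2 {print $4}'
        fi
    } | sed 's/.*://' | sort -un
}

if [ "${1:-}" = "--live" ]; then
    listening_ports | audit_ports
else
    # Constructed sample: what a server with the webGui, SMB, SSH, one VM's VNC
    # console and a harmless application port might show.
    printf '%s\n' 80 443 445 22 5701 32400 | audit_ports
fi
```

Anything the script prints is a port that, per the list above, should not appear as a forwarding rule on the router; ports it stays silent on (32400 in the sample) still deserve a look, but they are at least not on the known-risky list.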

Disable USB Export, Telnet and FTP

After the initial Unraid server setup, on Main→Flash adjust the USB Security Settings to Export: No or, at minimum, "Yes (hidden)".

Unless TELNET or FTP is being used for a specific reason, disable them.

For TELNET go to Settings→Management Access and set "Use TELNET" to No and click Apply. SSH or the web terminal in the GUI are secure TELNET alternatives.

To disable FTP, go to Settings→Network Services→FTP Server, select Disable, and click Apply.

Restrict Share Access

Use Read-Only shares whenever possible! Create other Users on your Unraid server and set the appropriate share access for each user. If particular users don't need write access, make them read-only.

Users can be created under the 'Users' tab and Share and SMB security settings can be accessed by clicking on each user share under the 'Shares' tab.

Users in Unraid are used to define access credentials for Shares. In general, from Windows Network Explorer on PC or Finder on Mac, when you click on a particular share, your PC or Mac will prompt you for the username/password to access that share. For username, you must enter the name of a User you have created on the Unraid side, along with the corresponding password. Once that is done, you will be granted access to the share. Whether you are prompted for credentials or not depends on several share and SMB security settings.

Generally, once you have entered the credentials once, you will not be prompted again unless something changes, e.g., password change on the Unraid side.

Finally, in the case of Windows, if you create a username on the Unraid side which exactly matches your Windows username, and the passwords also match, Windows will not prompt you to enter credentials.
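The quickest way to see whether the share settings above have actually produced read-only and authenticated shares is to read the Samba configuration the server is serving. The script below is an added example, not part of the original post and not an Unraid tool: it parses Samba-style share definitions and reports, per share, whether guests can write, guests can only read, or credentials are required. It assumes Unraid writes its user shares to `/etc/samba/smb-shares.conf`; if your server keeps them elsewhere, point it at that file. The embedded configuration is a constructed sample.

```shell
#!/bin/sh
# Added example: classify Samba shares by guest access and writability.
# Handles the Samba synonyms "public"/"guest ok" and "writeable"/"writable"/
# "write ok"/"read only"; defaults are Samba's own (no guest access, read-only).

# classify_shares reads share definitions on stdin and prints
# "<share>\t<guest-writable|guest-readonly|authenticated>" per share.
classify_shares() {
    awk '
    BEGIN { OFS = "\t" }
    function norm(v) { return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
    function emit() {
        if (name == "" || tolower(name) == "global") return
        if (guest == "yes") print name, (writable == "yes" ? "guest-writable" : "guest-readonly")
        else print name, "authenticated"
    }
    /^[ \t]*\[/ {                       # new [section]
        emit()
        name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
        guest = "no"; writable = "no"
        next
    }
    /^[ \t]*[#;]/ { next }              # comment
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
        if (key == "public" || key == "guest ok") guest = norm(val)
        if (key == "writeable" || key == "writable" || key == "write ok") writable = norm(val)
        if (key == "read only") writable = (norm(val) == "yes") ? "no" : "yes"
    }
    END { emit() }'
}

# guest_writable_shares prints only the share names anyone on the network can write to.
guest_writable_shares() {
    classify_shares | awk -F'\t' '$2 == "guest-writable" { print $1 }'
}

# Constructed sample configuration (not taken from a real server).
sample_smb_conf() {
    cat <<'EOF'
[global]
    workgroup = WORKGROUP
[Movies]
    path = /mnt/user/Movies
    public = yes
    writeable = yes
[Docs]
    path = /mnt/user/Docs
    guest ok = yes
    read only = yes
[Private]
    path = /mnt/user/Private
    public = no
    writeable = yes
EOF
}

# Demo on the sample. On an Unraid server (assumed path):
#   classify_shares < /etc/samba/smb-shares.conf
sample_smb_conf | classify_shares
echo "guest-writable shares:"
sample_smb_conf | guest_writable_shares
```

Every share listed as guest-writable is one where the advice above applies directly: either make it read-only or switch it to a user-based security setting so that only the Users you created can write to it.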

Keep Your Server Up to Date

An unfortunate reality in this day and age is a constant stream of security vulnerabilities and corresponding security updates. We are vigilant in quickly releasing updates for any and all security vulnerabilities found, and we routinely release bug fixes and new features to make Unraid more efficient, stable, and robust. With this in mind, we always recommend you keep your server up to date!

Along with keeping your OS up to date, keep all plugins, apps, containers, and all other computers on your network up to date with security patches!

Configuring Update Notifications can be done in Settings→Notification Settings.

Other Best Practices

Note: This is not an exhaustive list. Let us know what we missed in the forums!
