IOwnCalculus
Apr 2, 2003





Seriously, don't do it.

Even if the answer is "I need to be able to manage *arr from my phone anywhere" enabling a Wireguard VPN takes two taps, and Wireguard is absolutely going to be better secured than anything else you could possibly expose.


Nitrousoxide
May 30, 2011

do not buy a oneplus phone



Matt Zerella posted:

Just a note, I think I've said it before but do not expose anything if it doesn't support Single Sign On or 2FA.

Basic auth even over SSL is not enough.

I edited this in to my post, but yes, you should absolutely implement fail2ban or other brute force protections like 2FA or SSO if you're exposing anything to the internet at large. This does increase the complexity of your implementation. Something like https://hub.docker.com/r/authelia/authelia#! would work for this. Though I don't know if it works for NGINX. It works for Traefik, which is another implementation of a reverse proxy, though one I'm not familiar with.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Nitrousoxide posted:

I edited this in to my post, but yes, you should absolutely implement fail2ban or other brute force protections like 2FA or SSO if you're exposing anything to the internet at large. This does increase the complexity of your implementation. Something like https://hub.docker.com/r/authelia/authelia#! would work for this. Though I don't know if it works for NGINX. It works for Traefik, which is another implementation of a reverse proxy, though one I'm not familiar with.

Iberocorp has a bunch of videos for Authelia on YouTube. It's UnRAID focused but will work fine for any Docker-based deployment.

The big problem I have with it is it's fine as a gatekeeping mechanism (kind of) but it doesn't pass the token through to your underlying service.

Still better than nothing and not any knock against it. Honestly though I still wouldn't expose anything I don't have to.

My only open services are Overseerr (only Plex login), Nextcloud (2FA enforced), and Plex. Everything else is behind Wireguard.

Scruff McGruff
Feb 13, 2007

Jesus, kid, you're almost a detective. All you need now is a gun, a gut, and three ex-wives.

Matt Zerella posted:

Iberocorp has a bunch of videos for Authelia on YouTube. It's UnRAID focused but will work fine for any Docker-based deployment.

The big problem I have with it is it's fine as a gatekeeping mechanism (kind of) but it doesn't pass the token through to your underlying service.

Still better than nothing and not any knock against it. Honestly though I still wouldn't expose anything I don't have to.

My only open services are Overseerr (only Plex login), Nextcloud (2FA enforced), and Plex. Everything else is behind Wireguard.

Came here to say almost exactly this. Can definitely recommend both Ibracorp and Spaceinvader One's tutorials for all of this, from NGINX Reverse Proxy to DuckDNS to Cloudflare to Wireguard to Authelia. I can also say from personal experience that unRAID is pretty great if you're new to Linux/Docker, but like Matt said, you can still use the guides with regular docker deployments.

That Works
Jul 22, 2006

Every revolution evaporates and leaves behind only the slime of a new bureaucracy


I know it's a bit off-topic for the thread but we're talking about it anyway already.

I am still getting my head around most networking stuff and I'd like to be able to occasionally remotely access my Unraid NAS at home. So it seemed that setting up Wireguard (as mentioned above) on it would work, but one of the first things for Wireguard to run is to enable UPnP.

https://forums.unraid.net/topic/84226-wireguard-quickstart/

How is that different from opening up a port on the router? Am I just not understanding some basic thing or?

From reading here and elsewhere I was all "Ok I don't need to set up a reverse proxy on the NAS and don't want to open up any ports so instead I should VPN to it, ok Wireguard... opens a port... :confused: "

Sorry if this is super naive.

Nitrousoxide
May 30, 2011

do not buy a oneplus phone



That Works posted:

I know it's a bit off-topic for the thread but we're talking about it anyway already.

I am still getting my head around most networking stuff and I'd like to be able to occasionally remotely access my Unraid NAS at home. So it seemed that setting up Wireguard (as mentioned above) on it would work, but one of the first things for Wireguard to run is to enable UPnP.

https://forums.unraid.net/topic/84226-wireguard-quickstart/

How is that different from opening up a port on the router? Am I just not understanding some basic thing or?

From reading here and elsewhere I was all "Ok I don't need to set up a reverse proxy on the NAS and don't want to open up any ports so instead I should VPN to it, ok Wireguard... opens a port... :confused: "

Sorry if this is super naive.

You still need to open a port for Wireguard. But since it's the only service listening on that port, and it will only respond to those that have the right secret encryption key (which your client will have), even if people try to use that port as an ingress point to your network, nothing will respond to them since they don't have the right key.

Nitrousoxide fucked around with this message at 17:56 on Dec 5, 2021

CopperHound
Feb 14, 2012

Manually forwarding the port with UPnP disabled is the more secure option. The functionality will be the same without giving malware on your LAN an easy way to punch through your firewall.

CopperHound fucked around with this message at 17:56 on Dec 5, 2021

IOwnCalculus
Apr 2, 2003





Opening up a port in general is only as "bad" as the application you are opening up that port to. Even the worst home routers are still good enough at their job that the act of opening a port does not expose any other part of your network to attack. All you're doing is saying that traffic from the internet to your router on a specific port gets allowed through your firewall to a specific port on a specific IP behind the firewall - and that's it.

Enabling UPnP is worse than just opening a port because anything on your network that uses UPnP can ask to open a port. The problem here is that you don't know what on your network is going to do that, and you don't know how secure any of those devices are. You don't need to enable UPnP to use Wireguard, you'll just need to open/forward a port (probably UDP 51820) manually to your Unraid box with Wireguard enabled.

The reason to expose Wireguard to the internet and not *arr or NZBget or whatever is that Wireguard is a purpose-built VPN solution. It receives frequent updates, and it has a developer community that treats security as the highest priority. If there is ever a security vulnerability in Wireguard, I would expect it to be discovered fairly quickly and patched even sooner. Compared to that, all the other applications that you run on your server are probably supported by smaller groups of developers, and those developers are going to be focused on lots of things other than just security. It's safe to assume that those applications are going to be more likely to have vulnerabilities, and more likely to have those vulnerabilities persist for long enough for it to become an issue.

It's also minimizing the number of ways someone can attack your server. If you have ten different apps all running and forwarded directly to the internet, that's ten different ways someone could possibly exploit your server. If you only have Wireguard exposed, then that's the only way someone can attack your server.

This eventually turns into a security-versus-usability scenario, where you have to pick and choose what you can live with accessing behind a VPN and what needs to be outside of the VPN. Something like Plex with paid developers and an extremely large install base, that also depends on things like smart TVs being able to access it? Yeah, that's a necessary evil to expose outside of the VPN if you want to share it at all. Nextcloud is also fairly safe to expose, especially if you keep it up to date. But anything beyond that, I'd lock behind Wireguard.
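The single-open-port layout IOwnCalculus describes, written out as an added example (not from the thread or from Unraid): a server-side wg0.conf plus an nftables ruleset where the WAN interface may deliver nothing but UDP 51820, and a small audit that counts the WAN-facing accept rules. The WAN interface name, tunnel and LAN ranges, and the key strings are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: renders the two pieces of config that
# make WireGuard the only door into a Linux host such as an Unraid box, then
# checks that nothing else is reachable from the WAN. Assumptions: the router
# manually forwards UDP 51820 to this host (UPnP off), the WAN interface and
# LAN range are as set below, and the key values are placeholders to be
# replaced with real keys from `wg genkey` / `wg pubkey`.

WG_PORT=51820
WG_SERVER_ADDR=10.200.0.1/24     # tunnel address of this host (constructed)
LAN_NET=192.168.1.0/24           # home LAN range (constructed)

# wg0.conf for the server side. WireGuard answers a handshake only if the
# sender's public key is listed as a peer; anything else is silently dropped,
# which is why the open port by itself gives a scanner nothing to talk to.
render_wg_conf() {
  server_priv=$1; peer_pub=$2; peer_ip=$3
  cat <<EOF
[Interface]
Address = $WG_SERVER_ADDR
ListenPort = $WG_PORT
PrivateKey = $server_priv

[Peer]
# phone or laptop
PublicKey = $peer_pub
AllowedIPs = $peer_ip/32
EOF
}

# nftables ruleset for the host. Default policy drop; the WAN interface may
# only deliver the WireGuard port, while *arr, NZBget and friends are reachable
# from the LAN or through the tunnel (wg0) only.
render_nft_rules() {
  wan_if=$1
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    iif "$wan_if" udp dport $WG_PORT accept
    iif "wg0" accept
    ip saddr $LAN_NET accept
  }
}
EOF
}

# Audit helper: count the rules that accept fresh traffic arriving on the WAN
# interface. For the posture above the answer must be exactly 1 (WireGuard).
count_wan_accepts() {
  wan_if=$1
  render_nft_rules "$wan_if" | grep -c "iif \"$wan_if\" .* accept"
}

# Stand-alone usage (`sh this.sh run`): write both files and report the count.
main() {
  render_wg_conf PLACEHOLDER_SERVER_PRIVATE_KEY PLACEHOLDER_PEER_PUBLIC_KEY \
    10.200.0.2 > wg0.conf
  render_nft_rules eth0 > wg-only.nft
  echo "WAN-facing accept rules: $(count_wan_accepts eth0)"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Load the ruleset with `nft -f wg-only.nft` and bring the tunnel up with `wg-quick up wg0` once real keys are in place; re-run `count_wan_accepts` after any firewall edit to confirm the count is still 1.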

That Works
Jul 22, 2006

Every revolution evaporates and leaves behind only the slime of a new bureaucracy


Thanks very much all that really cleared things up for me.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
If you want a VPN built on WireGuard that doesn't need a hole punched in your firewall, look into Tailscale.

Keito
Jul 21, 2005

WHAT DO I CHOOSE ?

Matt Zerella posted:

If you want a VPN built on WireGuard that doesn't need a hole punched in your firewall, look into Tailscale.

And while Tailscale is excellent, if you'd like to be self-hosting instead of handing core network infrastructure control off to a company's servers, there's the Headscale project.

tuyop
Sep 15, 2006

Every second that we're not growing BASIL is a second wasted

Fun Shoe

tuyop posted:

My Overseerr install is pretty slow. Like up to a full minute to load any of the movie posters even when I’m on my LAN.

I installed it using docker-compose on a debian vm with 3 cores of a Ryzen 3600/4gb of RAM. Is that just not beefy enough or what? I tried adding more but it didn’t seem to matter.

Followup on this, I was able to get it running perfectly by running the Docker container on my Synology 218+ instead of my Debian VM. Don't know why it didn't like the VPN so bad but vOv.

CopperHound
Feb 14, 2012

I've been spending the past week or two giving myself a crash course on self-hosted Kubernetes clusters. I just barely got the self-contained HA control plane and load balancer figured out along with basic ingress with Traefik. If I find it at all practical for home use I'll try posting a guide to get some basic stuff hosted.


Holy hell this is a steep learning curve compared to unraid docker containers.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

CopperHound posted:

I've been spending the past week or two giving myself a crash course on self-hosted Kubernetes clusters. I just barely got the self-contained HA control plane and load balancer figured out along with basic ingress with Traefik. If I find it at all practical for home use I'll try posting a guide to get some basic stuff hosted.


Holy hell this is a steep learning curve compared to unraid docker containers.

Are you doing this for learning or have you watched too much TechnoTim on YouTube?

CopperHound
Feb 14, 2012

Matt Zerella posted:

Are you doing this for learning or have you watched too much TechnoTim on YouTube?

What got this started was me wanting to have a DHCP server integrated with local DNS so I could just type whateverhostname.local.mydomain, and my current router doesn't support that. I also want some fault tolerance, so one computer going down doesn't break my whole network.

I probably should just figure out how to do failover with pihole.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

CopperHound posted:

What got this started was me wanting to have a DHCP server integrated with local DNS so I could just type whateverhostname.local.mydomain, and my current router doesn't support that. I also want some fault tolerance, so one computer going down doesn't break my whole network.

I probably should just figure out how to do failover with pihole.

If you want "easy mode" for Kubernetes, look into Rancher.

CopperHound
Feb 14, 2012

Matt Zerella posted:

If you want "easy mode" for Kubernetes, look into Rancher.

Sure was hard for me to figure out how to get easy mode up and running, but now I got that far. I think my next step is to wrap my brain around Longhorn, then Kompose.

George RR Fartin
Apr 16, 2003




CopperHound posted:

I've been spending the past week or two giving myself a crash course on self-hosted Kubernetes clusters. I just barely got the self-contained HA control plane and load balancer figured out along with basic ingress with Traefik. If I find it at all practical for home use I'll try posting a guide to get some basic stuff hosted.


Holy hell this is a steep learning curve compared to unraid docker containers.

I'd honestly be super interested in a write-up. I've been teaching myself a lot of stuff with docker/ansible and such, and the more accessible "this is what this is and how to set it up" the merrier. I find practical explanations and walkthroughs are much easier to grasp than the more dry "this is how roles work" without useful context.

BlankSystemDaemon
Mar 13, 2009



CopperHound posted:

I've been spending the past week or two giving myself a crash course on self-hosted Kubernetes clusters. I just barely got the self-contained HA control plane and load balancer figured out along with basic ingress with Traefik. If I find it at all practical for home use I'll try posting a guide to get some basic stuff hosted.


Holy hell this is a steep learning curve compared to unraid docker containers.

Kubernetes is made for hyperscalers that need massive scale-out orchestration.
Nobody else should ever touch it, ever, on penalty of being tickled.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

BlankSystemDaemon posted:

Kubernetes is made for hyperscalers that need massive scale-out orchestration.
Nobody else should ever touch it, ever, on penalty of being tickled.

Whole lot of people use their homelabs to host things and learn. K3s is perfectly fine for an Arr/Plex/Downloading setup.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Feels like this has a lot of crossover with our homelab thread

https://forums.somethingawful.com/showthread.php?threadid=3945277

BlankSystemDaemon
Mar 13, 2009



Matt Zerella posted:

Whole lot of people use their homelabs to host things and learn. K3s is perfectly fine for an Arr/Plex/Downloading setup.

Sure, but K3s isn't Kubernetes.

The point I was trying to make is that Kubernetes was made to solve a very specific issue, which is orchestration of massive scale-out workloads that are only encountered by hyperscalers.

Can you use Kubernetes for your homelab to learn the basics? Sure, but you're not going to learn about the things that make it make sense for the hyperscalers.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

BlankSystemDaemon posted:

Sure, but K3s isn't Kubernetes.

The point I was trying to make is that Kubernetes was made to solve a very specific issue, which is orchestration of massive scale-out workloads that are only encountered by hyperscalers.

Can you use Kubernetes for your homelab to learn the basics? Sure, but you're not going to learn about the things that make it make sense for the hyperscalers.

You'll still have the joy of not properly formatting your YML and debugging it for hours until you see the errant space.

BlankSystemDaemon
Mar 13, 2009



Matt Zerella posted:

You'll still have the joy of not properly formatting your YML and debugging it for hours until you see the errant space.

I mean if that's what you're into, you can get your kicks from basically anywhere else that isn't UCL.

tuyop
Sep 15, 2006

Every second that we're not growing BASIL is a second wasted

Fun Shoe

CopperHound posted:

What got this started was me wanting to have a DHCP server integrated with local DNS so I could just type whateverhostname.local.mydomain, and my current router doesn't support that. I also want some fault tolerance, so one computer going down doesn't break my whole network.

I probably should just figure out how to do failover with pihole.

I’ve been idly trying to figure that out for years. Like, especially over a vpn.

Less Fat Luke
May 23, 2003

Exciting Lemon
I use a pair of Raspberry Pis for DNS servers and a Wireguard VPN; the iOS client is set to always use a VPN for connections, and it then in turn uses internal DNS to my network so I can access local services with the proper hostnames, and so that the DNS goes through Pi-hole.

For resiliency purposes I'm running BIND on both the Pis, and that is configured to forward requests to the Pi-hole container but only if it's responding. Works pretty well in practice, the only downside is that the Pi-hole reports won't break things down by the real client names but eh whatever.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
So I posted my 'Self-Hosting' in the Homelab thread, but I'm on the opposite side of the spectrum: I run a Dell M1000e Bladecenter and two M915 blade servers that host all my VMs, they are segmented off by virtual switches and firewalls for the Homelab, Production, and Lab environments.

I'm running OpenVPN and WireGuard, the OpenVPN is for classes so I can manage connections for students to the Evil Corp lab environment. All this stuff lives on a TrueNAS instance that provides the storage via bargain SSDs and some spinning rust in ZFS arrays shared via iSCSI and NFS.

The XCP-ng hypervisor that hosts the VMs has auto failover between the two servers.

CopperHound
Feb 14, 2012

Hot new zero day exploit dropped. If you're running anything Java based, check if you are vulnerable. https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/

Wouldn't want y'all to get pwned because you still like Minecraft.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

CopperHound posted:

Hot new zero day exploit dropped. If you're running anything Java based, check if you are vulnerable. https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/

Wouldn't want y'all to get pwned because you still like Minecraft.

For Minecraft the fix is simple: add '-Dlog4j2.formatMsgNoLookups=true' to your Java runtime args.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

CommieGIR posted:

For Minecraft the fix is simple: add '-Dlog4j2.formatMsgNoLookups=true' to your Java runtime args.

For the record, this is a mitigation, not a fix.

BlankSystemDaemon
Mar 13, 2009



Matt Zerella posted:

For the record, this is a mitigation, not a fix.

The number of people who don't make that distinction is truly depressing.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Matt Zerella posted:

For the record, this is a mitigation, not a fix.

It's worth noting this is what log4j 2.15.0 is doing, it just makes it the default.

https://issues.apache.org/jira/browse/LOG4J2-3198

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

CommieGIR posted:

It's worth noting this is what log4j 2.15.0 is doing, it just makes it the default.

https://issues.apache.org/jira/browse/LOG4J2-3198

It's still just a mitigation. If you set that flag to false you're vulnerable again. Completely understandable as it's a humongous vulnerability, but they still have to fix the actual problem.

I'm sorry if I'm being pedantic here. Just realize there's a big patch coming that you're going to want to install to actually fix this.

BlankSystemDaemon
Mar 13, 2009



Mitigations exist so that you can, quite literally, mitigate an issue on a running production system, until you can schedule a maintenance window to let you patch things properly.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

BlankSystemDaemon posted:

Mitigations exist so that you can, quite literally, mitigate an issue on a running production system, until you can schedule a maintenance window to let you patch things properly.

The problem is: not every system is going to be patched. We like to think that there's a patch for everything. There's not, especially for in-house designed stuff that is likely legacy but still generating business value.

BlankSystemDaemon
Mar 13, 2009



CommieGIR posted:

The problem is: not every system is going to be patched. We like to think that there's a patch for everything. There's not, especially for in-house designed stuff that is likely legacy but still generating business value.

Sure, you're absolutely right, there are cases where mitigations are the only option - but that's usually a sign that stuff is going to break not just sooner or later, but soon, period.
Also, are you still subscribed to the NAS/Storage thread? Someone was asking for something you might be able to help with.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

BlankSystemDaemon posted:

Sure, you're absolutely right, there are cases where mitigations are the only option - but that's usually a sign that stuff is going to break not just sooner or later, but soon, period.
Also, are you still subscribed to the NAS/Storage thread? Someone was asking for something you might be able to help with.

Agreed. Part of that is setting deadlines for the business to retire legacy products or refactor them to keep them relevant.

bobfather
Sep 20, 2001

I will analyze your nervous system for beer money
If you self-host a UniFi controller, version 6.5.54 has the log4j mitigation. Update your machines!

For self-hosting UniFi controller, one could use this script if you carefully audit it every time you want to execute it (see BSD's post below). However, one would be better served setting up the controller in Docker, for example, using linuxserver's script.

Note that if you use the docker-compose code as is, you may run into issues with your new instance of UniFi Controller failing to adopt your APs. To solve this, you may have to revert to the old interface (Settings > System > uncheck New User Interface), then go to Settings > Network Application and change 'Console Hostname/IP' to the controller's IP address and also check 'Override inform host with the UniFi OS Console’s hostname/IP.' Restart the controller and your APs should adopt.

bobfather fucked around with this message at 17:19 on Dec 13, 2021

BlankSystemDaemon
Mar 13, 2009



The UniFi controller is also available as a package most places.

:ninja:EDIT: Well, I say that, but I typed the URI from memory, and it looks like it's mostly not up-to-date unless you're using FreeBSD, pkgsrc (so NetBSD or anything pkgsrc installs on), or some user repositories for certain Linux distributions :ohdear:

RealEDIT:

bobfather posted:

If you self-host a UniFi controller, version 6.5.54 has the log4j mitigation. Update your machines!

If you are interested in self-hosting UniFi Controller, I have found this script to be easy.
It should go without saying, but BE VERY CAREFUL about curling a bash script into your shell (which is effectively what these instructions involve), as it's essentially the same as giving someone remote code execution privileges on your shell, with the added option of enabling privilege escalation for them for free if sudo or doas is involved.

BlankSystemDaemon fucked around with this message at 15:52 on Dec 13, 2021


bobfather
Sep 20, 2001

I will analyze your nervous system for beer money

BlankSystemDaemon posted:

It should go without saying, but BE VERY CAREFUL about curling a bash script into your shell (which is effectively what these instructions involve), as it's essentially the same as giving someone remote code execution privileges on your shell, with the added option of enabling privilege escalation for them for free if sudo or doas is involved.

Thanks for this, and yeah, sorry. I will edit my post with caveats.
