|
Heners_UK posted:While I cannot say when Unraid 6.8 will come out, it's been previously posted that it ups the SMB version to people's satisfaction. I've personally just disabled it for a bit (wasn't day to day using SMB). Coming to Unraid from Synology I had expected superior security options to be available and have been surprised to find the reverse to be true. Not being able to disable root is irksome.
|
# ? Dec 9, 2019 17:36 |
|
*describes poor security practices*
Heners_UK posted:When I said atypical, I didn't mean necessarily poor,
|
# ? Dec 9, 2019 17:41 |
|
Tamba posted:Seems like they don't care about supporting that though, so it will be gone with the next version. (You can still use existing VMs or manually make your own) It doesn't really do a whole lot but was still kinda useful, so it figures they'd kill it. At least I already have my Rancher VM running. Someday I'll be able to replace all this with a plain Fedora CoreOS or equivalent
|
# ? Dec 9, 2019 17:58 |
|
eames posted:Unraid is kind of unique in that it gives you access to the Linux stack without requiring a whole lot of underlying knowledge or computer janitoring. The community is ok, there are simple YouTube tutorials for advanced topics, manual updates are relatively rare and done via web interface, docker containers can be set to auto-update if you trust the third parties publishing them. In my experience it is quite hands off once up and running. Don't forget that you can do containers (jails) in Ubuntu Server. LxC and LxM is what it is called I believe?
|
# ? Dec 9, 2019 18:01 |
|
Thermopyle posted:*describes poor security practices*
Referring to VPNs when I said that (i.e. not necessarily bad advice but atypical it's the only advice), should have been clearer but the kid was jumping on me. For the rest, yes they are poor practices. My general rules given the limitations:
* Don't frigging expose its Web UI, SSH or Telnet ports externally. Ever. Know what you're doing before you expose anything else.
* Strong root password - best you can do really (I would have disabled this too, and as a distant second, only allowed pubkey authentication to it)
* Somehow see if we can get Limetech to shift its thinking.
Keeping in mind that this product is generally targeted at home users I'm not sure how far we'd get on the last one. I'd expect the analogy used would be that most users are used to Windows Local Admin and this is, in their eyes, the same. I also don't like being made to make a choice between minimal CJing and following the commonplace security advice that's still given today for most Linux use.
|
# ? Dec 9, 2019 18:08 |
|
VPN or you don't get to access the network, including the services.
|
# ? Dec 9, 2019 18:18 |
|
Did some more digging and it's possible to disable root login via SSH: https://forums.unraid.net/topic/77471-secure-your-unraid-ssh-access-and-tunnel-using-putty Only briefly read but it ticks some of the boxes. Importantly not the same as disabling login as root entirely
|
# ? Dec 9, 2019 18:51 |
|
"Media" is a Share on my Unraid 6.7.2 server. From Windows 10: code:
code:
|
# ? Dec 9, 2019 19:03 |
|
Having network shares show in the "Network" pane requires SMBv1 to be enabled. Mapping shares as a network drive or navigating directly to \\hostname will work without enabling SMBv1 on Windows. 6.8 will use the Western Digital (iirc) protocol to have the server show back up in the Network pane. No clue why everyone decided to interpret it as "unraid only uses SMBv1"
|
# ? Dec 9, 2019 19:38 |
Heners_UK posted:Did some more digging and it's possible to disable root login via SSH: https://forums.unraid.net/topic/77471-secure-your-unraid-ssh-access-and-tunnel-using-putty
The default configuration for sshd in OpenBSD is "#PermitRootLogin prohibit-password" - not allowed, but if you uncomment it you can login with a keyfile. Most other distributions default to "#PermitRootLogin no" - not allowed, and you have to change it to a yes if you uncomment it. Anything else is horribly insecure because it assumes things which certainly aren't true for other SSH implementations and even with OpenSSH implementations can be dangerous.
|
|
# ? Dec 9, 2019 19:49 |
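An added example, not from the thread or from Unraid: a small audit of the `PermitRootLogin` setting discussed above, showing that commented-out lines change nothing and that the first active value for a keyword wins. It assumes upstream OpenSSH defaults (7.0 and later) when no active line sets a keyword; `SAMPLE_CONFIG` and the function names are constructed for illustration.

```python
# Constructed sample sshd_config, not taken from an Unraid system.
SAMPLE_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin yes
PermitRootLogin no
Match Address 192.168.1.0/24
    PermitRootLogin prohibit-password
"""

# Assumption: upstream OpenSSH (7.0+) defaults apply when no active line sets a keyword.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def effective_global(config_text):
    """Global settings as sshd resolves them: first active value per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out lines change nothing
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        if parts[0].lower() == "match":
            break                         # conditional blocks are not global settings
        if len(parts) >= 2:
            seen.setdefault(parts[0].lower(), parts[1].lower())
    return {**DEFAULTS, **seen}

def root_login_findings(config_text):
    """Return the effective global PermitRootLogin value and any findings."""
    cfg = effective_global(config_text)
    root = cfg["permitrootlogin"]
    if root == "without-password":        # deprecated alias of prohibit-password
        root = "prohibit-password"
    findings = []
    if root == "yes":
        if cfg["passwordauthentication"] == "yes":
            findings.append("root may log in with a password")
        else:
            findings.append("root login enabled; password authentication is off globally")
    elif root == "prohibit-password":
        findings.append("root limited to non-password methods such as public key")
    elif root == "forced-commands-only":
        findings.append("root limited to public keys with a forced command")
    return root, findings

if __name__ == "__main__":
    print(root_login_findings(SAMPLE_CONFIG))
```

In the sample, the later `PermitRootLogin no` never takes effect because `PermitRootLogin yes` appears first, which is the kind of mistake a quick edit to an existing file tends to introduce.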
|
Buff Hardback posted:Having network shares show in the "Network" pane requires SMBv1 to be enabled. Mapping shares as a network drive or navigating directly to \\hostname will work without enabling SMBv1 on Windows.
Ok, that's a pretty important distinction
|
# ? Dec 9, 2019 20:15 |
|
Buff Hardback posted:Mapping shares as a network drive or navigating directly to \\hostname will work without enabling SMBv1 on Windows.
I can't get this to work on my son's Win10 computer for the loving life of me, but it works just fine on mine. Both are updated fully and I don't think it's firewall bullshit.
|
# ? Dec 9, 2019 20:55 |
|
Henrik Zetterberg posted:I can't get this to work on my son's Win10 computer for the loving life of me, but it works just fine on mine. Both are updated fully and I don't think it's firewall bullshit.
Does the network location work, it just won't authenticate or does it even load the network location? If it won't authenticate, try making sure no shares are mapped, searching for "credential manager", deleting everything that relates to your server authentication, then log out/in and try again
|
# ? Dec 9, 2019 21:18 |
|
No it just plain doesn't see the share and I can't go to \\$ip_address or \\$unraid_name
|
# ? Dec 9, 2019 21:19 |
Henrik Zetterberg posted:No it just plain doesn't see the share and I can't go to \\$ip_address or \\$unraid_name
If you guys figure this out please walk me through how to add it this way? I was only able to do it via SMB1 but I know gently caress all about networking in general compared to most itt. If I can get it working another route without SMB1 then I'd be more likely to just leave the setup as-is.
|
|
# ? Dec 9, 2019 21:43 |
|
Can you ping the ip address through the windows 10 computer?
|
# ? Dec 9, 2019 22:11 |
|
I... believe so, yes. (at work right now, so working off memory)
|
# ? Dec 9, 2019 22:12 |
|
CommieGIR posted:VPN or you don't get to access the network, including the services.
b...bb..bbb...but my idiot friends who can't work a tunnel!!?? gently caress em they're dumb and not worth your time
|
# ? Dec 9, 2019 22:15 |
|
Henrik Zetterberg posted:I... believe so, yes. (at work right now, so working off memory)
Welp that eliminates a lot of the easy networking issues. I am not super familiar with unraid but it appears to be a legitimate weakness. https://forums.unraid.net/topic/73750-windows-10-smb-share-issues/
Now the solution I see here would make sense just from what people are saying: https://answers.microsoft.com/en-us...43-ecc7ab8b5119
Which I find hilarious as a professional NAS person.
|
# ? Dec 9, 2019 23:09 |
|
The common thread seems to be unauthenticated access to shares is what Windows doesn't entirely like. Does your son have a user account in Unraid to access shares?
|
# ? Dec 9, 2019 23:14 |
|
also even though it sounds silly, make sure there's no credentials in credential manager
the auth flow for SMB in Windows is dumb as hell and I think a bad username/password or already instantiated connection with a different username/password causes the new connection to freak out before even loading shares
|
# ? Dec 9, 2019 23:16 |
|
Buff Hardback posted:Having network shares show in the "Network" pane requires SMBv1 to be enabled. Mapping shares as a network drive or navigating directly to \\hostname will work without enabling SMBv1 on Windows.
quote:No clue why everyone decided to interpret it as "unraid only uses SMBv1"
HalloKitty posted:Ok, that's a pretty important distinction
If it supports SMB3 but still allows connections from SMB1 that's not the most secure configuration in the world but it's a reasonable default for a commercial product where compatibility without configuration is desirable to some users. If it requires that clients have SMB1 enabled to access the current stable version, something is horribly wrong with their priorities and it'd make me wonder what else they have that badly wrong.
|
# ? Dec 10, 2019 22:51 |
|
wolrah posted:My local Samba server shows up just fine in my Network pane on Windows 10 with SMB1 disabled entirely at both ends (Samba is actually set to use only the Win7 and later variant of SMB2 because there will never again be a Vista machine on my LAN), so this is definitely not true. According to Samba as long as nmbd is set up properly it should browse normally.
it's WS-discovery, not WD. I can't speak to the specifics of your setup, but it's possible that service is running on your samba server?
Raymond T. Racing fucked around with this message at 23:05 on Dec 10, 2019 |
# ? Dec 10, 2019 23:00 |
|
I'm not an expert on smb, but I know that I can browse to all my unraid shares on the 3 win10 machines I've tried and I've never installed anything smb related on any of them.
|
# ? Dec 11, 2019 00:24 |
|
Hoping to get new drives for my Synology 1513+ and curious what the latest best recommendation is for NAS drives?
|
# ? Dec 11, 2019 03:46 |
|
Direct purchase is still WD Reds
But most of us shuck WD external drives to get white label versions of those.
|
# ? Dec 11, 2019 03:54 |
|
Heners_UK posted:Direct purchase is still WD Reds
just cheaper?
|
# ? Dec 11, 2019 03:57 |
|
MMD3 posted:just cheaper?
Correct. Usually it's about a ⅓ saving if you shuck, but can be more.
|
# ? Dec 11, 2019 04:23 |
|
Unraid 6.8 is out: https://unraid.net/blog/unraid-6-8 Forum post with description of the SMB1 stuff: https://forums.unraid.net/topic/86028-unraid-os-version-68-available/
|
# ? Dec 11, 2019 09:39 |
|
Heners_UK posted:Unraid 6.8 is out: https://unraid.net/blog/unraid-6-8
This is great, I can finally dump OpenVPN for Wireguard. I do wish they'd let me get rid of the root login account, but SSL + VPN seems secure enough for me - I can just set up my devices to always auto-connect for safe private browsing on public wifi while I'm not at home.
Corb3t fucked around with this message at 15:38 on Dec 11, 2019 |
# ? Dec 11, 2019 15:35 |
|
Gay Retard posted:This is great, I can finally dump OpenVPN for Wireguard. I do wish they'd let me get rid of the root login account, but SSL + VPN seems secure enough for me - I can just set up my devices to always auto-connect for safe private browsing on public wifi while I'm not at home.
Now that it's finally forms based for login you can at least set a secure password and use a manager to log in.
|
# ? Dec 11, 2019 15:55 |
|
Matt Zerella posted:Now that it's finally forms based for login you can at least set a secure password and use a manager to log in.
Actually that brings me to a point, one I think I'd better ask seeing as I fell flat on my own face talking about security earlier, what are people's thoughts on using a long passphrase? E.g. "tomatoes yoghurt canopy chainsaw cats phesant" rather than "3wM%64t4&&WQW$Wk*qgx". I'm thinking about the time I might have to log in interactively at the console (i.e. use a mouse and keyboard, cannot get to password manager).
EDIT: Generated another passphrase example from bitwarden: "Endurable-Moonlit-Marine-Rush-Frisbee-Dreaded4"
|
# ? Dec 11, 2019 17:24 |
|
Long passphrases are strongly encouraged in most modern security structures, on the grounds that random alphanumeric passwords effectively force you to write it down / store it somewhere, which itself is a vulnerability. Total entropy of a sufficiently long passphrase is at least as good (usually better) than shorter complex passwords. For home use it almost doesn't matter, since no one is going to sit there trying to brute-force your password. At best they'll throw a common wordlist / dictionary attack at it in passing and then move on to the next server.
|
# ? Dec 11, 2019 17:31 |
|
Heners_UK posted:Actually that brings me to a point, one I think I'd better ask seeing as I fell flat on my own face talking about security earlier, what are people's thoughts on using a long passphrase? E.g. "tomatoes yoghurt canopy chainsaw cats phesant" rather than "3wM%64t4&&WQW$Wk*qgx". I'm thinking about the time I might have to log in interactively at the console (i.e. use a mouse and keyboard, cannot get to password manager).
So from your example, the entropy on the first wordlist password would be 26 letters plus space, 27^(number of characters, or 46) = 696198609130885597695136021593547814689632716312296141651066450089
vs
Numbers, upper and lower case letters, and 4 special characters, so 10+26*2+4 = 66^18th power = 564664961438246926567398233604096
So yeah, without explicit knowledge of the pattern used or any of that the first is like 10x more secure than the second one.
|
# ? Dec 11, 2019 17:39 |
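An added example, not part of any post in the thread: the search-space comparison discussed above, computed in bits for the two secrets quoted in the thread under two attacker models, one that guesses character by character and one that knows the secret is a sequence of words drawn at random from a known list. The 7776-word list size and the guess rate are assumptions chosen for illustration.

```python
import math

def alphabet_size(secret):
    """Character pool as counted in the thread: 26 per letter case seen,
    10 if digits are seen, plus each distinct other symbol seen."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    return size + len({c for c in secret if not c.isalnum()})

def char_model_bits(secret):
    """Bits of search space if every character were picked at random."""
    return len(secret) * math.log2(alphabet_size(secret))

def wordlist_model_bits(word_count, list_size=7776):
    """Bits if the attacker knows the scheme: word_count words picked at random
    from a known list (list_size is an assumed value)."""
    return word_count * math.log2(list_size)

def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case years to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

PASSPHRASE = "tomatoes yoghurt canopy chainsaw cats phesant"  # quoted in the thread
RANDOM_PW = "3wM%64t4&&WQW$Wk*qgx"                            # quoted in the thread

def compare():
    """Bits for each secret under each attacker model."""
    return {
        "passphrase, per-character model": char_model_bits(PASSPHRASE),
        "passphrase, known-wordlist model": wordlist_model_bits(len(PASSPHRASE.split())),
        "random password, per-character model": char_model_bits(RANDOM_PW),
    }

if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:38s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.1e} years")
```

The wordlist figure only holds when a generator picks the words; words chosen by a person carry less.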
|
Just use a password manager with a good keystore password and generate crazy long garbage passwords with abandon. Passphrases are really more geared towards being easy to remember while maintaining security which makes them applicable to keystore passwords but should be irrelevant to the backend services themselves.
|
# ? Dec 11, 2019 17:44 |
|
H2SO4 posted:Just use a password manager with a good keystore password and generate crazy long garbage passwords with abandon. Passphrases are really more geared towards being easy to remember while maintaining security which makes them applicable to keystore passwords but should be irrelevant to the backend services themselves.
In this case I'm addressing the fringe case that I might actually have to type the password in, without Copy & Paste from Password Manager available. However, looking back, it seems that it's secure enough against Password Hacking, Keyboard Using Robots who are also Burglars.
|
# ? Dec 11, 2019 18:01 |
H2SO4 posted:Just use a password manager with a good keystore password and generate crazy long garbage passwords with abandon. Passphrases are really more geared towards being easy to remember while maintaining security which makes them applicable to keystore passwords but should be irrelevant to the backend services themselves.
|
|
# ? Dec 11, 2019 18:03 |
|
Given the earlier discussions, I went into UnRAID's settings > SMB and disabled NetBIOS, which appears to also disable SMB1 support.
|
# ? Dec 11, 2019 18:46 |
|
God loving damnit. I switched off of FreeNAS to avoid stupid reactionary changes.
code:
quote:I will be removing most of my PPAs from public access due to continued and persistent abuse by companies using these packages for commercial gain with flagrant disregard to the knowledge and effort required to maintain them.
|
# ? Dec 11, 2019 18:59 |