Hi TBTG! I have been trying to harden the SMB configuration with the following improvements: Null passwords are disabled, SMB signing is mandatory, SMB encryption is mandatory, the minimum protocol version for supported is SMB3_11 for all communications and the ntlm auth is configured to be ntlmv2-only. I have not yet found a way to configure this correctly via the web interface as the "Samba extra configuration" field is confusing. If you could create an additional video about this, that would be exceptionally helpful! Thanks.
Great video, logical and well laid out. I just subbed... would love to see a walk through or a breakdown of reverse proxy, the pros and cons / vulnerabilities in a similar manner, rather than just the usual this is how to install it in docker and add cloudflare :)
At 7:06, hard to understand what you are saying: ". . . for this setting, I recommend setting to yes and ????" Nice video - thank you for creating this.
Oh wow, guess my noise gate caught me there. I recommend "Yes (Hidden)" That's the problem with listening to my own videos, my ears fill in gaps I know no matter how many times I listen to it. Thanks for catching that!
thanks. please make a total noob video on everything unraid.. with SMB explained also how to use torrent and prowlarr with openvpn. how to setup plex with hardware transcoding
I was following along and making changes here and there as I thought I needed them, and when I was finished with "Turn on Unraid notifications" I found out that I suddently had explanations folded out everywhere, do you have any idea on where to turn those off ? I run version 6.11.5
In the top right hand corner there should be a little question mark in a circle. If it has a line under it, that means it's enabled / selected witch auto expands all the tips. If you want that off, it should not have a line under it. Here is what it looks like when off (top image) and on (bottom image): imgur.com/a/rbFW0EF
So realistically, any port forwarding (including Plex) introduces risk to your network. For me, I "trust" Plex enough to be served traffic from the Internet so I port forward 32400 for it. Port 80 is usually used for HTTP traffic which means it is not encrypted and sent in the clear, so anyone who can see the traffic can see the contents. Because of this, it is recommended to not use and instead use HTTPS over 443 with a certificate to help protect the traffic - IF you need web browser traffic forwarded to a device in your home network. Even though HTTPS is encrypted, anyone can still access the webpage so that server could still be hacked.
If you only have 32400 being forwarded then that would be the only traffic sourced from the Internet that would get forwarded into your home network. At that point, as long as your Plex server isn't vulnerable for any known attacks (always keep it up to date to help protect it), then your risk would be minimal.
Great question! That honestly never crossed my mind. Are you asking for the files stored on the shares of Unraid or for the Unraid OS / storage itself?
My understanding is that you would not need SSH for the My Servers feature, so it should be able to be turned off if you don't want even local (on network) remote access to the server.
@@BeardedTechGuy Thanks for that. I do remotely access my server via my PC (local, on the same intranet) to manage it, so would I need to leave SSH enabled to do that? Or does My Servers bypass all of that and allow me to remotely admin my server via browser on my PC?
SSH is used for the CLI access. For GUI either local or through "My Servers" uses HTTPs. If you do not need CLI access to unraid locally you should be able to disable SSH without impact to My Servers.
Hmm that's a weird one. You could check the credential store and see if a account is saved for it. Or if its not too destructive I'd remove the share and readd it to see what happens.
I think I'm getting ripped off! I only put 3 ad breaks in for the 15 minute video and RUclips very rarely uses all of them ¯\_(ツ)_/¯ imgur.com/a/KmawmsA
What other steps are you taking to secure your Unraid storage server? Let me know below!
Hi TBTG!
I have been trying to harden the SMB configuration with the following improvements:
Null passwords are disabled, SMB signing is mandatory, SMB encryption is mandatory, the minimum protocol version for supported is SMB3_11 for all communications and the ntlm auth is configured to be ntlmv2-only. I have not yet found a way to configure this correctly via the web interface as the "Samba extra configuration" field is confusing. If you could create an additional video about this, that would be exceptionally helpful! Thanks.
EPIC! This is phenomenal. It's both general good security practices as well as high level hardening that just about every video misses!
Outstanding!
Glad you liked it!
Great video, logical and well laid out. I just subbed... would love to see a walk through or a breakdown of reverse proxy, the pros and cons / vulnerabilities in a similar manner, rather than just the usual this is how to install it in docker and add cloudflare :)
Glad you liked the video and thank you for subscribing!
I'll keep your suggestion in mind for an upcoming video, thanks for the input!
That was a great video! Watched it just to make sure and I'm pretty proud that I did all the things already :)
Glad you liked the video!!
Great video!!
Glad you enjoyed it
Love the channel name!
Very helpful, subbed!
Glad you found the video and thank you for subscribing!
Good info thanks. Since you keep that port for Plex open, isn’t that a vulnerability? Do you have docker running? Fail2ban?
Great tutorial and well explained, thank you
I'm glad you found it helpful!
At 7:06, hard to understand what you are saying: ". . . for this setting, I recommend setting to yes and ????"
Nice video - thank you for creating this.
Oh wow, guess my noise gate caught me there. I recommend "Yes (Hidden)"
That's the problem with listening to my own videos, my ears fill in gaps I know no matter how many times I listen to it. Thanks for catching that!
Very well explained, thank you!
Glad you found the video helpful!
good info, liked and subscribed
Glad you liked the video!
Thanks, it's sinking in slowly.
thanks. please make a total noob video on everything unraid.. with SMB explained also how to use torrent and prowlarr with openvpn. how to setup plex with hardware transcoding
I was following along and making changes here and there as I thought I needed them, and when I was finished with "Turn on Unraid notifications" I found out that I suddently had explanations folded out everywhere, do you have any idea on where to turn those off ? I run version 6.11.5
In the top right hand corner there should be a little question mark in a circle. If it has a line under it, that means it's enabled / selected witch auto expands all the tips. If you want that off, it should not have a line under it.
Here is what it looks like when off (top image) and on (bottom image): imgur.com/a/rbFW0EF
Thanks a lot!
You're welcome!!
12:12 so are plex ports on 32400 that are port forwarded ok? just don't forward any common ports like port 80?
So realistically, any port forwarding (including Plex) introduces risk to your network. For me, I "trust" Plex enough to be served traffic from the Internet so I port forward 32400 for it. Port 80 is usually used for HTTP traffic which means it is not encrypted and sent in the clear, so anyone who can see the traffic can see the contents. Because of this, it is recommended to not use and instead use HTTPS over 443 with a certificate to help protect the traffic - IF you need web browser traffic forwarded to a device in your home network. Even though HTTPS is encrypted, anyone can still access the webpage so that server could still be hacked.
@@BeardedTechGuy thanks dude, so if I just only have the plex port forwarded, and thats it, then I should be ok?
If you only have 32400 being forwarded then that would be the only traffic sourced from the Internet that would get forwarded into your home network. At that point, as long as your Plex server isn't vulnerable for any known attacks (always keep it up to date to help protect it), then your risk would be minimal.
Do you install anti virus software on your Unraid server... the only one I see is calmav.
Great question! That honestly never crossed my mind. Are you asking for the files stored on the shares of Unraid or for the Unraid OS / storage itself?
Do you need SSH if you're using the My Servers feature?
My understanding is that you would not need SSH for the My Servers feature, so it should be able to be turned off if you don't want even local (on network) remote access to the server.
@@BeardedTechGuy Thanks for that. I do remotely access my server via my PC (local, on the same intranet) to manage it, so would I need to leave SSH enabled to do that? Or does My Servers bypass all of that and allow me to remotely admin my server via browser on my PC?
SSH is used for the CLI access. For GUI either local or through "My Servers" uses HTTPs. If you do not need CLI access to unraid locally you should be able to disable SSH without impact to My Servers.
@@BeardedTechGuy Awesome, thx for clarifying!
Still dont know how my PC always prompt for credentials even though its a public share
Hmm that's a weird one. You could check the credential store and see if a account is saved for it. Or if its not too destructive I'd remove the share and readd it to see what happens.
I wouldnt do DMZ
Are you bound to the beard for the lifetime of your channel now?
One does not choose The Beard, The Beard chooses the one.
@@BeardedTechGuy My understanding of the truth is that I am talking to the beard 🙌
first
Almost!
I have a 200 pound dog to make sure nobody accesses my computer Grrrrr
Not sure why but I just imagined Snoopy sitting on a laptop wearing the typical "hacker gear" lol
Secure unraid don't don't mention about unraid SSL
🛑🛑🛑That’s not what ppl are clicking this for …. Ppl want volume and pool encryption…. Answer is unfair can’t do it … true nas can🛑🛑🛑
Really trying to monetize this video? 10 ads in 15 mins? Seriously? Thumbs down.
I think I'm getting ripped off! I only put 3 ad breaks in for the 15 minute video and RUclips very rarely uses all of them ¯\_(ツ)_/¯
imgur.com/a/KmawmsA