Securing a new unRAID installation

By default, unRAID has a few pretty big security vulnerabilities which should be addressed immediately after installation.

My take is that unRAID is secure enough to operate within my home network behind a firewall, not exposed to the internet. Adding the steps here will make it more secure to protect against the unlikely, yet unfortunate possibility that someone nefarious gains access to your home network.

Here’s my list of steps taken to secure my unRAID install. If folks have more that I’m missing, I’d love to add them here!

Add password for root

It’s really bad that unRAID doesn’t force you to set a root user password as part of the installation. There’s really no excuse for this type of ‘insecure by default’ philosophy when it’s so easy to fix.

So, to fix it yourself, go to the web UI and navigate to Users > Select ‘root’ > Add a Password.

It will take all of 30 seconds to do it.

Create users that aren’t root

It’s always a good idea to do as little as possible as the root account on a Linux system. While you’re on the Users screen, go ahead and make users for yourself and others you want to have access to shares. The only thing these users can do is access shares.

Restrict access to your shares

If you don’t have to expose a share via SMB, don’t! Just turn it off.

If you don’t have to give people write access, make them read only.

I prefer to set my shares that are available via SMB to “Private” for the Security level which gives guests no access, and then set the proper access control for each user in the house. To make the changes, just go through each share under the Shares tab and set your SMB Security Settings and User Access however you see fit.

Disable access to the /flash share

For some crazy reason, the USB drive that hosts the operating system is shared by default as /flash. I don’t remember if the default permissions on it are “Private” or not, but I think it’s a good idea to just not have it shared at all.

This one is trickier to find, however, because it’s not listed under the Shares tab. To find the controls, go to the Main tab, and click on the Flash drive link.

From there, set the Export to “No”.

Disable SMB1

The folks that built the SMB protocol are serious about telling people to stop using the first version for a variety of security reasons. Now, many of those might relate to Windows-only devices, but there’s no reason not to disable it on your Linux box as well.

Go to Settings > SMB (under Network Services). Under SMB Extras, add the following lines:

    # Disable SMB1 for security reasons
    min protocol = SMB2
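
To confirm the setting took effect, the following check (an added example, not part of the original post or of unRAID) reads a Samba config file and reports whether SMB1 dialects can still be negotiated. The function names are hypothetical, and the file path is whatever location holds your saved SMB Extras text.

```shell
#!/bin/sh
# Added example (not from the post): audit a Samba config for SMB1.

# smb_min_protocol FILE -> effective global "min protocol", or UNSET.
smb_min_protocol() {
    awk '
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/   { sect = tolower($0)            # section header
                        gsub(/[ \t\r]/, "", sect); next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            # Text before any header is global (assumed for an include).
            if (sect != "" && sect != "[global]") next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)                    # Samba ignores spaces in names
            val = toupper(substr($0, eq + 1))
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            # "min protocol" is a synonym for "server min protocol".
            if (key == "minprotocol" || key == "serverminprotocol")
                found = val                           # last setting wins
        }
        END { print (found == "" ? "UNSET" : found) }
    ' "$1"
}

# smb1_verdict FILE -> blocked | allowed | default | unknown
smb1_verdict() {
    case "$(smb_min_protocol "$1")" in
        SMB2*|SMB3*)                       echo blocked ;;
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1) echo allowed ;;
        UNSET)                             echo default ;;  # depends on the Samba version
        *)                                 echo unknown ;;  # typo or unrecognised value
    esac
}

# Constructed sample: the two lines this post adds to SMB Extras.
sample=$(mktemp)
printf '%s\n' '#disable SMB1 for security reasons' '   min protocol = SMB2' > "$sample"
echo "sample config: SMB1 $(smb1_verdict "$sample")"
rm -f "$sample"
```

A result of `default` means the file sets no minimum, so the outcome depends on the Samba version's built-in default; older releases still accept SMB1 in that case.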

Disable Telnet & FTP access

unRAID comes with Telnet and FTP enabled by default. That’s really pretty silly in this day and age. If you want to access a command prompt, you should use ssh. If you want to transfer files, use anything but FTP.

The easiest way to disable them both is to leverage the Tips & Tweaks plugin.

  1. Install the Tips and Tweaks plugin by going to Plugins > Install Plugin and using the following URL:
  2. After it’s installed, navigate to Settings > Tips and Tweaks (under User Utilities)
  3. Find the “Disable FTP Server & Telnet” option and select “Yes”

Fix common problems plugin

This one is nice – it’s basically a health check on the unRAID system. It’ll scan logs, look at your current config, and help you find common problems that you may have overlooked.

You can install it by going to Plugins > Install Plugin and using the following URL

You can learn everything you need to know about the Fix Common Problems plugin on its forum thread here.

Ransomware protection

I honestly don’t know if this plugin would help in the event of a ransomware attack, but I think the principle is sound and it’s a pretty low hassle way to add some protection. The recent WannaCry ransomware attack highlighted the need for some additional consideration for me.

The general idea is to create a honeypot of files and shared folders that, if modified, immediately trigger unRAID to go into read-only mode (and/or disable access to all shares). If someone tries to encrypt and delete your files, unRAID would simply cut off access. This is particularly useful since these shares can be accessed by all of your users on potentially vulnerable machines… so if one of their machines gets infected with ransomware, and it tries to access your unRAID shares (because those machines likely have the share passwords cached), unRAID can stop the attack from being completely successful.

You can read all about the Ransomware plugin here on its forum thread. To install it, I found it easiest to install the Community Applications plugin and search for it and install it from there.
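
The bait-file idea described above, sketched as an added example; it is not the plugin's code and not from the original post. Function names, bait file names and the manifest location are assumptions, and the response to a trip (making shares read-only) is left to the caller.

```shell
#!/bin/sh
# Added example (not the plugin's code): bait files as a ransomware tripwire.
# Function names, file names and the manifest format are hypothetical.

# Names picked to sort first and last in a directory listing.
BAIT_NAMES="000-budget.xlsx 000-photos.zip zzz-taxes.pdf"

# bait_plant DIR MANIFEST -> create bait files in DIR, record SHA-256 hashes
# in MANIFEST (keep MANIFEST off the share so clients cannot rewrite it).
bait_plant() {
    dir=$1; manifest=$2
    mkdir -p "$dir" || return 2
    : > "$manifest" || return 2
    for name in $BAIT_NAMES; do
        printf 'bait file %s: nobody should ever change this\n' "$name" > "$dir/$name"
        sha256sum "$dir/$name" >> "$manifest"
    done
}

# bait_check DIR MANIFEST -> 0 intact, 1 tripped, 2 manifest missing.
bait_check() {
    dir=$1; manifest=$2
    [ -s "$manifest" ] || return 2
    # A modified, deleted or renamed bait file fails hash verification.
    sha256sum -c "$manifest" >/dev/null 2>&1 || return 1
    # A new file in the bait folder (ransom note, encrypted copy) also trips.
    expected=$(wc -l < "$manifest")
    actual=$(find "$dir" -type f | wc -l)
    [ "$actual" -eq "$expected" ] || return 1
    return 0
}

# Constructed demo in a temporary directory.
demo_dir=$(mktemp -d); demo_manifest=$(mktemp)
bait_plant "$demo_dir" "$demo_manifest"
bait_check "$demo_dir" "$demo_manifest" && echo "clean: shares stay writable"
printf 'overwritten' > "$demo_dir/000-photos.zip"   # stand-in for a client rewriting the file
bait_check "$demo_dir" "$demo_manifest" || echo "tripped: cut off share access now"
rm -rf "$demo_dir" "$demo_manifest"
```

Use absolute paths for DIR and MANIFEST so the recorded file names still resolve when the check runs from a scheduler.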

Set up email notifications

This one is important so that you can be notified by the various plugins and unRAID itself about the condition of the server. This isn’t just about security, obviously, but also about the general health of the system.

For example, you’ll be notified about plugin and server updates which are available, hard drives that are too hot, errors that crop up, etc.

You can find the settings under the Settings tab > Notification Settings.

Keep your server up to date

unRAID itself and all of the plugins are easy to update – just go to the Plugins tab and click the “Check for Updates” button. Then go through and update each plugin – including the unRAID OS itself.

If you run any Docker containers, unRAID will let you know if they have updates available as well on your dashboard (they’ll be a different color). For any VM you run, make sure to check for updates on them regularly as well.

Further Reading

There’s a good thread on the Lime Technologies forum – Is unRAID really unsecure? I would recommend reading that as well – there are some good pointers there about other basics not covered here, like making sure to keep your system up to date, maintaining good backups, etc.

My take is that unRAID is secure enough to operate within my home network behind a firewall, not exposed to the internet. Adding the steps above makes it even more secure to protect against the unlikely, yet unfortunate possibility that someone nefarious gains access to your home network.

From Windows to unRAID: choosing my next home-server OS

This is the first in several posts about getting unRAID set up for the first time. Look for the unRAID tag to see all of the related posts.

I’ve run a Windows 10 (and Vista, 7, 8, 8.1) machine as our household’s file server for many, many years. It worked well enough. I had two hard drives set up as a RAID, and an SSD to run the OS from. But I began to realize that this setup was a lil risky and pretty inflexible – most notably it would never notify me if one of my disks started to fail (or any other data-oriented problems, for that matter). And it wasn’t easy to run the open source software packages I was wanting to run (like OpenVPN or ZoneMinder).

This was a prescient worry given that my two 1.5TB drives which stored all of my family’s most important photos & files were about to fail.

I looked around at getting a dedicated box for just file serving (Synology, QNAP). I looked at software to add to the Windows install to solve some of my issues like better data protection (most notably SnapRAID). And I looked at the slew of dedicated home NAS software like FreeNAS, Nas4Free, and unRAID.

Ultimately I picked unRAID because it looked to be the easiest to get everything running, had a good and active support community, was cheap (but not free) and was based on a Linux distribution (instead of FreeBSD). The biggest thing going against unRAID to me was that (1) it didn’t have native bit rot (data degradation) protection like SnapRAID or FreeNAS and (2) it’s not open source. I decided I can live with a commercial project and that I can find a work around to protect against bit rot.

I was really close to choosing FreeNAS, but they were going through some turmoil with a failed release of their next-generation version 10 that had the Docker support I wanted… so I passed for now.

It should be clear that this isn’t intended to be a comparison of all the NAS options out there – if you’re interested in doing your own comparison, there’s a bunch of info out there and you should judge for yourself. For example, SnapRAID has a really nice comparison table of the file system capabilities that I found very useful.

What my computer did before (running Windows):

  • Store and serve files (documents, pictures, music, and video)
  • Backup those files to the cloud (via CrashPlan)
  • Provide a backup location for the computers in our extended family (via CrashPlan)
  • Run our in-house music system (via Logitech Squeezebox family of devices)
  • Run my IP security camera system
  • Monitor the UPS (backup battery) and gracefully shut down in the event of power loss
  • Occasionally watch Hulu via the web browser & the TV it was connected to.

What it didn’t do:

  • Monitor the health of the disks (and files) and inform me of impending problems
  • Provide a dashboard of system health, status, and related controls
  • Operate power-efficiently, because…
    • Both disks in the RAID spinning up when reading any file
    • Case fans ran all the time (vs. being controlled by HDD temperatures)
    • Spending time & energy updating parts of the OS I’ll never use (looking at you, Windows Modules Installer Worker)
    • Spend time/energy protecting itself from viruses (looking at you, Antimalware Service Executable)
  • Parity check the files in a way to allow for recovery in the event of bit rot (data degradation)
  • Enable me to run open source packages easily (in particular, leverage Docker to manage software installs)
    • OpenVPN, NextCloud, ZoneMinder, for example.
  • Be more resilient to ransomware attacks (e.g. WannaCry)

Choosing unRAID got me all of these missing things on my existing hardware. The only thing that is missing right now is a good parity checking solution to enable finding & fixing data degradation on unRAID.

In the next few posts I’ll cover how I did the conversion, and document some of the hassles I had to overcome to get unRAID working exactly the way I want it to.

In that process I was able to:

  1. Migrate the basic functionality and data of my Windows machine to unRAID
  2. Copy my Windows installation to a VM running on unRAID, and set it up with exclusive access to one of my disks outside of the NAS RAID array.
  3. Set up OpenVPN (which runs way better than it did on my Raspberry Pi)
  4. Verify that unRAID’s parity system does indeed work to recover a failed disk.
  5. Set up custom fan controls so the machine runs very, very quietly (which is important, because it’s in our TV room)

Look for the unRAID tag to see all of the posts related to this project.