Setting up Umbrel Securely

Hi, I just installed Umbrel on a Mac Pro 3,1 last night and want to share what I do to make this thing secure. I’ll be posting more in this thread as I run across other configurations that will make sense to do in instances.

First, I change the umbrel password as well as root’s, since by default both passwords are umbrel:

passwd umbrel
sudo passwd root

Then I update apt and do any upgrades, but I change to root for the next few things:

sudo -i
apt update
apt upgrade

Then I install net-tools so I can look at the networking and enhance networking later:

apt install net-tools

Now I install UFW to add a firewall that will control networking:

apt install ufw

Authorize the Umbrel GUI and allow requests on ports 80 and 443. Later, I will switch the Umbrel Docker instance to using a certificate.

ufw allow 80
ufw allow 443
ufw deny 7777
ufw deny 13962
ufw deny 14178
sudo ufw deny from 141.94.45.159 to any
sudo ufw deny from 23.128.248.0/24 to any
sudo ufw deny from 91.123.158.251 to any

Now I regenerate my SSH keys, since they are the same as everyone’s:

cd /etc/ssh
rm *_key
rm *_key.pub
ssh-keygen -A

Then I customize my root login so I have the normal ll alias and colorized text:

cd /root
nano .bashrc

Uncomment the following, changing the ll alias to the normal affair:

export LS_OPTIONS='--color=auto'
eval "$(dircolors)"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -al'

Now, that is the start.

In the next post on this thread I will show how to generate an SSL certificate and make the Umbrel Docker instance use it.

But first, I will have to find where all of the files are.
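The firewall and host-key steps above, as an added example that is not the poster’s own commands: the ufw rules are emitted in an order that keeps the SSH admin path open before the firewall is enabled, a captured `ufw status verbose` output is checked for that state, and the rotated host keys are fingerprinted so the "host key changed" warning on the next login can be verified. It assumes sshd listens on port 22 (override with SSH_PORT) and uses default-deny instead of the individual deny rules in the post.

```shell
#!/bin/sh
# Added example, not from the thread: the firewall step done in a lock-out-safe
# order, plus a check on captured `ufw status verbose` text.
# Assumption: sshd listens on SSH_PORT (22 unless overridden).
SSH_PORT="${SSH_PORT:-22}"

# Print the firewall commands in the order they should be run: allow the admin
# path first, then the Umbrel web UI, and only then default-deny and enable.
# Default-deny makes per-port deny rules for individual ports unnecessary.
ufw_plan() {
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit ${SSH_PORT}/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
EOF
}

# Read `ufw status verbose` output on stdin. Succeeds only when incoming
# traffic is denied by default AND the SSH port is explicitly allowed/limited,
# i.e. the state in which leaving the console will not lock you out.
ufw_status_ok() {
  status="$(cat)"
  printf '%s\n' "$status" | grep -q 'Default: deny (incoming)' || return 1
  printf '%s\n' "$status" \
    | grep -Eq "^${SSH_PORT}(/tcp)?[[:space:]]+(ALLOW|LIMIT)( IN)?" || return 1
}

# The thread's host-key rotation (run as root), followed by the new
# fingerprints so the operator can verify the "host key changed" warning
# their SSH client will show on the next login.
rotate_host_keys() {
  rm -f /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub
  ssh-keygen -A
  for k in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf "$k"; done
}

# Usage (as root): review `ufw_plan`, run it with `ufw_plan | sh`, then
#   ufw status verbose | ufw_status_ok && echo "firewall OK"
```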


What happens when an update to Umbrel OS is released? Do I have to do it again?

Shouldn’t have to, since it’s just a Docker program running on Debian.

And it does make me wonder if they do the Debian security updates automatically, or if I have to install them manually.

I haven’t had much time in the real world to work on this software stack.

But I’m discovering other things that I am going to install, one of which is Webmin, so I have a system-side file manager.

What really comes into question is why the file manager in Docker can’t access USB drives on the PC install I am running.

This is my first Docker experience and I really don’t like it, because there are so many restrictive things about it. Besides the small network compromises.

I would rather just roll them a kernel and desktop OS and use Apache Guacamole to remote connect to it over HTTPS. Then if they want to continue this with a Docker container they can.

But I would expand on this project more and add the Nvidia tools and AMD video tools and bring in hardware sensors so it could run GPU/CPU miners, and have a total solution for that group of people, since they don’t have one that is really independent from a cloud service.

One thing I haven’t found is litecoind and that software. But I only have scratched the surface.

I’m not good enough for this but it might be time to do a straight Debian with Docker.

It’s already there; you would just install and execute tasksel through apt.

sudo apt install tasksel

Then follow the prompts to install the Debian desktop system and GNOME or Cinnamon or any or all of the other desktop managers on the list. Then you can switch desktops on the login screen, because you are not stuck with just one desktop GUI either. There are other things you can install with tasksel, like Apache, but I’d rather just do that on the root shell.

I just find it a little pointless to run this in Docker since there is a web-based remote desktop solution.

This, what they call Umbrel OS, is a toy to me compared to what I worked on (Ubuntu developer off and on for 22 years). Just never got into Docker and always had to work on patching drivers and other stuff people didn’t want to do. I’m swamped with paid work and the other Linux projects wanting me to go through things.

Problem with Docker is that it is a bottleneck in performance, even though they tried to not make it that much of an issue.

Even though Docker might be fun, like web programming, from what other people told me.