Any tips on hardening Umbrel’s PI security? Can I use UFW and if so what ports does Umbrel need open? Fail2ban? My umbrel is behind a router in a LAN with no ports open on the router to it; nevertheless I am in the habit of hardening pi’s whenever I use them.
None of those are necessary for Umbrel.
All traffic is behind Tor, so no ports need to be open in your router/machine.
Tor uses an onion address for each Umbrel app (acting like a port) without the need for any open port.
Only in special cases, if you really want to use a reverse proxy from Tor to clearnet, will more changes be necessary, but those are mostly for BTCPay and LNbits, and there are guides dedicated to that.
But for normal use as a BTC/LN node this is enough, and you can connect all your mobile apps using the Tor onion address.
Thanks for the reply, and it is understood that using onion addresses requires no open ports on the router, but what about on the node/Pi? While UFW may not be necessary for Umbrel when using the onion addresses, if I have some other apps running where UFW would be helpful for security, I just wanted to make sure that by using UFW I wouldn't accidentally prevent Umbrel from working. So, the question is: would blocking ports via UFW on my Umbrel node (not on the router) in any way hinder Umbrel from working?
The simple answer is NO.
You can play with UFW as much as you like, if you know what you are doing.
Just in case, so that you don't reuse the ports of Umbrel's other apps, open your Umbrel from the local IP and open the apps one by one. You will see which port each one is using.
So note those ports: they are NOT to be used by other apps you install on that machine, and NOT to be opened in UFW (only if you really want it).
Actually you just gave me an idea to add to my Umbrel guides a list of all ports used.
Thanks. A list of all ports used by Umbrel would be perfect for helping us avoid any conflicts with other apps.
Yes, I am planning to extend this getting started guide for Umbrel to a larger manual. I will add there the ports for apps.
@DarthCoin One more request, if possible, for your "getting started guide". I am wondering about the best ways to share my Umbrel node with family and friends. I am aware of Specter Desktop, which allows me to create other user accounts for cold/hardware wallets. But my question is regarding on-chain hot wallets (not the Lightning wallets). Can I allow friends to use the wallet connect info for a specific wallet so they use my node for checking on-chain transactions? Is it a security risk, or could it cause confusion for my transaction records? I am assuming hot wallets are just connecting to the Umbrel node to watch for transactions and confirmations, but are not saving info on the Umbrel node. Is this correct for all those wallets available in the connect wallet area?
Here you have another 2 guides that you can use:
It is easy to check with nmap which ports are open by default.

nmap umbrel.local
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-17 20:19 CEST
Nmap scan report for umbrel.local (192.168.21.3)
Host is up (0.0020s latency).
Other addresses for umbrel.local (not scanned): ::f14f:5bae:c04f:3d2b
Not shown: 991 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
3000/tcp  open  ppp
3006/tcp  open  deslogind
8000/tcp  open  http-alt
8080/tcp  open  http-proxy
8333/tcp  open  bitcoin
10009/tcp open  swdtp-sv
50001/tcp open  unknown
This is exactly the reason for using ufw (or any other firewall) on Umbrel!
The node may be behind a NAT, but there are multiple insecure devices inside the local network which could pose a threat to the system's security.
So many IoT devices in everybody's home network are running obsolete software. Those devices could very easily be used for brute-force attacks on Umbrel if it is not firewalled properly.
In my opinion the best way is to close all ports to all IP addresses except the one used for administration. Also, the DHCP/router device must reserve IP addresses by MAC address.
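As an added example (not code from the thread or from Umbrel), this shell snippet turns the nmap scan quoted above into a UFW rule set that follows the advice in this post: default-deny inbound and allow the listening ports only from one admin host. The scan text is embedded as a constructed sample, the admin address 192.168.21.10 is a made-up placeholder, and the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example: derive "admin host only" UFW rules from an nmap scan of the node.
# Nothing here runs ufw; the commands are printed so they can be reviewed first.

# Constructed sample: the open-port lines reported by the scan quoted above.
NMAP_OUTPUT='PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
3006/tcp open deslogind
8000/tcp open http-alt
8080/tcp open http-proxy
8333/tcp open bitcoin
10009/tcp open swdtp-sv
50001/tcp open unknown'

# open_ports SCAN: print "port proto" for every line whose STATE column is "open".
open_ports() {
    printf '%s\n' "$1" | awk '$2 == "open" { split($1, a, "/"); print a[1], a[2] }'
}

# ufw_rules ADMIN_IP SCAN: default-deny inbound, then allow each scanned port
# from the admin host only. Outbound stays open so Tor and peers keep working.
ufw_rules() {
    admin_ip="$1"
    scan="$2"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    open_ports "$scan" | while read -r port proto; do
        echo "ufw allow from $admin_ip to any port $port proto $proto"
    done
    echo "ufw enable"
}

# count_allow_rules ADMIN_IP SCAN: how many per-port allow rules were generated.
count_allow_rules() {
    ufw_rules "$1" "$2" | grep -c '^ufw allow from '
}

# Placeholder admin address (constructed); replace with your own machine's IP.
ufw_rules "192.168.21.10" "$NMAP_OUTPUT"
```

Umbrel runs its apps in Docker containers, and ports Docker publishes are inserted into iptables ahead of UFW's input rules, so after applying any rule set re-run the nmap scan from another LAN host to confirm what is actually reachable.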