Home of the Squeezebox™ & Transporter® network music players.
  1. #1 mherger (Babelfish's Best Boy, Switzerland, joined Apr 2005, 19,779 posts)

    IMPORTANT: Stop forwarding your LMS ports to the internet!

    I do understand that many like to be able to access their music while on the road, at work, away from home. But please do NOT configure your router to forward those ports to the internet. While this is easy to do, it's dangerous. LMS was not designed to be used this way. Any user out there (incl. me and your neighbor's kids you hate so much) could access your LMS and do all kinds of things.

    • Set a password on your LMS, actually locking you out of your own music collection.
    • Change the skin
    • Blast crazy stupid music at full volume in the middle of the night. And then again five minutes after you turned it off. Repeat.
    • Install the Gallery plugin and have it scan all the folders on all your disks, causing a crash sooner or later
    • Install any plugin they want, including their own development, doing things we don't even know about


    More issues are reported regularly, e.g.


    On systems where LMS is running as root/admin the last one is particularly dangerous. We have evidence of these kinds of "attacks" almost on a daily basis now. See various threads in this forum.

    Now you might think "who would be interested in finding my IP address and port used?". Your neighbor's kid. Or some bored soul seeking some kick. Because it's easy. There are search engines that list your computer and port. No need to figure this one out yourself. And then have some fun. NOT!

    So please: review your router's settings. Block those ports. Install a VPN if you need access to your music.
    Last edited by mherger; 2017-11-14 at 05:59.
    Michael

    http://www.herger.net/slim-plugins - Spotty, MusicArtistInfo

  2. #2 pinkdot (Senior Member, The Netherlands, joined Nov 2009, 876 posts)
    Maybe the wiki should be changed accordingly?
    http://wiki.slimdevices.com/index.ph...cting_remotely
    -LMS on Raspbian Stretch -> 2x Radio
    -RPI 3 (Mopidy + Raspotify), Allo Boss DAC- Exposure 3010S2 - PMC FB1i

  3. #3 Jeff07971 (Senior Member, London, England, joined Aug 2011, 863 posts)
    Quote Originally Posted by mherger:
    I do understand that many like to be able to access their music while on the road, at work, away from home. But please do NOT configure your router to forward those ports to the internet. While this is easy to do, it's dangerous. LMS was not designed to be used this way. Any user out there (incl. me and your neighbor's kids you hate so much) could access your LMS and do all kinds of things.

    - blast crazy stupid music at full volume in the middle of the night. And then again five minutes after you turned it off. Repeat.
    - install the Gallery plugin and have it scan all the folders on all your disks, causing a crash sooner or later
    - install any plugin they want, including their own development, doing things we don't even know about

    On systems where LMS is running as root/admin the last one is particularly dangerous. We have evidence of these kinds of "attacks" almost on a daily basis now. See various threads in this forum.

    Now you might think "who would be interested in finding my IP address and port used?". Your neighbor's kid. Or some bored soul seeking some kick. Because it's easy. There are search engines that list your computer and port. No need to figure this one out yourself. And then have some fun. NOT!

    So please: review your router's settings. Block those ports. Install a VPN if you need access to your music.
    +1 !!!!!!!!!!!

    I found 4,342 mainly insecure worldwide instances with extreme ease
    Players: SliMP3,Squeezebox3 x3,Receiver,SqueezePlayer,PiCorePlayer x3,Wandboard
    Server: LMS Version: 7.9.1 - 1503129892 on Centos 7 VM on ESXi 6.5.0U1 on Dell T320
    Plugins: AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud
    Remotes: iPeng8/Orangesqueeze/PC/Jivelite
    Music: 383GB,1269 albums 17756 songs 4381 artists mostly FLACs

    Want a webapp ? See http://forums.slimdevices.com/showth...Webapp-for-LMS

  4. #4 drmatt (Senior Member, UK, joined Apr 2013, 1,007 posts)
    Wait till they enforce IPv6, then there will be none.
    --
    Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
    Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

  5. #5 Julf (Senior Member, joined Dec 2010, 2,451 posts)
    Quote Originally Posted by drmatt:
    Wait till they enforce IPv6, then there will be none.
    Not sure IPv6 will change anything. Yes, linear scanning of the address space is not feasible, but scanning routing tables is.
    "To try to judge the real from the false will always be hard. In this fast-growing art of 'high fidelity' the quackery will bear a solid gilt edge that will fool many people" - Paul W Klipsch, 1953

  6. #6 drmatt (Senior Member, UK, joined Apr 2013, 1,007 posts)
    Just because no-one knows how IPv6 works..
    --
    Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
    Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

  7. #7 Julf (Senior Member, joined Dec 2010, 2,451 posts)
    Quote Originally Posted by drmatt:
    Just because no-one knows how IPv6 works..
    "To try to judge the real from the false will always be hard. In this fast-growing art of 'high fidelity' the quackery will bear a solid gilt edge that will fool many people" - Paul W Klipsch, 1953

  8. #8 Mnyb (Senior Member, Västerås, Sweden, joined Feb 2006, 16,159 posts)
    Is it possible to limit LMS to the local subnet via programming, but have it working via a correctly set up VPN?

    It seems to be a support issue now :/

    Wonder why some hacker finds this funny?

    It was that thread on the forum where someone actively asked for open IPs and wanted to share? Wonder if that one was a cheapskate or a troll?
    That guy got p*** off when mherger told him exactly how bad this idea is? The sort of guy that could do this?

    More risks: someone can actively listen with your accounts on Spotify and your other services.
    Adds his players to your mysb.com account via LMS; it does that automatically.
    Messes up your stats and scrobbling.
    --------------------------------------------------------------------
    Main hifi: Touch + CIA PS +MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3 sub.
    Bedroom/Office: Boom
    Kitchen: Touch + powered Fostex PM0.4
    Misc use: Radio (with battery)
    iPad1 with iPengHD & SqueezePad
    (spares: Touch, SB3, receiver, controller)
    server HP proliant micro server N36L with ClearOS Linux

    http://people.xiph.org/~xiphmont/demo/neil-young.html

  9. #9 bobertuk (Senior Member, Witham, Essex, UK, joined May 2009, 497 posts)
    Hi Michael,

    Thank you for reminding me. I had forwarded 4 or 5 ports to trial accessing various things on my server remotely. It didn't work the way I wanted so I abandoned the trial but of course forgot to delete the port forwarding. They have been removed now though :-)

    Thank you
    Last edited by bobertuk; 2017-03-24 at 02:18.
    1 x Touch
    1 x Radio
    1 x Boom
    1 x Intel-NUC server/squeezelite running LMS 7.91 on Windows 10
    1 X Odroid-XU4 server/squeezelite running LMS 7.91 on Ubuntu 16.04
    WaveIO USB into Lavry DA-10 DAC
    Starfish Pre-amp : Based on NAIM NAC 72
    Heavily modified NAIM NAP 250 Power-amp
    Behringer DEQ2496
    Linn Isobarik DMS

  10. #10 mherger (Babelfish's Best Boy, Switzerland, joined Apr 2005, 19,779 posts)

    IMPORTANT: Stop forwarding your LMS ports to the internet!

    > Is it possible to limit LMS to the local subnet via programming, but
    > have it working via a correctly set up VPN?

    If using a VPN you should be fine already. If you feel like tinkering,
    check out Settings/Advanced/Security.

    > Wonder why some hacker finds this funny?

    Never picked up the phone book to call a random number as a kid?

    > More risks: someone can actively listen with your accounts on Spotify and
    > your other services.
    > Adds his players to your mysb.com account via LMS; it does that
    > automatically.
    > Messes up your stats and scrobbling.

    Or implement the plugin which will wipe your system. Or encrypt your data.

    --

    Michael
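The allow-list idea behind mherger's pointer to Settings/Advanced/Security and Mnyb's question about keeping LMS on the local subnet while still reaching it over a VPN, as an added example that is not LMS code and not from this thread: a small IPv4 matcher for the comma-separated, per-octet wildcard (`*`) and range (`a-b`) pattern form assumed here for that "allowed IP addresses" field (verify the exact syntax against your own LMS version). The LAN and VPN addresses below are constructed.

```python
import ipaddress

def _octet_matches(pattern, value):
    """Match one dotted-quad field against '*', 'a-b' or a plain number."""
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = (int(p) for p in pattern.split("-", 1))
        return low <= value <= high
    return int(pattern) == value

def host_allowed(client_ip, allowed_hosts):
    """Return True if client_ip matches any entry in allowed_hosts.

    allowed_hosts is a comma-separated string such as
    '127.0.0.1,192.168.1.*,10.8.0.1-50' (assumed LMS-style syntax).
    Only IPv4 is handled; anything else is refused, and a malformed
    entry never matches rather than opening the door by accident.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        return False
    octets = [int(o) for o in str(addr).split(".")]
    for entry in allowed_hosts.split(","):
        fields = entry.strip().split(".")
        if len(fields) != 4:
            continue
        try:
            if all(_octet_matches(f, o) for f, o in zip(fields, octets)):
                return True
        except ValueError:
            continue  # non-numeric field in a pattern: treat as no match
    return False

# Constructed allow-list: loopback, the home LAN and a VPN client pool.
# Public addresses match nothing, which is the whole point of the thread.
ALLOWED = "127.0.0.1,192.168.1.*,10.8.0.1-50"

if __name__ == "__main__":
    for ip in ("192.168.1.20", "10.8.0.5", "10.8.0.200", "203.0.113.7"):
        print(ip, "allowed" if host_allowed(ip, ALLOWED) else "refused")
```

A client arriving through the VPN tunnel carries an address from the VPN pool, so it passes the same check a LAN client does, while a connection from the public internet is refused even if a port forward still exists.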
