Home of the Squeezebox™ & Transporter® network music players.
  1. #11
    Senior Member Mnyb's Avatar
    Join Date
    Feb 2006
    Location
    Västerås Sweden
    Posts
    16,171
    Quote Originally Posted by mherger View Post
    > Is it possible to limit LMS to the local subnet via programming, but
    > have it working via a correctly set up VPN?


    If using a VPN you should be fine already. If you feel like tinkering,
    check out Settings/Advanced/Security.

    > Wonder why some hacker finds this funny?


    Never picked up the phone book to call a random number as a kid?

    > More risks: someone can actively listen with your accounts on Spotify and
    > your other services.
    > Adds his players to your mysb.com account via LMS, it does that
    > automatically.
    > Mess up your stats and scrobbling.


    Or implement the plugin which will wipe your system. Or encrypt your data.

    --

    Michael
    Oh, on OpenVPN already, just an idea to not make it so easy to just open the ports like apparently >5000 people are doing already?
    If the next upgrade just blocks this and they have to search for info ....

    Ransomware as an LMS plugin

    My LMS machine is only that, another safety measure. It's not running on my daily-use computer, no other personal info on it than the LMS settings, no documents, no mail.
    So I can just delete that VM and reinstall.

    And the NAS that keeps the music files is another VM from the NAS that has my personal backup. So I can delete that one too, but the music share is mounted read-only and no executing of files to the LMS machine.
    Music is backed up on USB drives.
    --------------------------------------------------------------------
    Main hifi: Touch + CIA PS +MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3 sub.
    Bedroom/Office: Boom
    Kitchen: Touch + powered Fostex PM0.4
    Misc use: Radio (with battery)
    iPad1 with iPengHD & SqueezePad
    (spares Touch, SB3, receiver, controller)
    server HP proliant micro server N36L with ClearOS Linux

    http://people.xiph.org/~xiphmont/demo/neil-young.html
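
An added example, not part of the original thread or any poster's own setup: a shell check for the mitigation described in the post above, where the music share is mounted read-only with no execution on the LMS machine. The hosts, mount points and sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Audit a mount table (same layout as /proc/mounts) for the two options the
# post relies on: the music share must be read-only (ro) and non-executable
# (noexec) as seen from the LMS machine.

# Constructed sample mount table; hosts and paths are hypothetical.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
nas:/export/music /mnt/music nfs4 ro,nosuid,nodev,noexec,relatime,vers=4.2 0 0
nas:/export/incoming /mnt/incoming nfs4 rw,relatime,vers=4.2 0 0
EOF
}

# check_share MOUNTPOINT [MOUNTS_FILE]
# Returns 0 if hardened, 1 if an option is missing, 2 if not mounted.
check_share() {
    mp=$1
    table=${2:-/proc/mounts}
    # Fields: device mountpoint fstype options dump pass.
    # The last matching line wins because later mounts shadow earlier ones.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    if [ -z "$opts" ]; then
        echo "$mp: not mounted"
        return 2
    fi
    rc=0
    for want in ro noexec; do
        # Wrap in commas so "ro" cannot match inside "errors=remount-ro".
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mp: missing $want (options: $opts)"; rc=1 ;;
        esac
    done
    if [ "$rc" -eq 0 ]; then
        echo "$mp: ok ($opts)"
    fi
    return "$rc"
}

# Demo on the constructed table: one hardened share, one writable share.
tmp=$(mktemp)
sample_mounts > "$tmp"
check_share /mnt/music "$tmp"
check_share /mnt/incoming "$tmp" || true
rm -f "$tmp"
```

Run without a second argument, `check_share` reads the live `/proc/mounts`, so it can go in a cron job or a service pre-start check on the LMS machine.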

  2. #12
    Senior Member
    Join Date
    Jan 2008
    Posts
    264
    Done. Thanks for the heads-up, Michael.

    Interestingly, over the past few months LMS has randomly stopped, with no info in the logs and only "possible software conflict" in the diagnostics tray.

    Been running and playing on DSTM for three days now without a stoppage. Could this be related?

    Jason

  3. #13
    Senior Member sfraser's Avatar
    Join Date
    Oct 2005
    Posts
    235
    There are some real A-holes out there. I work for a router vendor, and we have a non-firewalled internet access in our lab. From time to time we turn it up for deep packet inspection testing; within 30 seconds of turning it up we get pounded with attacks.
    2 Chan. System
    SB3->Benchmark DAC-1-> Bryston(BP-25,3B)->PMC TB2
    Home Theater System
    SB2-> Bryston(SP1,4B,4B,2B,2B)-> PSB Stratus Goldi
    Basement System
    Duet-> Parasound Preamp (carver M1.0t) ->Klipsch La Scala's
    Bedroom System
    SB2-> Sony BoomBox
    Rear Deck/Patio
    Duet-> Yamaha Receiver-> PSB Mini's,
    Office
    Squeezebox Boom
    Kitchen
    Squeeze Radio
    Ensuite
    Squeeze Radio

  4. #14
    Senior Member
    Join Date
    Aug 2008
    Location
    Norway
    Posts
    338
    At least - if you really wish to have remote access to LMS, add a strong password to log on. This is probably not extremely difficult to hack for someone that knows how. I guess LMS logon exchanges user name+password in clear text?
    Nevertheless, it's better than nothing.
    The downside is that there are several client apps out there that don't support password logon....
    QNAP TS-453Mini 4x3TB RAID5 QTS 4.3.3
    LMS 7.9.0 running in Docker
    Madsonic 6.2 running in Docker
    Plex running in Docker

    QNAP HS-251 2x2TB RAID0, QTS 4.3.3
    Kodi 16.1 Jarvis

    QNAP TS-119 1TB Single, QTS 4.3.3
    Almost Retired

  5. #15
    Senior Member Mnyb's Avatar
    Join Date
    Feb 2006
    Location
    Västerås Sweden
    Posts
    16,171
    Quote Originally Posted by oyvindo View Post
    At least - if you really wish to have remote access to LMS, add a strong password to log on. This is probably not extremely difficult to hack for someone that knows how. I guess LMS logon exchanges user name+password in clear text?
    Nevertheless, it's better than nothing.
    The downside is that there are several client apps out there that don't support password logon....
    Yes, clear text and not hard to hack.

    But social engineering is also a thing; people reuse passwords even if you should not. It's very, very likely that someone uses the same passwords as they always do.

  6. #16
    Senior Member pippin's Avatar
    Join Date
    Oct 2007
    Location
    Berlin
    Posts
    14,202
    And that's an especially bad idea in this case because it's so easy to log the clear-text username and password from LMS...
    ---
    learn more about iPeng, the iPhone and iPad remote for the Squeezebox and
    Logitech UE Smart Radio as well as iPeng Party, the free Party-App,
    at penguinlovesmusic.com
    New: iPeng 9, the Universal App for iPhone, iPad and Apple Watch

  7. #17
    I had that problem, where my music player suddenly went wild in the middle of the night; I had forwarded my LMS ports to the internet. Now I use VPN and no problems at all anymore.
    Shame, it was practical to use LMS on the road that way, but simply too unsafe.

    Absolutely block those ports, this sort of thing does happen!
    LMS 7.9.0 - 1470391720 on Pi2 (Max2play)
    Synology DS-414 NAS
    Squeezebox Touch, Squeezebox Boom, Squeezebox Radio, HifiBerry PicorePlayer
    Schiit - BIFROST AKM 4490 Dac
    Spotify Premium

  8. #18
    Senior Member
    Join Date
    Apr 2013
    Location
    UK
    Posts
    1,034
    I wonder if anyone has searched the darkwebs for LMS attacks..? There are probably "slurp all the music and set some annoying alarms" scripts out there.
    --
    Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
    Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

  9. #19
    Senior Member
    Join Date
    Aug 2008
    Location
    Norway
    Posts
    338
    You don't need a script for that. All you need is the IP.

  10. #20
    Senior Member
    Join Date
    Apr 2013
    Location
    UK
    Posts
    1,034
    You do, you know the control protocol. The script kiddies know nothing, they just run scripts.
