Home of the Squeezebox™ & Transporter® network music players.
  1. #61
    Senior Member DJanGo's Avatar
    Join Date
    Sep 2005
    Location
    Germany
    Posts
    2,521
    Quote: Originally posted by mherger
    > Is opening those ports in this way likely to expose me to much risk?

    SSH should be fine if it's well configured and maintained.

    --

    Michael
    mea culpa Michael,

    but that's a little bit too short....

    Remember, under an actual version of Raspbian ssh isn't activated out of the box any more because of security reasons.

    It's not a question of a well configured ssh - it's a matter of strong passwords for users that could access ssh.

    Since I am in charge of the computer stuff in my company and should know some tricks and basics - I can't say ssh from outside is somewhere near safe.

  2. #62
    Babelfish's Best Boy mherger's Avatar
    Join Date
    Apr 2005
    Location
    Switzerland
    Posts
    19,870

    IMPORTANT: Stop forwarding your LMS ports to the internet!

    > Since I am in charge of the computer stuff in my company and should
    > know some tricks and basics - I can't say ssh from outside is somewhere
    > near safe.


    We all appreciate your knowledge. But then, please tell Joe Average what
    safe method there is to access his network from the outside. If ssh
    isn't, then don't even start to type the other three letters starting
    with "V".

    --

    Michael

  3. #63
    Senior Member DJanGo's Avatar
    Join Date
    Sep 2005
    Location
    Germany
    Posts
    2,521
    Quote: Originally posted by mherger
    But then, please tell Joe Average what safe method there is to access his network from the outside.
    If ssh isn't, then don't even start to type the other three letters starting
    with "V".

    --

    Michael
    Hi,

    Whatever Joe uses, it must be somewhere up2date. And it needs some minimal security.

    Using VPN or not is a big difference.
    Cracker Jimboy needs to crack/hack/social-engineer your VPN settings.
    That's a big step for him - unless Joe uses some very old methods for his VPN.
    Simply natting a VPN port to the world is a bad idea - whatever port you're natting, everyone who scans for open ports finds the real service behind that very soon and very easily.

    I don't think any Joe on Linux is using tools like faillock or something else.
    Maybe some are using something like iptables to allow ssh from special IPs only.

    So what do you expect me to do?
    Tell Joe what to do on his 512MB NAS?
    Tell Joe: don't do it unless you really know what you're doing?

  4. #64
    Senior Member DJanGo's Avatar
    Join Date
    Sep 2005
    Location
    Germany
    Posts
    2,521
    since Michael didn't see edits.....

    just a not so old example
    http://www.zdnet.com/article/linux-m...ryptocurrency/

  5. #65
    Senior Member
    Join Date
    Jan 2010
    Location
    Hertfordshire
    Posts
    1,327
    Quote: Originally posted by DJanGo
    since Michael didn't see edits.....

    just a not so old example
    http://www.zdnet.com/article/linux-m...ryptocurrency/
    That does target devices with the default password though. You would normally change it.

    Sent from my SM-G900F using Tapatalk

  6. #66
    Senior Member DJanGo's Avatar
    Join Date
    Sep 2005
    Location
    Germany
    Posts
    2,521
    Quote: Originally posted by slartibartfast
    That does target devices with the default password though. You would normally change it.
    Is You Average Joe?
    How many additional lines are needed to send not the std. password but a phrase from a dictionary?
    The answer is: one additional line of source code.

  7. #67
    Senior Member
    Join Date
    Apr 2013
    Location
    UK
    Posts
    1,097
    Clearly, computers should be licensed only to those who can pass a test... (and device developers should be forced to use the products they produce...)

    Interested to see how the code can distinguish an external request from internal though.


    Transcoded from Matt's brain by Tapatalk
    --
    Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
    Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

  8. #68
    Babelfish's Best Boy mherger's Avatar
    Join Date
    Apr 2005
    Location
    Switzerland
    Posts
    19,870


    > whatever Joe uses it must be somewhere up2date. And needs some minimal
    > security.


    Fully agreed. Up to date and well configured. Then the difference in
    terms of ssh vs. VPN isn't what you think.

    > Using VPN or not is a big difference.


    As is ssh. But again: only if well configured etc. You mention the
    "hacking" of Raspis over ssh which was basically just using the default
    password. That's stupid. But if your VPN is configured the same stupid
    way, then it's no more secure.

    > Cracker Jimboy needs to crack/hack/social-engineer your VPN settings.


    No more than your ssh setup.

    > I don't think any Joe on Linux is using tools like faillock or something
    > else.


    Unless it's configured by default in your OS (which happened to me, and
    I didn't know before being locked out...).

    > So what do you expect me to do?


    Take a break.

    > Tell Joe what to do on his 512MB NAS?
    > Tell Joe: don't do it unless you really know what you're doing?


    Yes.

    --

    Michael

  9. #69
    Babelfish's Best Boy mherger's Avatar
    Join Date
    Apr 2005
    Location
    Switzerland
    Posts
    19,870


    > Clearly, computers should be licensed only to those who can pass a
    > test... (and device developers should be forced to use the products they
    > produce...)


    Ahm... well, at least for the SB I can assure you, I do use it. But
    there clearly are products I've been working on I hardly ever (or never)
    use... And this admittedly is a problem for a dev.

    > Interested to see how the code can distinguish an external request from
    > internal though.


    It's not very sophisticated, and not even fully correct: when a request
    is coming from the network's default gateway, I'm assuming it's coming
    from the outside. I know that this is a rather simplistic approach. But
    I thought I'd push it out this way and see whether people run into
    issues :-). If they do, then at least they can double check their
    network configuration to make sure they really don't open things up.

    And then there's that undocumented pref you can set to disable the check
    in such an exceptional case.

    --

    Michael

  10. #70
    Senior Member Jeff07971's Avatar
    Join Date
    Aug 2011
    Location
    London, England
    Posts
    943
    Quote: Originally posted by mherger
    > Clearly, computers should be licensed only to those who can pass a
    > test... (and device developers should be forced to use the products they
    > produce...)


    Ahm... well, at least for the SB I can assure you, I do use it. But
    there clearly are products I've been working on I hardly ever (or never)
    use... And this admittedly is a problem for a dev.

    > Interested to see how the code can distinguish an external request from
    > internal though.


    It's not very sophisticated, and not even fully correct: when a request
    is coming from the network's default gateway, I'm assuming it's coming
    from the outside. I know that this is a rather simplistic approach. But
    I thought I'd push it out this way and see whether people run into
    issues :-). If they do, then at least they can double check their
    network configuration to make sure they really don't open things up.

    And then there's that undocumented pref you can set to disable the check
    in such an exceptional case.

    --

    Michael
    This unfortunately might be a very common problem as a VPN server is often the GW (Mine is both, IPSEC and SSL)

    EDIT: I take it that blocking must be turned on? My LMS does accept connections from my GW
    Last edited by Jeff07971; 2018-01-12 at 13:51.
    Players: SliMP3,Squeezebox3 x3,Receiver,SqueezeLiteX,PiCorePlayer x3,Wandboard
    Server: LMS Version: Latest Nightly on Centos 7 VM on ESXi 6.5.0U1 on Dell T320
    Plugins: AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud/Spotty/Player Groups
    Remotes: iPeng9/Orangesqueeze/PC/Jivelite/SqueezeLiteX
    Music: 522GB,1660 albums with 23087 songs by 5204 artists mostly FLACs

    Want a webapp ? See http://forums.slimdevices.com/showth...Webapp-for-LMS
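
The gateway heuristic described in #69 and the VPN-on-the-gateway overlap raised in #70, as an added example that is not LMS code and not part of the thread. The route table, addresses and function names are constructed; it assumes the Linux `/proc/net/route` text format on a little-endian host, and the "outside-lan" label is an extra check the posts do not describe.

```python
import ipaddress
import socket
import struct

# Constructed sample in Linux /proc/net/route format (not taken from the thread).
SAMPLE_ROUTES = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
)
RTF_UP, RTF_GATEWAY = 0x1, 0x2

def _hex_to_ip(value):
    # Addresses appear as hex in host byte order (little-endian assumed here).
    return socket.inet_ntoa(struct.pack("<L", int(value, 16)))

def parse_routes(text):
    """Return (default_gateway, [on-link networks]) from route table text."""
    gateway, networks = None, []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8 or not int(f[3], 16) & RTF_UP:
            continue
        dest, gw, mask = _hex_to_ip(f[1]), _hex_to_ip(f[2]), _hex_to_ip(f[7])
        if int(f[3], 16) & RTF_GATEWAY:
            if dest == "0.0.0.0" and mask == "0.0.0.0":
                gateway = ipaddress.ip_address(gw)
        else:
            networks.append(ipaddress.ip_network(f"{dest}/{mask}"))
    return gateway, networks

def classify_peer(peer, gateway, networks):
    """Label the source address of an incoming connection."""
    addr = ipaddress.ip_address(peer)
    if gateway is not None and addr == gateway:
        return "gateway"      # heuristic from #69: assume it came from outside
    if any(addr in net for net in networks):
        return "local"
    return "outside-lan"      # added check, not described in the thread

# Constructed connections: (description, source address the server sees).
SAMPLE_PEERS = [
    ("player on the LAN", "192.168.1.23"),
    ("port forward, router rewrites the source", "192.168.1.1"),
    ("VPN client, VPN server on the gateway masquerades", "192.168.1.1"),
    ("port forward, source address preserved", "203.0.113.7"),
]

def review(peers=SAMPLE_PEERS, routes=SAMPLE_ROUTES):
    gateway, networks = parse_routes(routes)
    return [(desc, classify_peer(ip, gateway, networks)) for desc, ip in peers]
```

`review()` gives the second and third connections the same "gateway" label, which is the ambiguity raised in #70; a forwarded connection whose source address is preserved never matches the gateway address at all.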
