IMPORTANT: Stop forwarding your LMS ports to the internet!

mherger
2017-03-22, 08:12
I do understand that many like to be able to access their music while on the road, at work, away from home. But please do NOT configure your router to forward those ports to the internet. While this is easy to do, it's dangerous. LMS was not designed to be used this way. Any user out there (incl. me and your neighbor's kids you hate so much) could access your LMS and do all kinds of things.


- Set a password on your LMS, actually locking you out of your own music collection.
- Change the skin.
- Blast crazy stupid music at full volume in the middle of the night. And then again five minutes after you turned it off. Repeat.
- Deface your LMS.
- Install the Gallery plugin and have it scan all the folders on all your disks, causing a crash sooner or later.
- Install any plugin they want, including their own development, doing things we don't even know about.


More issues are reported regularly, e.g.

CVE-2017-16567 (https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16567) (https://www.exploit-db.com/exploits/43122/)
CVE-2017-16568 (https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16568) (https://www.exploit-db.com/exploits/43123/)


On systems where LMS is running as root/admin the last one is particularly dangerous. We have evidence of these kinds of "attacks" almost on a daily basis now. See various threads in this forum.

Now you might think "who would be interested in finding my IP address and port used?". Your neighbor's kid. Or some bored soul seeking some kick. Because it's easy. There are search engines that list your computer and port. No need to figure this one out yourself. And then have some fun. NOT!

So please: review your router's settings. Block those ports. Install a VPN if you need access to your music.

pinkdot
2017-03-22, 09:08
Maybe the wiki should be changed accordingly?
http://wiki.slimdevices.com/index.php/Connecting_remotely

Jeff07971
2017-03-22, 16:22
> I do understand that many like to be able to access their music while on the road, at work, away from home. But please do NOT configure your router to forward those ports to the internet. While this is easy to do, it's dangerous. LMS was not designed to be used this way. Any user out there (incl. me and your neighbor's kids you hate so much) could access your LMS and do all kinds of things.
>
> - blast crazy stupid music at full volume in the middle of the night. And then again five minutes after you turned it off. Repeat.
> - install the Gallery plugin and have it scan all the folders on all your disks, causing a crash sooner or later
> - install any plugin they want, including their own development, doing things we don't even know about
>
> On systems where LMS is running as root/admin the last one is particularly dangerous. We have evidence of these kinds of "attacks" almost on a daily basis now. See various threads in this forum.
>
> Now you might think "who would be interested in finding my IP address and port used?". Your neighbor's kid. Or some bored soul seeking some kick. Because it's easy. There are search engines that list your computer and port. No need to figure this one out yourself. And then have some fun. NOT!
>
> So please: review your router's settings. Block those ports. Install a VPN if you need access to your music.

+1 !!!!!!!!!!!

I found 4,342 mainly insecure worldwide instances with extreme ease

drmatt
2017-03-22, 16:23
Wait till they enforce ipv6, then there will be none.

Julf
2017-03-23, 02:04
> Wait till they enforce ipv6, then there will be none.

Not sure IPv6 will change anything. Yes, a linear scanning of the address space is not feasible, but scanning routing tables is.

drmatt
2017-03-23, 04:42
Just because no-one knows how ipv6 works.. :)

Julf
2017-03-23, 04:47
> Just because no-one knows how ipv6 works.. :)

:)

Mnyb
2017-03-24, 01:11
Is it possible to limit LMS to the local subnet via programming, but have it working via a correctly set up VPN?

It seems to be a support issue now :/

Wonder why some hacker finds this funny?

It was that thread on the forum where someone actively asked for open IPs and wanted to share? Wonder if that one was a cheapskate or a troll?
That guy got p*** off when mherger told about exactly how bad this idea is? Sort of guy that can do this?

More risks: someone can actively listen with your accounts on Spotify and your other services.
Adds his players to your mysb.com account via LMS; it does that automatically.
Messes up your stats and scrobbling.

bobertuk
2017-03-24, 01:48
Hi Michael,

Thank you for reminding me. I had forwarded 4 or 5 ports to trial accessing various things on my server remotely. It didn't work the way I wanted so I abandoned the trial but of course forgot to delete the port forwarding. They have been removed now though :-)

Thank you

mherger
2017-03-24, 02:11
> Is it possible to limit LMS to the local subnet via programming , but
> have it working via a correctly setup VPN ?

If using a VPN you should be fine already. If you feel like tinkering,
check out Settings/Advanced/Security.

> Wonder why some hacker finds this funny ?

Never picked up the phone book to call a random number as a kid?

> More risks: someone can actively listen with your accounts on Spotify and
> your other services.
> Adds his players to your mysb.com account via LMS; it does that
> automatically.
> Messes up your stats and scrobbling.

Or implement the plugin which will wipe your system. Or encrypt your data.

--

Michael

Mnyb
2017-03-24, 02:39
> > Is it possible to limit LMS to the local subnet via programming , but
> > have it working via a correctly setup VPN ?
>
> If using a VPN you should be fine already. If you feel like tinkering,
> check out Settings/Advanced/Security.
>
> > Wonder why some hacker finds this funny ?
>
> Never picked up the phone book to call a random number as a kid?
>
> > More risks: someone can actively listen with your accounts on Spotify and
> > your other services.
> > Adds his players to your mysb.com account via LMS; it does that
> > automatically.
> > Messes up your stats and scrobbling.
>
> Or implement the plugin which will wipe your system. Or encrypt your data.
>
> --
>
> Michael

Oh, on OpenVPN already; just an idea to not make it so easy to just open the ports like apparently >5000 people are doing already?
If the next upgrade just blocks this and they have to search for info ....

Ransomware as an LMS plugin :)

My LMS machine is only that, another safety measure. It's not running on my daily use computer; no other personal info on it than the LMS settings, no documents, no mail.
So I can just delete that VM and reinstall.

And the NAS that keeps the music files is another VM from the NAS that has my personal backup. So I can delete that one too, but the music share is mounted read only and no executing of files to the LMS machine..
Music is backed up on USB drives.

doctor_big
2017-03-29, 05:54
Done. Thanks for the heads-up, Michael.

Interestingly, over the past few months LMS has randomly stopped, with no info in the logs and only "possible software conflict" in the diagnostics tray.

Been running and playing on DSTM for three days now without a stoppage. Could this be related?

Jason

sfraser
2017-03-30, 06:42
There are some real A-holes out there. I work for a router vendor, and we have a non-firewalled internet access in our lab. From time to time we turn it up for deep packet inspection testing, and within 30 seconds of turning it up we get pounded with attacks.

oyvindo
2017-04-01, 12:38
At least - if you really wish to have remote access to LMS, add a strong password to log on. This is probably not extremely difficult to hack for someone that knows how. I guess LMS logon exchanges user name + password in clear text?
Nevertheless, it's better than nothing.
The downside is that there are several client apps out there that don't support password logon....

Mnyb
2017-04-01, 12:54
> At least - if you really wish to have remote access to LMS, add a strong password to log on. This is probably not extremely difficult to hack for someone that knows how. I guess LMS logon exchanges user name + password in clear text?
> Nevertheless, it's better than nothing.
> The downside is that there are several client apps out there that don't support password logon....

Yes, clear text and not hard to hack.

But social engineering is also a thing; people reuse passwords even if you should not. It's very very likely that someone uses the same passwords as they always do.

pippin
2017-04-02, 02:48
And that's an especially bad idea in this case because it's so easy to log the clear-text username and password from LMS...

Squeezemenicely
2017-04-02, 03:21
I had that problem, where my music player suddenly went wild in the middle of the night; I had forwarded my LMS ports to the internet. Now I use VPN and no problems at all anymore.
Shame, it was practical to use LMS on the road that way, but simply too unsafe.

Absolutely block those ports, this sort of thing does happen!

drmatt
2017-04-02, 03:43
I wonder if anyone has searched the darkwebs for LMS attacks..? There are probably "slurp all the music and set some annoying alarms" scripts out there.

oyvindo
2017-04-02, 04:40
You don't need a script for that. All you need is the IP.

drmatt
2017-04-02, 08:15
You do, you know the control protocol. The script kiddies know nothing, they just run scripts.

SamS
2017-04-18, 18:41
I've been doing this for years (mainly for iPeng playback), with no ill effects. I was using a strong password. However, reading the recommendations, I just turned it off. Exactly how is a plain-text password compromised in this scenario?

I get the same functionality by installing the Plex iOS app, and my lifetime Plexpass subscription.

Mnyb
2017-04-18, 21:08
> I've been doing this for years (mainly for iPeng playback), with no ill effects. I was using a strong password. However, reading the recommendations, I just turned it off. Exactly how is a plain-text password compromised in this scenario?
>
> I get the same functionality by installing the Plex iOS app, and my lifetime Plexpass subscription.

Exactly as I said, it's sent as plain text from, for example, a browser on your phone to your server. To be intercepted by who knows.
And the security in LMS is not the strongest kind anyhow...

jo-wie
2017-04-25, 13:37
Please do not ALL disable it, I need some bad examples for security awareness trainings. (Sorry, only kidding)


mherger
2017-04-25, 21:59
> Please do not ALL disable it, I need some bad examples for security
> awareness trainings. (Sorry, only kidding)

Are you searching for LMS? Ugh... that's even worse than Squeezebox...

--

Michael

jo-wie
2017-04-25, 22:48
> > Please do not ALL disable it, I need some bad examples for security
> > awareness trainings. (Sorry, only kidding)
>
> Are you searching for LMS? Ugh... that's even worse than Squeezebox...
>
> --
>
> Michael

The interesting point is that I have the feeling that the number was falling over the last months but now is rising again. I was really using it as a bad example for trainings and so I had a look at it several times. But maybe the search engine simply found more because it was scanning further areas.

mherger
2017-04-26, 03:03
> The interesting point is, that I have the feeling that the number was
> falling the last months but now is raising again.

Interesting indeed: I've been monitoring "squeezebox" rather than LMS.
But numbers seemed to grow in the past weeks, and significantly dropped
over the past few days (-15%).

I was wondering how I should handle this situation. These users have a
serious security issue they should know about. But am I allowed to
"hack" their system in order to protect themselves from the bad hacker?

--

Michael

Jeff07971
2017-04-26, 03:26
> > The interesting point is, that I have the feeling that the number was
> > falling the last months but now is rising again.
>
> Interesting indeed: I've been monitoring "squeezebox" rather than LMS.
> But numbers seemed to grow in the past weeks, and significantly dropped
> over the past few days (-15%).
>
> I was wondering how I should handle this situation. These users have a
> serious security issue they should know about. But am I allowed to
> "hack" their system in order to protect themselves from the bad hacker?
>
> --
>
> Michael

I'm afraid the simple answer is NO, it would be extremely unwise !! If you "hacked" (not sure if that's even the right term as these systems are wide open) I'm very sure it would be seen as illegal in many countries.

A large and sticky warning on the home page of the forums would be wiser.

Whilst the situation is quite serious I see nothing that can really be done about it; if the "hacks" are just waking people up at obscene hours hopefully a message in the forums will get more attention.

I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the list of open LMSs, meaning people update (or it is done automatically), so a software change may work to help.
I was thinking that not responding (unless specifically allowed) to the router address (or gateway) may work. That way those that use VPN can turn it on but those who forward ports will have to come to the forum to ask why their forwarding no longer works.

Edit: Nothing much can be done about the 7.7.5's

Jeff

Jeff07971
2017-04-26, 03:36
Hi Michael

Another idea !

Use a list generated by THAT search engine to grab a list of open LMSs and automatically send a command to turn all players on and stream a file from Logitech saying something like "This system is compromised please see article on forum" repeatedly until stopped.

This idea is more aggressive and would need to be run by legal but may have a better effect.

Jeff

Paul Webster
2017-04-26, 05:10
You could change LMS to require a password if the IP address is not local and have a maximum number of password attempts before suspending such access for X hours - and a setting to disable all of this for someone who really insists on taking the risk.
At least those users who have auto-update enabled would have a bit better protection.

mherger
2017-04-26, 05:30
> A large and sticky warning on the home page of the forums would be
> wiser.

Unfortunately only a very small percentage of the SB community is
regularly visiting these forums. Even I wouldn't get to see that message!

> I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the
> list of open LMS's meaning people update (or is done automatically) so a
> software change may work to help.

Interesting. In my list there are far more 7.7.x installations than
7.9.x. And many are really old, like 7.7.2/3.

> Use a list generated by THAT search engine to grab a list of open LMS's
> and automatically sent a command to turn all player on and stream a file
> from Logitech saying something like "This system is compromised please
> see article on forum" repeatedly until stopped.

This is about as far as my "hacking" would go: interact with LMS.

--

Michael

mherger
2017-04-26, 05:31
> You could change LMS to require a password if the IP address is not
> local and have a maximum number of password attempts before suspending
> such access for X hours - and a setting to disable all of this for
> someone who really insists on taking the risk.

I can't change the users' LMS. And as said before: most of those
installation aren't up to date, therefore unlikely to see a change in a
new build.

--

Michael

Jeff07971
2017-04-26, 05:46
> > A large and sticky warning on the home page of the forums would be
> > wiser.
>
> Unfortunately only a very small percentage of the SB community is
> regularly visiting these forums. Even I wouldn't get to see that message!
>
> > I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the
> > list of open LMS's meaning people update (or is done automatically) so a
> > software change may work to help.
>
> Interesting. In my list there are far more 7.7.x installations than
> 7.9.x. And many are really old, like 7.7.2/3.
>
> > Use a list generated by THAT search engine to grab a list of open LMS's
> > and automatically sent a command to turn all player on and stream a file
> > from Logitech saying something like "This system is compromised please
> > see article on forum" repeatedly until stopped.
>
> This is about as far as my "hacking" would go: interact with LMS.
>
> --
>
> Michael

Yes I see your point I make it about 25% are 7.9.0 - 7.9.1 (BTW I searched "logitech media server" or "logitech media server 7.9.0" or "logitech media server 7.9.1")

Still removing 25% would be a start !

Jeff

Paul Webster
2017-04-26, 05:59
> I can't change the users' LMS. And as said before: most of those
> installation aren't up to date, therefore unlikely to see a change in a
> new build.

I wasn't suggesting directly changing their systems - but them receiving updates (if they have automatic update enabled).
If they are very old and not auto-updating then clearly it won't help them.
However, such a change (or even better ones) would help protect those who do install new versions in the future.

drmatt
2017-04-26, 06:12
If you can identify their mysb accounts then you could insert a message on their login banner?

Sent from my ONEPLUS A3003 using Tapatalk

StephenC
2017-05-18, 08:20
I've been running LMS, open to the Internet, for years. Never had an issue (of which I'm aware, anyway). Until a few weeks ago. Bizarre alarms in the middle of the night, across a few different players. Then, 1am yesterday, multiple players firing up at full volume. A couple of these aren't local, and the users were far from impressed.

To avoid the complication of VPN, or passwords (the remote users are very technologically challenged), is the IP filtering within LMS considered 'acceptable'? The remote users are all on semi-static IPs (Virgin Media - IP addresses seem to persist for years, even through router reboots).

Thanks a lot.

Stephen.

mherger
2017-05-18, 09:00
> To avoid the complication of VPN, or passwords (the remote users are
> very technologically challenged), is the IP filtering within LMS
> considered 'acceptable'? The remote users are all on semi-static IPs

TBH: I don't know what IP address your LMS would see in this case. Give
it a try and let us know.

But then I'd really not expose LMS to the internet. I just wouldn't.

--

Michael

drmatt
2017-05-18, 09:12
On Linux I would suggest iptables.

Sent from my ONEPLUS A3003 using Tapatalk

StephenC
2017-05-18, 09:59
> TBH: I don't know what IP address your LMS would see in this case. Give
> it a try and let us know.
>
> But then I'd really not expose LMS to the internet. I just wouldn't.
>
> --
>
> Michael

I used to use this function, and everything worked fine. I changed it only because one user was astonishingly technophobic, whilst at the same time entirely addicted to BBC iPlayer on the Squeezebox. Their solution to pretty much every problem in the house was to switch off the router, and leave it for an hour before turning it on again (I kid you not - even if their Humax DVR had crashed!) It was an ADSL connection, so the IP changed regularly. They no longer use Squeezebox, having switched to a Roberts Stream 93i.

I really would rather not have to implement a VPN client from the remote user ends, but it might come to that.

But, I'll see how things go with the switch to IP whitelisting, and maybe also set up some iptables entries...

Thanks a lot.

Stephen

StephenC
2017-05-18, 11:42
> ... Give it a try and let us know.
> ...

I gave it a try, and all was fine, except...

Spotify Protocol Handler - Booms and SB3s reported 'Bad Player (Error: -1)' when I tried to play Spotify tracks. Touches and Radios were fine.

So, I changed back to 'Do Not Block' (even though the whitelist was correct, and external Radios were fine with Spotify) and then the Booms and SB3s were ok again.

Oddly, once the affected players had successfully played Spotify tracks, re-enabling the 'Block' didn't affect them - they remained working. But, only until a restart of LMS, when they stopped again.

Have now left the setting as 'Do Not Block', and set some iptables rules to achieve the same (probably much better!) security. Here are the ufw commands (I cheated a bit - ufw is much nicer to work with than iptables):


# SSH from anywhere (the poster's choice; not an LMS port)
ufw allow 22/tcp
# LMS web interface (port 9000): the LAN plus the two remote users
ufw allow from 192.168.1.0/24 to any port 9000 proto tcp
ufw allow from 82.27.???.??? to any port 9000 proto tcp
ufw allow from 90.204.???.??? to any port 9000 proto tcp
# Port 9005: same three sources
ufw allow from 192.168.1.0/24 to any port 9005 proto tcp
ufw allow from 90.204.???.??? to any port 9005 proto tcp
ufw allow from 82.27.???.??? to any port 9005 proto tcp
# Player (slimproto) port 3483 is used over both TCP and UDP, hence no proto
ufw allow from 192.168.1.0/24 to any port 3483
ufw allow from 82.27.???.??? to any port 3483
ufw allow from 90.204.???.??? to any port 3483

My LAN is on the 192.168.1.0/24 subnet. If yours differs then you'll need to change it to suit.
The 82.27.???.??? and 90.204.???.??? are the IPs of my remote users.

Hope this helps someone, some time.

Cheers.

Stephen.

Peter Galbavy
2017-05-25, 05:28
At the moment I do have ports 3483 and 9000 open but with a password. However there is still passwordless access available to support older SB units (like the SB3 on my desk at work).

Perhaps one step in the right direction to help those of us who run exposed services would be to add an option to not allow "legacy" password-less access and make that the default on install? Then, if we choose to knowingly connect older hardware we have to make a choice to allow this access?

Hip-Priest
2017-07-17, 03:25
OK - so now that I am completely locked out of LMS, can anyone tell a non-techie how to get into it so that I can disable the password? I am running LMS on a Synology Diskstation, with a SBTouch/iPeng/Macbook as my player. I have closed the relevant ports on my router, but I still get the password screen when I try to log in via my Mac.

mherger
2017-07-19, 23:17
> OK - so now that I am completely locked out of LMS, can any one tell a
> non-techie how to get into it so that I can disable the password? I am
> running LMS on a Synology Diskstation, with a SBTouch as my player. I
> have closed the ports on my router, but I still get the password screen
> when I try to log in via a Mac or iPeng on an iPhone.

You'll have to shut down LMS, and edit its server.prefs file. Where
exactly that file is stored you better ask in a Synology specific
thread. There are prefs for authorize and username. Remove those lines
and restart LMS.

--

Michael

jimzak
2017-07-23, 12:09
Quick somewhat OT question.

Are other music servers such as Younity, Subsonic, Plex also as easily susceptible to attack?

I currently have SB for internal use and Plex for external use.

d6jg
2017-07-23, 12:14
Anything that is open to the internet must be considered a risk.
You need to check the forums for Plex etc. as general advice won't be good enough. My understanding of Subsonic is that it was designed for remote streaming but I'd still check.
The best solution is a VPN (not PPTP) with solid credentials.

Nonreality
2017-10-18, 11:02
> You could change LMS to require a password if the IP address is not local and have a maximum number of password attempts before suspending such access for X hours - and a setting to disable all of this for someone who really insists on taking the risk.
> At least those users who have auto-update enabled would have a bit better protection.

So am I understanding that I should not have auto updates turned on in LMS?

Sent from my SM-G955U using Tapatalk

Paul Webster
2017-10-18, 11:05
> So am I understanding that I should not have auto updates turned on in LMS?

No. The logic was that if an update was made to close the hole in LMS then those with updates enabled would get it.
However, the world is not that simple.

tom6475
2017-11-22, 10:41
Hello

After your warning (this post), I'm quite sure I've properly closed the open ports and also disabled the port forwarding on the internet. But the issue/hack still happens (actually, I can see this happen because I've got huge CPU load during many hours as it was scanning the hard drive).

Is there any log where we could see the hack happens, what's the source IP, and also the used ports ?

Thanks

Thomas

Jeff07971
2017-11-22, 15:20
> Hello
>
> After your warning (this post), I'm quite sure I've properly closed the open ports and also disabled the port forwarding on the internet. But the issue/hack still happens (actually, I can see this happen because I've got huge CPU load during many hours as it was scanning the hard drive).
>
> Is there any log where we could see the hack happens, what's the source IP, and also the used ports ?
>
> Thanks
>
> Thomas

You could turn "INFO" (or higher) level logging on for HTTPD under Settings>Advanced>Logging; you'll end up with big logs to grep through.
Alternatively go to "THAT" website and see if your IP address appears.

drmatt
2017-11-23, 00:04
If you're still being hacked after genuinely disabling the port from internet access that means the hackers are already inside your network... Suggest you look at intrusion detection software.


Transcoded from Matt's brain by Tapatalk

mherger
2017-11-23, 01:51
> After your warning (this post), I'm quite sure I've properly closed the
> open ports and also disable the port forwarding on the internet. But
> issue/ hack stills happen (Actually, I can see this happen because I've
> got huge CPU load during many hours as it was scanning hard drive).

The huge CPU load and potential crashes often were caused by the Picture
Gallery plugin being installed by the intruders. Make sure you remove it
or at least review its settings if you've been using it. It often was
set up to scan all filesystems - causing the high load and crashes.


--

Michael

bambadoo
2017-11-23, 10:21
Another victim here. Couldn't figure out what happened. Crashed occasionally. High CPU spikes and the gallery plugin was installed. Disabled it and it kept coming back..
This was on a Netgear NAS and it scanned through everything.
Also additional repos were configured.
Music library is around 160000 songs (13400 albums - flac) so it is quite big.
Disabled port forwarding, uninstalled everything and installed LMS on 3 different machines.
On win2012, raspberry pi2 and again on the LMS. At least everything works fine internally on my network again. Would love to be able to bring the music to my cellphone again. Used squeezeplay and squeezer app on android.

Before this happened I never had any issues.

Jeff07971
2017-11-23, 10:25
> Another victim here. Couldn't figure out what happened. Crashed occasionally. High CPU spikes and the gallery plugin was installed. Disabled it and it kept coming back..
> This was on a Netgear NAS and it scanned through everything.
> Also additional repos were configured.
> Music library is around 160000 songs (13400 albums - flac) so it is quite big.
> Disabled port forwarding, uninstalled everything and installed LMS on 3 different machines.
> On win2012, raspberry pi2 and again on the LMS. At least everything works fine internally on my network again. Would love to be able to bring the music to my cellphone again. Used squeezeplay and squeezer app on android.
>
> Before this happened I never had any issues.

It sounds like you know what you're doing, so just set up an SSL VPN and use the OpenVPN app on your phone; works great.

bambadoo
2017-12-04, 04:21
Yes, did that.
Had to do it on a new virtual instance of a Linux server install. OpenVPN. Everything works out fine.
Gave up on dd-wrt and the OpenVPN server install there. Made it work but the router became unstable (100% CPU).

Actually a better solution than exposing LMS directly to the internet IMO.

PasTim
2017-12-06, 11:04
I have tested (and occasionally used) LMS remotely on my mobile using an SSH login with a public/private key arrangement, from mobile and DDNS (since my IP changes regularly). To enable this I opened port 9 (for Wake on Wan) and 22 for SSH to my LMS server. I closed the ports after the test.

Is opening those ports in this way likely to expose me to much risk?

mherger
2017-12-06, 22:02
> Is opening those ports in this way likely to expose me to much risk?

SSH should be fine if it's well configured and maintained.

--

Michael

PasTim
2017-12-07, 01:36
> > Is opening those ports in this way likely to expose me to much risk?
>
> SSH should be fine if it's well configured and maintained.
>
> --
>
> Michael

Thanks.

Paul Webster
2018-01-11, 05:41
I see some LMS changes being made to try to improve this (password needed to get to settings from outside).
Of course, it will need people to update their LMS to do it but a good first step.

mherger
2018-01-11, 06:05
> I see some LMS changes being made to try to improve this (password
> needed to get to settings from outside).
> Of course, it will need people to update their LMS to do it but a good
> first step.

That's correct. I was fighting over this myself. But looking at open
systems there obviously are quite a few who do install updates. I might
actually do a release in the near future to push the changes out to
users of the "stable" release, too.

--

Michael

JJZolx
2018-01-11, 23:29
How do you require a password if one hasn't been set in the options?

mherger
2018-01-12, 00:51
> How do you require a password if one hasn't been set in the options?

You can't. In order to get access to the settings from the outside you'd
have to set a password. Otherwise you'd simply get blocked (http status
403 - "forbidden"), no questions asked.

--

Michael

mherger
2018-01-12, 07:03
> Since i am in charge for the computer stuff in my company and should
> know some tricks and basics - i cant say ssh from outside is somewhere
> near safe.

We all appreciate your knowledge. But then, please tell Joe Average what
safe method there is to access his network from the outside. If ssh
isn't, then don't even start to type the other three letters starting
with "V".

--

Michael

slartibartfast
2018-01-12, 09:47
Since Michael didn't see edits.....

Just a not so old example:
http://www.zdnet.com/article/linux-malware-enslaves-raspberry-pi-to-mine-cryptocurrency/

That does target devices with the default password though. You would normally change it.

Sent from my SM-G900F using Tapatalk

drmatt
2018-01-12, 11:54
Clearly, computers should be licensed only to those who can pass a test... (and device developers should be forced to use the products they produce...)

Interested to see how the code can distinguish an external request from internal though.


Transcoded from Matt's brain by Tapatalk

mherger
2018-01-12, 13:09
> whatever Joe uses it must be somewhere up2date. And needs some minimal
> security.

Fully agreed. Up to date and well configured. Then the difference in
terms of ssh vs. VPN aren't what you think.

> Using VPN or not is a big difference.

As is ssh. But again: only if well configured etc. You mention the
"hacking" of Raspis over ssh which was basically just using the default
password. That's stupid. But if your VPN is configured the same stupid
way, then it's no more secure.

> Cracker Jimboy needs to crack/hack/socialengineering your vpn settings.

No more than your ssh setup.

> I dont think any Joe on linux is using tools like faillock or something
> else.

Unless it's configured by default in your OS (which happened to me, and
I didn't know before being locked out...).

> So what do you expect me to do?

Take a break.

> Tell joe what to do on his 512MB NAS
> Tell joe don't do it unless you really know what you're doing?

Yes.

--

Michael

mherger
2018-01-12, 13:16
> Clearly, computers should be licensed only to those who can pass a
> test... (and device developers should be forced to use the products they
> produce...)

Ahm... well, at least for the SB I can assure you, I do use it. But
there clearly are products I've been working on I hardly ever (or never)
use... And this admittedly is a problem for a dev.

> Interested to see how the code can distinguish an external request from
> internal though.

It's not very sophisticated, and not even fully correct: when a request
is coming from the network's default gateway, I'm assuming it's coming
from the outside. I know that this is a rather simplistic approach. But
I thought I'd push it out this way and see whether people run into
issues :-). If they do, then at least they can double check their
network configuration to make sure they really don't open things up.

And then there's that undocumented pref you can set to disable the check
in such an exceptional case.

--

Michael

Jeff07971
2018-01-12, 13:30
> Clearly, computers should be licensed only to those who can pass a
> test... (and device developers should be forced to use the products they
> produce...)

Ahm... well, at least for the SB I can assure you, I do use it. But
there clearly are products I've been working on I hardly ever (or never)
use... And this admittedly is a problem for a dev.

> Interested to see how the code can distinguish an external request from
> internal though.

It's not very sophisticated, and not even fully correct: when a request
is coming from the network's default gateway, I'm assuming it's coming
from the outside. I know that this is a rather simplistic approach. But
I thought I'd push it out this way and see whether people run into
issues :-). If they do, then at least they can double check their
network configuration to make sure they really don't open things up.

And then there's that undocumented pref you can set to disable the check
in such an exceptional case.

--

Michael

This unfortunately might be a very common problem as a VPN server is often the GW (Mine is both, IPSEC and SSL)

EDIT: I take it that blocking must be turned on ? My LMS does accept connections from my GW

PasTim
2018-01-12, 13:38
I'm not sure whether I'm an 'average joe' or not. However, having spent a working lifetime in IT (albeit nothing much to do with security) I suspect not quite (judging by most of my friends). Nonetheless I have found it pretty hard to work out how to do stuff like use ssh, ddns (my IP address changes most nights), open selected ports in the router and so on to make it all work with some semblance of security. I have a public key exchange set up between my mobile and laptop (using ssh) and my music server, and don't allow password access. Being retired I have time to work such things through when I know they must be possible, even when I can't quite get them to work for quite a while :)

As I understand it from some of the previous discussion, something has been added to a recent LMS to require a password to change settings if coming from the router/gateway address. Is that right? If so, which password is that? I have LMS from yesterday installed.

I may never want to do this, but I'd like to know, just in case....

drmatt
2018-01-12, 13:58
> Interested to see how the code can distinguish an external request from
> internal though.

It's not very sophisticated, and not even fully correct: when a request is coming from the network's default gateway, I'm assuming it's coming from the outside. I know that this is a rather simplistic approach. But I thought I'd push it out this way and see whether people run into issues :-). If they do, then at least they can double check their network configuration to make sure they really don't open things up.

And then there's that undocumented pref you can set to disable the check in such an exceptional case.


Ok, figured it might be something like that. Not an easy problem to solve. In this circumstance it would be better to receive a page back that says *why* the request was blocked and where to look to allow it rather than a 403. Anonymise the hell out of the response of course so people can't reasonably guess it's an LMS instance.


Transcoded from Matt's brain by Tapatalk

mherger
2018-01-12, 17:00
> This unfortunately might be a very common problem as a VPN server is
> often the GW (Mine is both, IPSEC and SSL)

I doubt it'll be anywhere near "common". Please let me know if it causes
you a problem.

--

Michael

mherger
2018-01-12, 17:02
> As I understand it from some of the previous discussion, something has
> been added to a recent LMS to require a password to change settings if
> coming from the router/gateway address. Is that right? If so, which
> password is that?

I tried to explain this before... If you have a password set, then
you're all fine. If you haven't, then you won't be able to access the
settings from the outside. LMS won't ask for a password unless you've
set it yourself.

--

Michael

mherger
2018-01-12, 17:03
> Ok, figured it might be something like that. Not an easy problem to
> solve. In this circumstance it would be better to receive a page back
> that says *why* the request was blocked and where to look to allow it
> rather than a 403. Anonymise the hell out of the response of course so
> people can't reasonably guess it's an LMS instance.

That's kind of an oxymoron, isn't it? Tell the user what to do to open
the door, but not tell the attacker what system it is?...

--

Michael

Jeff07971
2018-01-12, 17:32
> This unfortunately might be a very common problem as a VPN server is
> often the GW (Mine is both, IPSEC and SSL)

I doubt it'll be anywhere near "common". Please let me know if it causes
you a problem.

--

Michael

Hi Michael

No, I don't think it'll be a problem for me, my LMS is via an HTTPS (passworded) proxy or by VPN only, so I don't even need to turn the password on.

Thanks anyway

Jeff

drmatt
2018-01-13, 03:07
>That's kind of an oxymoron, isn't it? Tell the user what to do to open the door, but not tell the attacker what system it is?...
Yes, I know. Thought that as I wrote it. But a change to default behaviour really should be documented, and even this is a vast improvement over just being wide open. Even if an attacker knows what's there, if they can't get anything back from it (not even a password prompt) there's little they can do to get into it.


Transcoded from Matt's brain by Tapatalk

PasTim
2018-01-13, 10:48
> As I understand it from some of the previous discussion, something has
> been added to a recent LMS to require a password to change settings if
> coming from the router/gateway address. Is that right? If so, which
> password is that?

I tried to explain this before... If you have a password set, then
you're all fine. If you haven't, then you won't be able to access the
settings from the outside. LMS won't ask for a password unless you've
set it yourself.

--

Michael
I managed to get my remote access working again (a while since I had used it and some bits and bobs have changed). Using SSH (port 22) and public key. With Squeeze Commander I could still change the audio settings of players, even though I have no CLI password set. Is this what you would expect?

Setting a password would be problematic for some of my plugins, like the UPnP bridge.

Paul Webster
2018-01-13, 12:48
I managed to get my remote access working again (a while since I had used it and some bits and bobs have changed). Using SSH (port 22) and public key. With Squeeze Commander I could still change the audio settings of players, even though I have no CLI password set. Is this what you would expect?

What does your LMS system see as your IP address when you connect in via that route?
I don't remember if LMS logs it ... but you could SSH to the LMS server and type
set | grep -i ssh
on a pCP server (and I suspect other Linux platforms) you will see the IP address of this SSH session.

PasTim
2018-01-13, 13:57
What does your LMS system see as your IP address when you connect in via that route?
I don't remember if LMS logs it ... but you could SSH to the LMS server and type
set | grep -i ssh
on a pCP server (and I suspect other Linux platforms) you will see the IP address of this SSH session.
It's an external IP address that I don't recognise - it isn't an internal one, nor the external IP address of my router/gateway.

I have tried looking at the standard web page in the mobile browser, and can still see all the settings and have changed one or two advanced plugin settings.

I'm running Logitech Media Server Version: 7.9.1 - 1515659378 @ Thu Jan 11 09:26:58 UTC 2018

Paul Webster
2018-01-14, 03:34
I'm running Logitech Media Server Version: 7.9.1 - 1515659378 @ Thu Jan 11 09:26:58 UTC 2018
I noticed the changes in the secureSettings branch in github.
I don't think it is in the daily build yet.

PasTim
2018-01-14, 04:59
I noticed the changes in the secureSettings branch in github.
I don't think it is in the daily build yet.
I see. I think I misunderstood 'stable release' to mean beyond the 9.1 beta daily updates, rather than just in github.

JJZolx
2018-01-14, 07:34
> As I understand it from some of the previous discussion, something has
> been added to a recent LMS to require a password to change settings if
> coming from the router/gateway address. Is that right? If so, which
> password is that?

I tried to explain this before... If you have a password set, then
you're all fine. If you haven't, then you won't be able to access the
settings from the outside. LMS won't ask for a password unless you've
set it yourself.

How do you determine that the connection is coming from "outside"? If someone is doing port forwarding in order to make the LMS server available to the internet, wouldn't the connection appear to come from the router on the same subnet?

drmatt
2018-01-14, 07:42
How do you determine that the connection is coming from "outside"? If someone is doing port forwarding in order to make the LMS server available to the internet, wouldn't the connection appear to come from the router on the same subnet?I think you answered your own question, read back up the thread.


Transcoded from Matt's brain by Tapatalk

JJZolx
2018-01-14, 07:45
Ok, I see it. Thanks.

Paul Webster
2018-01-14, 08:14
I noticed the changes in the secureSettings branch in github.
I don't think it is in the daily build yet.

Correction - I see it was merged into 7.9 branch 5 days ago.
https://github.com/Logitech/slimserver/tree/public/7.9/Slim/Plugin/CLI

Try turning on Info level logging in "(plugin.cli) - Command Line Interface (CLI)"

If you have access to the source code then check
Slim/Plugin/CLI/Plugin.pm
to see if it contains


    if ( !Slim::Utils::Network::ip_is_localhost($tmpaddr)
        && $prefsServer->get('protectSettings') && !$prefsServer->get('authorize')
        && Slim::Utils::Network::ip_is_gateway($tmpaddr)
    ) {
        $log->error("Access to CLI is restricted to the local network or localhost: $tmpaddr");
        $cli_socket->close;
    }
    elsif (!($prefsServer->get('filterHosts')) || (Slim::Utils::Network::isAllowedHost($tmpaddr))) {

PasTim
2018-01-14, 08:47
Correction - I see it was merged into 7.9 branch 5 days ago.
https://github.com/Logitech/slimserver/tree/public/7.9/Slim/Plugin/CLI

Try turning on Info level logging in "(plugin.cli) - Command Line Interface (CLI)"

If you have access to the source code then check
Slim/Plugin/CLI/Plugin.pm
to see if it contains


    if ( !Slim::Utils::Network::ip_is_localhost($tmpaddr)
        && $prefsServer->get('protectSettings') && !$prefsServer->get('authorize')
        && Slim::Utils::Network::ip_is_gateway($tmpaddr)
    ) {
        $log->error("Access to CLI is restricted to the local network or localhost: $tmpaddr");
        $cli_socket->close;
    }
    elsif (!($prefsServer->get('filterHosts')) || (Slim::Utils::Network::isAllowedHost($tmpaddr))) {

Yes, I have that code. In my server.prefs 'protectSettings' is set to 1. I don't know how the ip_is_gateway works, but since the IP I see for ssh is certainly not for my gateway maybe that's why it doesn't get trapped on my system (which has no password set).

Paul Webster
2018-01-14, 09:02
Yes, I have that code. In my server.prefs 'protectSettings' is set to 1. I don't know how the ip_is_gateway works, but since the IP I see for ssh is certainly not for my gateway maybe that's why it doesn't get trapped on my system (which has no password set).

Try increasing the log level for the module I referred to above.
I think it will log both success and failure with the IP address.

PasTim
2018-01-14, 10:29
Try increasing the log level for the module I referred to above.
I think it will log both success and failure with the IP address.
I got no report at all with the plugin.cli info settings.

Maybe I have misunderstood something (wouldn't be the first time!), so I had better be more precise about what I'm doing.

I am connecting via my mobile, using a data connection, not wifi. I use an app called ConnectBot to connect with SSH to LMS via a netgear DDNS service to my router which has port 22 open. I have a public key shared between my mobile and the music server. ConnectBot has the ability to listen to local ports on the mobile and forward on the requests to my music server.

So a local port 9000 is set up in ConnectBot to route to my home-server-ip-address:9000. I can connect mobile LMS tools (eg Squeeze Commander and Squeeze Player), or just my web browser connecting to http://localhost:9000. Using the browser, I can look at LMS settings and change some (stopping and restarting the UPnP bridge for instance).

I know almost nothing about the internals of LMS or its CLI. Does using a web browser go via CLI and hence get checked when accessing Settings?

paul-
2018-01-14, 10:42
I don't know how the ip_is_gateway works, but since the IP I see for ssh is certainly not for my gateway maybe that's why it doesn't get trapped on my system (which has no password set).

He is simply using the LMS server's routing table to find the gateway address.

If I read the Perl correctly (there is a good chance that I am not):

Allowed Addresses
IP address of the server itself
127.0.0.1
Any Address in the List of permitted IP addresses defined on the Security page.

Not Allowed Addresses
Gateway address of the LMS server.


However, the gateway is only a hop point. Even in a DNAT network, if you allow an external device through the firewall, it will not have the gateways address.
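To make the decision order concrete, here is an added Python model of the check shown in the Perl excerpt above; it is not slimserver code, and the function names, the '*' pattern handling for allowed hosts and the sample addresses are my assumptions. It also includes, as an option, the stricter rule of treating any non-private source address as outside, which is what separates a router that rewrites the source to its own address from one that forwards the external address unchanged.

```python
"""Added model of the LMS settings-access check discussed in this thread.

Not slimserver code: the names, the '*' pattern handling and the sample
addresses are assumptions. Decision order follows the quoted Perl excerpt:
localhost always passes; the gateway address is refused while protectSettings
is on and no password ('authorize') is set; then the optional allowed-hosts
filter applies.
"""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges used by the optional "non-local" rule (my addition)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class ServerPrefs:
    server_ip: str
    gateway_ip: str                   # taken from the server's routing table
    protect_settings: bool = True
    authorize: bool = False           # True once an LMS username/password is set
    filter_hosts: bool = False
    allowed_hosts: list = field(default_factory=list)  # e.g. ["192.168.1.*"]


def ip_is_localhost(addr, prefs):
    """Loopback or the server's own address."""
    return ipaddress.ip_address(addr).is_loopback or addr == prefs.server_ip


def ip_is_gateway(addr, prefs):
    return addr == prefs.gateway_ip


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def is_allowed_host(addr, patterns):
    """Exact match, or prefix match for patterns ending in '*' (assumed syntax)."""
    for pat in patterns:
        if pat.endswith("*"):
            if addr.startswith(pat[:-1]):
                return True
        elif addr == pat:
            return True
    return False


def check_settings_access(addr, prefs, reject_public=False):
    """Return (allowed, reason) for a settings/CLI request from addr.

    reject_public=True adds the stricter rule: any non-RFC1918 source is
    treated as outside, which also catches routers that forward the external
    address unchanged instead of rewriting it to the gateway address.
    """
    if ip_is_localhost(addr, prefs):
        return True, "localhost"
    if prefs.protect_settings and not prefs.authorize:
        if ip_is_gateway(addr, prefs):
            return False, "request from gateway, no password set"
        if reject_public and not is_private(addr):
            return False, "request from public address, no password set"
    if not prefs.filter_hosts or is_allowed_host(addr, prefs.allowed_hosts):
        return True, "local network"
    return False, "not in allowed hosts"


def demo():
    """Walk through the cases raised in the thread; returns {case: allowed}."""
    prefs = ServerPrefs(server_ip="192.168.1.10", gateway_ip="192.168.1.1")
    results = {
        "loopback": check_settings_access("127.0.0.1", prefs)[0],
        "lan client": check_settings_access("192.168.1.42", prefs)[0],
        # NAT/routing-mode router: the forwarded request carries the gateway address
        "forwarded via gateway": check_settings_access("192.168.1.1", prefs)[0],
        # transparent forwarding: the request carries the external address and
        # slips past the gateway-only rule (203.0.113.5 is a constructed address)
        "forwarded, external addr": check_settings_access("203.0.113.5", prefs)[0],
        "forwarded, external addr, strict": check_settings_access(
            "203.0.113.5", prefs, reject_public=True)[0],
    }
    # With a password set, the gateway rule no longer applies
    with_pw = ServerPrefs(server_ip="192.168.1.10", gateway_ip="192.168.1.1",
                          authorize=True)
    results["gateway, password set"] = check_settings_access("192.168.1.1", with_pw)[0]
    # Explicit allowed-hosts list, as discussed in the thread
    filtered = ServerPrefs(server_ip="192.168.1.10", gateway_ip="192.168.1.1",
                           filter_hosts=True,
                           allowed_hosts=["192.168.1.2", "192.168.1.7"])
    results["filtered, listed"] = check_settings_access("192.168.1.7", filtered)[0]
    results["filtered, not listed"] = check_settings_access("192.168.1.42", filtered)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:35} {'allowed' if ok else 'blocked'}")
```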

mherger
2018-01-14, 13:48
> I got no report at all with the plugin.cli info settings.

plugin.cli is only used by the CLI itself. But network.http=info would
be more helpful.

> So a local port 9000 is set up in ConnectBot to route to my
> home-server-ip-address:9000.

That's a use case I haven't tested yet. Will do. Could you please enable
logging as mentioned above, then see what IP address LMS is seeing? Also
what is your gateway's IP, and your server's?

--

Michael

mherger
2018-01-14, 13:53
> However, the gateway is only a hop point. Even in a DNAT network, if
> you allow an external device through the firewall, it will not have the
> gateways address.

I guess that most systems which currently are systematically attacked
simply forward port 900x on their router to LMS. In this case the
incoming IP address would be the gateway's.

I know the current code is far from perfect. But it certainly covers
many of the cases I've seen so far. I do know there are already
installations out there which take advantage of this slightly improved
default behaviour.

Please note that I did NOT implement this to make publishing your LMS to
the world more safe. I'm still saying: don't do it. But I know that many
users did it out of some need, or ignorance. And many of them are not
aware of the problem. In these cases new LMS at least does provide a
minimum more protection than before.

--

Michael

PasTim
2018-01-14, 14:14
> I go no report at all with the plugin.cli info settings.

plugin.cli is only used by the CLI itself. But network.http=info would
be more helpful.

> So a local port 9000 is set up in ConnectBot to route to my
> home-server-ip-address:9000.

That's a use case I haven't tested yet. Will do. Could you please enable
logging as mentioned above, then see what IP address LMS is seeing? Also
what is your gateway's IP, and your server's?

--

Michael
I turned that info on, and looked at "HTTP request: from " lines. I got them from my desktop (...2), my Touch (...7), and the music server itself (...10) when I connected from my mobile. I can see nothing from my gateway (I searched for it).

I therefore surmise that the SSH server is sending from the music server's own IP address to the same address.

If you need bits of the log I could pm them (tomorrow) rather than attach them here (being paranoid, I know....).

paul-
2018-01-14, 17:00
> I guess that most systems which currently are systematically attacked
> simply forward port 900x on their router to LMS. In this case the
> incoming IP address would be the gateway's.


Not that I do this, but I opened up the ports to do some testing. On my netgear router, when it lets the traffic in, the connection at the server is shown as whatever the external device address.

mherger
2018-01-14, 22:45
> mea culpa i just forget the NAT/Routing Mode from some devices....
>
> There is the transparent Mode and the NAT/Routing Mode thats the one
> Michael is using. That Mode really translates the external IP from
> sender/receiver to the router.....

Oh, good point. Thanks for the hint. I did have a check for non-local
addresses in that code at some point. Should have left it in.

--

Michael

mherger
2018-01-15, 00:29
> I therefore surmise that the SSH server is sending from the music
> server's own IP address to the same address.

Hmm... it depends on how your tool is setting up the tunnel. But when I
ssh into my box and forward requests to the internal IP of the LMS
machine, then LMS does see the IP address of the SSH server. If that was
the router itself (which I doubt), then LMS would see the gateway
address. If the router forwarded SSH to some other box, then LMS would
see that other box's IP address.

--

Michael

PasTim
2018-01-15, 01:16
> I therefore surmise that the SSH server is sending from the music
> server's own IP address to the same address.

Hmm... it depends on how your tool is setting up the tunnel. But when I
ssh into my box and forward requests to the internal IP of the LMS
machine, then LMS does see the IP address of the SSH server. If that was
the router itself (which I doubt), then LMS would see the gateway
address. If the router forwarded SSH to some other box, then LMS would
see that other box's IP address.

--

Michael
My router is forwarding all incoming on port 22 to the music server where there is an SSH server, so that matches what you say.

mherger
2018-01-16, 02:43
> mea culpa i just forget the NAT/Routing Mode from some devices....
>
> There is the transparent Mode and the NAT/Routing Mode thats the one
> Michael is using. That Mode really translates the external IP from
> sender/receiver to the router.....

Both modes now should be covered.

--

Michael

Paul Webster
2018-01-16, 03:58
I have not updated my LMS yet but I thought I'd try connecting via a VPN to see what happens.
I installed OpenVPN on a Pi (not the one running LMS) and used port forwarding on intermediate routers to get the traffic from an iOS device using iPeng through the VPN server to the LMS server ... and it worked.
LMS logs show that it saw the IP address of the connection as being the VPN server.
So I think that when I update LMS this will still work without me needing to set a password on LMS.

I know that my LMS is not reachable from outside except through this VPN so this is good for me.

PasTim
2018-01-16, 05:22
Notwithstanding the recent LMS security improvements, I assume that explicitly specifying each of the local IP addresses that might use LMS in the 'Allowed' list, and not including the router, will achieve much the same effect, so I don't need to use the CLI password. If an SSH or VPN server is on the home network that could be explicitly included or excluded as required.

PasTim
2018-01-16, 08:46
Hi,

sounds like a "clever" idea but....

1)
Who should change that setting?

The Installer/updater on a clean install -> yes
The Installer/updater on a update install -> ????
The Installer/updater on a update install where allowedHosts: 127.*, not in the Server.prefs-> yes

2)
Remember the guys we are talking about are "clever" - when Michael changes these settings for them -> They can't use LMS from outside (and these clever guys are stupid enough to change that setting back to something they think of)

IMHO Michael had the "better" idea with "LMS is available from everywhere but the settings are only from internal except Gateway...."
I'm not trying to be clever or better, just trying to understand my options. I'm the only (valid) user. Why would I need to change a setting on an update?

I don't really understand what or who you mean about the "clever" guys (and presumably gals) and Michael changing settings for them, but it doesn't matter.

d6jg
2018-01-16, 09:46
> This unfortunately might be a very common problem as a VPN server is
> often the GW (Mine is both, IPSEC and SSL)

I doubt it'll be anywhere near "common". Please let me know if it causes
you a problem.

--

Michael

My gateway is also my VPN server. It may be more common than you think.

mherger
2018-01-16, 10:47
> My gateway is also my VPN server. It may be more common than you think.

Are you saying you're facing any issue due to these recent changes?

I said it wasn't common because I doubt there are many LMS users using a
VPN. That simple. And in a VPN situation you would dial in to the
router, but AFAIK the client would receive its own IP address from
through the VPN. In that case LMS would not see the gateway's address
but the one of the remote client.

--

Michael

Jeff07971
2018-01-16, 11:13
> My gateway is also my VPN server. It may be more common than you think.

Are you saying you're facing any issue due to these recent changes?

I said it wasn't common because I doubt there are many LMS users using a
VPN. That simple. And in a VPN situation you would dial in to the
router, but AFAIK the client would receive its own IP address from
through the VPN. In that case LMS would not see the gateway's address
but the one of the remote client.

--

Michael


I don't think d6jg will have a problem, I think he uses the same system as I.
I tried accessing via both IPSEC and SSL (To iPhone with iPeng ) and had no problems playing etc though I have not tried "settings"
I could not work out how to see the accessing IP in the log ( I tried Plugin:cli @ info level logging ) though.

Jeff

Paul Webster
2018-01-16, 11:27
I could not work out how to see the accessing IP in the log ( I tried Plugin:cli @ info level logging ) though.

Jeff
Turn on the http logging that mherger referred to. I saw it in there earlier today.

Jeff07971
2018-01-16, 11:33
Turn on the http logging that mherger referred to. I saw it in there earlier today.

Thanks for that, Yes I can confirm that the accessing IP address is that assigned by the VPN to the remote device (In my case this is NATted to a fixed IP)

d6jg
2018-01-16, 11:48
I don't think d6jg will have a problem, I think he uses the same system as I.
I tried accessing via both IPSEC and SSL (To iPhone with iPeng ) and had no problems playing etc though I have not tried "settings"
I could not work out how to see the accessing IP in the log ( I tried Plugin:cli @ info level logging ) though.

Jeff

Jeff is correct. I have no problem because I use high end kit.
I was just saying that router & vpn is actually more common than you would think.
DJanGo - I am more than familiar with DMZ and public IP assignment thank you.


Sent from my iPhone using Tapatalk

d6jg
2018-01-16, 11:53
> My gateway is also my VPN server. It may be more common than you think.

Are you saying you're facing any issue due to these recent changes?

I said it wasn't common because I doubt there are many LMS users using a
VPN. That simple. And in a VPN situation you would dial in to the
router, but AFAIK the client would receive its own IP address from
through the VPN. In that case LMS would not see the gateway's address
but the one of the remote client.

--

Michael

No issues Michael. I use site to site IPSEC and SSL client VPNs via Draytek Vigor router that is also a VPN server.
I was simply saying that router & vpn on the same device may be a little more common than you might think.


Sent from my iPhone using Tapatalk

Mnyb
2018-01-16, 13:15
No issues Michael. I use site to site IPSEC and SSL client VPNs via Draytek Vigor router that is also a VPN server.
I was simply saying that router & vpn on the same device may be a little more common than you might think.


Sent from my iPhone using Tapatalk

Yes, my Linksys router has OpenVPN built in, and that's what I'm using. The WRT1900AC is quite common?

But I'm out on site work, will test later if it still works for me.

PasTim
2018-01-16, 13:17
@Tim:
The "clever" People are the People that causes Michael to open this Thread and thinks about a "solution" or minimize the worst case szenario.

AFAIK Michael wants a solution so that the settings of LMS (even when the LMS server IP & ports are forwarded to the Internet) are "safer" than now.

Your idea (completely disable the access except for "known" IPs) sounds clever and might be a better solution, but (the people we are talking about) would redo these changes (if Michael would add them in a next version) because that would stop these people from accessing their LMS from all over the world.

Since setting up a VPN isn't that easy/simple and we're dealing with lots of different devices and use cases..
OK - thanks.
Never having set up a VPN I think that for solo usage like mine, SSH using public keys seems to be the simplest solution that should be reasonably secure.

ian_heys
2018-01-17, 01:05
I have been using my Synology NAS, which sits behind my cable TV router, as a VPN Server for connections to my LAN from remote locations.

The only use I have for this is for using LMS/Player combinations, usually but not exclusively on my Android Phone, on the rare occasions that I am away from home.

The only port that is open on my router is that which is required by the Synology NAS VPN plugin and this port is forwarded by my cable TV router.

I have been following, but not fully understanding this thread, for quite a while and thought I'd better ask the question.

I'm not sure I'm up to setting up and understanding all the logging that is needed to examine this issue and it wouldn't be too much of a wrench for me to simply stop doing this as I must admit my use is rather more experimental than useful.

My only significant discovery has been that my free hospital wifi blocks the Synology VPN port and I have to revert to a 4G phone connection which can be expensive if used for any significant time.

mherger
2018-01-17, 03:52
> I have been following, but not fully understanding this thread, for
> quite a while and thought I'd better ask the question.

I think if you're using VPN to access your LMS at home, then you're on
the safe side. Nothing to log or investigate.

--

Michael

ian_heys
2018-01-17, 05:12
> I think if you're using VPN to access your LMS at home, then you're on
> the safe side. Nothing to log or investigate.

--

Michael

Thanks Michael.

Pommes
2018-02-24, 15:01
Hi,
after opening the ports today I found this thread.
Now I set up OpenVPN and it works fine, only one issue:
In iPeng I set the Audio Bitrate for cellular to 192kbit and for WiFi to unlimited .
Unfortunately this doesn't work with OpenVPN. All music is transcoded to 192 when connected to OpenVPN.
When using port forwarding instead it works fine, untranscoded flac when connected to WiFi, transcoded to 192 when cellular.
Does Anybody have a hint for me?
Thanks
Pommes

epoch1970
2018-02-25, 07:11
Open VPN only seen as cellular
Even when connected via wifi to a hotspot?
(or with an alternate ovpn config that specifies the "remote" address as the router OVPN server LAN address, eg 192.168.1.1 instead of 77.16.32.250)

If from within your own (wifi) LAN the iPhone can't reach the public address of your OVPN gateway (due to the 'hairpin' routing problem), I suspect it would send that traffic to cellular which is an external network.

Pommes
2018-02-27, 10:12
Even when connected via wifi to a hotspot?
(or with an alternate ovpn config that specifies the "remote" address as the router OVPN server LAN address, eg 192.168.1.1 instead of 77.16.32.250)

If from within your own (wifi) LAN the iPhone can't reach the public address of your OVPN gateway (due to the 'hairpin' routing problem), I suspect it would send that traffic to cellular which is an external network.

I tested again:
When I connect my iPhone from remote to my LMS at home via openvpn, it connects as cellular, both on WiFi and 4g/lte
When I connect my iPhone from remote to my LMS at home via public ip/ open ports, it connects as WiFi, both on WiFi and 4g/lte
That's both fine with me, I just thought that iPeng would check the connection on my phone.
But:
When connecting via openvpn, all my iPads,Mac, iPhones work well, but my old windows7 squeezeplay laptop buffers every few seconds.
When connecting via public ip/ open ports the windows squeezeplay works fine, as all other devices.

So I would rather keep connecting via public ip/ open ports.
I have put a user/password into LMS, so do you really think it's a huge security problem with the open ports???
Please let me know what you honestly think of the security risks.
Thanks
Pommes

mherger
2018-02-27, 11:33
I have put a user/password into LMS, so do you really think it's a huge security problem with the open ports???
Please let me know what you honestly think of the security risks.

There's no known, major issue yet. But LMS has not been developed with security in mind. A lot has been added to lower the risks. But I wouldn't be surprised if there were major issues we don't know yet.

Pommes
2018-02-27, 11:49
There's no known, major issue yet. But LMS has not been developed with security in mind. A lot has been added to lower the risks. But I wouldn't be surprised if there were major issues we don't know yet.
Thank you Michael,
I think I will leave the ports open for now. It is just working much better than with OpenVPN and more convenient.
The server is actually only serving audio and video files. The audio gets backed up every week, I don't care about losing the video.
Pommes

epoch1970
2018-02-27, 12:16
(I don't understand your connection test report. Anyways.)

When connecting via openvpn, all my iPads,Mac, iPhones work well, but my old windows7 squeezeplay laptop buffers every few seconds.
Are you using a UDP tunnel or a TCP tunnel for OpenVPN? I would think UDP works much better.
There seems to be a Win7-specific OVPN issue with network buffer sizes: https://community.openvpn.net/openvpn/ticket/640
According to bug report, setting this in the Win7 client config file:
sndbuf 131072
rcvbuf 131072
or having this in the corresponding ccd on the server side:
push "sndbuf 131072"
push "rcvbuf 131072"
could solve the issue you see with Win7.

Pommes
2018-02-27, 13:21
(I don't understand your connection test report. Anyways.)

Are you using a UDP tunnel or a TCP tunnel for OpenVPN? I would think UDP works much better.
There seems to be a Win7-specific OVPN issue with network buffer sizes: https://community.openvpn.net/openvpn/ticket/640
According to bug report, setting this in the Win7 client config file:
sndbuf 131072
rcvbuf 131072
or having this in the corresponding ccd on the server side:
push "sndbuf 131072"
push "rcvbuf 131072"
could solve the issue you see with Win7.
Sorry, but I don't understand that.
I am just a user with no programming nor Linux skills.
My router runs the OpenVPN server and I just imported the ovpn file into open vpn GUI on windows 7.
The tunnel is udp and runs fine on Mac, iPad and iPhone

epoch1970
2018-02-28, 01:44
In other words, try to add
sndbuf 131072
rcvbuf 131072 in the OpenVPN configuration file of the Win7 machine and see if squeezelite works better.

d6jg
2018-02-28, 02:03
I tested again:
When I connect my iPhone from remote to my LMS at home via openvpn, it connects as cellular, both on WiFi and 4g/lte
When I connect my iPhone from remote to my LMS at home via public ip/ open ports, it connects as WiFi, both on WiFi and 4g/lte
That's both fine with me, I just thought that iPeng would check the connection on my phone.
But:
When connecting via openvpn, all my iPads,Mac, iPhones work well, but my old windows7 squeezeplay laptop buffers every few seconds.
When connecting via public ip/ open ports the windows squeezeplay works fine, as all other devices.

So I would rather keep connecting via public ip/ open ports.
I have put a user/password into LMS, so do you really think it's a huge security problem with the open ports???
Please let me know what you honestly think of the security risks.
Thanks
Pommes

Open ports are dangerous. If you can see them externally then so will others (and they will look).
You will need to ask Pippin about why iPeng sees the openvpn connection as cellular and not wifi when it is wifi but it could be to do with the outgoing public IP that is detected i.e. if it isn't public then perhaps iPeng assumes it to be cellular. I use an SSL VPN connection on my iPhone and that seems to work correctly.

Pommes
2018-02-28, 03:31
In other words, try to add
sndbuf 131072
rcvbuf 131072
in the OpenVPN configuration file of the Win7 machine and see if squeezelite works better.
I edited my ovpn file on Windows, squeezeplay is still not able to play FLAC without buffering every few seconds.
I stream from my satellite receiver via OpenVPN, and this does work a lot better after I edited the ovpn file the way you asked, so thanks for that.
But for streaming FLAC with squeezeplay I will use the open ports.

epoch1970
2018-02-28, 03:45
I edited my ovpn file on Windows, squeezeplay is still not able to play FLAC without buffering every few seconds.
Mhh. FLAC or WAV take a lot of bandwidth, probably the tunnel can't keep up.
I have used bridged OpenVPN tunnels from time to time, everything is fine for mp3/AAC/near CD-quality stuff but for hi-def or lossless I've seen issues.
The server side uses its upload link to send the data, with asymmetric connections (small upload/large download bandwidths) you get a bottleneck there.

You can try adding
fast-io
passtos
comp-lzo no
to your configs (all clients and server). It might help but probably not. The first 2 options are related to network QoS and are not portable, your linux server will probably be happy to comply but the Win machine I don't know. Use the subset that works on both sides.
NOTE: If an option is not supported the OpenVPN process may fail. Don't change these options over the tunnel...
The last option says to disable compression. You're sending binary data, there is nothing to compress there, so by default OpenVPN will just spend a bit of time trying to compress data before changing its mind. Just disable it.
(In openvpn 2.4 there is a new "compress <algo>" option. The way to say "compress no" is to remove/comment the option.)

Pommes
2018-02-28, 03:48
Mhh. FLAC or WAV take a lot of bandwidth, probably the tunnel can't keep up.
I have used bridged OpenVPN tunnels from time to time, everything is fine for mp3/AAC/CD-quality stuff but for hi-def or hi-quality I've seen issues.
The server side uses its upload link to send the data, with asymmetric connections (small upload/large download bandwidths) you get a bottleneck there.
High definition playback does work via open ports on Windows though, on iPad and iPhone both OpenVPN and open ports. And the video I stream from my satellite receiver via OpenVPN to the Windows laptop is about 10 times higher bit rate than FLAC from LMS. So it must be some kind of issue between squeezeplay and OpenVPN on Windows which makes the bottleneck.

epoch1970
2018-02-28, 04:13
So it must be some kind of issue between squeezeplay and OpenVPN on Windows which makes the bottleneck.
Right. Past the 3 openvpn options I've described just above, I don't know what to do next.
I suppose the idea could be to increase buffering in the player, but I'm not sure how to do that properly with squeezelite (?).
Also take a look at your LMS settings for players, perhaps the preferences for that Win squeezelite are not set the same way as the others.

Pommes
2018-02-28, 04:46
Right. Past the 3 openvpn options I've described just above, I don't know what to do next.
I suppose the idea could be to increase buffering in the player, but I'm not sure how to do that properly with squeezelite (?).
Also take a look at your LMS settings for players, perhaps the preferences for that Win squeezelite are not set the same way as the others.
Don't worry, I will just use the open ports for squeezeplay. It is working fine with the open ports. But the modification of the ovpn conf which you told me to do definitely increased the streaming ability via OpenVPN for my video from the satellite receiver, so thanks again.

drmatt
2018-02-28, 05:56
Personally I would kill the idea of streaming flac to mobile devices and just bandwidth limit the client in LMS. 320kb MP3 is undoubtedly good enough when out and about. I would guess the limitation is insufficient pre buffering, whereas internet video players would be more aware of the requirements for this.

Flac is as you say about 900kbit, maybe just over 1mbit so shouldn't really be a big issue. Note that HD video can be streamed in about 1.8mbit and still be bearable. Probably less, but still more than a flac stream.



Transcoded from Matt's brain by Tapatalk

Pommes
2018-02-28, 07:03
Personally I would kill the idea of streaming flac to mobile devices and just bandwidth limit the client in LMS. 320kb MP3 is undoubtedly good enough when out and about. I would guess the limitation is insufficient pre buffering, whereas internet video players would be more aware of the requirements for this.

Flac is as you say about 900kbit, maybe just over 1mbit so shouldn't really be a big issue. Note that HD video can be streamed in about 1.8mbit and still be bearable. Probably less, but still more than a flac stream.



Transcoded from Matt's brain by Tapatalk
For mobile use on iPhone I use a transcoded stream of 192kbit.
For remote use with a laptop connected to high-end gear or good headphones I rather use FLAC. It's just around 800kbit.
The videos I stream from my sat receiver use a bandwidth of 8-14mbit!
No issue so far, even with OpenVPN. As I said: only the Win7 squeezeplay when used via OpenVPN doesn't do, but streams FLAC when not using OpenVPN.

Grumpy Bob
2018-02-28, 07:06
I gave up on remotely accessing my LMS after I inadvertently left the ports open when the vpn no longer worked. I had some clown playing stuff on my system. Nowadays I have a backup on a wifi enabled WD Passport drive that runs its own copy of LMS. I use that to play locally to mobile devices or a Raspberry Pi.

Robert

Pommes
2018-02-28, 07:14
I gave up on remotely accessing my LMS after I inadvertently left the ports open when the vpn no longer worked. I had some clown playing stuff on my system. Nowadays I have a backup on a wifi enabled WD Passport drive that runs its own copy of LMS. I use that to play locally to mobile devices or a Raspberry Pi.

Robert
Well, that sucks, some clown taking control of your system.
What did the clown do? Was he able to delete anything or mess up your LMS completely?
Did you have password protection on your LMS?

mherger
2018-02-28, 07:33
> what did the clown do?

See the very first posting in this thread.

--

Michael

epoch1970
2018-02-28, 08:30
I backtracked on that thread (should be working instead...) and I want to say having a password protecting settings from remote accesses will be (is?) a great addition.
To those with routed VPNs complaining about the extra password, I say use a bridged network, it makes player discovery work ;)

In passing, I don't know the state of TOTP/QR on perl, but in my opinion a time-based password is a concept end-users grasp easily. Downloading an app and flashing a QR code is somehow an easier proposition than choosing and remembering yet another password, hard to guess please.
It would be probably better to have a short, volatile 6-digit password protect the server rather than the usual "passw0rd" or "lms1234"...
There are plenty of free TOTP clients for mobile, desktop or the command line.

dr..mike
2018-11-26, 11:42
The thread hasn't been active for a while, I hope some xperts are still reading.

Here's another victim...

LMS 7.9.1 on Synology with open - and now closed - port 9002, username and password were set, Picture Gallery installed, an additional non-music folder added in the general preferences (I could browse the entire folder structure across the entire Diskstation...)

Reading the first post here, my stomach turned upside down.

I deinstalled the LMS too quickly to check settings etc. and find out what the installation would have allowed the intruder to do.

Replicating with a fresh LMS installation didn't work, as the Picture Gallery plugin seems offline in the repository.

Assuming, someone 'only' installed the gallery plugin: does this allow reading / downloading also PDFs, excels, docs and so on? Or 'only' shows pictures it finds?

Am I understanding correctly, that once someone accessed the LMS, the user & password had to be set, i.e. max one person can go inside as it's locked afterwards?

Thanks for helping me gain a bit clarity on the dimensions...

Sent from my HTC U Ultra using Tapatalk

mherger
2018-11-26, 13:15
Assuming, someone 'only' installed the gallery plugin: does this allow reading / downloading also PDFs, excels, docs and so on? Or 'only' shows pictures it finds?

Am I understanding correctly, that once someone accessed the LMS, the user & password had to be set, i.e. max one person can go inside as it's locked afterwards?


The Gallery plugin was developed for pictures only. That said I know that some of the attackers did install modified versions of the plugin. They could potentially do anything they want. They could as well just write their own to download all those files, yes. But then I'm not aware of an attack at that level.

The password can be used by anyone knowing it. Most likely this is only being set to annoy the users, and potentially have a bit more time to explore whatever content they got access to.

dr..mike
2018-11-26, 15:13
The Gallery plugin was developed for pictures only.

Thanks for sharing your thoughts!!

With the above & the seemingly normal outgoing traffic volumes my router is showing, I'm trying to semi-comfort my mind that someone had their fun, looking at family pics or a weekend outing... and browsing the names of my directory structure, leaving the trace of a saved random folder in the settings...

Fingers crossed, but I suppose nothing to actively do to find out if things may have been stolen and where they may have ended up.

Sent from my HTC U Ultra using Tapatalk

fominator
2019-04-23, 18:49
And then there's that undocumented pref you can set to disable the check
in such an exceptional case.



So how to disable this check? I didn't find the answer! I want to disable it. Where is that pref, what should I do to disable it?

judojimmie
2019-07-14, 06:04
Just a warning to anyone who blocked these ports in the past. If you get a new router and use Synology's automatic router configuration, pay a little more attention than I did. I had blocked these ports years ago on my old router and did not think to tell the server to not open them back up. Of course someone with too much time on their hands found them and locked me out of my LMS.

Of note, I informed Synology that they should not allow the automatic router configuration tool to do this as it is a known exploit. They basically told me it was my fault for using their software :confused:. Fair enough, but it is the first time I've had a response from Synology that annoyed me in the 9 years I've been using their servers.

edwin2006
2019-07-14, 07:22
But why is your NAS open to the internet, use the router VPN!

compoman
2019-11-17, 11:23
Thanks for the info.

Regards


Just a warning to anyone who blocked these ports in the past. If you get a new router and use Synology's automatic router configuration, pay a little more attention than I did. I had blocked these ports years ago on my old router and did not think to tell the server to not open them back up. Of course someone with too much time on their hands found them and locked me out of my LMS.

Of note, I informed Synology that they should not allow the automatic router configuration tool to do this as it is a known exploit. They basically told me it was my fault for using their software :confused:. Fair enough, but it is the first time I've had a response from Synology that annoyed me in the 9 years I've been using their servers.