piCorePlayer: security



Gaffophone
2018-09-01, 03:31
Hello,

I am a new and happy user of piCorePlayer running its LMS on a Raspberry PI 3B+. LMS was previously running on an old and struggling ReadyNAS NV+ where the music is still stored. piCorePlayer gave a second life to my much loved Squeezebox platform: faster, more syncable players, Spotty plugin, reduced workload on the NAS, etc. Thank you, pCP team!

Before moving to my next project, i.e. building a Touch-like RPi-based player, I would like to finalize the security part.
Are there recommendations or best practices to secure piCorePlayer? I started to look at iptables, but have not even found a way to install it from the Tiny Core forum as my experience of Linux is very limited. Has anyone already managed that part or is it considered risk-free?

Thanks in advance,



Squeezebox Touch, Radio x2, Receiver
piCorePlayer 3.5.0 | Raspberry PI 3B+
LMS 7.9.2 | Spotty
Netgear ReadyNAS NV+
iPeng9, Squeezer, Squeezebox Controller
9,228 FLAC songs from 733 Albums and 327 artists

paul-
2018-09-01, 06:49
Yes you can install iptables on pCP, but it's really not necessary. You can shut down all services, so only squeezelite/jivelite is running.

LMS itself is not designed to be run accessible from the internet. LMS and associated devices should only be on your local network. If you want remote access to your music, use a VPN.

Gaffophone
2018-09-02, 00:54
Nothing to worry about then. Thanks a lot!

cfuttrup
2018-12-21, 11:35
I'm interested in this topic. Just installed a RPi with piCorePlayer + JiveLite on my network.

Bluetooth and WiFi are disabled, only using Ethernet. I changed the password for tc (tiny-core, I hope it was saved).

Is there some way in which a hacker could potentially get access to tc and manipulate the system to serve a hacker's purpose?

Just wondering.

Also I wonder if piCorePlayer could be set up to accept interaction with a specific IP address only (my NAS running LMS has a fixed IP) and/or MAC address?

Cheers,
Claus

Greg Erskine
2018-12-21, 12:41
Hi cfuttrup,

If you are "super paranoid" about security issues I would not have a Raspberry Pi on my network.

One of the advantages of piCore is it is in RAM. The system is a clean rebuild on each boot. So a hacker, unless they were TinyCore savvy, could do their thing, but after a reboot it would be clean again.

You could schedule a reboot every 5 minutes!

regards
Greg

paul-
2018-12-21, 13:06
Also I wonder if piCorePlayer could be set up to accept interaction with a specific IP address only (my NAS running LMS has a fixed IP) and/or MAC address?


That would be iptables role.

d6jg
2018-12-21, 17:07
Sensible password. Internal network only, no port forwarding, etc.
Other than that, why?

DJanGo
2018-12-22, 05:10
Are there recommendations or best practices to secure piCorePlayer?

There are many improvements on the security side, but most of them are on the other side - not yours - and they are not RPi / piCore related.

How does a hacker / cracker get his way into IoT devices like an LMS?

First they would use an already implemented update scenario like the LMS update or the plugin update mechanism.
One hack -> many devices with many IPs makes a perfect botnet.
Mostly they don't hack a single IoT device.

Unless the updates are digitally certified and the internal update mechanism first checks the updates for their certificates, you always have to trust these updates with your brain instead of the update routine.

In case of LMS updates that's an easy procedure because there is a single contributor for these updates.
In case of the plugin side the whole idea gets worse because there is no manpower to check all plugins and sign them, and there is more than one plugin repository.

That means be aware what plugins you install and check the forum for some warnings.

cfuttrup
2018-12-26, 12:13
That would be iptables role.

Hi paul - it's a firewall; sounds like an idea I'd like to try.

I've never set up iptables in the past. Are there any tips that someone can provide, for example with the classical LAN 192.168.n.xyz?

Best regards,
Claus

cfuttrup
2018-12-26, 12:16
Sensible password. Internal network only, no port forwarding, etc.
Other than that, why?

Hi d6jg

Internal only ... is that something I'd do with iptables?

Is iptables already there on the piCorePlayer, and do I have to edit a text file on the system, to accomplish this?

Sorry for really not knowing much about this. I ask because I'm afraid I'll do something wrong and/or stupid, like for example make it impossible for the Tiny Core Linux to fetch packages and stay up-to-date.

/Claus

cfuttrup
2018-12-26, 12:20
How does a hacker / cracker get his way into IoT devices like an LMS?

Hi DJanGo - you have many good points (I only quote one line in your response above). IOT are potential targets and in these times, we should think how to reduce the risk in a product like piCorePlayer.

Cheers,
Claus

Greg Erskine
2018-12-26, 13:25
Is iptables already there on the piCorePlayer, and do I have to edit a text file on the system, to accomplish this?

No
Yes

cfuttrup
2019-01-05, 07:52
Sorry to bring this to the surface again. Can anyone offer help how to install iptables?

Presumably it's available as a package from Tiny Core -> piCore. Is there a simple command that installs iptables?

Next about the configuration, I'm far from an expert, never done this before. Would this make sense?



# Allow any connection from this host.
iptables -A INPUT -i lo -j ACCEPT
# Allow any connection from the local network.
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# Allow all broadcast traffic.
iptables -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT


Will such an installation be erased when updating piCorePlayer ... meaning I'll have to reinstall ?

/Claus
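A LAN-only ruleset of the kind asked about above, as an added example that is not code from this thread or from the piCorePlayer project: the posted ACCEPT rules only become a filter once a default DROP policy is added. It assumes iptables.tcz (with its netfilter dependency) is installed, a constructed LAN of 192.168.1.0/24 (set LAN_NET to your own range, or to a single host such as 192.168.1.10/32 to admit only the LMS box), and that on pCP the script is run from a User Command so it is re-applied after every reboot.

```shell
#!/bin/sh
# Added example (not piCorePlayer's or the thread's own code): an INPUT chain that
# accepts traffic from the local network only and drops everything else.
# Assumptions: iptables.tcz and netfilter are installed; LAN 192.168.1.0/24 is a
# constructed value; run from a pCP User Command so the rules survive a reboot,
# because piCore rebuilds the system in RAM on every boot.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands for review, 0 = apply them

# ipt: print or execute one iptables command, so the whole rule set can be
# reviewed before it is applied to a box you are logged into over ssh.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# lan_only_rules: build the INPUT chain. Rule order matters; see the comments.
lan_only_rules() {
    ipt -F INPUT                                  # start from an empty chain
    ipt -A INPUT -i lo -j ACCEPT                  # loopback (squeezelite <-> LMS on one box)
    # Replies to connections the Pi opened itself (TCZ downloads, LMS and plugin
    # updates, streaming services) keep working despite the DROP policy below.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -s "$LAN_NET" -j ACCEPT          # web GUI, ssh, LMS 9000/3483 from the LAN
    ipt -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT   # player/DHCP discovery
    # Set the policy last: the ACCEPT rules are already in place, so an ssh session
    # from the LAN survives the switch, and anything not matched above is dropped.
    ipt -P INPUT DROP
}

lan_only_rules
# Review the live chain with:  sudo iptables -L INPUT -n -v --line-numbers
# Apply for real:              sudo DRY_RUN=0 LAN_NET=192.168.1.0/24 sh lan_only.sh
```

Run it once without arguments to see the exact commands it would issue; only when the printed list looks right, run it again with DRY_RUN=0.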

paul-
2019-01-05, 08:09
Where are you doing the configuration steps?

cfuttrup
2019-01-05, 11:16
Hi paul

I have just picked someone's recommendations for a start - to allow "everything" ... I haven't actually configured iptables yet, because it isn't installed on my piCorePlayer yet.

Cheers,
Claus

paul-
2019-01-05, 11:49
I'm not going to get into your rules. But if you are just allowing everything, what is the point?

You wanted to know if it would be wiped out during update, and the answer is... it depends. Where is your config script? And how is it being called?

cfuttrup
2019-01-06, 08:35
Hi Paul

My understanding is that iptables is not installed in a default piCorePlayer, so I need to install it first. I understand that Tiny Core has the following modules ready to install:

http://tinycorelinux.net/9.x/armv6/tcz/

... but exactly how does one install such packages in piCorePlayer ... can I through the web interface execute some commands and they will be downloaded and installed? - or do I have to find these packages elsewhere?

P.S. I think it is wise to let all traffic go through the firewall for a start (i.e. start with iptables being wide open), then I can assess later what's allowed and what's blocked. I'm just being careful.

Cheers,
Claus

paul-
2019-01-06, 08:39
You can install packages from the "Extensions" button on the main pCP web page. Sometimes you might need to install kernel module packages that are only found on the piCorePlayer repo first.

cfuttrup
2019-01-06, 11:36
Hi Paul

Thanks. I see the "Extensions" button now - when going from Normal to Advanced ... and the need to resize first :-). I have to say it's really nice to use piCorePlayer. It's quite an amazing piece of software.

Cheers,
Claus

cfuttrup
2019-01-06, 11:46
OK, eh, I chose the iptables.tcz package (from piCore repository - it's the default), but it seems piCorePlayer downloads the wrong package (!?). I get:

Downloading: ipv6-4.14.81-pcpCore_v7.tcz
Error on ipv6-4.14.81-pcpCore_v7.tcz

... but that's not iptables, that's the package next in the table of packages ( :-) ). I wonder why the wrong package is downloaded. Anyway, ipv6 is 311 kB, whereas iptables is 307 kB. I first expanded the SD card to 100 MB, leaving 51 MB free, then to 200 MB (it's a 1 GB card). Free space is now 142 MB. It's impossible that I'm short of space. It seems the files are downloaded to another partition, and this partition is too small, maybe a RAM disk partition (?).

Next - I changed to the piCorePlayer repository, and the correct file was downloaded. ipv6 was also downloaded, and netfilter; it looks like dependencies are automatically taken care of.

/Claus

peterw
2019-03-24, 17:25
I just finally decided to play with piCorePlayer -- nice work!

Am I missing something, or is there no official way to password-protect the piCorePlayer web interface?

Thanks,

Peter

paul-
2019-03-24, 18:46
You can shut it down. There is a command line program "setup".

peterw
2019-03-25, 19:08
You can shut it down. There is a command line program "setup".

Got it, thanks. Kinda fun that both setup & the alsa equalizer require me to SSH in from 'xterm', which I haven't used much in years. :-)

Greg Erskine
2019-03-25, 22:06
hi peterw,

Yeah, the original piCorePlayer's configuration was done via a "setup" script. :) The web interface is easier to use but there were some circumstances where a script still made sense.

We have been doing some "security" development but it probably won't make it into the next pCP. For instance, the web interface can be turned off, or it will only work for x number of seconds after a reboot.

There is a [Configure] button for alsaequal (after it has been installed) on the web interface! The original help message is still valid though.

regards
Greg

huxmut
2019-03-31, 05:01
would a public/private certificate ever be an option ?

paul-
2019-03-31, 05:34
Busybox httpd doesn't support https. There are solutions like stunnel that supposedly work without needing any changes to the httpd code. But it's not actively being worked on. Easier options for access control are what we are looking at.

huxmut
2019-03-31, 05:53
Cool.
Thanks Paul

peterw
2019-03-31, 06:53
would a public/private certificate ever be an option ?

BTW, pCP seems to include OpenSSH's sshd so you might be able to do things like configure busybox httpd to listen on the loopback address only (looks like you'd want to edit /usr/local/etc/init.d/httpd), and then use ssh port forwarding to access it remotely via something like http://localhost:8010/ on your SSH client box. I expect you should also be able to configure sshd to only accept public key authentication if you'd like to avoid passwords. Editing those files is a bit cumbersome -- http://www.brianlinkletter.com/persistent-configuration-changes-in-tinycore-linux/ seems to explain how to make persistent changes.

I think it'd be nice if pCP supported something like the old Pi config.txt (https://www.raspberrypi.org/documentation/configuration/config-txt/README.md) to allow setting some common options (including disabling the httpd or binding it only to loopback) when preparing the SD card, so the system could be locked down from the moment it first booted up without jumping through so many hoops. Might be nice to offer a web UI (on picoreplayer.org?) that would output a textarea whose contents could be pasted straight into the config text file to help avoid errors. I'd include wifi configuration in such a tool.

peterw
2019-03-31, 07:03
BTW, pCP seems to include OpenSSH's sshd so you might be able to do things like configure busybox httpd to listen on the loopback address only (looks like you'd want to edit /usr/local/etc/init.d/httpd)

Looks like a much simpler approach would be to "disable" the web UI with the command line 'setup' tool and then have one of the User Commands be
/usr/sbin/httpd -h /home/tc/www -p 127.0.0.1:80
(pCP's sshd config already allows port forwarding.)

Greg Erskine
2019-03-31, 14:45
hi peterw,

Thanks for your continued interest in pCP. Are you still using it?

We understand the security issues you mention. We are working on security in the background but generally don't discuss things we are developing.

The current pCP has a method of disabling ssh. The next version of pCP has a new "beta" method of disabling the web GUI. It can be permanently on, permanently off or shut down after so many seconds. The general password checking code has been written but not implemented yet. Adding password authentication on the web server has been tested but not implemented yet. It requires a restructure of the current web server, planned for some time after pCP 5.0.0.

BTW: My last job was in the SIEM Team for a large IT company working for a major bank. I was the team Audit/Compliance officer. I know what it's like to have processes and security so tight you can barely do any work!!! I used to work in various data centres so know a bit about physical security as well.

regards
Greg

peterw
2019-03-31, 18:57
Greg, I am still playing with pCP a bit.

Frankly the biggest problem is finding a case for a touchscreen that will work with (and enclose and protect) a 3B+ and an I2S DAC.** :-) The Smartipi case with optional extended backs is about the best I've found so far, but it looks not quite polished/tidy enough for some rooms. :-(

For the httpd I'm pretty comfortable with my loopback binding and tunneling through ssh. At least with that sshd is the only listening daemon. BTW I'm glad you chose OpenSSH instead of something like dropbear.

I also played with Ubuntu Mate today and ooh, boy, Jivelite on pCP is so much snappier than my first attempt at Squeezeplay on Mate on Pi that it's hard to imagine Mate being viable. pCP with a 3B+ seems likely to be snappier than my Touch but I expect Mate would be a step backward.

** I'd especially like one in which I could fit an IR receiver and a rotary encoder knob for Radio-style quick volume control.

cfuttrup
2019-04-02, 09:44
Frankly the biggest problem is finding a case for a touchscreen that will work with (and enclose and protect) a 3B+ and an I2S DAC.** :-) The Smartipi case with optional extended backs is about the best I've found so far, but it looks not quite polished/tidy enough for some rooms. :-(

Hi Peter

I've had success with the DesignSpark case and a Dremel tool. Please see: http://www.cfuttrup.com/touch_upgrade.html

... but yes, finding a good case for a different board and/or with different features requires some work, or you use a setup without a rear cover, or you design your own (maybe 3D printed). Another option is to connect the pieces with cables and e.g. use one of the Audiophonics cases.

/Claus

peterw
2019-04-02, 15:11
Hi Peter

I've had success with the DesignSpark case and a Dremel tool. Please see: http://www.cfuttrup.com/touch_upgrade.html

... but yes, finding a good case for a different board and/or with different features requires some work, or you use a setup without a rear cover, or you design your own (maybe 3D printed). Another option is to connect the pieces with cables and e.g. use one of the Audiophonics cases.

Claus, thanks for the info & suggestions. I spent a bunch of time on Thingiverse the other day, and this project looked pretty good, a revised cap for a widely available case that looks sufficient for an audio HAT: https://www.thingiverse.com/thing:2268017

cfuttrup
2019-04-03, 10:01
a widely available case that looks sufficient for an audio HAT: https://www.thingiverse.com/thing:2268017

Yup, that's the DesignSpark case that I'm using, and it looks like a nice 3D-printed extension.

/Claus

Greg Erskine
2019-06-13, 23:08
RE: pCP5.0.0

One small step towards increased security, for those that can't wait for the Web GUI to be updated and know vi.

The httpd web server now uses a configuration file /etc/httpd.conf


$ sudo cat httpd.conf
# Maintained by piCorePlayer
H:/home/tc/www
#/cgi-bin:admin:admin


Just remove the # on the last line and make sure there is a newline added to the end of the last line.

Do a $ pcp br

The browser will now prompt for a user name and password. Default is admin/admin.

regards
Greg

cfuttrup
2019-06-17, 10:27
Thanks a million :-)

trigdog
2019-08-14, 14:07
Just remove the # on the last line and make sure there is a newline added to the end of the last line.



This is great. Is there any way to change the default WWW_PORT="80" in the config to something like 8080? It would be nice if I could change the LMS to 80 instead of 9000.

paul-
2019-08-14, 14:12
You should be able to add SERVER_PORT=8080 to the config.


Not sure why you would want to change LMS interface.......we don't offer a way to do that.

Greg Erskine
2019-08-14, 15:39
hi trigdog,


Is there any way to change the default WWW_PORT="80" in the config to something like 8080?

This option will be available in pCP6.0.0 when we release it. Best to wait.


If you are using pCP6.0.0-b1 you *may* be able to edit your pcp config file manually (/usr/local/etc/pcp/pcp.cfg)?


It would be nice if I could change the LMS to 80 instead of 9000.

You can't do this.

Most people only change the LMS port if it clashes with other software. 9001 is usually used.

We offer only this option on the [Tweaks] page. Please read the note carefully.


regards
Greg

trigdog
2019-08-14, 15:56
If you are using pCP6.0.0-b1 you *may* be able to edit your pcp config file manually (/usr/local/etc/pcp/pcp.cfg)?



Actually, I just tried this on 5.0 before I saw this reply... it seems to have worked just fine when I edited manually and used "pcp br" to reboot afterward. Is that not supposed to work in 5.0?

trigdog
2019-08-14, 16:04
You can't do this.

Most people only change the LMS port if it clashes with other software. 9001 is usually used.



I see LMS doesn't support 80 now. I was just trying to make a more user friendly URL to get to the LMS server. I created a host file record in my pi-hole DNS server that redirects the domain my.music to the IP of the pCP LMS server... I just can't redirect to a specific port using DNS. Maybe I can create a redirect with busybox httpd from 80 to 9000... will investigate. Thanks.

Greg Erskine
2019-08-14, 16:54
Some people consider using port 80 to be less secure because it is the http default.

The LMS http port number is really not part of piCorePlayer security. It might confuse people talking about it in the same thread/post/paragraph as piCorePlayer http port.

trigdog
2019-08-14, 17:30
Some people consider using port 80 to be less secure because it is the http default.


Agreed which is why I replied here. I also agree the LMS stuff is off topic, sorry about that.