PDA

View Full Version : Security consequences of opening port 9000



sbjaerum
2005-08-04, 01:04
By forwarding port 9000 from my ADSL router to the machine running slimserver, I am able to connect to my slimserver from work. I can also stream using http://homeipadress:9000/stream.mp3.

I am not a security expert. What are the security consequences for my home network if I permanently open port 9000?

Steinar

MrC
2005-08-04, 01:06
Any port opening represents a possible attack vector. Meaning, there's software at the other end listening, and if there are flaws in that software, they can and will eventually be exploited.

You'd be better off setting up an SSH tunnel, as SSH server implementations are widely scrutinized and deployed. Best to trust a couple of security providers who specialize in such things.

sbjaerum
2005-08-04, 01:14
Any port opening represents a possible attack vector. Meaning, there's software at the other end listening, and if there are flaws in that software, they can and will eventually be exploited.

You'd be better off setting up an SSH tunnel, as SSH server implementations are widely scrutinized and deployed. Best to trust a couple of security providers who specialize in such things.

My slimserver runs on WindowsXP.
Is there any step-by-step prodcedure available for how to set up a SSH server and how to set up a tunnel connection?

Steinar

MrC
2005-08-04, 10:02
Free or can you pay a little?

Pay: for the easiest method, try vshell from www.vandyke.com. They have outstanding support, excellent forums, and its a one program solution. They have the premiere SSH products for Windows. You can download a 30 day eval product. Its not cheap, but it is excellent.

Free: you can use the open source cygwin environment (Unix/Linux environment for your PC) and use the openssh server available. This is more work, and requires more learning on your part. You an start by going to www.cygwin.com

If your work allows inward SSH connections, you don't need an SSH server, but can just use an SSH client (free [ putty ] or pay [ secureCRT, Entunnel ]), make the remote connection inward and use a reverse tunnel. You'll have to check with your work's admins if they support SSH connections, saving the setup.exe program to your desktop, and run it. It will download the necessary components (plus lots more that you can disable). Then all you need to do is configure.

By the way, once you have SSH installed, you can setup secure, complete access to your desktop at home.

Post more when you have considered which direction you want to go, and have started down the road.

Roy Owen
2005-08-04, 10:15
SSH for Windows:
http://sourceforge.net/projects/sshwindows

SSH Setup
http://www.vbmysql.com/articles/ssh-tunnel-part2.html

Easy SSH client
http://www.bitvise.com/tunnelier.html

All of the above software is free and not nag-ware.

On 8/4/05, MrC <MrC.1t91ub (AT) no-mx (DOT) forums.slimdevices.com> wrote:
>
>
> Free or can you pay a little?
>
> Pay: for the easiest method, try vshell from www.vandyke.com<http://www.vandyke.com>.
> They
> have outstanding support, excellent forums, and its a one program
> solution. They have the premiere SSH products for Windows. You can
> download a 30 day eval product. Its not cheap, but it is excellent.
>
> Free: you can use the open source cygwin environment (Unix/Linux
> environment for your PC) and use the openssh server available. This is
> more work, and requires more learning on your part. You an start by
> going to www.cygwin.com <http://www.cygwin.com>
>
> If your work allows inward SSH connections, you don't need an SSH
> server, but can just use an SSH client (free [ putty ] or pay [
> secureCRT, Entunnel ]), make the remote connection inward and use a
> reverse tunnel. You'll have to check with your work's admins if they
> support SSH connections, saving the setup.exe program to your desktop,
> and run it. It will download the necessary components (plus lots more
> that you can disable). Then all you need to do is configure.
>
> By the way, once you have SSH installed, you can setup secure, complete
> access to your desktop at home.
>
> Post more when you have considered which direction you want to go, and
> have started down the road.
>
>
> --
> MrC
>

radish
2005-08-04, 14:38
Any port opening represents a possible attack vector. Meaning, there's software at the other end listening, and if there are flaws in that software, they can and will eventually be exploited.

You'd be better off setting up an SSH tunnel, as SSH server implementations are widely scrutinized and deployed. Best to trust a couple of security providers who specialize in such things.

I'm not going to disagree with any of this, except to say that the likleyhood of an attack being mounted against slimserver on :9000 are very (extremely) low. The vast majority of "attacks" are simply automated scripts looking for known flaws in commonly used software. SlimServer simply isn't a big enough target to warrant the attention required for someone to find a flaw, craft an exploit and add it to a scanner. Of course if you really annoy someone and they happen to know what they're doing, all bets are off :)

So by all means use a tunnel, it's certainly more secure, but I (personally) wouldn't be particularly unhappy about running it as an open service.

MrC
2005-08-04, 14:46
So by all means use a tunnel, it's certainly more secure, but I (personally) wouldn't be particularly unhappy about running it as an open service.
I don't think I'd want my works' admins snooping my traffic.

radish
2005-08-04, 15:16
I don't think I'd want my works' admins snooping my traffic.

For general SSH traffic, sure, it's advantage is that it's snoop proof. But if my work policy said "no streaming music" then I ain't gonna do it, even if I can find a way through the firewall. There are plenty of ways they could deduce what you are doing if they wanted to, and instant dismissal is not worth the convenience. I know if I was an admin and I saw a ton of SSH traffic through the firewall (and it is detectable) I'd sure as hell take a closer look.

MrC
2005-08-04, 15:44
Yup, a "no streaming policy" would make this entire thread moot.

chris
2005-08-04, 23:09
I personally wouldn't do this. I also use SSH to tunnel the connection, but my slimserver is on a linux machine.

This leads interesting results, and shows you what may happen:
http://www.google.com/search?q=intitle%3A%22welcome.to.squeezebox%22+

sbjaerum
2005-08-05, 05:42
I personally wouldn't do this. I also use SSH to tunnel the connection, but my slimserver is on a linux machine.

This leads interesting results, and shows you what may happen:
http://www.google.com/search?q=intitle%3A%22welcome.to.squeezebox%22+

Unfortunately, the firewall/proxy at work does not allow ssh connection. Anyway, I have managed to set up ssh on my slimserver. Tested by successful tunneling from another machine on my home network.

So at the moment, my only option is to connect using http.
How effective/robust is the IP blocking feature available at Server settings -> Security?
I guess I should only allow IP adresses matching the local network and the domain at work.
Will the server be visible (e.g. for Google), but not allow connections, or will the server be invisible for all IP adresses outside the allowed range?

Steinar

Roy Owen
2005-08-05, 06:06
Your network at work won't allow an outbound SSH tunnel? That is usually one
of the few outbound ports that are allowed. You could try setting your
tunnel up on a different port (80), usually the firewall/proxy are not
protocall specific, however they can be. Ask your network admin (very
nicely) to allow outbound SSH traffic.

On 8/5/05, sbjaerum <sbjaerum.1takh0 (AT) no-mx (DOT) forums.slimdevices.com> wrote:
>
>
> chris Wrote:
> > I personally wouldn't do this. I also use SSH to tunnel the connection,
> > but my slimserver is on a linux machine.
> >
> > This leads interesting results, and shows you what may happen:
> > http://www.google.com/search?q=intitle%3A%22welcome.to.squeezebox%22+
>
> Unfortunately, the firewall/proxy at work does not allow ssh
> connection. Anyway, I have managed to set up ssh on my slimserver.
> Tested by successful tunneling from another machine on my home network.
>
>
> So at the moment, my only option is to connect using http.
> How effective/robust is the IP blocking feature available at Server
> settings -> Security?
> I guess I should only allow IP adresses matching the local network and
> the domain at work.
> Will the server be visible (e.g. for Google), but not allow
> connections, or will the server be invisible for all IP adresses
> outside the allowed range?
>
> Steinar
>
>
> --
> sbjaerum
>

dropbear
2005-08-05, 06:06
If you set your modem/router to only forward IP addresses from your work to your PC that runs slimserver then it should be invisible to the rest of the internet.

Pete

radish
2005-08-05, 07:40
This leads interesting results, and shows you what may happen:
http://www.google.com/search?q=intitle%3A%22welcome.to.squeezebox%22+
If you don't link to it, Google won't find it.

fuzzyT
2005-08-05, 09:00
chris wrote:

> This leads interesting results, and shows you what may happen:
> http://www.google.com/search?q=intitle%3A%22welcome.to.squeezebox%22+

Just taking the step of setting up an SS password will avoid this effect.

And if you're going to expose via HTTP, you should also take the step of
limiting inbound traffic to just your nets or IPs using your
firewall(s). You're still vulnerable, but from a much lower number of
potential attackers.

--rt

JJZolx
2005-08-05, 10:49
By forwarding port 9000 from my ADSL router to the machine running slimserver, I am able to connect to my slimserver from work. I can also stream using http://homeipadress:9000/stream.mp3.

I am not a security expert. What are the security consequences for my home network if I permanently open port 9000?

On the one hand, it's very unlikely that anyone is going to exploit the open port. For a number of reasons

1) The only thing there is a fairly specialized web server, meaning that the script-kiddies are going to pass it right by.

2) For the non script-kiddies, who is going to _want_ to break into your system such that they'd go to the trouble? If you're on a DSL or cable connection then your IP is easily identified as a home connection. It's just not worth anyone's time.

On the other hand the HTTP server and the SlimServer application aren't used to being on the public Internet so I'm sure that security against exploits isn't a terribly high priority. Given that very few SlimServers are facing the Internet unprotected it's unlikely that any existing security holes are going to be found and then patched.

mikeb
2005-08-05, 15:30
> sbjaerum Wrote:
>> By forwarding port 9000 from my ADSL router to the machine running
>> slimserver, I am able to connect to my slimserver from work. I can also
>> stream using http://homeipadress:9000/stream.mp3.
>>
>> I am not a security expert. What are the security consequences for my
>> home network if I permanently open port 9000?
>
> On the one hand, it's very unlikely that anyone is going to exploit the
> open port. For a number of reasons
>
> 1) The only thing there is a fairly specialized web server, meaning
> that the script-kiddies are going to pass it right by.

This is very true. Until slimserver gets more popular and you don't
remember to close off the port. Or someone bored finds a hole and gives
the exploit to a script kid. The obscurity of uncommon software is not
security.


> 2) For the non script-kiddies, who is going to _want_ to break into
> your system such that they'd go to the trouble? If you're on a DSL or
> cable connection then your IP is easily identified as a home
> connection. It's just not worth anyone's time.

While this is very untrue. Home connections are purposely attacked for
phishing schemes, spam, virus mailing, etc.. These blocks are some of the
most attacked on the Internet. It is worth their time if they make money
from spam or phishing. One attacked cable modem could yield hundreds of
credit card numbers from phishing emails.


> On the other hand the HTTP server and the SlimServer application aren't
> used to being on the public Internet so I'm sure that security against
> exploits isn't a terribly high priority. Given that very few
> SlimServers are facing the Internet unprotected it's unlikely that any
> existing security holes are going to be found and then patched.

Truely skilled people spend their lives tearing apart odd applications,
and some of these people are not so honest. I wouldn't doubt that there
are quite a number of security problems inside slimserver.

Anyone who cares about the security of their home systems should not be
giving any more privileges out than those that are absolutely necessary.
I have yet to see any valid (to me) reason to open up slimserver to the
world. A firewall allowing specific addresses through would be better.
Encrypted tunnels requiring authentication would be best.

Of course, you use keys for authentication and not password auth right?! =)

--mikeb


--
"Never believe anything until it's been officially denied"
- Claud Cockburn

JJZolx
2005-08-05, 16:01
> For the non script-kiddies, who is going to _want_ to break into
> your system such that they'd go to the trouble? If you're on a DSL or
> cable connection then your IP is easily identified as a home
> connection. It's just not worth anyone's time.

While this is very untrue. Home connections are purposely attacked for
phishing schemes, spam, virus mailing, etc.. These blocks are some of the
most attacked on the Internet. It is worth their time if they make money
from spam or phishing. One attacked cable modem could yield hundreds of
credit card numbers from phishing emails.
They're purposely "attacked", but only en mass by scripts. It's extremely unlikely that anyone would take the time to manually crack an anonymous home system. Viruses, worms, spam and phishing attacks are hazards unrelated to running a public web server or the type of Internet connection you have.

That said, I certainly wouldn't recommend it in any way. If someone _did_ want in, it probably wouldn't be very difficult.

pfarrell
2005-08-05, 16:03
On Fri, 2005-08-05 at 15:30 -0700, Mike Benjamin wrote:
> > sbjaerum Wrote:
> > 1) The only thing there is a fairly specialized web server, meaning
> > that the script-kiddies are going to pass it right by.
>
> This is very true. Until slimserver gets more popular and you don't
> remember to close off the port. Or someone bored finds a hole and gives
> the exploit to a script kid. The obscurity of uncommon software is not
> security.

It is unwise to put any trust in security by obscurity.
The limited functionality of the SlimServer, and its use
of Perl, are good. But unless a piece of software has been
tested, it is impossible to know how hardened it is.

The script's are dumb, but they don't every bother to remove
old exploits. They just blindly try every trick every found.
So if a hole is found, it will be probed, essentially forever.

You are not safer just because you use obscure software or
an old and obscure operating system.

> > connection. It's just not worth anyone's time.
>
> While this is very untrue.


Yes, very untrue. It is worthwhile to attack any resources you
can. Any computer that is on the internet, and
can be attacked provides at least a host for
subsequent attacks on other machines.

More than 13 years ago, I had a security paper published
at a NSA conference on this.
http://www.pfarrell.com/resume/towardsabstract.html
It discusses this topic. A full copy of also on that site.

> Anyone who cares about the security of their home systems should not be
> giving any more privileges out than those that are absolutely necessary.

Very true.

Use SSH tunneling, or a VPN.
Whether you should expose a Windows machine is left
as an exercise to the reader.

--
Pat
http://www.pfarrell.com/music/slimserver/slimsoftware.html

Mitch Harding
2005-08-05, 16:12
On 8/5/05, Pat Farrell <pfarrell (AT) pfarrell (DOT) com> wrote:
> You are not safer just because you use obscure software or
> an old and obscure operating system.

You may not be *safe*, but I daresay you are *safer* using obscure
software than you are using mainstream software.

Not that I'm recommending that people rely on this as any means of security..

Mitch

MrC
2005-08-05, 16:18
It is nice to see the voice of sensibility regarding this security question finally tilting the scales towards reason.

I see these things as risk/reward propositions. In this case, as some feel, the risk of an attack is low, yet they fail to quantify the cost (negative reward) of a succesfully attack, which could be dramatic and high. The flip side reduces the risk to almost nil, and the cost is minimal (learning to install and configure a piece of software), and the reward is quite high (peace of mind, supplimental knowledge useful for other inet apps and services). When there is such an imbalance in the risk/reward proposition, the choice is clear.