Access to SlimServer 6.2 from the internet



mparin
2006-01-30, 12:40
Folks,

Apologies if this question is a repeat. Although, I couldn't find anything in the archives w.r.t. my issue with SlimServer.

My Purpose:

Access my mp3 music at work over the internet

Background:

1. I have SlimServer 6.2.1 running at home on XP Pro.[say IP add is 1.2.3.4]

2. the ip address of my linksys router is 34.35.36.37 [Live IP through DSL]

2. I have a linksys router with port 9000 forwarded to 1.2.3.4

3. I have a dynamic dns setup through dyndns:
the link is xxx.homedns.org = 34.35.36.37

4. I have a webhop setup as follows:
yyy.hobby-site.org = xxx.homedns.org:9000

5. Another interesting data point, from my work, if I open-up a browser like explorer and point the url to yyy.hobby-site.org, I can access my SlimServer just fine and I can play my music just fine.

Problem:

Here's the catch, when the wife tries to access the SlimServer from her work - she opens a browser firefox/explorer and points the browser to yyy.hobby-site.org. However, she can't get to the SlimServer webpage like I can ...

The error message she gets is 'Unable to Connect'. With Firefox, the error message is 'Unable to Connect. Firefox can't establish a connection to the server at xxx.homedns.org:9000'

Troubleshooting:

With regards to troubleshooting, if I do a tracert, her pc can resolve the url of yyy.hobby-site.org all the way to dyndns just fine. Obviously, she is getting all the way to the SlimServer to get the message that I am getting.

So, at this point, I am unsure of how do I go about troubleshooting this problem.

Thoughts?

Obviously, any pointers will be more than appreciated.

Thanks in advance..

--parin

MrC
2006-01-30, 13:13

Two thoughts come to mind:

1) Did you add your wife's IP addr/range to the ALLOWED IP ADDRESSES area in Server Settings->Security

2) Your wife might have a proxy / firewall at her work which is interfering with her outbound port 9000 attempt. You can validate this via Windows command shell, starting the command

telnet <ipaddrofyourserver> 9000<Enter>

and typing a ? and hitting <Enter> again. If she gets back something like:

HTTP/1.1 400 Bad Request
Date: Mon, 30 Jan 2006 20:09:30 GMT
Server: libwww-perl-daemon/1.02
Content-Type: text/html
Content-Length: 57

<title>400 Bad Request</title>
<h1>400 Bad Request</h1>

then you know port 9000 is not blocked (by either your slimserver or her work's firewall). At this point, I'd start looking into any proxy issues.
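
The telnet check from the post above, as an added example that is not part of the original thread: a Python function that sends the same `?` and also separates an active refusal from a silent timeout, which helps narrow down which side is doing the blocking. The function names are assumptions, and the loopback listener is a constructed stand-in for SlimServer.

```python
import socket
import threading

# What each result suggests about where the block is (general TCP behaviour).
MEANING = {
    "open-http": "port reachable end to end; look at proxy or server settings next",
    "open-silent": "TCP connected, but the reply was not HTTP",
    "refused": "a reset came back: nothing listens or is forwarded there, or a firewall rejects",
    "timeout": "no reply at all: typically a firewall dropping packets, or the host is down",
    "unreachable": "name lookup or routing failed before any TCP exchange",
}


def probe_tcp(host, port, timeout=5.0):
    """Connect, send '?' as in the telnet test, and classify what happens."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(b"?\r\n")
            reply = sock.recv(256)
        except (socket.timeout, TimeoutError, ConnectionError):
            return "open-silent"
    return "open-http" if reply.startswith(b"HTTP/") else "open-silent"


def start_fake_slimserver():
    """Constructed stand-in: a loopback listener that answers 400 once."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_slimserver()
    result = probe_tcp("127.0.0.1", port, timeout=2)
    print(result, "->", MEANING[result])
```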

jasenj1
2006-01-30, 13:52
Is it possible your wife's employer is blocking http traffic to those sites?

I'd try manually entering the 34.35.36.37:9000 just to eliminate the intermediaries. The telnet trick is a good one, too.

Good luck. I ran SlimServer from home and listened at work through iTunes for awhile before buying my Squeezebox. It's a pretty spiffy feature.

- Jasen.

mparin
2006-01-30, 13:52
MrC, Thank you so much, Sir!

That seems to be her problem... when she types the following at the command prompt: Telnet <ipaddressofserver> 9000, the error message she gets is as follows:
'Could not open connection to host on port 9000: Connect failed'

So, given that that is the problem, is there any way around it?

Again, thanks much for your help so far..

--parin

MrC
2006-01-30, 14:13
> MrC, Thank you so much, Sir!
>
> That seems to be her problem... when she types the following at the command prompt: Telnet <ipaddressofserver> 9000, the error message she gets is as follows:
> 'Could not open connection to host on port 9000: Connect failed'
>
> So, given that that is the problem, is there any way around it?
>
> Again, thanks much for your help so far..


Well, if port 9000 is blocked on her side, you could try setting up an SSH server at home and having her connect with an SSH client, and tunneling ports 9000 and 3483. It is likely that the firewall does not block port 22, which is used for an SSH server.

Just to be sure we were clear, your wife did try the actual IP address of your WAN IP and not the intended replacement text of <ipaddressofserver> (eg telnet 34.35.36.37 9000).

The test you ran only indicated that she cannot connect to your server. Her firewall, your firewall, or your slimserver could be blocking the connection. You'll have to determine which of those it is.

mparin
2006-01-30, 14:28
MrC,

Yes, she did try the actual WAN IP address and the connect failed.

So, I will try to setup an SSH server on the same machine as my SlimServer and install the SSH client on her machine and give it a shot.

My guess is that it's most likely her work's firewall that is blocking the port, because if it was my router/my firewall or the SlimServer then in that case I would have the same issue, i.e. I would be unsuccessful in accessing the SlimServer as well. However, I can access it just fine. So, my guess is that the issue is probably on her work's network - i.e. blocking port 9000.

Also, I do have her ip address as an entry in the "allowed" section of the SlimServer. So, that's one more reason why it may not be the SlimServer.

I'll give SSH a shot and update. Again, thanks for all the pointers.

--parin

MrC
2006-01-30, 14:47
> My guess is that it's most likely her work's firewall that is blocking the port, because if it was my router/my firewall or the SlimServer then in that case I would have the same issue, i.e. I would be unsuccessful in accessing the SlimServer as well.

Not necessarily - port forwarding is typically done on a per IP or IP range basis. You may have the correct IP address for your work, but not the correct one for hers. Does your firewall log give you the ability to see any connection attempts? If not, we can verify that her work is not letting anything out using my setup. I've private messaged you to work this out. See your PMs.

mparin
2006-01-30, 15:08
MrC,

per your instructions, we just tried it with your setup and we ended-up with the same error message.

Hopefully, your logs will clarify things a bit ..

MrC
2006-01-30, 15:44
> MrC,
>
> per your instructions, we just tried it with your setup and we ended-up with the same error message.
>
> Hopefully, your logs will clarify things a bit ..

I just PM'd you again. It's her end - port 9000 is not getting out. Try the same test with port 22 to the IP I gave you in the PM.

Michaelwagner
2006-01-30, 18:12
I should point out that circumventing the firewall at work may technically work but may not be in the spirit of what her workplace is trying to accomplish with their firewall, like "this bandwidth is for work only".

If they then catch you circumventing, that may not be good for her work situation.

joncourage
2006-01-30, 19:50
not to mention they'd be some dumb firewall admins at her work if they restrict HTTP traffic to 80/443 but then let ANY out on 22 (or anything else for that matter...). If that's the case tell her mgt to give me a call, my consulting fee is only $250/hour!

MrC
2006-01-30, 23:08
> not to mention they'd be some dumb firewall admins at her work if they restrict HTTP traffic to 80/443 but then let ANY out on 22 (or anything else for that matter...). If that's the case tell her mgt to give me a call, my consulting fee is only $250/hour!

Uh, at $250/hour, you should know that's port 9000 for slim, not 80. :-)

Their site does block outbound 9000 (and it's not clear what others).

chris.mason
2006-01-31, 03:24
I regularly listen to music streamed from my SlimServer at home, from work.

I have windows XP, running Slim, behind a router and firewall.
I connect using SSH. I have Cygwin installed on my windows PC, and have port 22 (standard SSH port) forwarded to that machine.

In my work place, I can get to web sites that are not running on port 80, but I prefer the security that SSH provides. However, I have the added complexity that I need to use a SOCKS proxy for SSH to work - you may well find that this is the case for your wife as well.

If you use SoftSqueeze, you can configure SSH and SOCKS proxy settings in the GUI, otherwise you will need to install an SSH client (Putty is a good GUI client), and open the tunnel manually.

Hope that helps!

Chris.

mparin
2006-01-31, 11:28
Yesterday, I downloaded OpenSSH and installed and configured it on the same machine as my SlimServer. Note that this machine is behind my linksys router/firewall but I have forwarded port 22 to the machine.

I also setup the rsa, i.e. authentication keys, etc. and it all works great.. I installed softsqueeze at work and now I can connect via OpenSSH to my SlimServer just fine ...

However, the wife has to try it. She'll be at work tomorrow and I'll have her try it then..

A quick question on OpenSSH, is there a way for me to change the default port from 22 to something more random?

I couldn't find information on that in the archives..

--parin

MrC
2006-01-31, 11:39
> However, the wife has to try it. She'll be at work tomorrow and I'll have her try it then..

Did your wife attempt port 22 access to my server? I didn't get a response from you on this.

> A quick question on OpenSSH, is there a way for me to change the default port from 22 to something more random?

Yes. man sshd_config, and look for Port and ListenPort.

Beware, if her firewall is outbound blocking all but some standard ports, changing your sshd port may prevent her from connecting.

Finally, limit which IPs can connect to SSH via your firewall, as this will help avoid the constant script-kiddie attacks.

chris.mason
2006-01-31, 13:00
Also, check if she has access to a SOCKS proxy cos you can SSH out via that, as I do...

mparin
2006-02-01, 12:34
Gents,

Thanks much for all your help. Yes, it worked from the wife's work!

MrC: No, I figured out how I could see incoming requests on my router and I had her point to my router on port 22. So, I was fairly confident that this would work.

Also, you make a good point about limiting the IP address that can access the SlimServer using SSH. Is this something that I would configure on my router? Or is this a configuration in OpenSSH?

--parin

MrC
2006-02-01, 14:07
> Gents,
>
> Thanks much for all your help. Yes, it worked from the wife's work!
>
> MrC: No, I figured out how I could see incoming requests on my router and I had her point to my router on port 22. So, I was fairly confident that this would work.

Awesome!

> Also, you make a good point about limiting the IP address that can access the SlimServer using SSH. Is this something that I would configure on my router? Or is this a configuration in OpenSSH?

Yes, just port forward (if your router has this capability) on the source IP address (ranges) that you desire. Some routers only give you an all or none option though, so in that case you can use other security options, like tcpwrappers on the server (I don't know if your server is windows or linux-based). Otherwise, you'll start finding lots of logging info indicating failed SSH dictionary attacks login attempts.

Make sure you configure AllowUsers with only yours and your wife's login names.

treble
2006-02-01, 20:54
I have a question about ports.

So if I remotely connect with SoftSqueeze to my slimserver at home, and have OpenSSH set up on the home machine, do I still have to have ports 9000 and 3483 open on my firewall (it's a hardware firewall, behind the DSL modem, the home pcs don't have a firewall), or is port 22 enough (routed to the pc with slimserver)?

Thanks,

mparin
2006-02-01, 21:08
As far as my setup is concerned, I have only port 22 forwarded to my pc with the SlimServer.

MrC,

A quick question for you, My SlimServer is running on an XP Pro machine and my router does not have the capability to forward ports based on IP Addresses. It's an all or nothing deal. So, what would you recommend I do to add some security?
I have done the following:
1. I have a user configured on the PC running SlimServer and OpenSSH. This is the user that is configured in Softsqueeze SSH settings.
2. I have rsa passphrases configured between the softsqueeze client and the SlimServer
3. I have userids setup for us in SlimServer
4. I have IP Address ranges specified in the AllowedIP address setting in the SlimServer

Anything else I could do?

Also, if I have a friend who would like to access my mp3 collection over the internet, can I use iTunes instead of the softsqueeze client? This is assuming that I can get him the rsa.txt file for the security settings.

Again, thanks for all your help ..

--parin

MrC
2006-02-01, 22:39
> I have a question about ports.
>
> So if I remotely connect with SoftSqueeze to my slimserver at home, and have OpenSSH set up on the home machine, do I still have to have ports 9000 and 3483 open on my firewall (it's a hardware firewall, behind the DSL modem, the home pcs don't have a firewall), or is port 22 enough (routed to the pc with slimserver)?

If you want to tunnel via SSH, then you do not need the slimserver ports open, only port 22 for SSH. The firewall doesn't interpret the tunneled, encrypted data.

MrC
2006-02-01, 22:55
> My SlimServer is running on an XP Pro machine and my router does not have the capability to forward ports based on IP Addresses. It's an all or nothing deal. So, what would you recommend I do to add some security?
> I have done the following:
> 1. I have a user configured on the PC running SlimServer and OpenSSH. This is the user that is configured in Softsqueeze SSH settings.

This is good. Are you using the cygwin version of OpenSSH? If not, which package? If it's cygwin, there's an option in /etc/ssh/sshd_config called AllowUsers which will permit only the listed login names to work.

> 2. I have rsa passphrases configured between the softsqueeze client and the SlimServer
> 3. I have userids setup for us in SlimServer

Good.

> 4. I have IP Address ranges specified in the AllowedIP address setting in the SlimServer

This doesn't matter too much, since if someone compromises your SSH connection, they're not going to be doing it to play music. But it's good to have anyway.

> Anything else I could do?

Again, if you're using the cygwin port of OpenSSH, it is built with tcpwrappers, which means you can add entries in /etc/hosts.allow to allow only certain IPs to access the SSH server - all others will be rejected. While anyone can probe the SSH server, connections will only be allowed via the specified IPs.

> Also, if I have a friend who would like to access my mp3 collection over the internet, can I use iTunes instead of the softsqueeze client? This is assuming that I can get him the rsa.txt file for the security settings.

Sure, but he'll also need to SSH connect with port 9000 tunneled and use:

http://localhost:9000/stream.mp3

as the URL in iTunes. I would create separate users for you, your wife, and your friend, so that you can log who's on, and who's doing what. Using the same userid makes for difficult intrusion investigation should someone let the cat out of the bag.
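
A check for the two server-side restrictions recommended in this thread (AllowUsers in sshd_config, source addresses in hosts.allow), as an added example that is not part of the original posts. It applies the standard tcpwrappers rule from hosts_access(5): a client that matches nothing in hosts.allow is still admitted unless hosts.deny matches it. The sample files, login names and addresses are constructed, the function names are assumptions, and Match blocks and IPv6 entries are not handled.

```python
# Constructed sample files; login names and addresses are placeholders.
SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
AllowUsers alice bob
"""
HOSTS_ALLOW = "sshd: 192.0.2.10, 198.51.100.0/255.255.255.0\n"
HOSTS_DENY_EMPTY = ""
HOSTS_DENY_ALL = "sshd: ALL\n"


def parse_sshd_config(text):
    """Return {keyword_lowercase: [values]} for each non-comment line."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts


def wrapper_rules(text, daemon="sshd"):
    """Client patterns from hosts.allow/hosts.deny lines naming `daemon` or ALL."""
    clients = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        names = [d.lower() for d in daemons.replace(",", " ").split()]
        if daemon in names or "all" in names:
            clients.extend(rest.split(":", 1)[0].replace(",", " ").split())
    return clients


def audit(sshd_text, allow_text, deny_text):
    """Return (allowed_login_names, findings) for the thread's checklist."""
    findings = []
    users = " ".join(parse_sshd_config(sshd_text).get("allowusers", [])).split()
    if not users:
        findings.append("AllowUsers not set: every account may attempt an SSH login")
    allowed = [c.upper() for c in wrapper_rules(allow_text)]
    denied = [c.upper() for c in wrapper_rules(deny_text)]
    if not allowed:
        findings.append("hosts.allow has no sshd entry: no source addresses are named")
    elif "ALL" in allowed:
        findings.append("hosts.allow admits ALL clients to sshd")
    if "ALL" not in denied:
        findings.append("hosts.deny has no 'sshd: ALL' line: unlisted addresses still connect")
    return users, findings


if __name__ == "__main__":
    for deny in (HOSTS_DENY_EMPTY, HOSTS_DENY_ALL):
        print(audit(SSHD_CONFIG, HOSTS_ALLOW, deny))
```

OpenSSH removed tcpwrappers support upstream in release 6.7, so on current builds the source-address restriction has to come from the firewall or from `AllowUsers` entries written as user@host patterns.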

mparin
2006-02-02, 14:23
I am using the Cygwin version, So, all I have to do is configure the sshd_config file and the hosts.allow file and I shall be set!

Excellent, sir! Thanks a ton for all your help, you've been most helpful!

--parin

eagleeye
2006-04-04, 02:35
I’m doing my head in trying to get Softsqueeze to work across the internet via SSH and have read (and tried) all the suggestions on here but with limited success so hope someone can suggest a ‘fix’.

First of all my setup:

Home PC has the Slim and SSH server installed on it and the XP firewall has been configured to allow SSH(22) and Slimserver(9000&3483) through.

Router has been setup so SSH & Slimserver ports forward to home PC.

Work PC is running Putty and obviously Softsqueeze.

First of all I tried configuring Softsqueeze to use the built-in SSH but just could not connect no matter what I tried. Well it did actually start talking to my home PC because I got the usual warning messages and was prompted for user name and password but after that it just gave the message ‘Failed to connect’ so I then started using Putty. I have it configured so that local port 9000 connects to madeupname.homedns.org:9000 and local port 3483 connects to madeupname.homedns.org:3483 (I’m using the DynDNS service).

Running Putty connects and allows me to login without a problem and running netstat -a on my work PC shows that a connection has been made to my home PC on port 22. I then run Softsqueeze which has been configured to localhost in the network section and no SSH but all I get is a repeated message saying lost contact with Slimserver.

Everything seems to be in place and working as I can connect to my Slimserver via a browser using madeupname.homedns.org:9000 and if I configure Softsqueeze to madeupname.homedns.org in the network section it connects and works perfectly. The drawback with that is that it is not running via SSH.

At this stage I just cannot think what more to try so any suggestions are most welcome.

mherger
2006-04-04, 03:09
> Home PC has the Slim and SSH server installed on it and the XP firewall
> has been configured to allow SSH(22) and Slimserver(9000&3483) through.
>
> Router has been setup so SSH & Slimserver ports forward to home PC.
>
> Work PC is running Putty and obviously Softsqueeze.

Only open ssh - you will be tunneling slimserver protocols through the ssh
channel.

> message ‘Failed to connect’ so I then started using Putty. I have it
> configured so that local port 9000 connects to
> madeupname.homedns.org:9000 and local port 3483 connects to
> madeupname.homedns.org:3483 (I’m using the DynDNS service).

Have those ports tunneled to your slimserver's internal address, not the
external: localhost, if the ssh server is running on the same machine as
slimserver. Or "yourslimserver" if this is your server's name. But don't
use the external address as SSH will then try to loop your data out the
house and back in through the router.

> Everything seems to be in place and working as I can connect to my
> Slimserver via a browser using madeupname.homedns.org:9000 and if I

Don't do this. Don't open these ports to the net as _anyone_ could connect
there, having fun waking you up at night with some songs from your
collection.

--

Michael

-----------------------------------------------------------
Help translate SlimServer by using the
SlimString Translation Helper (http://www.herger.net/slim/)

eagleeye
2006-04-04, 04:20
> Only open ssh - you will be tunneling slimserver protocols through the ssh
> channel.

Okay I can see why it only needs SSH so will change that when I get home.

> Have those ports tunneled to your slimserver's internal address, not the external: localhost, if the ssh server is running on the same machine as slimserver. Or "yourslimserver" if this is your server's name. But don't use the external address as SSH will then try to loop your data out the house and back in through the router.

And of course as soon as I made this change it all started working via SSH. Looking at it now it seems such an obvious mistake to have made but I just couldn't think where it was going wrong. Many thanks for putting me right with that part of the configuration.

> > Everything seems to be in place and working as I can connect to my Slimserver via a browser using madeupname.homedns.org:9000 and if I
>
> Don't do this. Don't open these ports to the net as _anyone_ could connect there, having fun waking you up at night with some songs from your collection.

I'll close this down tonight but at least I had it set in the router to only allow access from my work PC so no-one else could get in.

Thanks again.