Password protecting the server ...



jmhayes
2006-03-24, 17:42
I get how to password protect the server for external players, but it doesn't seem to work for actual Slim Devices hardware. How can I stop my server from playing on just anyone's hardware?

Mark Lanctot
2006-03-24, 18:10
Do you mean that the password protection on the server doesn't work? I haven't tried it, so I can't confirm this.

Note you can also block connections from all IP addresses except for a whitelist you specify.

Also, normally your SlimServer will be running on your LAN, which is behind your router, so it'll be as protected as any other device on your LAN.

mherger
2006-03-24, 23:55
> I get how to password protect the server for external players, but it
> doesn't seem to work for actual Slim Devices hardware. How can I stop
> my server from playing on just anyone's hardware?

You can't. Only the http stream and CLI interface can be protected. Don't
have those players on _your_ network :-)

--

Michael

-----------------------------------------------------------
Help translate SlimServer by using the
StringEditor Plugin (http://www.herger.net/slim/)

JSonnabend
2006-03-25, 08:58
> You can't. Only the http stream and CLI interface can be protected. Don't have those players on _your_ network :-)

Does that mean that once I've opened my server to the outside world, anyone with a Squeeze Box can connect to my server? If so, that's pretty sad.

- Jeff

mherger
2006-03-25, 09:24
> Does that mean that once I've opened my server to the outside world,
> anyone with a Squeeze Box can connect to my server? If so, that's
> pretty sad.

SlimServer is meant to feed players inhouse. There's very little security,
nobody knows about vulnerabilities. It's really not meant to be opened to
the world. If you have another computer or (good) router on the player's
side you could build some kind of VPN or SSH tunnel to protect your
server. Or install a real firewall which can limit access to the server to
certain IP addresses.

Still there are people who do it:
http://www.google.com/search?q=intitle%3A%22welcome.to.squeezebox%22+


--

Michael


stevieweevie
2006-03-25, 09:56
Ohhh free music ... LOL

JSonnabend
2006-03-26, 07:43
Well, at least we can turn on password protection (and change the default port).

rudholm
2006-03-26, 12:44
I agree that the password protection is curiously incomplete since it only controls access to Slimserver's web interface.

There is, in fact, no way to completely restrict access to a slimserver within the slimserver application itself.

However, slimserver's IP address restriction blocks all port 9000 traffic. With IP address restriction enabled, any Squeezebox could browse your collection but only authorized Squeezeboxes could actually play any music. This is probably sufficient.

If you want to completely restrict access to your slimserver, you must use a firewall of some sort. For Linux, there is IPTables, which works quite well. Alternatively, you could set up some kind of access control on your router.

jmhayes
2006-03-26, 14:29
> SlimServer is meant to feed players inhouse.

That's dumb. I bought an extra player for my shop, which is on one of those DSL lines that changes IP addresses all the time, so a firewall with limitation by IP address is gonna get old quickly. Weird that they put in the ability to set a WEP key but not some kind of password on the player itself. Also: I'd like to let friends who have players use my server too, but not just any old bloke who has Google :-)

jmhayes
2006-03-26, 14:35
> Still there are people who do it:
> http://www.google.com/search?q=intitle%3A%22welcome.to.squeezebox%22+

And of course, there should be a robots.txt at the top of the server ...

Robin Bowes
2006-03-26, 14:40
jmhayes wrote:
> mherger Wrote:
>
>>SlimServer is meant to feed players inhouse.
>
>
> That's dumb.

No, that's a design criterion.

> I bought an extra player for my shop, which is on one of
> those DSL lines that changes IP addresses all the time, so a firewall
> with limitation by IP address is gonna get old quickly. Weird that
> they put in the ability to set a WEP key but not some kind of password
> on the player itself. Also: I'd like to let friends who have players
> use my server too, but not just any old bloke who has Google :-)

Slimserver is open source. Patches are welcome.

R.

Mark Lanctot
2006-03-26, 14:53
> That's dumb.

C'mon now. That's what the software is intended for, and 95% of users do it that way. The software is NOT intended for streaming over the Internet and the fact that it can do so at all is pure dumb luck. This function is unsupported.

If you wish to change it...patches are welcome. This is an open-source project and it's possible to change it if you have the knowledge or if others agree with you.

jmhayes
2006-03-26, 15:59
> Slimserver is open source.

It's not the server that's the problem, it's the hardware device. Where can I download the firmware?

jmhayes
2006-03-26, 16:06
> So either start learning Perl or be a little more constructive and considerate please.

I know Perl. And I also know a dumb feature when I see one :) I didn't come here to pick a fight, and I don't think I read anywhere that the device was "designed for a firewalled local network" -- a lot of the features are all about streams. Streams happen, ya know? There's a password feature on the server; how does the device get around it?

kdf
2006-03-26, 16:08
On 26-Mar-06, at 2:59 PM, jmhayes wrote:

>
>> Slimserver is open source.
>
> It's not the server that's the problem, it's the hardware device.
> Where can I download the firmware?
>
I fail to see how firmware has anything to do with this. The player is
a client. You don't need to stop anyone on the internet from getting
to your player. You can alter the server to accept ONLY players with a
given MAC, for instance. That should be 'fairly simple' since the
server identifies each hardware player by its MAC address. Look in
Slimproto, and it might be as simple as bouncing any player with a non
matching MAC.
-k

stinkingpig
2006-03-26, 16:31
jmhayes wrote:
> Mark Lanctot Wrote:
>
>> So either start learning Perl or be a little more constructive and
>> considerate please.
>>
>
> I know Perl. And I also know a dumb feature when I see one :) I
> didn't come here to pick a fight, and I don't think I read anywhere
> that the device was "designed for a firewalled local network" -- a lot
> of the features are all about streams. Streams happen, ya know?
> There's a password feature on the server; how does the device get
> around it?
>
>
>
That password only affects access to the web interface; the device
doesn't use the web interface. QED.

--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip Since 1996

Robin Bowes
2006-03-26, 16:39
jmhayes wrote:
>>Slimserver is open source.
>
>
> It's not the server that's the problem, it's the hardware device.
> Where can I download the firmware?

What has the firmware got to do with this?

R.

jmhayes
2006-03-26, 16:48
> What has the firmware got to do with this?

If there was a password required for the player, you'd have to have a way to tell the player what the password was.

Robin Bowes
2006-03-26, 17:07
jmhayes wrote:
> Robin Bowes Wrote:
>
>>What has the firmware got to do with this?
>
>
> If there was a password required for the player, you'd have to have a
> way to tell the player what the password was.

But there isn't, so you don't. :)

Submit an enhancement request at http://bugs.slimdevices.com and it may
get added in the future.

R.

jmhayes
2006-03-26, 17:43
> Submit an enhancement request at http://bugs.slimdevices.com and it may
> get added in the future.

I guess it got reported already http://bugs.slimdevices.com/show_bug.cgi?id=48

jmhayes
2006-03-26, 17:45
> You can alter the server to accept ONLY players with a given MAC, for instance.

That's an interesting direction. Thanks.

Mark Lanctot
2006-03-26, 18:27
> I know Perl. And I also know a dumb feature when I see one :) I didn't come here to pick a fight, and I don't think I read anywhere that the device was "designed for a firewalled local network" -- a lot of the features are all about streams. Streams happen, ya know? There's a password feature on the server; how does the device get around it?

OK, I take back my earlier comments then. As you can see, support for Internet streaming is not all that advanced yet. Yes, there's no mention that it's designed for a firewalled LAN...but there's no mention it supports Internet streaming either. In fact, the RIAA may have a word or two to say about that. But all the discussion is surrounding how SlimServer controls your players, so a LAN is certainly implied. In fact the diagram here (http://www.slimdevices.com/images/connectiondiagram.gif) pretty clearly shows it on the LAN - there isn't even a WAN connection drawn.

If you are proficient in Perl, certainly, your assistance would be appreciated. I'm trying to learn it so I can contribute in some way, however small.

Most people who have the knowledge to do so use SSH to stream remotely with SlimServer. That makes it impossible for even permitted remote hardware players to connect though. Software players only.

BTW I don't know if you tried any of the streams Google found, but none of them work in my Squeezebox3. ;-) I realize that's not because of some hidden security feature but probably due to bandwidth restrictions.

Also the firmware is bundled with SlimServer. See here (http://wiki.slimdevices.com/index.cgi?PlayerFirmware). Unlike SlimServer itself, it's closed-source. Slim Devices does this so they can control their own hardware, otherwise a competitor could make a knock-off with very little effort.

rudholm
2006-03-26, 19:37
> I know Perl. And I also know a dumb feature when I see one :) I didn't come here to pick a fight, and I don't think I read anywhere that the device was "designed for a firewalled local network" -- a lot of the features are all about streams. Streams happen, ya know? There's a password feature on the server; how does the device get around it?

I agree with you, the security of slimserver should be more complete. And Open Source just means a user *can* contribute, it's not a publisher's abdication of responsibility.

The idea that a product *requires* a firewall is bad design. "Border Security" is a dubious concept in computer security and is not a substitute for essential host-level security.

My Slimserver is in a commercial datacenter, I access it from home and from work via a VPN. I find this works very well.

The Squeezebox sends its MAC address in-protocol so the Slimserver is aware of a player's MAC address even when they're not on the same local network. Modify the server to use player MAC address rather than the source IP address and you should be in business since the SB MAC address won't change even if its source IP address does. The MAC address effectively becomes the password and it's already sending that so there's no need to modify the SB itself.
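
The MAC-based admission check that kdf and rudholm describe in this thread, sketched as an added example that is not part of any post and is not SlimServer's own code. It assumes the SlimProto client frame layout (4-byte opcode, 4-byte big-endian length, then a HELO payload of device id, firmware revision and 6-byte MAC); the function names and the allowlisted addresses are constructed for illustration.

```python
import struct

# Constructed allowlist: placeholder addresses, not real players.
ALLOWED_MACS = {"00:04:20:aa:bb:01", "00:04:20:aa:bb:02"}

class HeloError(ValueError):
    """Raised when a frame is not a well-formed HELO."""

def parse_helo_mac(frame: bytes) -> str:
    """Return the MAC address a player claims in its HELO frame.

    Assumed layout: opcode "HELO" (4), payload length (4, big-endian),
    payload = device id (1), firmware revision (1), MAC (6), other fields.
    """
    if len(frame) < 8:
        raise HeloError("short header")
    opcode, length = struct.unpack("!4sI", frame[:8])
    if opcode != b"HELO":
        raise HeloError("first frame is not HELO")
    payload = frame[8:8 + length]
    if len(payload) != length or length < 8:
        raise HeloError("truncated payload")
    return ":".join(f"{b:02x}" for b in payload[2:8])

def admit_player(frame: bytes, allowed=ALLOWED_MACS) -> bool:
    """Fail closed: admit only a well-formed HELO whose MAC is allowlisted."""
    try:
        mac = parse_helo_mac(frame)
    except HeloError:
        return False
    return mac in allowed

def build_helo(mac: str, device_id: int = 4, revision: int = 1) -> bytes:
    """Build a constructed HELO frame for the demo (trailing fields zeroed)."""
    payload = (bytes([device_id, revision])
               + bytes.fromhex(mac.replace(":", "")) + bytes(10))
    return b"HELO" + struct.pack("!I", len(payload)) + payload

if __name__ == "__main__":
    for mac in ("00:04:20:aa:bb:01", "00:04:20:ff:ff:ff"):
        verdict = "admit" if admit_player(build_helo(mac)) else "bounce"
        print(mac, "->", verdict)
```

The MAC in HELO is a value the client asserts and it crosses the network unencrypted, so this check identifies a player rather than authenticating it; it narrows exposure but belongs behind the firewall or VPN restrictions discussed elsewhere in the thread, not in place of them.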

mherger
2006-03-27, 07:12
> And of course, there should be a robots.txt at the top of the server

Hackers _love_ robots.txt. They really give them the necessary hints where
to look for interesting information.

--

Michael


MrC
2006-03-27, 08:36
>> And of course, there should be a robots.txt at the top of the server
>
> Hackers _love_ robots.txt. They really give them the necessary hints where
> to look for interesting information.

They _can_ be. However:

User-Agent: *
Disallow: /

isn't too useful to the punks and kiddies.

rme
2006-03-30, 06:18
How can you limit access to mac addresses in slimserver?

If you set this up, does it eliminate the ability to connect remotely with software players for receiving hostipaddress:9000/stream.mp3?

el_rico
2008-02-07, 10:18
Well, I know this is a rather old thread. But I am also looking at the ability to filter SB clients based on the MAC address. Is it implemented now?

The point is that renting a dedicated server is now cheap. So I am currently setting up one that will act as a backup for my data and as a Slimserver: no more need for a 24/24 PC in house...

patrija
2008-02-11, 09:20
I'm interested in this as well. We have a "family" slimserver at a public co-lo with a dedicated 10MP upstream and it's great streaming to the various places I and my brothers may be. We all live in different states and travel internationally.

Sike
2008-02-12, 08:19
Hi

I have entered it as a Feature request. Here is my thread.

http://forums.slimdevices.com/showthread.php?t=42903

I have 7 Squeezeboxes on "the outside" but it's all secured with firewall rules, only allowing access to certain IPs. I am using Cable-Internet, which only changes its IP if you unplug the modem for longer than 10 mins.

The whole thing works great! It takes a Squeezebox around 2 seconds to start playing remotely. With the speed of internet connections today this should be a feature in squeezecenter (nudge nudge...)

I was demonstrating the system to a friend yesterday who thought Sonos is better... I explained that this would never work with Sonos and he should wait for the new remote, and we can then have a showdown.