Possible??? - Remote Squeezebox



patrija
2006-04-19, 19:05
I have 2 SB2s connecting to Slimserver running on a Dell Server and a Nokia 770 as a remote. Music is AAC and managed with playlists via iTunes. Internet is Comcast cable on a 6MB line (usually) with modem connected to a Belkin Pre-N wireless router. Works fine.

Recently bought a lake house about 1.5 hours away. Installed 384k DSL there. I have an old SB1 sitting in a drawer. Is it possible (and realistic sound quality) to hook it up at the lake house and stream music from home? My current and fall back solution to get the same music and playlists is an iPOD and DLO HomeDock.

Ben Sandee
2006-04-19, 19:18
On 4/19/06, patrija <patrija.26jj2n1145499001 (AT) no-mx (DOT) forums.slimdevices.com>
wrote:
>
>
> I have 2 SB2s connecting to Slimserver running on a Dell Server and a
> Nokia 770 as a remote. Music is AAC and managed with playlists via
> iTunes. Internet is Comcast cable on a 6MB line (usually) with modem
> connected to a Belkin Pre-N wireless router. Works fine.
>
> Recently bought a lake house about 1.5 hours away. Installed 384k DSL
> there. I have an old SB1 sitting in a drawer. Is it possible (and
> realistic sound quality) to hook it up at the lake house and stream
> music from home? My current and fall back solution to get the same
> music and playlists is an iPOD and DLO HomeDock.


It's *possible* but there are a few issues.

First, because you're using AAC SlimServer will need to either stream
uncompressed or transcode to MP3. Depending on how important sound quality
is to you, transcoding might be an issue. Uncompressed would likely not
work at all because it's simply too much data to stream reliably over those
connections.

Second the SB1 has a relatively small buffer -- although for MP3 it should
be plenty large to handle the unpredictable latency of your connection. You
might get better results with the SB2 at the lake.

Finally, the last issue would be security. You would probably want to
investigate some sort of VPN solution between the two networks because
SlimServer really isn't designed to be left open to the internet. There
have been numerous threads about this.

Ben

rudholm
2006-04-19, 20:22
Assuming you have at least 384kbps upload speed in your primary house (where the slimserver is located), you should be fine, but you will have to configure slimserver to limit the bitrate for the player in the lake house down to 256 or 128kbps.

peter
2006-04-20, 00:36
On Wed, 19 Apr 2006 21:18:58 -0500, "Ben Sandee" <tbsandee (AT) gmail (DOT) com>
said:
> On 4/19/06, patrija
> <patrija.26jj2n1145499001 (AT) no-mx (DOT) forums.slimdevices.com>
> wrote:
> >
> > I have 2 SB2s connecting to Slimserver running on a Dell Server and a
> > Nokia 770 as a remote. Music is AAC and managed with playlists via
> > iTunes. Internet is Comcast cable on a 6MB line (usually) with modem
> > connected to a Belkin Pre-N wireless router. Works fine.
> >
> > Recently bought a lake house about 1.5 hours away. Installed 384k DSL
> > there. I have an old SB1 sitting in a drawer. Is it possible (and
> > realistic sound quality) to hook it up at the lake house and stream
> > music from home? My current and fall back solution to get the same
> > music and playlists is an iPOD and DLO HomeDock.
>
> It's *possible* but there are a few issues.
>
> First, because you're using AAC SlimServer will need to either stream
> uncompressed or transcode to MP3. Depending on how important sound
> quality
> is to you, transcoding might be an issue. Uncompressed would likely not
> work at all because it's simply too much data to stream reliably over
> those
> connections.
>
> Second the SB1 has a relatively small buffer -- although for MP3 it
> should
> be plenty large to handle the unpredictable latency of your connection.
> You
> might get better results with the SB2 at the lake.

That would probably be best.

> Finally, the last issue would be security. You would probably want to
> investigate some sort of VPN solution between the two networks because
> SlimServer really isn't designed to be left open to the internet. There
> have been numerous threads about this.

VPN is overkill and adds to the latency and complexity. A simple IP
address filter in your router or firewall should be just as effective. I
believe even slimserver has a way to restrict access to certain ip
addresses.

Regards,
Peter

Ben Sandee
2006-04-20, 06:25
On 4/20/06, Peter <landen-slimp (AT) frg (DOT) eur.nl> wrote:
>
>
> > Finally, the last issue would be security. You would probably want to
> > investigate some sort of VPN solution between the two networks because
> > SlimServer really isn't designed to be left open to the internet. There
> > have been numerous threads about this.
>
> VPN is overkill and adds to the latency and complexity. A simple IP
> address filter in your router or firewall should be just as effective. I
> believe even slimserver has a way to restrict access to certain ip
> addresses.


Well I would disagree, but YMMV as always.

VPN is certainly not overkill if the OP is at all concerned about security
of anything on either of the networks (not just the music data in transit).
SlimServer could easily be used as a vector for an attack. The only thing
preventing attacks is the relatively low installed base of SlimServer as
compared to the number of computers on the internet.

IP filters and MAC filters are trivial to bypass and a VPN solution doesn't
add dramatic latency in my experience. Most of the overhead in VPN
solutions is during the setup phase (similar to SSL). Once running they are
very efficient and very secure.

peter
2006-04-20, 06:47
On Thu, 20 Apr 2006 08:25:15 -0500, "Ben Sandee" <tbsandee (AT) gmail (DOT) com>
said:
> On 4/20/06, Peter <landen-slimp (AT) frg (DOT) eur.nl> wrote:
> >
> >
> > > Finally, the last issue would be security. You would probably want to
> > > investigate some sort of VPN solution between the two networks because
> > > SlimServer really isn't designed to be left open to the internet. There
> > > have been numerous threads about this.
> >
> > VPN is overkill and adds to the latency and complexity. A simple IP
> > address filter in your router or firewall should be just as effective. I
> > believe even slimserver has a way to restrict access to certain ip
> > addresses.
>
>
> Well I would disagree, but YMMV as always.
>
> VPN is certainly not overkill if the OP is at all concerned about
> security
> of anything on either of the networks (not just the music data in
> transit).
> SlimServer could easily be used as a vector for an attack. The only
> thing
> preventing attacks is the relatively low installed base of SlimServer as
> compared to the number of computers on the internet.
>
> IP filters and MAC filters are trivial to bypass and a VPN solution
> doesn't

Please explain, IMHO IP filters are essentially impossible to bypass
without the attacker having insider access to the internal network of
the target's ISP. A risk I'm sure most of us would be willing to take.

> add dramatic latency in my experience. Most of the overhead in VPN
> solutions is during the setup phase (similar to SSL). Once running they
> are
> very efficient and very secure.

I didn't say anything about dramaticality, but they unquestionably add
latency and they sure do add to the complexity, since the VPN links need
to be up all the time for this to work. I try to maintain several VPN
links and I'm sad to say they do have the tendency to go down.

I maintain that a VPN solution is overkill for allowing an SB in a
remote location to access a slimserver in your home. Running a VPN would
be a good idea for allowing a remote laptop access to the home network.
That's what I use it for all the time. I mostly use a Windows PPTP
tunnel, but the Hamachi P2P VPN is a very nice lightweight alternative.
Useless for an SB, but SoftSqueeze could probably run over it.

Regards,
Peter

geoffb
2006-04-21, 07:17
On 4/20/06, Peter <landen-slimp (AT) frg (DOT) eur.nl> wrote:
>
> On Thu, 20 Apr 2006 08:25:15 -0500, "Ben Sandee" <tbsandee (AT) gmail (DOT) com>
> said:
> > On 4/20/06, Peter <landen-slimp (AT) frg (DOT) eur.nl> wrote:
> > >
> > >
> > > > Finally, the last issue would be security. You would probably want to
> > > > investigate some sort of VPN solution between the two networks because
> > > > SlimServer really isn't designed to be left open to the internet. There
> > > > have been numerous threads about this.
> > >
> > > VPN is overkill and adds to the latency and complexity. A simple IP
> > > > address filter in your router or firewall should be just as effective. I
> > > believe even slimserver has a way to restrict access to certain ip
> > > addresses.
> >
> >
> > Well I would disagree, but YMMV as always.
> >
> > VPN is certainly not overkill if the OP is at all concerned about
> > security
> > of anything on either of the networks (not just the music data in
> > transit).
> > SlimServer could easily be used as a vector for an attack. The only
> > thing
> > preventing attacks is the relatively low installed base of SlimServer as
> > compared to the number of computers on the internet.
> >
> > IP filters and MAC filters are trivial to bypass and a VPN solution
> > doesn't
>
> Please explain, IMHO IP filters are essentially impossible to bypass
> without the attacker having insider access to the internal network of
> the target's ISP. A risk I'm sure most of us would be willing to take.
>
> > add dramatic latency in my experience. Most of the overhead in VPN
> > solutions is during the setup phase (similar to SSL). Once running they
> > are
> > very efficient and very secure.
>
> I didn't say anything about dramaticality, but they unquestionably add
> latency and they sure do add to the complexity, since the VPN links need
> to be up all the time for this to work. I try to maintain several VPN
> links and I'm sad to say they do have the tendency to go down.
>
> I maintain that a VPN solution is overkill for allowing an SB in a
> remote location to access a slimserver in your home. Running a VPN would
> be a good idea for allowing a remote laptop access to the home network.
> That's what I use it for all the time. I mostly use a Windows PPTP
> tunnel, but the Hamachi P2P VPN is a very nice lightweight alternative.
> Useless for an SB, but SoftSqueeze could probably run over it.
>
> Regards,
> Peter

I had to think about this one; I've always considered online security
as a "you can't be too paranoid" type issue, but that should be
tempered with risk vs. effort. If you don't have a PC at the remote
end, of course, there isn't much else you can do.

PC requirements aside, presuming that you didn't put any security in
place apart from router IP filtering at both ends, that would
still leave you open to whatever exploits your routers expose. For
example, there's at least one router I read about a while back that
shuts down and requires a hard boot if (a) IP filtering is on and (b)
it detects more than a certain number of port scans from unauthorized
IPs. Means that you have no music for the rest of the weekend, unless
there is someone at home you can call to reset it.

I think a far better, and more stable solution, would be to set up a
SSH tunnel between the two. This works really well for me streaming
from work, although it does mean you need a PC at the remote end.
There's plenty of good free software for doing it, for all common
platforms, and it's flexible enough to deal with most situations. The
only thing I haven't tried is forwarding packets to and from a
hardware SB; I've always used SoftSqueeze or SqueezeSlave (thanks,
Richard!). Has anybody tried this?

Cheers
Geoff

Mark Lanctot
2006-04-21, 07:27
> PC requirements aside, presuming that you didn't put any security in place apart from router IP filtering at both ends, that would still leave you open to whatever exploits your routers expose. For example, there's at least one router I read about a while back that shuts down and requires a hard boot if (a) IP filtering is on and (b) it detects more than a certain number of port scans from unauthorized IPs. Means that you have no music for the rest of the weekend, unless there is someone at home you can call to reset it.


I believe what was referred to is IP filtering by SlimServer itself, i.e. Server Settings - Security - Block Incoming Connections.

I suppose IP blocking at the router would eliminate all access attempts to the SlimServer machine, from SlimServer clients or otherwise. I'm wondering if it would offer any additional protection though - while the router would let traffic through SlimServer wouldn't respond to any connection attempts.

geoffb
2006-04-21, 07:55
On 4/21/06, Mark Lanctot wrote:
> geoffb Wrote:
> > PC requirements aside, presuming that you didn't put any security in
> > place apart from router IP filtering at both ends, that would still
> > leave you open to whatever exploits your routers expose. For example,
> > there's at least one router I read about a while back that shuts down
> > and requires a hard boot if (a) IP filtering is on and (b) it detects
> > more than a certain number of port scans from unauthorized IPs. Means
> > that you have no music for the rest of the weekend, unless there is
> > someone at home you can call to reset it.
>
> I believe what was referred to is IP filtering by SlimServer itself,
> i.e. Server Settings - Security - Block Incoming Connections.
>
> I suppose IP blocking at the router would eliminate all access attempts
> to the SlimServer machine, from SlimServer clients or otherwise. I'm
> wondering if it would offer any additional protection though - while
> the router would let traffic through SlimServer wouldn't respond to any
> connection attempts.
>

Ah, I see that I misread the original suggestion, although I have to
say, I don't think this changes the security issue.
Although it's unlikely, given the relatively few SS instances running
on the internet, wouldn't it be possible to spoof a source IP and
issue commands to the SS - presuming that you didn't care about the
return packets?
This is reaching into the realm of 'unlikely, so don't bother worrying
about it', but it's still a possibility. Since SS usually runs as a
semi-privileged process, at least on Windows, with read/write access
to the hard drive, any buffer overflows or other problems would
presumably make the server a liability.

But I'm probably unduly biased because I enjoy being able to listen to
music in hotel rooms, while I'm travelling, via SS. This of course
precludes IP filtering, so I always considered it unsecure :)

Cheers
Geoff

Mark Lanctot
2006-04-21, 08:09
> Ah, I see that I misread the original suggestion, although I have to say, I don't think this changes the security issue. Although it's unlikely, given the relatively few SS instances running on the internet, wouldn't it be possible to spoof a source IP and issue commands to the SS - presuming that you didn't care about the return packets?
> This is reaching into the realm of 'unlikely, so don't bother worrying about it', but it's still a possibility. Since SS usually runs as a semi-privileged process, at least on Windows, with read/write access to the hard drive, any buffer overflows or other problems would presumably make the server a liability.
>
> But I'm probably unduly biased because I enjoy being able to listen to music in hotel rooms, while I'm travelling, via SS. This of course precludes IP filtering, so I always considered it unsecure :)


Yes, if the attacker were to spoof the IP address, they could just walk right in to SlimServer. And once they were in, there's an extensive set of documentation both for the web interface and the CLI / TCP/IP interface explaining just what they can do and how to do it.

It's fortunate that SlimServer isn't widely known outside of the people here, but security by obscurity is not much better than no security at all. :-) I like the fact that security is built into SS but I doubt if it has been subject to intense, repeated attack to see what breaks, unlike certain other programs!

I don't require any external access, have set IP address blocking, CSRF protection to High and no port forwarding. External port scans indicate these ports do not respond, just like all my other ports. If it was me, I'd go for SSH. I'm not sure if VPN surpasses SSH protection or if it can be used to supplement it.

snarlydwarf
2006-04-21, 08:50
Except it's very very difficult to do IP spoofing against a modern operating system.

rudholm
2006-04-21, 10:01
On 4/21/06, Mark Lanctot wrote:
> geoffb Wrote:
> > PC requirements aside, presuming that you didn't put any security in
> > place apart from router IP filtering at both ends, that would still
> > leave you open to whatever exploits your routers expose. For example,
> > there's at least one router I read about a while back that shuts down
> > and requires a hard boot if (a) IP filtering is on and (b) it detects
> > more than a certain number of port scans from unauthorized IPs. Means
> > that you have no music for the rest of the weekend, unless there is
> > someone at home you can call to reset it.
>
> I believe what was referred to is IP filtering by SlimServer itself,
> i.e. Server Settings - Security - Block Incoming Connections.
>
> I suppose IP blocking at the router would eliminate all access attempts
> to the SlimServer machine, from SlimServer clients or otherwise. I'm
> wondering if it would offer any additional protection though - while
> the router would let traffic through SlimServer wouldn't respond to any
> connection attempts.
>

> Ah, I see that I misread the original suggestion, although I have to
> say, I don't think this changes the security issue.
> Although it's unlikely, given the relatively few SS instances running
> on the internet, wouldn't it be possible to spoof a source IP and
> issue commands to the SS - presuming that you didn't care about the
> return packets?
> This is reaching into the realm of 'unlikely, so don't bother worrying
> about it', but it's still a possibility.

I'd say "unlikely" is a bit weak of a word. "Approaching impossible" is closer to it.

If you can predict TCP Sequence Numbers, it is possible to send packets that appear to be from a trusted source, but you never get any return packets.

To successfully cause damage by pretending to be a trusted slimserver client, the slimserver would have to be running on an OS with predictable TCP sequence numbers (Windows, MacOS X, and Linux are all quite secure in this regard) AND the attacker would have to know which source IP address was trusted, AND the attacker would have to know of a bug in slimserver that could be exploited in a way that causes damage, AND the slimserver would have to be running as a user on the host OS that had sufficient privileges to cause that damage.

And besides all of that, slimserver just isn't that big of a prize for anyone to bother. There are far juicier and lower-hanging fruit. If you or your systems are of *that* much interest to someone, there are far easier ways to gain access or cause damage, one of which would be to attack PPTP. As implemented by Microsoft, PPTP is more of a security liability than Slimserver.
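The sequence-number condition in the post above can be shown with a toy handshake model. This is an added example, not part of the original thread and not SlimServer code; `ToyHost`, the fixed-step ISN generator, the `STEP` value and the documentation-range IP addresses are all constructed for illustration.

```python
import secrets

MOD = 2**32    # TCP sequence numbers are 32-bit and wrap
STEP = 64000   # constructed: fixed per-connection step of the weak generator


class ToyHost:
    """Toy model (constructed for this example) of a server's TCP handshake
    plus an application-level source-IP allowlist."""

    def __init__(self, trusted_ip, random_isn):
        self.trusted_ip = trusted_ip
        self.random_isn = random_isn
        self._counter = 1000      # state of the predictable generator
        self._half_open = {}      # (ip, port) -> ACK value the host expects

    def _next_isn(self):
        if self.random_isn:
            return secrets.randbelow(MOD)
        self._counter = (self._counter + STEP) % MOD
        return self._counter

    def on_syn(self, src_ip, src_port):
        """Handle a SYN. The returned ISN travels in the SYN-ACK, which is
        routed to src_ip, so only a host at that address ever sees it."""
        isn = self._next_isn()
        self._half_open[(src_ip, src_port)] = (isn + 1) % MOD
        return isn

    def on_ack(self, src_ip, src_port, ack):
        """Complete the handshake only if the ACK echoes ISN + 1."""
        return self._half_open.pop((src_ip, src_port), None) == ack

    def app_accepts(self, src_ip):
        """Application-level IP filter, checked after the handshake."""
        return src_ip == self.trusted_ip


def legit_connect(host, ip, port):
    """A real client receives the SYN-ACK and can echo the ISN."""
    isn = host.on_syn(ip, port)
    return host.on_ack(ip, port, (isn + 1) % MOD) and host.app_accepts(ip)


def blind_spoof(host, own_ip, trusted_ip, guesses=1):
    """Off-path sender forging trusted_ip. It sees only the ISN handed to
    its own address and must guess the one sent to trusted_ip."""
    sample = host.on_syn(own_ip, 40000)
    for i in range(guesses):
        port = 50000 + i
        host.on_syn(trusted_ip, port)     # SYN-ACK goes elsewhere, unseen
        guess = (sample + STEP * (i + 1) + 1) % MOD
        if host.on_ack(trusted_ip, port, guess):
            return host.app_accepts(trusted_ip)
    return False


if __name__ == "__main__":
    trusted, other = "203.0.113.10", "198.51.100.7"   # constructed addresses
    print("fixed-step ISN :", blind_spoof(ToyHost(trusted, False), other, trusted))
    print("random ISN     :", blind_spoof(ToyHost(trusted, True), other, trusted, 100))
```

With the fixed-step generator the forged handshake completes on the first try; with random 32-bit ISNs each guess has a 1 in 2^32 chance, so the allowlist holds against an off-path sender.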

ericj
2006-04-22, 02:46
To return to the original topic, I am currently listening to my slimserver in the states, cable modem, 256K up, streaming to my temporary apartment in London. Security is SSH via Softsqueeze. I am fortunate enough to have high bandwidth ether here.
One issue to think about is how to detect the ip address at home. Dyndns.org does that for me for softsqueeze.
Good luck

peter
2006-04-22, 09:14
On Fri, 21 Apr 2006 08:09:36 -0700, "Mark Lanctot"
<Mark.Lanctot.26mduo1145632202 (AT) no-mx (DOT) forums.slimdevices.com> said:
>
> Yes, if the attacker were to spoof the IP address, they could just walk
> right in to SlimServer. And once they were in, there's an extensive set
> of documentation both for the web interface and the CLI / TCP/IP
> interface explaining just what they can do and how to do it.

The IP spoofing is definitely easier said than done. Spoofing a (packet
oriented) UDP connection is quite possible (often used in DNS attacks)
but AFAIK spoofing TCP connections (that require two way negotiations
just to set up the link) is impossible if the attacker can't position
himself somewhere in the local network, and if they've gotten as far as
that you've got bigger problems. Also the slimserver CLI doesn't offer
that much in the way of hacking. You can't just execute arbitrary OS
commands. It's quite possible though that someone left a door open
somewhere (I'd advise against leaving it open without filtering). The
usual attacks are done with buffer overflows which are unlikely since
the server is written in Perl, which has dynamic string allocation. Perl
itself is very well tested (probably even better than sshd).

> It's fortunate that SlimServer isn't widely known outside of the people
> here, but security by obscurity is not much better than no security at
> all. :-) I like the fact that security is built into SS but I doubt
> if it has been subject to intense, repeated attack to see what breaks,
> unlike certain other programs!
>
> I don't require any external access, have set IP address blocking, CSRF
> protection to High and no port forwarding. External port scans indicate
> these ports do not respond, just like all my other ports. If it was me,
> I'd go for SSH. I'm not sure if VPN surpasses SSH protection or if it
> can be used to supplement it.

SSH is not bad for SoftSqueeze, but very cumbersome if used for
connecting real SB hardware to servers on another location. Same with
VPN. They're both unnecessary unless you're the Bank Of America, but you
probably shouldn't be running slimserver in that case anyway.

My preference would be to:

- Use filtering on the router (port forwarding with ip filter)
- Use filtering in the software firewall on the server machine
- Use filtering in the application

But definitely don't leave the server open on a publicly accessible
(standard) port. If a bug becomes known and the script kiddies get wind
of it, they'll start scanning and the dominoes will start falling. As
will the SB's image ;)

Test your setup from a remote machine.

Regards,
Peter
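One way to carry out the "test your setup from a remote machine" step, as an added example that is not part of the original thread. The port numbers are SlimServer's usual defaults (9000 web interface, 9090 CLI, 3483 SlimProto), which the thread does not state and which are assumed here; the host name in the usage line is a placeholder.

```python
import socket
import sys

# Assumed SlimServer default TCP ports (not given in the thread).
SLIMSERVER_TCP_PORTS = {9000: "web interface", 9090: "CLI", 3483: "SlimProto"}


def probe(host, port, timeout=3.0):
    """Classify one TCP port: 'open' (handshake completed), 'closed'
    (connection refused) or 'filtered' (no answer or unreachable)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:               # timeout, host/network unreachable, ...
        return "filtered"
    finally:
        s.close()


def audit(host, ports=SLIMSERVER_TCP_PORTS, timeout=3.0):
    """Probe every listed port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def findings(results, vantage_allowlisted):
    """Compare probe results with what the IP filter should produce:
    all ports open from the allowlisted address, none open from any other."""
    problems = []
    for port, state in sorted(results.items()):
        if vantage_allowlisted and state != "open":
            problems.append(
                f"port {port} is {state}: allowlisted client cannot connect")
        if not vantage_allowlisted and state == "open":
            problems.append(
                f"port {port} is open to a non-allowlisted address")
    return problems


if __name__ == "__main__":
    # Usage: python probe.py <your-home-hostname> [allowlisted]
    # Run once from the lake-house line and once from an unrelated network.
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <host> [allowlisted]")
    allowlisted = len(sys.argv) > 2 and sys.argv[2] == "allowlisted"
    results = audit(sys.argv[1])
    for port, state in sorted(results.items()):
        print(f"{port:5d} {SLIMSERVER_TCP_PORTS[port]:14s} {state}")
    issues = findings(results, allowlisted)
    print("\n".join(issues) if issues else "matches the expected policy")
    sys.exit(1 if issues else 0)
```

A port that shows as open from a non-allowlisted network means the router and host-firewall layers are passing the traffic and only the application-level filter stands in the way.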