Accessing Slimserver via Squeezebox across internet



faisalm
2006-05-01, 11:30
Hi,

Is there a way for my slimserver to be running on a remote network (for example at my girlfriend's house), and my squeezebox to connect to it while it is running at my place? The documentation says the squeezebox will scan the local network when it starts up. However, I'd like to be able to tell it to go to a URL where I've opened up a port for the slimserver to run on at the remote location.

-Faisal

johnc_22
2006-05-01, 11:36
> Hi,
>
> Is there a way for my slimserver to be running on a remote network (for example at my girlfriend's house), and my squeezebox to connect to it while it is running at my place?
> -Faisal

I tested this out at work by opening up the appropriate ports on my firewall at home and forwarding the ports to the computer running slimserver. I used the softsqueeze app to test and it did work but my upstream was not enough for my FLAC files so there was massive delay and dropouts. I'm sure with MP3 files and a solid upstream cable or DSL connection it would work just fine but you certainly want to think about security concerns. I believe you can configure the slimserver to only accept connections from certain IPs.

azinck3
2006-05-01, 11:44
Yes, this is possible. It will, however, require some configuration on your part. The simple but unsecure way is to forward ports 3483 and 9000 on your router to the box hosting slimserver.

This, however, leaves your server machine open to potential (but unlikely) exploits. The more secure approach is to use SSH. You'd have to set up SSH on your server machine, but since the squeezebox hardware doesn't support SSH you'd also have to set up an SSH client on your girlfriend's computer, configure it to forward all requests on ports 3483 and 9000 to your remote server computer, then point your SB at her machine.

So the idea is this:

SB -> GF's computer -> your remote server

azinck3
2006-05-01, 11:46
> I used the softsqueeze app to test and it did work but my upstream was not enough for my FLAC files so there was massive delay and dropouts.

Slimserver will transcode to a user-selectable mp3 bitrate on the fly to avoid this problem.

mherger
2006-05-01, 11:47
> However, I'd like to be
> able to tell it to go to a URL where I've opened up a port for the
> slimserver to run on at the remote location.

The SB will scan the local network for easy setup. But you can always
manually define a fixed IP address.

--

Michael

-----------------------------------------------------------
Help translate SlimServer by using the
StringEditor Plugin (http://www.herger.net/slim/)

johnc_22
2006-05-01, 11:48
> Slimserver will transcode to a user-selectable mp3 bitrate on the fly to avoid this problem.

That is totally cool - doesn't get around my security concerns so I probably won't use that info just yet, but the ability to have my music collection at work (or anywhere I happen to be with my laptop) is just awesome . . . thanks.

azinck3
2006-05-01, 11:49
Oh, and this thread reminds me: is there any way for an SB1 to resolve an ip from a domain name? I use my SB1 remotely sometimes but it's a pain for me to look up my IP on a computer--it'd be nice if I could just give it my dynamic dns name directly.

peter
2006-05-01, 11:58
On Mon, 1 May 2006 11:44:05 -0700, "azinck3"
<azinck3.2756h01146509102 (AT) no-mx (DOT) forums.slimdevices.com> said:
>
> Yes, this is possible. It will, however, require some configuration on
> your part. The simple but unsecure way is to forward ports 3483 and
> 9000 on your router to the box hosting slimserver.
>
> This, however, leaves your server machine open to potential (but
> unlikely) exploits. The more secure approach is to use SSH. You'd
> have to set up SSH on your server machine, but since the squeezebox
> hardware doesn't support SSH you'd also have to set up an SSH client on
> your girlfriend's computer, configure it to forward all requests on
> ports 3483 and 9000 to your remote server computer, then point your SB
> at her machine.

I've said it before and I'll say it again: Provided he restricts
incoming traffic on your router to his GF's IP address it is totally
unnecessary to use VPN or SSH tunneling for this kind of thing. IP
filters are impenetrable without attackers having cracked his (or her)
ISP first and then it's not just you who's in trouble. Tunneling is
always a hassle and makes everything a lot less reliable. If your
routers support router-to-router LAN tunneling it's worth considering,
but else I'd forget it.

Common sense is requirement #1 in security.

Regards,
Peter

azinck3
2006-05-01, 12:11
> On Mon, 1 May 2006 11:44:05 -0700, "azinck3"
> <azinck3.2756h01146509102 (AT) no-mx (DOT) forums.slimdevices.com> said:
> >
> > Yes, this is possible. It will, however, require some configuration on
> > your part. The simple but unsecure way is to forward ports 3483 and
> > 9000 on your router to the box hosting slimserver.
> >
> > This, however, leaves your server machine open to potential (but
> > unlikely) exploits. The more secure approach is to use SSH. You'd
> > have to set up SSH on your server machine, but since the squeezebox
> > hardware doesn't support SSH you'd also have to set up an SSH client on
> > your girlfriend's computer, configure it to forward all requests on
> > ports 3483 and 9000 to your remote server computer, then point your SB
> > at her machine.
>
> I've said it before and I'll say it again: Provided he restricts
> incoming traffic on your router to his GF's IP address it is totally
> unnecessary to use VPN or SSH tunneling for this kind of thing. IP
> filters are impenetrable without attackers having cracked his (or her)
> ISP first and then it's not just you who's in trouble. Tunneling is
> always a hassle and makes everything a lot less reliable. If your
> routers support router-to-router LAN tunneling it's worth considering,
> but else I'd forget it.
>
> Common sense is requirement #1 in security.
>
> Regards,
> Peter


I appreciate this feedback and I trust you are correct. Despite being a web programmer in my daily life, I know relatively little about the various attacks that can be mounted so wanted to err on the side of caution in any advice I might give. There seem to be a lot of old wives' tales out there in the network security world, and I have been somewhat baffled by the degrees to which some people will go to "secure" (I use quotes because sometimes the effectiveness of the approach seems questionable) their data. I figure I'm more likely to have my identity stolen by handing my credit card to the waitress at a restaurant than I am by way of having my slimserver hacked. But to each his own.

For me, between not having anything of great value/secrecy on my personal computer and the relative obscurity of slimserver, I've felt no qualms simply using IP filtering. I'm glad to know this is not only convenient, but safe.

radish
2006-05-01, 12:50
> IP
> filters are impenetrable without attackers having cracked his (or her)
> ISP first and then it's not just you who's in trouble.

Could you explain this? I've seen you state it a few times in other threads, and I'm not sure I believe it. I'm not a security expert, but I play one on the weekends.

For those who are interested, this page : http://www.securityfocus.com/infocus/1674 gives a nice overview of IP spoofing. Having some form of "control" of any specific ISP or network is certainly not a pre-requisite.

What I would agree with, however, is that IP spoofing is hard, and to be quite honest the risk of someone taking the trouble to attack your slimserver is pretty remote. I'd still use a tunnel though, as I don't find them hard to setup and it's better to be safe than sorry.

peter
2006-05-01, 12:51
On Mon, 1 May 2006 12:11:54 -0700, "azinck3"
<azinck3.2757uz1146510901 (AT) no-mx (DOT) forums.slimdevices.com> said:
>
> For me, between not having anything of great value/secrecy on my
> personal computer and the relative obscurity of slimserver, I've felt
> no qualms simply using IP filtering. I'm glad to know this is not only
> convenient, but safe.

You shouldn't have anything to worry about. Make sure you check from a
remote IP address to see if your rules are actually doing what they're
supposed to. It's too easy to get these things wrong, although I mostly
manage to lock myself out in these cases.

Having nothing of value is no great protection these days. Most
attackers are happy to contend with adding your machine to their army of
well connected zombies. So if you hear stuttering, you know what to look
for ;)

Regards,
Peter

azinck3
2006-05-01, 13:17
After posting I thought maybe I should have rephrased to not sound quite so flippant on the matter. I do understand the importance of taking a responsible approach to security. I take reasonable security measures: strong passwords, regular software updates, anecdotal monitoring of my router logs, anti-virus software, and just good common sense. But about anything is hackable so I don't have a lot of interest in overly complicated security approaches to protect my meager data--I just try to avoid being an easy target and maintain a level of security that doesn't allow my machine to be easily leveraged against other folks.

peter
2006-05-01, 14:16
On Mon, 1 May 2006 12:50:04 -0700, "radish"
<radish.2759pn1146513301 (AT) no-mx (DOT) forums.slimdevices.com> said:
>
> peter Wrote:
> > IP
> > filters are impenetrable without attackers having cracked his (or her)
> > ISP first and then it's not just you who's in trouble.
>
> Could you explain this? I've seen you state it a few times in other
> threads, and I'm not sure I believe it. I'm not a security expert, but
> I play one on the weekends.
>
> For those who are interested, this page :
> http://www.securityfocus.com/infocus/1674 gives a nice overview of IP
> spoofing. Having some form of "control" of any specific ISP or network
> is certainly not a pre-requisite.

In practice all ISP routers have (or should very much have)
ingress/egress filtering. This means that incoming packets with an inside
source address and outgoing packets with an inside source address are
blocked on the routers. This makes spoofing very hard on the attacker,
because the attacker should be able to transmit packets with a source
address outside of his own range (that's the point). So to be able to
send an IP packet with a forged source address is already quite hard.

If you manage to do this anyway, you are able to send spoofed IP
packets, spoofed UDP packets to your victim. Just don't expect a reply,
because the reply packets will be returned to the spoofed address over
which you have no control unless you are able to reprogram the routers
on the way which is about as hard as getting on the ISP's 'lan'. It is
possible to use spoofed UDP packets to attack (trigger a buffer
overflow) because the UDP packets are passed on by the TCP stack to the
server software. A malformed UDP packet with a spoofed IP address could
be used to attack a DNS server via a buffer overflow.

As I see it, in the case of a connection oriented protocol like TCP
(which is what we're talking about here) it is impossible to gain access
to the application (slimserver) by just sending packets and ignoring the
replies. For the TCP connection to work the handshake must be completed.
AFAIK there's no way around this. Session hijacking as described in the
article is only possible when you're on the same subnet or somewhere in
the data path. Spoofed TCP setup packets are very popular in DOS attacks
of course, but they work without replies.

Then if (and I don't think that's possible) you get access to
slimserver, you'd have to be able to gain access to the system beyond
slimserver. This is usually done through buffer overflows, which, in the
case of a Perl application are rather unlikely IMO. Perl (as a language)
has dynamic memory allocation, so there'd have to be a bug in the Perl
runtime itself. It's possible I guess...

And of course, we'd need a hacker. One that not only knows you're
running slimserver but also knows on what port (ok, he could just try
all of them) and what IP addresses you have given access. And he'd need
a motive.

> What I would agree with, however, is that IP spoofing is hard, and to
> be quite honest the risk of someone taking the trouble to attack your
> slimserver is pretty remote. I'd still use a tunnel though, as I don't
> find them hard to setup and it's better to be safe than sorry.

I'd like to hear how a spoofing attack against a filtered router TCP
port could work, if you know of a way.

If you do, I'll be glad to open up a port on my router, supply you with
all the necessary info and wait for you to take over control of my
living room Squeezebox. I'll give a Squeezebox to the first person who
manages to do that ;)

Regards,
Peter

Fedder
2006-05-02, 08:26
> What I would agree with, however, is that IP spoofing is hard, and to be quite honest the risk of someone taking the trouble to attack your slimserver is pretty remote. I'd still use a tunnel though, as I don't find them hard to setup and it's better to be safe than sorry.

Any decent firewall should not let spoofed packets enter your private LAN. I use the "pf" packet filter as firewall on the FreeBSD box that I use as slimserver, fileserver and NAT router at home.

It is correct that SoftSqueeze can use SSH tunneling, but I guess SSH encryption / decryption will probably put too much stress on the CPU in a hardware Squeezebox. And besides, apart from listening to your music stream what benefit would a hacker gain from sniffing the packets in the first place...

/Fedder

radish
2006-05-02, 08:31
> Any decent firewall should not let spoofed packets enter your private LAN. I use the "pf" packet filter as firewall on the FreeBSD box that I use as slimserver, fileserver and NAT router at home.

That can only catch spoofed packets which are obviously wrong, e.g. they're non-routable addresses or are from your internal network. It can't detect spoofed packets appearing to come from a valid external network.

> It is correct that SoftSqueeze can use SSH tunneling, but I guess SSH encryption / decryption will probably put too much stress on the CPU in a hardware Squeezebox. And besides, apart from listening to your music stream what benefit would a hacker gain from sniffing the packets in the first place...

We're not talking about sniffing, we're talking about attacking the server to get access to the underlying host.

azinck3
2006-05-02, 12:44
IP spoofing came up today on Slashdot:

http://it.slashdot.org/it/06/05/02/1729257.shtml