Open Ports ... Security Issue?



jonheal
2006-12-12, 15:07
I've read through a number of posts that vaguely hint at the security risks of opening ports 3483 and 9000 on your firewall so that you can access your music from outside your local network.

My question is what are the REAL risk(s) of doing so? I'm not a networking expert, but I don't see how someone is going to be able to browse my hard drives (Windows) unless I have ports 137, 138, 139 and/or 445 open. What can a nefarious person really do with port 3483? It seems that I actually don't even need 9000 open to use SoftSqueeze.

Gregory Hamilton
2006-12-12, 15:15
They can control your Squeezeboxes. Think of sudden loud music in the middle
of the night!
They can download music from your server. There is a download link for each
song.
They can display text messages on your Squeezeboxes.

byKnight
2006-12-12, 15:20
The risk is that someone finds a weakness in the way SlimServer is implemented that they can use to commandeer it for purposes nefarious.

jonheal
2006-12-12, 15:21
> They can control your Squeezeboxes. Think of sudden loud music in the middle
> of the night!
> They can download music from your server. There is a download link for each
> song.
> They can display text messages on your Squeezeboxes.

But not if 9000 is closed, right?

jonheal
2006-12-12, 15:22
> The risk is that someone finds a weakness in the way SlimServer is implemented that they can use to commandeer it for purposes nefarious.

I'll accept that risk if there are no KNOWN issues.

Mark Lanctot
2006-12-12, 15:23
SlimServer was not really designed for high security. With its ports wide open, who knows what a determined hacker can do with it?

Plus an open port puts up a red flag to all the bots out there looking for interesting IPs. A hacker may come back and do some further investigation - finding other things that may be much more dangerous and that he can exploit immediately.

Browny
2006-12-12, 15:23
My take on this has always been that opening a port is not the issue, it's the confidence you have in the software that's listening on that port....

The questions should really be:

- 'how resilient is Slimserver' to attacks (e.g. Buffer Overruns)

I guess thats one for the developers to answer.

- 'is Slimserver a target for hackers'

Probably not at the moment - security through obscurity and all that....although as Mac owners are learning, sooner or later that will disappear..

jonheal
2006-12-12, 15:26
> SlimServer was not really designed for high security. With its ports wide open, who knows what a determined hacker can do with it?
>
> Plus an open port puts up a red flag to all the bots out there looking for interesting IPs. A hacker may come back and do some further investigation - finding other things that may be much more dangerous and that he can exploit immediately.

Now, here's where my lack of networking expertise comes into play ... if a port is open, but nothing's listening on it, or in this case, only SlimServer, is the only way into the network through that port, THROUGH Slimserver?

Mitch Harding
2006-12-12, 15:32
From what I understand, something has to be listening on a port in order for
there to be a security vulnerability. So I think in this case, yes,
SlimServer is the only possible security hole. AFAIK.

On 12/12/06, jonheal <jonheal.2iq4vz1165962601 (AT) no-mx (DOT) forums.slimdevices.com>
wrote:
>
>
> Mark Lanctot;161935 Wrote:
> > SlimServer was not really designed for high security. With its ports
> > wide open, who knows what a determined hacker can do with it?
> >
> > Plus an open port puts up a red flag to all the bots out there looking
> > for interesting IPs. A hacker may come back and do some further
> > investigation - finding other things that may be much more dangerous
> > and that he can exploit immediately.
>
> Now, here's where my lack of networking expertise comes into play ...
> if a port is open, but nothing's listening on it, or in this case, only
> SlimServer, is the only way into the network through that port, THROUGH
> Slimserver?

MrC
2006-12-12, 15:38
> Now, here's where my lack of networking expertise comes into play ... if a port is open, but nothing's listening on it, or in this case, only SlimServer, is the only way into the network through that port, THROUGH Slimserver?

Ports are opened to allow access to the services behind the port. What the service actually does with input is entirely up to the service itself. If the service is not well designed to prevent various forms of attack (buffer overflows, etc.), the service can be used as a vector of attack through unforeseen and unintended ways.

There have been far too many real cases where this happens - in fact, dozens of new holes are discovered in various pieces of software on a daily basis. Furthermore, the exploits to take advantage of these holes become available almost immediately. The bot networks are enormous now from (owned) insecure, openly accessible systems.

Do not become a victim through ignorance - there is simply no reason to allow worldwide access to unproven services, when simple, effective security measures are available.

Mark Lanctot
2006-12-12, 15:46
> Now, here's where my lack of networking expertise comes into play ... if a port is open, but nothing's listening on it, or in this case, only SlimServer, is the only way into the network through that port, THROUGH Slimserver?

Perhaps I typed out of turn here as I can't answer that question.

However installing SmoothWall (http://www.smoothwall.org/) on an old PC (too slow to run SlimServer) really opened my eyes. There are constant connection attempts from rogue IPs. My SmoothWall has been "modded" to submit reports to http://www.mynetwatchman.com/ and often sends over 100 reports an hour. I think the most it ever sent was over 150 an hour.

Every IP is being positively bombarded. These are mostly bots, no one has the time to do all this manually. But when the bots find something interesting they report the results back to the people who run them, who then do some follow-up.

Woe be unto you who gets a bored hacker interested in what this open port 9000 is all about...

Since I'm not a hacker, I'm not sure exactly what they could do - but I have some idea. They would check what protocol is valid on that port and discover that HTTP seems to be valid. They would then see your SlimServer page, lots of fun stuff to do there but nothing to turn your computer into part of their zombie network. But hey, there's a link to Slim Devices on that page, and whoa, SlimServer's code is freely available! So he could then have a look at the code and see how it can be bent to his will.

This seems unlikely as a lot of hacking activity is by organized crime that focus on the low-hanging fruit first. However there are some out there who hack just for fun - and I would think hacking SlimServer would be fun and interesting for a hacker who knows a bit of Perl.

jonheal
2006-12-12, 16:03
Well, I closed 9000 because it's just plain unnecessary. I also disabled 3483 on the router for the time being, mostly because I was afraid that one of the guardian angels posting on this thread might decide to teach me a lesson somehow!

;-)

Although now that I think about it, come on in ... if you can. I would rather learn from a friendly source about breaches in our little mote.

www.theheals.net ... your passport straight into our basement.

Mark Lanctot
2006-12-12, 16:20
> Well, I closed 9000 because it's just plain unnecessary. I also disabled 3483 on the router for the time being, mostly because I was afraid that one of the guardian angels posting on this thread might decide to teach me a lesson somehow!
>
> ;-)
>
> Although now that I think about it, come on in ... if you can. I would rather learn from a friendly source about breaches in our little mote.
>
> www.theheals.net ... your passport straight into our basement.

"But I'm not sure if I really belong in your basement!" :-D Love the guard dog...

You obviously have a web server running - suffice it to say that's more complex than 99% of home users out there. It suggests your network is well secured - you probably know your stuff.

However http://www.dnsstuff.com/ locates an IP using an "A" record DNS lookup which is probably correct (or at least it's the IP of your webserver) and your location, which is wrong if your Slim Devices profile is correct. That seems to imply a network location resolution error, which is common - it either thinks I'm in "Lobo Township", Kingston, 5 hours away, or Hamilton, 1-1/2 hours away. Right now it thinks I'm in Edmonton, probably 1000 miles or more away! Or it could imply that you're running an offsite server. The text on your webpage doesn't suggest this, however.

Just an interesting find. I lack the skills to do anything else with it.

Since you closed your ports 9000 and 3483, I can't browse your music collection to find an apropos song, add it to your playlist, and start it playing. I'm not mean enough to run a portscan, but who knows what it might locate.

jonheal
2006-12-12, 16:27
"But I'm not sure if I really belong in your basement!" :-D Love the guard dog...

You obviously have a web server running - suffice it to say that's more complex than 99% of home users out there. It suggests your network is well secured - you probably know your stuff.

However http://www.dnsstuff.com/ locates an IP using an "A" record DNS lookup which is probably correct (or at least it's the IP of your webserver) and your location, which is wrong if your Slim Devices profile is correct. That seems to imply a network location resolution error, which is common - it either thinks I'm in "Lobo Township", Kingston, 5 hours away, or Hamilton, 1-1/2 hours away. Right now it thinks I'm in Edmonton, probably 1000 miles or more away! Or it could imply that you're running an offsite server. The text on your webpage doesn't suggest this, however.

Just an interesting find. I lack the skills to do anything else with it.

Since you closed your ports 9000 and 3483, I can't browse your music collection to find an apropos song, add it to your playlist, and start it playing. I'm not mean enough to run a portscan, but who knows what it might locate.

Mark,

I thought it might have been you that was visiting as I reverse DNSed one of the IPs in the web server log and it pointed to a particular cable company in a particular country somewhat to the north of me, which is where I think you reside. :-)

I'm in suburban Washington, DC ... once and future GROUND ZERO!

Mark Lanctot
2006-12-12, 16:49
> Mark,
>
> I thought it might have been you that was visiting as I reverse DNSed one of the IPs in the web server log and it pointed to a particular cable company in a particular country somewhat to the north of me, which is where I think you reside. :-)
>
> I'm in suburban Washington, DC ... once and future GROUND ZERO!

The reverse DNS lookup by location shows you're in Las Vegas. LOL!

Almost as inaccurate as what you probably found. I'm in a hotel now who I believe have service through "Shaw Cable". For some reason its location resolves to Edmonton, which is home to a lot of Shaw operations but not even CLOSE to where I am right now. I'm in Marathon, Ontario right now, probably more than 1000 miles away from Edmonton. Less than the distance between Washington to Las Vegas, but still woefully inaccurate.

The hacker wannabe in me is seeing that you have things under control here - webserver, IP logging, etc. The "social engineering" we're doing here indicates you have some surprises up your sleeve and I wouldn't want to go much further. I would think you have an additional layer or two of protection most home users don't even think about.

P.S. the hacker wannabe in me likes to try to bring up the router admin pages in the hotels he connects. You'd be surprised what he finds. Interesting link: http://www.phenoelit.de/dpl/dpl.html I also managed to do this for an unsecured wireless network viewable from my brother's place. I never did anything, but it was tempting.

JJZolx
2006-12-12, 16:54
What I'd worry about: SlimServer is the single easiest application to crash that I've ever seen. Transpose a single letter in the query string and it's history.

Try this link from a browser running on your server:

http://localhost:9000/browsedb.html?hierarchy=album,tracc

I suppose someone may play Metallica at full volume at 3 AM, but if they wanted to be particularly evil, they could crash your server whenever they like.
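As an added illustration (not code from the thread or from SlimServer, whose real failure mode here is not known from the post), the hypothetical handler below models one way a mistyped query value such as `hierarchy=album,tracc` can take a request handler down, and the allowlist check that turns the same request into a 400 instead. The level names, lookup table and URLs are constructed assumptions.

```python
from __future__ import annotations

from urllib.parse import parse_qs, urlparse

# Constructed lookup table standing in for per-level browse tables.
# Deliberately incomplete: it only knows "album" and "track".
TABLES = {"album": "albums", "track": "tracks"}

# Assumed allowlist (not SlimServer's real list) of browse levels a request may name.
ALLOWED_LEVELS = frozenset({"genre", "artist", "album", "track"})
MAX_LEVELS = 4


def naive_browsedb(url: str) -> list[str]:
    """The fragile pattern: trust the query string and index a table with it.

    A single misspelt level ("tracc") raises KeyError. In a server that does not
    catch exceptions per request, that one unhandled error is what "crashes it".
    """
    hierarchy = parse_qs(urlparse(url).query)["hierarchy"][0]
    return [TABLES[level] for level in hierarchy.split(",")]


def parse_hierarchy(value: str) -> list[str]:
    """Validate an 'album,track'-style hierarchy string or raise ValueError."""
    if not value:
        raise ValueError("empty hierarchy")
    levels = value.split(",")
    if len(levels) > MAX_LEVELS:
        raise ValueError("too many levels")
    unknown = [level for level in levels if level not in ALLOWED_LEVELS]
    if unknown:
        raise ValueError("unknown level(s): " + ", ".join(unknown))
    if len(set(levels)) != len(levels):
        raise ValueError("duplicate level")
    return levels


def handle_browsedb(url: str) -> tuple[int, str]:
    """Return (status, body). Bad input yields 400; nothing propagates to the server loop."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    hierarchy = query.get("hierarchy", [""])[0]
    try:
        levels = parse_hierarchy(hierarchy)
    except ValueError as exc:
        return 400, f"Bad request: {exc}"
    # Only validated level names reach the (hypothetical) browse code.
    return 200, "Browsing by " + " > ".join(levels)


if __name__ == "__main__":
    for u in ("http://localhost:9000/browsedb.html?hierarchy=album,track",
              "http://localhost:9000/browsedb.html?hierarchy=album,tracc"):
        print(u, "->", handle_browsedb(u))
```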

snarlydwarf
2006-12-12, 18:55
> The reverse DNS lookup by location shows you're in Las Vegas. LOL!


Ah, but my rdns is more amusing: depending on how the roundrobin record works, I move around from OR to WA or MN... methinks comcast is very confused.

NET-24-20-0-0-1 is very odd. This isn't my IP, but it is someone in the same huge network:

[narvi:~] 5:53:43pm 22 % host 24.21.24.21
Name: c-24-21-24-21.hsd1.mn.comcast.net
Address: 24.21.24.21

[narvi:~] 5:53:44pm 23 % host 24.21.24.21
Name: c-24-21-24-21.hsd1.or.comcast.net
Address: 24.21.24.21

Maybe I am in MN and just didn't notice... (notanathiest probably has the same thing if he's on comcast here).

jonheal
2006-12-12, 19:22
> What I'd worry about: SlimServer is the single easiest application to crash that I've ever seen. Transpose a single letter in the query string and it's history.
>
> Try this link from a browser running on your server:
>
> http://localhost:9000/browsedb.html?hierarchy=album,tracc
>
> I suppose someone may play Metallica at full volume at 3 AM, but if they wanted to be particularly evil, they could crash your server whenever they like.

You gotta move back to 6.3.1! The URL didn't crash for me:

peter
2006-12-12, 23:49
Mark Lanctot wrote:
> Plus an open port puts up a red flag to all the bots out there looking
> for interesting IPs. A hacker may come back and do some further
> investigation - finding other things that may be much more dangerous
> and that he can exploit immediately
This makes no sense IMHO.

Regards,
Peter

peter
2006-12-12, 23:55
MrC wrote:
> jonheal;161938 Wrote:
>
>> Now, here's where my lack of networking expertise comes into play ... if
>> a port is open, but nothing's listening on it, or in this case, only
>> SlimServer, is the only way into the network through that port, THROUGH
>> Slimserver?
>>
>
> Ports are opened to allow access to the services behind the port. What
> the service actually does with input is entirely up to the service
> itself. If the service is not well designed to prevent various forms
> of attack (buffer overflows, etc.), the service can be used as a vector
> of attack through unforeseen and unintended ways.
>
Buffer overflows are mostly a result of things being written in the C
language. Perl does automatic memory allocation for scalars (strings)
and should be safe from buffer overflows. Of course, some modules may be
written in C and be vulnerable to overflows if you pass large enough
strings to them, but in general Perl services are much safer this way.
> There have been far too many real cases where this happens - in fact,
> dozens of new holes are discovered in various pieces of software on a
> daily basis. Furthermore, the exploits to take advantage of these
> holes become available almost immediately. The bot networks are
> enormous now from (owned) insecure, openly accessible systems.
>
Those are mostly buffer overflows they're exploiting and holes in web
browsers which allow hackers to execute code remotely.
> Do not become a victim through ignorance - there is simply no reason to
> allow worldwide access to unproven services, when simple, effective
> security measures are available

Just put up an IP filter in your router. Slimserver is not a target to
these people, but it's quite conceivable that there are bugs that allow
people more access than you'd like to give them. No reason to run
unnecessary risks.

Regards,
Peter

peter
2006-12-12, 23:58
jonheal wrote:
> Well, I closed 9000 because it's just plain unecessary. I also disabled
> 3483 on the router for the time being, mostly because I was afraid that
> one of the guardian angels posting on this thread might decide to teach
> me a lesson somehow!
>
> ;-)
>
> Although now that I think about it, come on in ... if you can. I would
> rather learn from a friendly source about breaches in our little mote.
>
> www.theheals.net ... your passport straight into our basement.
>
Better yet, if the services are only for your own use, close them all
and install Hamachi or OpenVPN so that you may access all your services
remotely & securely.

Regards,
Peter

radish
2006-12-13, 07:58
If there's one lesson to take away from this thread it's that IP->location mapping services are largely useless :) They're based primarily on ARIN lookups, and the ISP which owns theheals.net is based in Las Vegas - whilst they obviously provide service all over the country/world.

Paul_B
2006-12-13, 08:00
Agree with Peter: go with a VPN if possible. If not, then limit the source address range that you are opening the port to on your firewall. You can always look at your firewall log to see what IP address you came in on at what time.

As for buffer overflows, it seems to be the easiest method to find an exploit. I have seen security guys pass a string of characters that are unique. The overflowing buffer then passes on the remainder of the string and so you can work out at what point the buffer overflows. Also web servers may have exploits that allow foreseen access; in the old days you could navigate a computer hosting Windows IIS4 by passing directory commands in HTTP and as most installs were in the default c:\inetsrv you could do what you liked.
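An added example, not from the thread: a small Python triage of firewall log lines along the lines Paul_B describes, counting connection attempts on the SlimServer ports (9000 and 3483) per hour and flagging sources outside the address range you meant to allow. The iptables-style log format, the sample lines and the allowed range are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log: iptables-style LOG entries as a Linux firewall might write
# to syslog. Addresses come from documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Dec 12 15:31:02 gw kernel: IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=9000 SYN
Dec 12 15:31:05 gw kernel: IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=3483 SYN
Dec 12 15:44:17 gw kernel: IN=eth0 SRC=192.0.2.88 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=9000 SYN
Dec 12 16:02:40 gw kernel: IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51300 DPT=9000 SYN
Dec 12 16:09:11 gw kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=445 SYN
"""

# Assumed allow-list: the range the remote player connects from (the ISP range the
# thread talks about). Anything else hitting the SlimServer ports is worth a look.
ALLOWED_SOURCES = [ip_network("192.0.2.0/24")]
SLIMSERVER_PORTS = {9000, 3483}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):\d{2}:\d{2}\s.*?"
    r"\bSRC=(?P<src>\S+)\s.*?\bDPT=(?P<dpt>\d+)\b"
)


def parse_line(line):
    """Extract hour bucket, source address and destination port, or None for non-LOG lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        src = ip_address(m["src"])
    except ValueError:
        return None  # malformed SRC field: skip rather than crash the report
    return {"hour": f"{m['mon']} {m['day']} {m['hour']}:00", "src": src, "dpt": int(m["dpt"])}


def is_allowed(src):
    """True if the source falls inside a range the firewall is meant to admit."""
    return any(src in net for net in ALLOWED_SOURCES)


def triage(log_text):
    """Count SlimServer-port hits per hour and hits from sources outside ALLOWED_SOURCES."""
    per_hour = Counter()
    unexpected = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in SLIMSERVER_PORTS:
            continue  # other ports are out of scope for this report
        per_hour[rec["hour"]] += 1
        if not is_allowed(rec["src"]):
            unexpected[str(rec["src"])] += 1
    return per_hour, unexpected


if __name__ == "__main__":
    hours, suspects = triage(SAMPLE_LOG)
    for hour, n in sorted(hours.items()):
        print(f"{hour}: {n} connection attempt(s) on the SlimServer ports")
    for src, n in suspects.most_common():
        print(f"outside the allowed range: {src} ({n} attempt(s))")
```

Feed it the real firewall log instead of SAMPLE_LOG and adjust ALLOWED_SOURCES to the range you actually open on the router; the sources it lists are the ones your rule should be rejecting.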

jonheal
2006-12-13, 09:48
> If there's one lesson to take away from this thread it's that IP->location mapping services are largely useless :) They're based primarily on ARIN lookups, and the ISP which owns theheals.net is based in Las Vegas - whilst they obviously provide service all over the country/world.

Well, I own the domain name, but no-ip.com is doing the dynamic dns for me and they're based in Las Vegas, so that's where that comes from.

chiphart
2006-12-13, 11:02
Mark Lanctot wrote:
> P.S. the hacker wannabe in me likes to try to bring up the router admin
> pages in the hotels he connects. You'd be surprised what he finds.
> Interesting link: http://www.phenoelit.de/dpl/dpl.html I also managed
> to do this for an unsecured wireless network viewable from my brother's
> place. I never did anything, but it was tempting.

This list (and its friends) are well known to many support techs
around the world. "I can't log into the Interweb!" often
requires access to a router whose information is otherwise
unknown. Get a customer to read you a model number and you
might be able to save the day.

I've done it myself more than once.

--
Chip Hart - Pediatric Solutions * Physician's Computer Company
chip @ pcc.com * 1 Main St. #7, Winooski, VT 05404
800-722-7708 * http://www.pcc.com/~chip
f.802-846-8178 * Pediatric Software Just Got Smarter.
Your Practice Just Got Healthier.

radish
2006-12-13, 11:59
> Well, I own the domain name, but no-ip.com is doing the dynamic dns for me and they're based in Las Vegas, so that's where that comes from.

Sure - I meant they own the IP currently assigned to it rather than the domain...but you knew that :)

Mark Lanctot
2006-12-13, 14:40
> Mark Lanctot wrote:
> > Plus an open port puts up a red flag to all the bots out there looking
> > for interesting IPs. A hacker may come back and do some further
> > investigation - finding other things that may be much more dangerous
> > and that he can exploit immediately
> This makes no sense IMHO.
>
> Regards,
> Peter

Hmm? These are bots out there scanning ports. They are looking for open ports. If they find one, they log it for further investigation.

Pale Blue Ego
2006-12-13, 19:14
Why would these ports be open to the world in the first place? You can limit the address range.

jonheal
2006-12-14, 03:34
> Why would these ports be open to the world in the first place? You can limit the address range.

Not practical, in this case. I plan on taking the SB to my mother-in-law's for Christmas. She has Verizon DSL, but gets a dynamic IP just like 99% of everybody with high-speed access.

peter
2006-12-14, 11:49
Mark Lanctot wrote:
> Peter;162026 Wrote:
>
>> Mark Lanctot wrote:
>>
>>> Plus an open port puts up a red flag to all the bots out there
>>>
>> looking
>>
>>> for interesting IPs. A hacker may come back and do some further
>>> investigation - finding other things that may be much more dangerous
>>> and that he can exploit immediately
>>>
>> This makes no sense IMHO.
>>
>> Regards,
>> Peter
>>
>
> Hmm? These are bots out there scanning ports. They are looking for
> open ports. If they find one, they log it for further investigation.
>

These bots aren't scanning all 65535 TCP & 55535 UDP ports for each
system. They're looking for ports with software with known
vulnerabilities. The people who operate them don't go looking at
interesting ports, their aim is to harvest bots by the thousands or
hundred thousands. The people who find the vulnerabilities in software
do so with the software installed locally. They don't attack remote
systems at random, if they want to attack a system they look for
services that have known vulnerabilities.

If a hacker (yeah I know, cracker) would be interested in hacking
slimserver installs, he would download it, install it, look at the code,
flood it with unexpected input and see if it crashes or does something it
shouldn't. If so, see if it's exploitable. If it's exploitable, *then*
start scanning the net for the SS ports and take over the machines.

Regards,
Peter

Paul_B
2006-12-14, 14:52
Jon,

You are right most providers give out dynamic IP addresses rather than static. But it is very likely you will maintain the same IP address time after time, unless you turn off your Broadband connection for a long period.

Even if the IP address changes you could still only allow the IP range in use by your mother-in-law's ISP as opposed to the entire internet.

peter
2006-12-15, 01:11
jonheal wrote:
> Pale Blue Ego;162253 Wrote:
>
>> Why would these ports be open to the world in the first place? You can
>> limit the address range.
>>
>
> Not practical, in this case. I plan on taking the SB to my
> mother-in-law's for Christmas. She has Verizon DSL, but gets a dynamic
> IP just like 99% of everybody with high-speed access.
>

In that case Hamachi seems to be the best solution if you and your
mum-in-law are running a supported OS.

Regards,
Peter

jonheal
2006-12-15, 05:25
At first I thought it didn't need to be, but it appears that port 9000 must also be open to play remotely with SoftSqueeze. You can browse your collection in SoftSqueeze with 9000 closed but hit the play button, and it makes no sound.

Drag. :-(

kefa
2006-12-17, 08:11
this is part of the reason I uninstalled slimserver from my normal user account (not an administrator, but plenty of personal information), and reinstalled it under a dedicated slimserver user account. I then gave the new slimserver user read-only access to my music library and read-write to the playlists folder.

if someone exploits a buffer overflow in the slimserver software they won't get very far. okay they could trash my slimserver installation and copy all my music, but they wouldn't be able to access any of my other files or delete any music.

renaissanceboy
2006-12-17, 18:47
hi there, i'm a new member of slimserver (i do not have a squeezebox), and i'm working on accessing my music library over the internet using softsqueeze.
i've been corresponding with a few people in the beginners forum on the non-static ip thread, but i still have a few unanswered questions, and as someone pointed me to this thread, i thought this might be the right place to ask them, as it seems like you guys know what you're talking about, much better than i do, at least.
first of all: if i forward ports 9000 and 3843 (or whatever they are), what real-life security risks does that pose?
second: if i use slimserver's password protection (which i do), does that offer a significant amount of protection?
third: is it a good idea, as i saw that someone has done, to create a separate user account for slimserver that only has access to my music folder?

thanks a lot-

Mark Lanctot
2006-12-17, 18:57
> first of all: if i forward ports 9000 and 3843 (or whatever they are), what real-life security risks does that pose?

Anyone and their dog can access your SlimServer. I think to find these in Google you do this:

http://www.google.com/search?as_q=&hl=en&num=10&btnG=Google+Search&as_epq=Welcome+to+SlimServer&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=title&as_dt=i&as_sitesearch=&as_rights=&safe=off

Superficially they can do fun things like start your player at 3 AM :-), disable your alarms or delete all your player preferences.

It's more serious if the hacker can manage to crash your SlimServer or cause a buffer overflow as explained in this thread.


> second: if i use slimserver's password protection (which i do), does that offer a significant amount of protection?

Some, but it's inconvenient for you and the password is transmitted over the Internet "in the clear", not encrypted. It's probably more secure to whitelist an IP address - see Server Settings - Security - Block Incoming Connections.


> third: is it a good idea, as i saw that someone has done, to create a separate user account for slimserver that only has access to my music folder?

That sounds like a good idea, but I'm wondering how easy it would be. It might also create complications in the future regarding file permissions.

renaissanceboy
2006-12-17, 19:00
so if i don't have any slim devices hardware (which i don't) the only security risk is that someone could listen to/download my music? i'm all right with that risk as long as there's no (or no significant) danger of my files or network in general being accessed.

Mark Lanctot
2006-12-17, 19:08
> so if i don't have any slim devices hardware (which i don't) the only security risk is that someone could listen to/download my music?

They could still delete your player preferences or crash your SlimServer.


> i'm all right with that risk as long as there's no (or no significant) danger of my files or network in general being accessed.

So far no one's been able to do this, but as outlined in this thread, SlimServer wasn't designed for security and if someone really works on it, they will probably find holes that allow for buffer overflows and execution of arbitrary code outside of SlimServer.

It's best to use some kind of protection. The password protection you've set is better than nothing.

renaissanceboy
2006-12-17, 19:14
thank you very much. this has been very helpful.
it looks like the best thing for me to do is to create a separate user account for slimserver, with read-only access to my music, and keep the password protection on.
again, thanks a lot everyone.

pfarrell
2006-12-17, 19:17
renaissanceboy wrote:
> first of all: if i forward ports 9000 and 3843 (or whatever they are),
> what real-life security risks does that pose?
> second: if i use slimserver's password protection (which i do), does
> that offer a significant amount of protection?
> third: is it a good idea, as i saw that someone has done, to create a
> separate user account for slimserver that only has access to my music
> folder?

Do you mean forward without any security? or forward with SSL or equivalent?

In general, IMHO, it is a really bad idea to propagate open ports
in the wild.

What do you mean by "separate user account"? The default setup on Linux
slimserver distros is to use a limited 'slimserver' user for exactly the
kinds of basic security you are talking about. But it is by no means
'secure' in any serious sense.

> so if i don't have any slim devices hardware (which i don't) the only
> security risk is that someone could listen to/download my music? i'm
> all right with that risk as long as there's no (or no significant)
> danger of my files or network in general being accessed.

You can't say this.

You don't know that some bad person won't access your machine over say
9000 and feed bad commands that cause the SlimServer to react in weird
and bad ways. It is unlikely, at least if you aren't using Windows, but
you can't know. No one can know.

There are some advantages to the SlimServer being written in Perl, it
is less likely to have the kinds of buffer overflow problems that
other languages can have, but that doesn't mean it is 'safe'.
There is no such thing as a safe language in widespread use.

Why not just use putty or other SSL tool to forward the ports under SSL?
It's a ton safer.

IANAL, but the RIAA and others may have differing views on your
liability if you allow other folks to listen to your music.

--
Pat
http://www.pfarrell.com/music/slimserver/slimsoftware.html

renaissanceboy
2006-12-17, 19:28
as someone who is not a networking expert, i don't know enough about forwarding procedures to say for sure, but if i have the option to use any sort of security, i will (obviously) take it. perhaps you can offer some advice on setting this up?
i'm running mac os x 10.4.8, so by separate user account i mean a separate account (called slimserver or something) which is the only one that has slimserver running, and has only read access to my music files, and no access to anything else. thus, if someone attacks my computer through port 9000, and slimserver, they will have an extremely limited scope, because they can't get to anything other than my music (and they can only read that).
i also am not allowing other people to listen to my music. if i do the best i can to secure my network, and someone pirates my music anyway, i cannot be held legally liable for this.

AndrueC
2006-12-18, 01:28
Opening a port on your firewall is like unlocking a door on your house. The security implications depend on who or what is waiting behind that door. As long as the software that answers the "door" is robust and can't be duped there is no problem.

Unfortunately it is very difficult to write software that meets those requirements. Even people trying to write the kind of software that should expect to come under attack often don't get it right (think of all the IE, FF etc. patches that have to be issued). I don't want to cast aspersions but I'd be very surprised if SlimServer had been written with that level of security in mind.

As for what might happen if someone breaks in using SlimServer: the worst case scenario is that they take control over the machine that SlimServer is running on without you knowing. From there they have full access to your network and can browse all the storage attached to it. They can also use that machine to send and receive emails. Basically it gives them as much control over your machines when they are powered on and connected as you have, apart from the fact that they can't stop you turning them off.

peter
2006-12-18, 07:46
renaissanceboy wrote:
> as someone who is not a networking expert, i don't know enough about
> forwarding procedures to say for sure, but if i have the option to use
> any sort of security, i will (obviously) take it. perhaps you can
> offer some advice on setting this up?
>

The best thing to handle this, the option that solves all your security,
open ports and dynamic ip issues is to install hamachi.

http://hamachi.cc


> i'm running mac os x 10.4.8, so by separate user account i mean a
>
Well, yeah, installing hamachi under OS/X is not as convenient as under
Windows, sorry, but there's an OS/X version available.

> separate account (called slimserver or something) which is the only one
> that has slimserver running, and has only read access to my music files,
> and no access to anything else. thus, if someone atacks my computer
> through port 9000, and slimserver, they will have an extremely limited
> scope, because they can't get to anything other than my music (and they
> can only read that).
>
Configure IP filters on your router and only allow certain IP addresses
in. That's perfectly secure and fairly easy to set up, provided your
'clients' have static IPs.
> i also am not allowing other people to listen to my music. if i do the
> best i can to secure my network, and someone pirates my music anyway, i
> cannot be held legally liable for this.
>
Good for you!

Regards,
Peter

jonheal
2006-12-22, 12:41
I sort of hijacked another thread with this topic, so I'm moving back to my own...


I'm working on the Reverse Proxy approach right now. I'm far from a networking expert, so it's all pretty much Greek to me, but I downloaded a free reverse proxy server for Windows called at32 Reverse Proxy.

So far, I've set it up in its most primitive state.

On our router, public port 9000 is forwarded to private port 9001. at32 is listening to 9001 and forwarding everything (supposedly) to and from private 9000. From the outside, I can browse to SlimServer, and the web pages function normally. But I can't yet get music to play through SoftSqueeze. The menus draw properly -- I can browse the music -- but I can't actually play anything yet.

at32 has a web interface for setting rules and modifying headers, so I'm sure that there is some small adjustment I need to make to get streaming working, but I have no idea what it is right now.

Assuming I do get streaming working, I will work on some rules to limit access to particular URLs (those involving setup).

Well, I'm at a bit of a loss with the whole Reverse Proxy thing. It definitely is prohibiting play (but allowing everything else) at this point. I reckon I've got a http header problem somewhere, but where?? (Rhetorical question.)
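The "rules to limit access to particular URLs (those involving setup)" idea above is the part of the reverse-proxy approach that actually buys security, so here is an added example of what such a rule layer looks like. This is illustrative code written for this thread, not code from at32 Reverse Proxy or from SlimServer. The denied prefixes (/settings, /setup), the GET/HEAD-only rule and the stream URL in the test are assumptions standing in for whatever your SlimServer version really serves; check them against your own web interface. It only covers the HTTP side: the player protocol on port 3483 is not HTTP and cannot be filtered by a web reverse proxy at all.

```python
"""
URL policy for a reverse proxy sitting in front of SlimServer's web port.

Added example for this forum thread; not code from at32 Reverse Proxy or
SlimServer. DENIED_PREFIXES and ALLOWED_METHODS are assumptions that stand in
for the real setup/settings URLs of your SlimServer version.
"""
import posixpath
from urllib.parse import unquote

# Assumed administrative areas of the web UI that must never be reachable from
# the Internet. Matching is deliberately broad (plain prefix), so "/setup.html"
# and "/settings/anything" are both caught; erring toward "deny" is the point.
DENIED_PREFIXES = ("/settings", "/setup")

# Assumed: browsing and streaming only need GET/HEAD. Add methods if your
# client genuinely needs them, but don't open POST by default.
ALLOWED_METHODS = {"GET", "HEAD"}


def canonical_path(raw_target: str) -> str:
    """Reduce a request target to one canonical form before matching rules.

    Matching the raw request line is the classic mistake: "/Settings",
    "/stream/../settings", "/%2e%2e/settings" or "//settings" all reach the
    same place on the origin while looking different to a naive prefix check.
    """
    # Drop query string and fragment; only the path matters for the rule.
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    # Percent-decode until stable (bounded). Over-decoding here can only make
    # the policy stricter, never looser, so it is safe on the deny side.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators (origin may run on Windows), force a
    # single leading slash (posixpath keeps "//" otherwise), then collapse
    # "." and ".." segments. A leading ".." at the root is dropped by normpath.
    path = path.replace("\\", "/")
    path = "/" + path.lstrip("/")
    path = posixpath.normpath(path)
    # Case-insensitive comparison: again conservative on the deny side.
    return path.lower()


def decide(method: str, raw_target: str) -> bool:
    """True if the proxy should forward this request to SlimServer."""
    if method.upper() not in ALLOWED_METHODS:
        return False
    path = canonical_path(raw_target)
    return not any(path.startswith(prefix) for prefix in DENIED_PREFIXES)


def decide_request_line(request_line: str) -> bool:
    """Apply the policy to a raw HTTP request line such as 'GET /x HTTP/1.1'.

    Anything that does not look like exactly 'METHOD TARGET VERSION' is denied
    rather than guessed at.
    """
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False
    method, target, _version = parts
    return decide(method, target)


if __name__ == "__main__":
    # Constructed sample request lines, including a few bypass attempts.
    for line in (
        "GET /stream.mp3?player=00:04:20:aa:bb:cc HTTP/1.0",
        "GET /settings/server HTTP/1.1",
        "GET /Stream/../SETUP.html HTTP/1.1",
        "GET /%2e%2e/settings HTTP/1.1",
        "GET //settings HTTP/1.1",
        "POST /stream.mp3 HTTP/1.1",
    ):
        print("allow" if decide_request_line(line) else "deny ", line)
```

The two things worth taking from this are that rules must run on a canonicalised path, not the bytes the client sent, and that the default should be to deny whatever you have not explicitly thought about. The proxy still has to do the forwarding; this is only the decision layer you put in front of it.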

shadowboxer
2006-12-22, 13:25
no, no, jonheal,
come back to my thread! ;-))

Mark Lanctot
2007-01-09, 12:55
I sort of hijacked another thread with this topic, so I'm moving back to my own...



Well, I'm at a bit of a loss with the whole Reverse Proxy thing. It definitely is prohibiting play (but allowing everything else) at this point. I reckon I've got a http header problem somewhere, but where?? (Rhetorical question.)

This is going to sound simplistic, but don't you have to forward port 3483 as well?

lemmy999
2007-01-10, 07:49
Configure IP filters on your router and only allow certain IP addresses
in. That's perfectly secure and fairly easy to set up, provided your
'clients' have static ip's.

Regards,
Peter

I have had 3 different routers (Linksys, Netgear and now a US Robotics) and I don't believe any of them have had the ability to do IP filtering. Is this only on high end routers or do I just have the few routers that do not have this ability?

peter
2007-01-11, 02:14
lemmy999 wrote:
> Peter;163189 Wrote:
>
>> Configure IP filters on your router and only allow certain IP addresses
>>
>> in. That's perfectly secure and fairly easy to set up, provided your
>> 'clients' have static ip's.
>>
> I have had 3 different routers (Linksys, Netgear and now a US Robotics)
> and I don't believe any of them have had the ability to do IP filtering.
> Is this only on high end routers or do I just have the few routers that
> do not have this ability?
>

Hi Lemmy,

All the home routers I've owned had this ability, but that may well be
because I chose them for their feature richness. In fact I've only had
Drayteks so they may well be atypical. I do consider this sort of
functionality pretty basic for any router that claims 'firewall'
functionality (and don't they all?).

Anyway, I believe the recent versions of slimserver have IP access
restrictions built in, so you could just use those. Since IP
restrictions come before any command processing they're usually pretty
secure.

And then there's the built in firewalls in XP & other OSes. I assume
it's possible to whitelist certain IPs for slimserver access in the
Windows firewall. That should be pretty safe too. In fact my slimserver
runs on Linux and I restrict access with iptables when necessary (my
preference is to use openvpn) so I may well have unrealistic
expectations of other systems (oh well, perhaps Vista...)

Regards,
Peter
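Peter's point in both of his posts (allow only certain source addresses in, and do it before any command processing) is worth seeing in code, because the obvious shortcut gets it wrong. The following is an added example written for this thread, not SlimServer's built-in IP restriction or anything Peter posted. The allow-list entries, the echo handler and the port 9000 bind are placeholders chosen to match the discussion; the mechanism shown is Python's `socketserver.verify_request` hook, which runs after `accept()` and before the request handler is even constructed, so a rejected peer never gets a byte of its request parsed.

```python
"""
Source-address allow-list checked before any request data is read.

Added example for this forum thread; not SlimServer code. ALLOW_LIST, the
EchoHandler and the bind address are assumptions for illustration.
"""
import ipaddress
import socketserver

# Assumed allow-list: the home LAN, one friend's static address, one small block.
ALLOW_LIST = ("192.168.1.0/24", "203.0.113.7", "198.51.100.0/29")


def parse_allow_list(entries):
    """Turn strings into network objects; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_allowed(peer_ip, networks):
    """True if peer_ip falls inside any allowed network.

    Unparsable input is denied, and IPv4-mapped IPv6 peers (::ffff:a.b.c.d, as
    seen on dual-stack listeners) are compared as the IPv4 address they carry.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # 'in' across address families is False, so a v6 peer never matches a v4 net.
    return any(addr in net for net in networks)


def naive_prefix_allowed(peer_ip, prefix="192.168.1"):
    """The tempting string shortcut, kept here only to show why it is wrong:
    "192.168.100.9" and "192.168.10.1" both start with "192.168.1"."""
    return peer_ip.startswith(prefix)


class AllowListedServer(socketserver.ThreadingTCPServer):
    """TCP server that drops unlisted peers before reading anything from them."""
    allow_reuse_address = True

    def __init__(self, server_address, handler_class, allow_list):
        self.networks = parse_allow_list(allow_list)
        super().__init__(server_address, handler_class)

    def verify_request(self, request, client_address):
        # socketserver calls this between accept() and process_request(); a
        # False return makes it close the socket, so no handler ever runs and
        # nothing the client sent is parsed. This is the "restriction before
        # command processing" property from the thread.
        return is_allowed(client_address[0], self.networks)


class EchoHandler(socketserver.StreamRequestHandler):
    """Stand-in for the real service: only reached by allow-listed peers."""

    def handle(self):
        line = self.rfile.readline(1024)
        self.wfile.write(b"ok " + line)


if __name__ == "__main__":
    # Assumed bind: same port the thread discusses. Ctrl-C to stop.
    with AllowListedServer(("0.0.0.0", 9000), EchoHandler, ALLOW_LIST) as srv:
        srv.serve_forever()
```

Whether the check lives in the router, the host firewall or the application, the property you want is the one in `verify_request`: the decision uses only the peer address and happens before any application code touches the request. A check done inside the request handler, after parsing, already exposes the parser to every host on the Internet.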