Remote Access Security

neilcoburn
2007-11-06, 09:49
I have opened the Squeezecenter ports on my router and have got Softsqueeze working from my work pc. A lot of people seem to be using SSH for security, but none of the posts mention how essential this is - can anyone tell what risk am I exposing myself to by opening the ports? (A general web search just produces a lot of sites trying to sell you secure software). If SSH or other security is essential, what do people recommend, with ease of use being the priority?

Mark Lanctot
2007-11-06, 10:03
Well, with those ports opened, if I was able to find your IP address I could go and turn your Squeezebox on at 4 AM just for kicks. ;-)

The SlimServer title page used to read "Welcome to SlimServer", so a Google search for the title "Welcome to SlimServer" can locate all such pages. Now it just reads "SlimServer" so it's too "diluted" to locate anything. SC 7.0 reads "SqueezeCenter" and Google currently can't locate any open pages for me - the results will be as unspecific as "SlimServer" though.

But still, you are not only leaving ports open, you are leaving control to anyone who can find your IP address. There are currently no known vulnerabilities in SlimServer/SqueezeCenter that would allow access to your OS, but seeing that it's open source, if a hacker was interested enough he might find one. Best not to leave that option.

At the very least, block incoming connections and whitelist your LAN, players and work IP using Server Settings - Security.

mherger
2007-11-06, 10:04
> SSH for security, but none of the posts mention how essential this is -
> can anyone tell what risk am I exposing myself to by opening the ports?

Not only will you be able to access your SqueezeCenter, but so will anyone on the internet. Don't be surprised when the music is turned on at night.

Michael

peterw
2007-11-06, 13:01
> SSH for security, but none of the posts mention how essential this is -
> can anyone tell what risk am I exposing myself to by opening the ports?

> Not only will you be able to access your SqueezeCenter, but so will anyone on the internet. Don't be surprised when the music is turned on at night.

It shouldn't be too bad to only open port 9000 if you also set SlimServer/SqueezeCenter to require username & password. But if you open access to the Squeeze client protocol port (3483), you're setting yourself up for trouble, as hosts that use the Squeeze client protocol can do some things regardless of the username/password security settings. With a password and only port 9000 open, your biggest concern should be something like a Denial of Service attack (somebody making so many requests against SlimServer that it spends all your computer's time rejecting those web requests, interfering with legitimate work), which I imagine is very unlikely.
http://wiki.slimdevices.com/index.cgi?RemoteStreaming

-Peter

JJZolx
2007-11-06, 13:53
Beyond just mischief, there's also the possibility that someone could use the web interface of SlimServer to hack into the computer and possibly gain access to your whole home network. SlimServer wasn't designed to be run on a public server, so security may or may not be able to keep someone out. The chances that anyone would go to the trouble to break into your home PC are probably pretty small, but it's something to consider.

Instead of using SSH or a VPN tunnel, and if your router supports it, you can also open the ports, but only from a connection coming from the IP address of your work PC. If at work you share an IP address with everyone in the office, I'd say the security risks of one of them accessing your SlimServer are minimal. If your server runs a software firewall, you could also accomplish this with rules in the firewall.
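As an added example (not from the thread or from Slim Devices), here is a host-side iptables ruleset implementing the restriction peterw and JJZolx describe: the LAN and players get both ports, the work address gets only the password-protected web port 9000, and the client-protocol port 3483 is dropped from anywhere else. The LAN range and office address are assumed placeholders; the rules are emitted as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread: host-side iptables rules for a
# SlimServer/SqueezeCenter machine behind a router that forwards 9000/3483.
# All addresses are assumed placeholders; adjust before applying.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed home LAN where the players live
WORK_IP="${WORK_IP:-203.0.113.10}"     # assumed office egress address (TEST-NET-3)
WEB_PORT=9000                          # web UI / Softsqueeze, guarded by username+password
SLIM_PORT=3483                         # Squeeze client protocol: LAN only, no password check

# Emit the rules as text so they can be reviewed (and tested) without root;
# "apply" pipes the same text into sh.
build_rules() {
  cat <<EOF
# one chain for everything aimed at the SqueezeCenter ports
iptables -N SLIM 2>/dev/null || iptables -F SLIM
iptables -D INPUT -p tcp -m multiport --dports $WEB_PORT,$SLIM_PORT -j SLIM 2>/dev/null
iptables -D INPUT -p udp --dport $SLIM_PORT -j SLIM 2>/dev/null
iptables -I INPUT -p tcp -m multiport --dports $WEB_PORT,$SLIM_PORT -j SLIM
iptables -I INPUT -p udp --dport $SLIM_PORT -j SLIM
# players and anything else on the LAN may use both ports
iptables -A SLIM -s $LAN_NET -j ACCEPT
# the office address gets the password-protected web port only; note that
# everyone NATed behind that same address is admitted too (JJZolx's caveat)
iptables -A SLIM -s $WORK_IP -p tcp --dport $WEB_PORT -j ACCEPT
# everything else, including 3483 from any off-LAN source, is logged and dropped
iptables -A SLIM -m limit --limit 5/minute -j LOG --log-prefix "slim-drop: "
iptables -A SLIM -j DROP
EOF
}

case "${1:-show}" in
  apply) build_rules | sh ;;   # needs root on the SlimServer host
  *)     build_rules ;;        # default: print the rules for review
esac
```

Run it without arguments to see the rules, then `sh script.sh apply` as root once the addresses are right.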

neilcoburn
2007-11-07, 05:46
That's all clear - thanks for all the advice

sdonham
2007-11-07, 10:44
OK, I might be hijacking this thread, but I suppose it's somewhat of a similar topic...
I've toyed with the idea of running Slimserver on the same machine I use as my firewall and proxy to the outside world. Having read this thread, I think I should probably DMZ the slimserver on another machine behind the firewall which brings me to my question...

My existing home firewall is an old Redhat 5 machine (circa 1998) running iptables with NAT and some port forwarding to other servers. I need to retire this monolithic beast because it consumes a ton of electricity for a simple firewall. Does anyone know of a small, cheap, off-the-shelf, linux firewall that runs iptables or is at least as simple to configure and change as iptables? I frequently SSH to my current setup to change a few ports, which I like because it's easy. I would love to do the same, just with a smaller, more efficient firewall. Any ideas? Thoughts?

peterw
2007-11-07, 12:18
> My existing home firewall is an old Redhat 5 machine (circa 1998) running iptables with NAT and some port forwarding to other servers. I need to retire this monolithic beast because it consumes a ton of electricity for a simple firewall. Does anyone know of a small, cheap, off-the-shelf, linux firewall that runs iptables or is at least as simple to configure and change as iptables? I frequently SSH to my current setup to change a few ports, which I like because it's easy. I would love to do the same, just with a smaller, more efficient firewall. Any ideas? Thoughts?

If not retire it, at least move to a distro that's had security updates this century. :-)

I don't know what all you might need to do beyond what you've described, but there are a number of alternate firmwares for wireless access points that give you relatively recent Linux kernels, netfilter, sshd, etc. DD-WRT, OpenWRT, etc. Search these forums or the web. I think I measured my Linksys AP at about 7 watts -- twice the demands of a Squeezebox, but a small fraction of my MythTV/SlimServer host. Yes, I think you can disable the wireless radio if you want. And an access point box will give you several ethernet ports to work with. Most AP firmwares default to bridging those together, but give you the option of treating them separately, as I expect you might want to for better separating the Slimserver host from the rest of your network.