Blocking Incoming Connections...



staresy
2011-08-26, 10:43
Hi,
I've set up a remote SB3 to access my server over the net. I've opened up the ports and forwarded them on my router. All works OK.

I now want to secure the system a bit and am trying to use the "block incoming connections" feature in squeezecenter but can't get it to work.

My understanding is that I check the box to say block incoming connections and then add a list of allowed IPs in the following box.

In the box I have:

127.0.0.1,192.168.0.*,xxx.yyy.zzz.aaa

The 127.0.0.1 is the local host I think, the 192.168.0 allows the local players on my NW to connect and the final address should allow the remote SB3 to connect, right?

But if I check the tick box I can connect locally from the players on my NW, but the remote player hangs saying "connecting to server..." and never does.

If I uncheck the box, all works again but obviously with no security.

Am I missing something out or misunderstanding how this works?

Thanks,
DrS

pski
2011-08-26, 11:39
Hi,
I've set up a remote SB3 to access my server over the net. I've opened up the ports and forwarded them on my router. All works OK.

I now want to secure the system a bit and am trying to use the "block incoming connections" feature in squeezecenter but can't get it to work.

My understanding is that I check the box to say block incoming connections and then add a list of allowed IPs in the following box.

In the box I have:

127.0.0.1,192.168.0.*,xxx.yyy.zzz.aaa

The 127.0.0.1 is the local host I think, the 192.168.0 allows the local players on my NW to connect and the final address should allow the remote SB3 to connect, right?

But if I check the tick box I can connect locally from the players on my NW, but the remote player hangs saying "connecting to server..." and never does.

If I uncheck the box, all works again but obviously with no security.

Am I missing something out or misunderstanding how this works?

Thanks,
DrS

On the remote computer, go to whatismyip.com to get your "remote" ip. Then the box should say (if whatismyip says you are at 111.222.333.444)

127.0.0.1, 192.168.0.*, 111.222.333.444

Each "remote" location will have its own ip you will need to add.

P

staresy
2011-08-27, 02:16
Hi thanks for the reply. That's exactly how I set it up but I notice that the ip address of the remote location has changed - probably because it's a dynamic address allocated by the ISP and the remote router has been rebooted.

Any easy way around this? My thought is to open up the remote address to zzz.xxx.yyy.* to allow a range of addresses in - this would work on the assumption that the ISP would only ever allocate an IP address within a fixed range.

Is that a reasonable assumption? If not what are my other options...?

Thanks,
DrS

pski
2011-08-27, 09:56
Hi thanks for the reply. That's exactly how I set it up but I notice that the ip address of the remote location has changed - probably because it's a dynamic address allocated by the ISP and the remote router has been rebooted.

Any easy way around this? My thought is to open up the remote address to zzz.xxx.yyy.* to allow a range of addresses in - this would work on the assumption that the ISP would only ever allocate an IP address within a fixed range.

Is that a reasonable assumption? If not what are my other options...?

Thanks,
DrS

Since the * there only allows for 256 different addresses, you might have to use zzz.xxx.*. You can also turn on user/password.

What OS/version is the SBS host? I use remote desktop (securely) to let me get remote control of the SBS host so I can unblock addresses remotely. If you have Windows Home versions, you can use VNC to do the same thing. (There are also patches that add RDP to Home versions - no warranty expressed or implied.) ("Home" versions contain the program to "take over" a remote machine but they do not include being remotely controlled; VNC is a free program that provides this function to/from any Windows/Mac/Unix/Linux systems.) In either of these cases you'll also open ports on your modem/router and the SBS host would absolutely have to have a user (as opposed to an SBS) password.

If you are into programming you can google "dynamic IP notify" for some free programs that can run on the remote system. They monitor the IP and send an email when it changes.

p

pallfreeman
2011-08-27, 15:53
Is that a reasonable assumption? If not what are my other options...?


It's a reasonable assumption, although it will allow about 250 other people to connect. :)

SBS tells me that Block Incoming Connections only applies to HTTP and CLI connections. It may not work for players, only for browsers. It only seems to want addresses, and not names.

If it works with names, you could register the remote player with a DDNS provider.
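
The posts above put numbers on the allow-list trade-off (a trailing `*` admits 256 addresses, `zzz.xxx.*` admits far more). The small matcher below is an added illustration written for this thread, not Squeezebox Server's own code; it assumes the box is a comma-separated list of IPv4 entries in which `*` matches a whole octet, and that a short entry such as `zzz.xxx.*` behaves as if its missing trailing octets were `*`. The sample list and the 203.0.113.x addresses are constructed.

```python
"""Model of the allow-list syntax discussed above (comma-separated IPv4
entries, '*' matching a whole octet).  Added illustration for this thread,
not Squeezebox Server's own code: how SBS actually parses the box is an
assumption here, including treating a short entry like 'zzz.xxx.*' as if
its missing trailing octets were '*'."""
from ipaddress import IPv4Address

# Constructed sample list: localhost, the home LAN, and one remote player
# (203.0.113.42 is a documentation address standing in for xxx.yyy.zzz.aaa).
ALLOW_LIST = "127.0.0.1, 192.168.0.*, 203.0.113.42"


def parse_allow_list(text):
    """Turn the text-box contents into 4-tuples of octet strings or '*'."""
    entries = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        octets = entry.split(".")
        if len(octets) > 4:
            raise ValueError(f"bad entry {entry!r}: more than four octets")
        octets += ["*"] * (4 - len(octets))   # assumption: short entries end in '*'
        for o in octets:
            if o != "*" and not (o.isdigit() and int(o) <= 255):
                raise ValueError(f"bad octet {o!r} in {entry!r}")
        entries.append(tuple(octets))
    return entries


def matches(entry, addr):
    """True if the dotted-quad string addr satisfies one entry pattern."""
    return all(p == "*" or p == a for p, a in zip(entry, addr.split(".")))


def is_allowed(allow_text, addr):
    """Decide whether a connecting address passes the allow list."""
    IPv4Address(addr)  # rejects malformed input such as 111.222.333.444
    return any(matches(e, addr) for e in parse_allow_list(allow_text))


def addresses_admitted(entry):
    """Distinct IPv4 addresses one entry lets through: 256 per '*' octet."""
    return 256 ** entry.count("*")


def widest_entry(allow_text):
    """Return (entry as text, admitted count) for the loosest entry in the list."""
    best = max(parse_allow_list(allow_text), key=addresses_admitted)
    return ".".join(best), addresses_admitted(best)


if __name__ == "__main__":
    # The symptom from the thread: the remote player works until its ISP
    # hands it a new address, then the fixed entry no longer matches.
    for addr in ("192.168.0.23", "203.0.113.42", "203.0.113.77"):
        print(addr, "allowed" if is_allowed(ALLOW_LIST, addr) else "blocked")
    # Widening the entry restores access at the price of admitting strangers.
    for widened in ("203.0.113.*", "203.0.*"):
        print(widened, "admits", widest_entry(widened)[1], "addresses")
```

Running it shows the two sides of the discussion: the fixed entry stops matching as soon as the remote ISP hands out a new address, and each octet replaced by `*` multiplies the number of strangers the list admits by 256, which is why the posters fall back on a password or a VPN rather than a wide wildcard.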

staresy
2011-08-28, 05:14
OK my cunning plan didn't work as the ISP seems to allocate completely random public ip addresses.

So, after a bit of reading it seems that SSH might be the way to go but I haven't got a clue how to set this up or, indeed, if it is possible with my set up. Can anyone offer any advice here?

My setup is:

- remote SB3, no PC, just connected to a wireless router and the internet
- dynamic public IP address on this router
- at home, Windows Home Server running SC, connected to router and internet
- again, dynamic IP at this end

If this isn't possible, what are the worst consequences of leaving the two ports for remote access unprotected?

Thanks for your help.
DrS

pallfreeman
2011-08-28, 08:16
Your ISP is assigning a random address. At both ends. Without some third party to keep track of these addresses, neither end of your setup knows which address to use to get to the other.

Dynamic DNS solves these problems to some extent. Check if your DSL routers have the ability to register with a Dynamic DNS provider. You might be able to get hold of some little utility to do this from your PC, but it's the other end which really needs it.

I'm not sure why you think SSH can help. Surely it would have the same problem, not knowing the addresses, as SBS has?

Probably, though, the worst that could happen is that someone who knows what you're up to could get access to your SBS and loudly play you Merzbow's greatest hits.

Mnyb
2011-08-28, 09:26
I think he intends to use SSH for security; the built-in security in SBS is not very good.

On occasion I stream remotely, but I'm closing the router ports after I'm done and turn off the server.
The beauty of router fw that lets you boot things from the internet; turning off is done by the server's normal web-UI.

I have nothing but music on my server, no personal information that matters, not even pictures.
So security is no concern; if the mob installs a warez website on it I can throw it into a lake and build a new one :-) and restore my music from the backups.

pski
2011-08-28, 11:03
It's a reasonable assumption, although it will allow about 250 other people to connect. :)

SBS tells me that Block Incoming Connections only applies to HTTP and CLI connections. It may not work for players, only for browsers. It only seems to want addresses, and not names.

If it works with names, you could register the remote player with a DDNS provider.

Block does prevent/allow player connections.

pski
2011-08-28, 11:23
OK my cunning plan didn't work as the ISP seems to allocate completely random public ip addresses.

So, after a bit of reading it seems that SSH might be the way to go but I haven't got a clue how to set this up or, indeed, if it is possible with my set up. Can anyone offer any advice here?

My setup is:

- remote SB3, no PC, just connected to a wireless router and the internet
- dynamic public IP address on this router
- at home, Windows Home Server running SC, connected to router and internet
- again, dynamic IP at this end

If this isn't possible, what are the worst consequences of leaving the two ports for remote access unprotected?

Thanks for your help.
DrS

You would at least want to enable the user/password feature. As I typed earlier, you would do better to enable remote access to your WHS and install a notifier on each end. That way, you would always know the IPs at each end and you would be able to access the settings of the webUI to get to the list of allowed addresses. This way, you would also be able to completely disable remote access by remotely using the web browser on your WHS machine to change the router settings.

Note that the "default" port for RDP is 3389. When you make your router rule, you can 'redirect' that:

For example direct port 5557 (any "wild" number will do) to port 3389 on your WHS. This will keep people who snoop your address on port 3389 from getting a "logon" from RDP. Then on the remote machine, you direct RDP to connect to

xxx.yyy.zzz.aaa:5557

Your router follows the rule and sends the traffic to your WHS and you're in.

SSH (google putty for the windows version) would be more secure but you will still have to know the addresses...
P

epoch1970
2011-08-28, 11:27
OK my cunning plan didn't work as the ISP seems to allocate completely random public ip addresses.

So, after a bit of reading it seems that SSH might be the way to go but I haven't got a clue how to set this up or, indeed, if it is possible with my set up. Can anyone offer any advice here?

My setup is:

- remote SB3, no PC, just connected to a wireless router and the internet
- dynamic public IP address on this router
- at home, Windows Home Server running SC, connected to router and internet
- again, dynamic IP at this end

If this isn't possible, what are the worst consequences of leaving the two ports for remote access unprotected?

Thanks for your help.
DrS
Perhaps your router on the SB3 end can run openvpn?
In this case, set it up as an openvpn "client", and have it try to connect continuously to somesuch.dyndns.com (the PC or the router at home).
On the PC or router at home run both openvpn and a dyndns DNS daemon to refresh the IP pointer to somesuch.dyndns.com.
On the openvpn "server" instance use bridged mode to extend your home network to the remote router and SB3. Player/server discovery will work, playing FLAC files without rebuffering will probably be a bit difficult, but everything else should work perfectly. DHCP too if this is what your SB3 uses.
On both sides use certificates to identify both ends and allow connection. You may want to use a cipher for the tunnel (which will hammer the router a bit) but if you don't the effect is that someone listening on the connection will be able to read the data stream. In this specific case I don't see this as an issue. The handshake always stays secure by use of certificate/private key.
Openvpn is an SSL VPN; it is very robust and resilient to NAT.

I guess you can do about the same using ssh, certificates, map ports and somehow use a daemon on the router to reconnect. But all this looks so much like openvpn…

pallfreeman
2011-08-28, 16:42
Right, that's that sorted, then.

pski
2011-08-28, 20:54
Perhaps your router on the SB3 end can run openvpn?
In this case, set it up as an openvpn "client", and have it try to connect continuously to somesuch.dyndns.com (the PC or the router at home).
On the PC or router at home run both openvpn and a dyndns DNS daemon to refresh the IP pointer to somesuch.dyndns.com.
On the openvpn "server" instance use bridged mode to extend your home network to the remote router and SB3. Player/server discovery will work, playing FLAC files without rebuffering will probably be a bit difficult, but everything else should work perfectly. DHCP too if this is what your SB3 uses.
On both sides use certificates to identify both ends and allow connection. You may want to use a cipher for the tunnel (which will hammer the router a bit) but if you don't the effect is that someone listening on the connection will be able to read the data stream. In this specific case I don't see this as an issue. The handshake always stays secure by use of certificate/private key.
Openvpn is an SSL VPN; it is very robust and resilient to NAT.

I guess you can do about the same using ssh, certificates, map ports and somehow use a daemon on the router to reconnect. But all this looks so much like openvpn…

How nice of you to be so specific and instructional!

epoch1970
2011-08-29, 02:27
Well I think I've been using it since 2003 or so, almost every time in "true" bridged mode. If you throw a pair of config files at me I may even be of help.

Specifically I recently bridged my parents' LAN to my site to allow generalized access for maintenance (over 2 DSL links). I can start their SB players, add one of mine to their SB server (no prob with firmware update --they're still running SC 7.3.4), or serve music from my site. My desktop is a Mac, as are their computers, and when I switch to their LAN I see in the Finder all the shares and services broadcast by Bonjour/zeroconf. I can use WOL and all. Very comfy.

Over the VPN, I found 320kbps mp3 streams are fine, and FLAC is rebuffering. They are using wifi for their players. Their router instance is an old PC Engines Wrap platform, that's a 266MHz Geode without crypto acceleration so not much oomph, and I use a Blowfish cipher over the link. Any reasonable consumer router will do, if the binary openvpn package is available.

My side uses a fixed address, their IP floats. On my side there is a router in front of the router that holds openvpn and the split LAN. Connection takes some time to come up, because the WRAP comes to life on Jan 1st 1970, takes some time to NTP sync, and before the system date is correct the server certificate is rejected for having validity dates ahead in the future. Once the date issue is sorted, their router bites to my openvpn instance like a bulldog.

Their setup is a "split VPN", that is the router keeps its default route to the internet, but channels 192.168.1.X through the VPN link. This way they have "normal" internet all the time, and when the VPN link is up their LAN includes some resources on my side. My setup is a "full VPN" i.e. it takes over the default route and reroutes everything through the VPN tunnel, so I can check via their router why some random site on the internet is "not working". Of course I have no business being on their LAN except for maintenance; the part of their LAN that resides on my machines is insulated from the rest of my network.
I opted for using DHCP on both sides. Since I needed different default routes for each location I am running 2 DHCP servers, one on each router. So each router is configured to filter UDP traffic on ports 67 and 68 coming into each end of the VPN tunnel to make sure only local DHCP servers give leases to local machines. I have set apart 5 addresses for my side, I don't need much, and the bulk of the DHCP range is on their side.
(the router I use on both sides is an old beta build of m0n0wall that included openVPN, FWIW)

OpenVPN is a real gem, IMHO.
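
epoch1970's two posts describe the shape of the setup (bridged TAP tunnel, certificates at both ends, the remote router reconnecting continuously to a DynDNS name, a DHCP server on each side) without showing the configuration. The pair of files below is an added example written for this thread, not epoch1970's own configuration: `somesuch.dyndns.com` and the 192.168.1.0/24 LAN come from the posts, while the file paths, certificate file names, port, cipher choice and the bridge interface name `tap0` are assumptions.

```conf
# --- home side (OpenVPN "server"): /etc/openvpn/server.conf  [placeholder path] ---
port 1194
proto udp
dev tap0                    # TAP, not TUN: the tunnel is bridged into the home LAN.
                            # Assumption: tap0 is enslaved to the LAN bridge (br0)
                            # by the router's bridge setup, outside OpenVPN.
# Both ends are identified by certificates signed by one private CA.
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/home-router.crt
key  /etc/openvpn/keys/home-router.key
dh   /etc/openvpn/keys/dh.pem
tls-auth /etc/openvpn/keys/ta.key 0   # HMAC on handshake packets; key direction 0 here
# Bridged mode with no address pool: clients get their lease from the LAN's own
# DHCP server through the bridge, matching the two-DHCP-server layout in the thread.
# To let OpenVPN hand out addresses itself, give server-bridge a gateway/mask/pool.
server-bridge
keepalive 10 120            # ping every 10 s, declare the peer dead after 120 s
persist-key
persist-tun
cipher AES-256-CBC          # epoch1970 uses Blowfish on a slow router; AES is assumed here
user nobody
group nogroup
verb 3

# --- remote SB3 side (OpenVPN "client"): /etc/openvpn/client.conf  [placeholder path] ---
client
dev tap0
proto udp
# The home IP floats; the DynDNS record is refreshed from the home side.
# resolv-retry infinite keeps retrying the name after a reboot or an IP change.
remote somesuch.dyndns.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/remote-router.crt
key  /etc/openvpn/keys/remote-router.key
tls-auth /etc/openvpn/keys/ta.key 1   # opposite key direction from the server
remote-cert-tls server      # refuse a peer that presents a client certificate as the server
cipher AES-256-CBC          # must match the server side
verb 3
```

Two points from the second post are not OpenVPN settings and belong in the router firewall instead: block UDP 67 and 68 entering each end of the tunnel so that only the local DHCP server leases addresses to local machines, and decide per site whether only 192.168.1.0/24 is routed through the tunnel (the "split VPN" on the parents' side) or the default route as well (the "full VPN" on epoch1970's side). The clock problem described in the thread also applies as written: certificate validity is checked against the router's system time, so a router that boots at 1 January 1970 will reject the peer certificate until NTP has synced.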