Ethernet Security tips ?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Ethernet Security tips ?

    Hello,

    I’m using an RPi4 with pCP and LMS on wired Ethernet. Could you give me some additional security advice?

    There is already:

    - Change the pCP password.

    In LMS advanced security, enable:
    - Password protection
    - Block incoming connections
    - CSRF protection level HIGH
    - CORS ??

    Is it possible to allow only one computer (IP) to connect to it?

    Any other ideas?

    Thanks

    #2
    Originally posted by PaulH:
    I’m using an RPi4 with pCP and LMS on wired Ethernet. Could you give me some additional security advice?

    Is it possible to allow only one computer (IP) to connect to it?
    Yes, by using (linux) firewall rules. Does pcp support ufw (uncomplicated firewall)?
    "To try to judge the real from the false will always be hard. In this fast-growing art of 'high fidelity' the quackery will bear a solid gilt edge that will fool many people" - Paul W Klipsch, 1953

      #3
      Detach all cables, encase it in concrete and drop it in the ocean right on top of a tectonic plate boundary.

        #4
        Assuming you are using an external firewall and non routable IP addresses, the question is, what are you trying to protect against? Limiting user access on your internal network?
        Server: LMS 8.3 on Windows 10 Computer with Synology DS920+ music stored in FLAC or DSF
        Living Room: PicorePlayer 8.2 on Raspberry Pi4 USB > Musetec 005 > Krell Digital Vanguard > Dynaudio Focus 360
        Outside: PicorePlayer 8.2 on Raspberry Pi4 USB > Gustard X26 Pro > NAD 325BEE > Dynaudio OW-8 & SVS SB3000 Micro
        Home Theater: PicorePlayer 8.2 on Raspberry Pi4 w/Pi2AES Coax > Denon AVR-6700h > Dynaudio Focus 220 MkII, Dynaudio Focus 200C, Dynaudio Audience 42, Definitive Technology Di 8r

          #5
          Originally posted by Bscott:
          Assuming you are using an external firewall and non routable IP addresses, the question is, what are you trying to protect against? Limiting user access on your internal network?
          My thoughts exactly.
          I seriously would not attempt to lock down to just one IP address as you could easily lock yourself out and not be able to get back in without a lot of hassle.
          Jim
          https://jukeradio.double6.net


          VB2.4 storage QNAP TS419p (NFS)
          Living Room Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
          Office Joggler & Pi3 -> Denon RCD N8 -> Celestion F10s
          Dining Room SB Radio
          Bedroom (Bedside) Pi Zero+DAC ->ToppingTP21 ->AKG Headphones
          Bedroom (TV) & Bathroom SB Touch ->Denon AVR ->Mordaunt Short M10s + Kef ceiling speakers
          Guest Room Joggler > Topping Amp -> Wharfedale Modus Cubes

            #6
            Originally posted by d6jg:
            My thoughts exactly.
            I seriously would not attempt to lock down to just one IP address as you could easily lock yourself out and not be able to get back in without a lot of hassle.
            I did that once.

            Living Room: Touch or Squeezelite (Pi3B) > Topping E30 > Audiolab 8000A > Monitor Audio S5 + BK200-XLS DF
            Bedroom: Radio
            Bathroom: Radio

              #7
              Originally posted by Bscott:
              Assuming you are using an external firewall
              No external FW


              Originally posted by Bscott:
              Limiting user access on your internal network?
              Yes, avoid unwanted external access on my internal network.

              Maybe the Pi with Pcp and LMS is only slightly vulnerable ???

                #8
                Originally posted by gordonb3:
                Detach all cables, encase it in concrete and drop it in the ocean right on top of a tectonic plate boundary.
                I just want to avoid "exaggerations" and try to configure this with the maximum common sense...

                  #9
                  Originally posted by Julf:
                  Yes, by using (linux) firewall rules. Does pcp support ufw (uncomplicated firewall)?
                  It could be a great idea, but I'm not sure ufw would work with Tiny Core Linux.

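An added example, not code from this thread, piCorePlayer or LMS, of the firewall approach suggested in #2 together with the lock-out guard raised in #5: a POSIX sh script that generates iptables rules letting one LAN host reach LMS while SSH stays reachable from the whole LAN. It assumes iptables with the `state` match is present on the Pi (the thread leaves ufw on Tiny Core unsettled), uses the LMS default ports 9000 (web), 9090 (CLI) and 3483 (slimproto), and the 192.168.0.0/16 LAN range is a constructed default.

```shell
#!/bin/sh
# Added example (not from the thread, pCP or LMS): print iptables rules that
# let ONE LAN host reach LMS while SSH stays open to the whole LAN, so a typo
# in the allowed address cannot lock you out of the Pi.
# Assumption: iptables with the "state" match is available on the box.

LMS_TCP_PORTS="9000 9090 3483"   # LMS web UI, CLI, slimproto (LMS defaults)
LMS_UDP_PORTS="3483"             # slimproto player discovery

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# lms_rules ALLOWED_IP [LAN_CIDR]: print one iptables command per line.
lms_rules() {
    allowed=$1
    lan=${2:-192.168.0.0/16}     # constructed default; adjust to your LAN
    is_ipv4 "$allowed" || { echo "lms_rules: bad address '$allowed'" >&2; return 1; }
    # Loopback and replies to connections the Pi itself opened stay allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Lock-out guard: SSH from any LAN host, not only the allowed one.
    echo "iptables -A INPUT -p tcp --dport 22 -s $lan -j ACCEPT"
    for p in $LMS_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -s $allowed -j ACCEPT"
    done
    for p in $LMS_UDP_PORTS; do
        echo "iptables -A INPUT -p udp --dport $p -s $allowed -j ACCEPT"
    done
    # The same ports from anyone else are dropped; other traffic is untouched.
    for p in 22 $LMS_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
    for p in $LMS_UDP_PORTS; do
        echo "iptables -A INPUT -p udp --dport $p -j DROP"
    done
}

# apply_rules ALLOWED_IP [LAN_CIDR]: run the generated commands (as root).
apply_rules() {
    is_ipv4 "$1" || return 1
    # "exit 1" leaves only the pipeline subshell, making the function fail.
    lms_rules "$@" | while read -r cmd; do $cmd || exit 1; done
}
```

Every other Squeezebox player on the LAN also talks to port 3483, so each of them needs its own ACCEPT line; Tiny Core runs from RAM, so the rules have to be re-applied at each boot.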
                    #10
                    Originally posted by PaulH:
                    No external FW


                    Yes, avoid unwanted external access on my internal network.

                    Maybe the Pi with Pcp and LMS is only slightly vulnerable ???
                    Are you sure you have no external firewall? Modem/Routers normally have them built in.


                      #11
                      Originally posted by PaulH:
                      No external FW


                      Yes, avoid unwanted external access on my internal network.

                      Maybe the Pi with Pcp and LMS is only slightly vulnerable ???
                      Okay. If you have an internal network that implies that you have a (masquerading) router that allows you access to the internet. I'll give it a 99% chance that you are using an internal address range reading 192.168.x.x, just like 99% of the other home users and the address 192.168.0.1 probably exists more than 1 million times which means that it is impossible to access (or reply to) any specific machine with that address from any random location on the internet, except within that same local network or as a response to the masquerading firewall. In theory IPV6 changes this, but just like IPV4 the extended protocol lacks autodiscovery and thus if your router would even be bidirectional then a perpetrator would have to know both your external address and your internal address range to set up his own routing rules because no public system will provide these routes.

                      In other words, if someone on the outside would be able to gain access to your LMS then you will have a much bigger problem because all your Windows machines will have been compromised already.

                        #12
                        Originally posted by gordonb3:
                        Okay. If you have an internal network that implies that you have a (masquerading) router that allows you access to the internet. I'll give it a 99% chance that you are using an internal address range reading 192.168.x.x, just like 99% of the other home users and the address 192.168.0.1 probably exists more than 1 million times which means that it is impossible to access (or reply to) any specific machine with that address from any random location on the internet, except within that same local network or as a response to the masquerading firewall. In theory IPV6 changes this, but just like IPV4 the extended protocol lacks autodiscovery and thus if your router would even be bidirectional then a perpetrator would have to know both your external address and your internal address range to set up his own routing rules because no public system will provide these routes.

                        In other words, if someone on the outside would be able to gain access to your LMS then you will have a much bigger problem because all your Windows machines will have been compromised already.
                        I suggest 1 million is a very significant underestimate!
                        I think this is a case of “a little knowledge…”
                        Jim

                          #13
                          I mean PaulH doesn't specify, but generally speaking, there may be some situations where you don't have control of a network that you use which is also shared with people you don't necessarily "trust". Maybe a dorm or some other kind of shared living arrangement where it's a big flat internal network. Maybe they aren't malicious insiders but maybe you don't want them dicking with your LMS either.

                          In which case, I'd probably try to setup my own router that connects to the shared wifi and hide everything behind that.

                          //edit, OP says he's using wired lan so my scenario and solution probably doesn't apply... but who knows
                          Last edited by sodface; 2022-02-25, 23:14.

                            #14
                            Originally posted by sodface:
                            //edit, OP says he's using wired lan so my scenario and solution probably doesn't apply... but who knows
                            Indeed, it's not the case!

                              #15
                              Originally posted by slartibartfast:
                              Are you sure you have no external firewall? Modem/Routers normally have them built in.
                              I found some information and indeed, the router of the internet provider has a firewall. However, it is preconfigured (how??) and we cannot make any changes.
                              I think it must be a general rule.
                              It's probably better than nothing!
