Announcement

Collapse
No announcement yet.

IMPORTANT: Stop forwarding your LMS ports to the internet!

Collapse
This is a sticky topic.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #16
    And that's an especially bad idea in this case because it's so easy to log the clear-text username and password from LMS...
    ---
    learn more about iPeng, the iPhone and iPad remote for the Squeezebox and
    Logitech UE Smart Radio as well as iPeng Party, the free Party-App,
    at penguinlovesmusic.com
    New: iPeng 9, the Universal App for iPhone, iPad and Apple Watch

    Comment


      #17
      I had that problem, where my music player suddenly went whild in the middle of the night, I had forwarded my LMS ports to the internet. Now I use VPN and no problems at all anymore.
      Shame, it was practical to use LMS on the road that way, but simply to unsafe.

      Absolutely block those ports, this sort of thing does happen!
      LMS 7.9.0 - 1470391720 on Pi2 (Max2play)
      Synology DS-414 NAS
      Squeezebox Touch, Squeezebox Boom, Squeezebox Radio, HifiBerry PicorePlayer
      Schiit - BIFROST AKM 4490 Dac
      Spotify Premium

      Comment


        #18
        I wonder if anyone has searched the darkwebs for LMS attacks..? There are probably "slurp all the music and set some annoying alarms" scripts out there.
        --
        Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
        Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

        Comment


          #19
          You don't need a script for that. All you need is the IP.
          QNAP TS-453Be 4x3TB RAID5 QNAP TS-251 2x3TB RAID0 QNAP HS-251 2x2TB RAID0 QNAP TS-453Mini 2x1TB Raid 10
          LMS running in Docker Madsonic running in Docker Guacamole QPGK R&D and Test server
          Home Assistant running in Docker Node-Red running in Docker RainLoop QPKG
          Pi-Hole running in Docker Bastillion running in Docker DeConz running in Docker w/ConBee II
          Mosquitto MQTT running in Docker

          Comment


            #20
            You do, you know the control protocol. The script kiddies know nothing, they just run scripts.
            --
            Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
            Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

            Comment


              #21
              I've been doing this for years (mainly for iPeng playback), with no ill effects. I was using strong password. However, reading the recommendations, I just turned it off. Exactly how is an plain-text password compromised in this scenario?

              I get the same functionality by installing the Plex iOS app, and my lifetime Plexpass subscription.

              Comment


                #22
                Originally posted by SamS View Post
                I've been doing this for years (mainly for iPeng playback), with no ill effects. I was using strong password. However, reading the recommendations, I just turned it off. Exactly how is an plain-text password compromised in this scenario?

                I get the same functionality by installing the Plex iOS app, and my lifetime Plexpass subscription.
                Exactly as i says ,its sent as plain text from for example a browser on your phone to your server . To be intercepted by who knows.
                And the security in LMS is not the strongest kind anyhow...
                --------------------------------------------------------------------
                Main hifi: Rasbery PI digi+ MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3 sub.
                Bedroom/Office: Boom
                Loggia: Raspi hifiberry dac + Adams
                Bathroom : Radio (with battery)
                iPad with iPengHD & SqueezePad
                (spares Touch, SB3, reciever ,controller )
                server Intel NUC Esxi VM Linux mint 18 LMS 7.9.2

                http://people.xiph.org/~xiphmont/demo/neil-young.html

                Comment


                  #23
                  Quick search for LMS

                  Please do not ALL disable it, I need some bad examples for security awareness trainings. (Sorry, only kidding)

                  Click image for larger version

Name:	LMS_Scan.JPG
Views:	1
Size:	39.3 KB
ID:	1562495
                  2 * Classic, 2 * Boom, piCorePlayer on Raspberry PI II B with HifiBerry attached to Objective 2 ( Head 'n' HiFi KIT) with Beyerdynamic DT880, LMS 7.9 on Odroid U3 with Max2Play, 500GB USB HD, controlled by Squeezepad or iPeng on iPad and Orange Squeezepad on Nexus 5x, CD -> FLAC = dbpoweramp, Router AVM Fritz 7490

                  last.fm/user/jo-wie

                  Comment


                    #24
                    IMPORTANT: Stop forwarding your LMS ports to theinternet!

                    > Please do not ALL disable it, I need some bad examples for security
                    > awareness trainings. (Sorry, only kidding)


                    Are you searching for LMS? Ugh... that's even worse than Squeezebox...

                    --

                    Michael
                    Michael

                    "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
                    (LMS: Settings/Information)

                    Comment


                      #25
                      Originally posted by mherger View Post
                      > Please do not ALL disable it, I need some bad examples for security
                      > awareness trainings. (Sorry, only kidding)


                      Are you searching for LMS? Ugh... that's even worse than Squeezebox...

                      --

                      Michael
                      The interesting point is, that I have the feeling that the number was falling the last months but now is raising again. I was really using it as bad example for trainings and so I had several times a look at. But maybe the search engine simply found more because it was scanning further areas.
                      2 * Classic, 2 * Boom, piCorePlayer on Raspberry PI II B with HifiBerry attached to Objective 2 ( Head 'n' HiFi KIT) with Beyerdynamic DT880, LMS 7.9 on Odroid U3 with Max2Play, 500GB USB HD, controlled by Squeezepad or iPeng on iPad and Orange Squeezepad on Nexus 5x, CD -> FLAC = dbpoweramp, Router AVM Fritz 7490

                      last.fm/user/jo-wie

                      Comment


                        #26
                        IMPORTANT: Stop forwarding your LMS ports to theinternet!

                        > The interesting point is, that I have the feeling that the number was
                        > falling the last months but now is raising again.


                        Interesting indeed: I've been monitoring "squeezebox" rather than LMS.
                        But numbers seemed to grow in the past weeks, and significantly dropped
                        over the past few days (-15%).

                        I was wondering how I should handle this situation. These users have a
                        serious security issue they should know about. But am I allowed to
                        "hack" their system in order to protect themselves from the bad hacker?

                        --

                        Michael
                        Michael

                        "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
                        (LMS: Settings/Information)

                        Comment


                          #27
                          Originally posted by mherger View Post
                          > The interesting point is, that I have the feeling that the number was
                          > falling the last months but now is raising again.


                          Interesting indeed: I've been monitoring "squeezebox" rather than LMS.
                          But numbers seemed to grow in the past weeks, and significantly dropped
                          over the past few days (-15%).

                          I was wondering how I should handle this situation. These users have a
                          serious security issue they should know about. But am I allowed to
                          "hack" their system in order to protect themselves from the bad hacker?

                          --

                          Michael
                          I'm afraid the simple answer is NO it would be extremely unwise !! If you "hacked" (not sure if thats even the right term as these systems are wide open) I'm very sure it would be seen as illeagal in many countries.

                          A large and sticky warning on the home page of the forums would be wiser.

                          Whilst the situation is quite serious I see noting that can really be done about it, if the "hacks" are just waking people up at obscene hours hopefully a message in the forums will get more attention.

                          I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the list of open LMS's meaning people update (or is done automatically) so a software change may work to help.
                          I was thinking that not responding (unless specifically allowed) to the router address (or gateway) may work. That way those that use VPN can turn it on but those who forward ports will have to come to the forum to ask why their forwarding no longer works.

                          Edit: Nothing much can be done about the 7.7.5's

                          Jeff
                          sigpic
                          Want a webapp ? Get SqueezeLite-X ! https://forums.slimdevices.com/showt...l=1#post903953

                          Comment


                            #28
                            Hi Michael

                            Another idea !

                            Use a list generated by THAT search engine to grab a list of open LMS's and automatically sent a command to turn all player on and stream a file from Logitech saying something like "This system is compromised please see article on forum" repeatedly until stopped.

                            This idea is more agressive and would need to be run by legal but may have a better effect

                            Jeff
                            sigpic
                            Want a webapp ? Get SqueezeLite-X ! https://forums.slimdevices.com/showt...l=1#post903953

                            Comment


                              #29
                              You could change LMS to require a password if the IP address is not local and have a maximum number of password attempts before suspending such access for X hours - and a setting to disable all of this for someone who really insists on taking the risk.
                              At least those users who have auto-update enabled would have a bit better protection.
                              Paul Webster
                              Author of "Now Playing" plugins covering Radio France (FIP etc), PlanetRadio (Bauer - Kiss, Absolute, Scala, JazzFM etc), KCRW, ABC Australia and CBC/Radio-Canada
                              and, via the extra "Radio Now Playing" plugin lots more - see https://forums.slimdevices.com/showt...Playing-plugin

                              Comment


                                #30
                                IMPORTANT: Stop forwarding your LMS ports to theinternet!

                                > A large and sticky warning on the home page of the forums would be
                                > wiser.


                                Unfortunately only a very small percentage of the SB community is
                                regularly visiting these forums. Even I wouldn't get to see that message!

                                > I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the
                                > list of open LMS's meaning people update (or is done automatically) so a
                                > software change may work to help.


                                Interesting. In my list there are far more 7.7.x installations than
                                7.9.x. And many are really old, like 7.7.2/3.

                                > Use a list generated by THAT search engine to grab a list of open LMS's
                                > and automatically sent a command to turn all player on and stream a file
                                > from Logitech saying something like "This system is compromised please
                                > see article on forum" repeatedly until stopped.


                                This is about as far as my "hacking" would go: interact with LMS.

                                --

                                Michael
                                Michael

                                "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
                                (LMS: Settings/Information)

                                Comment

                                Working...
                                X