Announcement

Collapse
No announcement yet.

IMPORTANT: Stop forwarding your LMS ports to the internet!

Collapse
This is a sticky topic.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #31
    IMPORTANT: Stop forwarding your LMS ports to theinternet!

    > You could change LMS to require a password if the IP address is not
    > local and have a maximum number of password attempts before suspending
    > such access for X hours - and a setting to disable all of this for
    > someone who really insists on taking the risk.


    I can't change the users' LMS. And as said before: most of those
    installation aren't up to date, therefore unlikely to see a change in a
    new build.

    --

    Michael
    Michael

    "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
    (LMS: Settings/Information)

    Comment


      #32
      Originally posted by mherger View Post
      > A large and sticky warning on the home page of the forums would be
      > wiser.


      Unfortunately only a very small percentage of the SB community is
      regularly visiting these forums. Even I wouldn't get to see that message!

      > I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the
      > list of open LMS's meaning people update (or is done automatically) so a
      > software change may work to help.


      Interesting. In my list there are far more 7.7.x installations than
      7.9.x. And many are really old, like 7.7.2/3.

      > Use a list generated by THAT search engine to grab a list of open LMS's
      > and automatically sent a command to turn all player on and stream a file
      > from Logitech saying something like "This system is compromised please
      > see article on forum" repeatedly until stopped.


      This is about as far as my "hacking" would go: interact with LMS.

      --

      Michael
      Yes I see your point I make it about 25% are 7.9.0 - 7.9.1 (BTW I searched "logitech media server" or "logitech media server 7.9.0" or "logitech media server 7.9.1")

      Still removing 25% would be a start !

      Jeff
      sigpic
      Want a webapp ? Get SqueezeLite-X ! https://forums.slimdevices.com/showt...l=1#post903953

      Comment


        #33
        Originally posted by mherger View Post
        I can't change the users' LMS. And as said before: most of those
        installation aren't up to date, therefore unlikely to see a change in a
        new build.
        I wasn't suggesting directly changing their systems - but them receiving updates (if they have automatic update enabled).
        If they are very old and not auto-updating then clearly it won't help them.
        However, such a change (or even better ones) would help protect those who do install new versions in the future.
        Paul Webster
        Author of "Now Playing" plugins covering Radio France (FIP etc), PlanetRadio (Bauer - Kiss, Absolute, Scala, JazzFM etc), KCRW, ABC Australia and CBC/Radio-Canada
        and, via the extra "Radio Now Playing" plugin lots more - see https://forums.slimdevices.com/showt...Playing-plugin

        Comment


          #34
          If you can identify their mysb accounts then you could insert a message on their login banner?

          Sent from my ONEPLUS A3003 using Tapatalk
          --
          Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
          Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

          Comment


            #35
            I've been running LMS, open to the Internet, for years. Never had an issue (of which I'm aware, anyway). Until a few weeks ago. Bizarre alarms in the middle of the night, across a few different players. Then, 1am yesterday, multiple players firing up at full volume. A couple of these aren't local, and the users were far from impressed.

            To avoid the complication of VPN, or passwords (the remote users are very technologically challenged), is the IP filtering within LMS considered 'acceptable'? The remote users are all on semi-static IPs (Virgin Media - IP addresses seem to persist for years, even through router reboots):
            Click image for larger version

Name:	Untitled.png
Views:	1
Size:	17.7 KB
ID:	1562594

            Thanks a lot.

            Stephen.

            Comment


              #36
              IMPORTANT: Stop forwarding your LMS ports to theinternet!

              > To avoid the complication of VPN, or passwords (the remote users are
              > very technologically challenged), is the IP filtering within LMS
              > considered 'acceptable'? The remote users are all on semi-static IPs


              TBH: I don't know what IP address your LMS would see in this case. Give
              it a try and let us know.

              But then I'd really not expose LMS to the internet. I just wouldn't.

              --

              Michael
              Michael

              "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
              (LMS: Settings/Information)

              Comment


                #37
                On Linux I would suggest iptables.

                Sent from my ONEPLUS A3003 using Tapatalk
                --
                Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
                Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

                Comment


                  #38
                  Originally posted by mherger View Post
                  TBH: I don't know what IP address your LMS would see in this case. Give
                  it a try and let us know.

                  But then I'd really not expose LMS to the internet. I just wouldn't.

                  --

                  Michael
                  I used to use this function, and everything worked fine. I changed it only because one user was astonishingly technophobic, whilst at the same time entirely addicted to BBC iPlayer on the Squeezebox. Their solution to pretty much every problem in the house was to switch off the router, and leave it for an hour before turning it on again (I kid you not - even if their Humax DVR had crashed!) It was an ADSL connection, so the IP changed regularly. They no longer use Squeezebox, having switched to a Roberts Stream 93i.

                  I really would rather not have to implement a VPN client from the remote user ends, but it might come to that.

                  But, I'll see how things go with the switch to IP whitelisting, and maybe also set up some iptables entries...

                  Thanks a lot.

                  Stephen
                  Last edited by StephenC; 2017-05-18, 21:02.

                  Comment


                    #39
                    Originally posted by mherger View Post

                    ... Give it a try and let us know.

                    ...
                    I gave it a try, and all was fine, except...

                    Spotify Protocol Handler - Booms and SB3s reported 'Bad Player (Error: -1)' when I tried to play Spotify tracks. Touches and Radios were fine.

                    So, I changed back to 'Do Not Block' (even though the whitelist was correct, and external Radios were fine with Spotify) and then the Booms and SB3s were ok again.

                    Oddly, once the affected players had successfully played Spotify tracks, re-enabling the 'Block' didn't affect them - they remained working. But, only until a restart of LMS, when they stopped again.

                    Have now left the setting as 'Do Not Block', and set some iptables rules to achieve the same (probably much better!) security. Here are the ufw commands (I cheated a bit - ufw is much nicer to work with than iptables):

                    Code:
                    ufw allow 22/tcp
                    ufw allow from 192.168.1.0/24 to any port 9000 proto tcp
                    ufw allow from 82.27.???.??? to any port 9000 proto tcp
                    ufw allow from 90.204.???.??? to any port 9000 proto tcp
                    ufw allow from 192.168.1.0/24 to any port 9005 proto tcp
                    ufw allow from 90.204.???.??? to any port 9005 proto tcp
                    ufw allow from 82.27.???.??? to any port 9005 proto tcp
                    ufw allow from 192.168.1.0/24 to any port 3483
                    ufw allow from 82.27.???.??? to any port 3483
                    ufw allow from 90.204.???.??? to any port 3483

                    My LAN is on the 192.168.1.0 subnet - If yours differs then you'll need to change to suit.
                    The 82.27.???.??? and 90.204.???.??? are the IPs of my remote users.

                    Hope this helps someone, some time.

                    Cheers.

                    Stephen.
                    Last edited by StephenC; 2017-05-18, 22:48. Reason: Added ufw entries

                    Comment


                      #40
                      At the moment I do have ports 3483 and 9000 open but with a password. However there is still passwordless access available to support older SB units (like the SB3 on my desk at work).

                      Perhaps one step in the right direction to help those of us who run exposed services would be to add an option to not allow "legacy" password-less access and make that the default on install? Then, if we choose to knowingly connect older hardware we have to make a choice to allow this access?

                      Comment


                        #41
                        OK - so now that I am completely locked out of LMS, can any one tell a non-techie how to get into it so that I can disable the password? I am running LMS on a Synology Diskstation, with a SBTouch/iPeng/Macbook as my player. I have closed the relevant ports on my router, but I still get the password screen when I try to log in via a my Mac.
                        Last edited by Hip-Priest; 2017-07-17, 12:52.

                        Comment


                          #42
                          IMPORTANT: Stop forwarding your LMS ports to theinternet!

                          > OK - so now that I am completely locked out of LMS, can any one tell a
                          > non-techie how to get into it so that I can disable the password? I am
                          > running LMS on a Synology Diskstation, with a SBTouch as my player. I
                          > have closed the ports on my router, but I still get the password screen
                          > when I try to log in via a Mac or iPeng on an iPhone.


                          You'll have to shut down LMS, and edit its server.prefs file. Where
                          exactly that file is stored you better ask in a Synology specific
                          thread. There are prefs for authorize and username. Remove those lines
                          and restart LMS.

                          --

                          Michael
                          Michael

                          "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
                          (LMS: Settings/Information)

                          Comment


                            #43
                            Other server options for external access of music.

                            Quick somewhat OT question.

                            Are other music serves such as Younity, Subsonic, Plex also as easily susceptible to attack?

                            I currently have SB for internal use and Plex for external use.
                            http://zzzzone.net
                            http://have-a-nice-day.org
                            http://www.last.fm/user/zzzoneDOTnet
                            http://somethingsomethingsomething.net

                            SBS 8.3 - i7 nuc - Win 10 64bit
                            2 Booms,,2 Radio, 1 Touch, 5 Yamaha MusicCast speakers
                            Apps including iSqueeze Ctrl etc.
                            Library: 425,000+ FLAC/MP3 files - 16 TB HD

                            Comment


                              #44
                              Anything that is open to the internet must be considered a risk.
                              You need to check the forums for Plex etc as general advice won't be good enough. My understanding of subsonic is that it was designed for remote streaming but I'd still check.
                              The best solution is a VPN (not pptp) with solid credentials.
                              Jim
                              https://jukeradio.double6.net


                              VB2.4 storage QNAP TS419p (NFS)
                              Living Room Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
                              Office Joggler & Pi3 -> Denon RCD N8 -> Celestion F10s
                              Dining Room SB Radio
                              Bedroom (Bedside) Pi Zero+DAC ->ToppingTP21 ->AKG Headphones
                              Bedroom (TV) & Bathroom SB Touch ->Denon AVR ->Mordaunt Short M10s + Kef ceiling speakers
                              Guest Room Joggler > Topping Amp -> Wharfedale Modus Cubes

                              Comment


                                #45
                                Originally posted by Paul Webster View Post
                                You could change LMS to require a password if the IP address is not local and have a maximum number of password attempts before suspending such access for X hours - and a setting to disable all of this for someone who really insists on taking the risk.
                                At least those users who have auto-update enabled would have a bit better protection.
                                So am I understanding that I should not have auto updates turned on in LMS?

                                Sent from my SM-G955U using Tapatalk
                                If the rule you followed brought you to this, of what use is the rule.

                                HTTP://www.last.fm/user/nonreality

                                Comment

                                Working...
                                X