Announcement

Collapse
No announcement yet.

IMPORTANT: Stop forwarding your LMS ports to the internet!

Collapse
This is a sticky topic.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    IMPORTANT: Stop forwarding your LMS ports to the internet!

    I do understand that many like to be able to access their music while on the road, at work, away from home. But please do NOT configure your router to forward those ports to the internet. While this is easy to do, it's dangerous. LMS was not designed to be used this way. Any user out there (incl. me and your neighbor's kids you hate so much) could access your LMS and do all kinds of things.
    • Set a password on your LMS, actually locking you out of your own music collection.
    • Change the skin
    • Blast crazy stupid music at full volume in the middle of the night. And then again five minutes after you turned it off. Repeat.
    • Deface your LMS
    • Install the Gallery plugin and have it scan all your folder of all your disks, causing a crash sooner or later
    • Install any plugin they want, including their own development, doing things we don't even know about


    More issues are reported regularly, eg.

    On systems where LMS is running as root/admin the last one is particularly dangerous. We have evidence of these kinds of "attacks" almost on a daily basis now. See various threads in this forum.

    Now you might think "who would be interested in finding my IP address and port used?". Your neighbor's kid. Or some bored soul seeking some kick. Because it's easy. There are search engines who list your computer and port. No need to figure this one out yourself. And then have some fun. NOT!

    So please: review your router's settings. Block those ports. Install a VPN if you need access to your music.
    Last edited by mherger; 2017-12-16, 06:16.
    Michael

    "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
    (LMS: Settings/Information)

    #2
    May be the wiki should be changed accordingly?:

    Comment


      #3
      Originally posted by mherger View Post
      I do understand that many like to be able to access their music while on the road, at work, away from home. But please do NOT configure your router to forward those ports to the internet. While this is easy to do, it's dangerous. LMS was not designed to be used this way. Any user out there (incl. me and your neighbor's kids you hate so much) could access your LMS and do all kinds of things.

      - blast crazy stupid music at full volume in the middle of the night. And then again five minutes after you turned it off. Repeat.
      - install the Gallery plugin and have it scann all your folder of all your disks, causing a crash sooner or later
      - install any plugin they want, including their own development, doing things we don't even know about

      On systems where LMS is running as root/admin the last one is particularly dangerous. We have evidence of these kinds of "attacks" almost on a daily basis now. See various threads in this forum.

      Now you might think "who would be interested in finding my IP address and port used?". Your neighbor's kid. Or some bored soul seeking some kick. Because it's easy. There are search engines who list your computer and port. No need to figure this one out yourself. And the have some fun. NOT!

      So please: review your router's settings. Block those ports. Install a VPN if you need access to your music.
      +1 !!!!!!!!!!!

      I found 4,342 mainly insecure worldwide instances with extreme ease
      sigpic
      Want a webapp ? Get SqueezeLite-X ! https://forums.slimdevices.com/showt...l=1#post903953

      Comment


        #4
        Wait till they enforce ipv6, then there will be none.
        --
        Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
        Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

        Comment


          #5
          Originally posted by drmatt View Post
          Wait till they enforce ipv6, then there will be none.
          Not sure IPv6 will change anything. Yes, a linear scanning of the address space is not feasible, but scanning routing tables is.
          "To try to judge the real from the false will always be hard. In this fast-growing art of 'high fidelity' the quackery will bear a solid gilt edge that will fool many people" - Paul W Klipsch, 1953

          Comment


            #6
            Just because no-one knows how ipv6 works..
            --
            Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
            Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

            Comment


              #7
              Originally posted by drmatt View Post
              Just because no-one knows how ipv6 works..
              "To try to judge the real from the false will always be hard. In this fast-growing art of 'high fidelity' the quackery will bear a solid gilt edge that will fool many people" - Paul W Klipsch, 1953

              Comment


                #8
                Is it possible to limit LMS to the local subnet via programming , but have it working via a correctly setup VPN ?

                It seems to be a support issues now :/

                Wonder why some hacker finds this funny ?

                It was that tread on the forum where someone actively asked for open IP's and wanted to share ? Wonder if that one was a cheapskate or a troll ?
                That guy got p*** off when mherger told about exactly how bad this idea is ? Sort of guy that can do this ?

                More risks someone can actively listen with your accounts on Spotify and your other services.
                Ads his players to your mysb.com account via LMS it does that automatically .
                Mess up your stats and scrobbling.
                --------------------------------------------------------------------
                Main hifi: Rasbery PI digi+ MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3 sub.
                Bedroom/Office: Boom
                Loggia: Raspi hifiberry dac + Adams
                Bathroom : Radio (with battery)
                iPad with iPengHD & SqueezePad
                (spares Touch, SB3, reciever ,controller )
                server Intel NUC Esxi VM Linux mint 18 LMS 7.9.2

                http://people.xiph.org/~xiphmont/demo/neil-young.html

                Comment


                  #9
                  Hi Michael,

                  Thank you for reminding me. I had forwarded 4 or 5 ports to trial accessing various things on my server remotely. It's didn't work the way I wanted so I abandoned the trial but of course forgot to delete the port forwarding. They have been removed now though :-)

                  Thank you
                  Last edited by bobertuk; 2017-03-24, 11:18.
                  2 x Touch
                  2 x Radio
                  2 x Boom
                  1 x Intel-NUC server/squeezelite running LMS 8.20 (from nightlies) on Windows 10
                  1 X Odroid-XU4 server/squeezelite running LMS 7.91 on Ubuntu 16.04
                  1 x iMac server running macOS Big Sur
                  WaveIO USB into Lavry DA-10 DAC
                  Starfish Pre-amp : Based on NAIM NAC 72
                  Heavily modified NAIM NAP 250 Power-amp
                  Focal Electra 1027 Be II Speakers

                  Comment


                    #10
                    IMPORTANT: Stop forwarding your LMS ports to theinternet!

                    > Is it possible to limit LMS to the local subnet via programming , but
                    > have it working via a correctly setup VPN ?


                    If using a VPN you should be fine already. If you feel like tinkering,
                    check out Settings/Advanced/Security.

                    > Wonder why some hacker finds this funny ?


                    Never picked up the phone book to call a random number as a kid?

                    > More risks someone can actively listen with your accounts on Spotify and
                    > your other services.
                    > Ads his players to your mysb.com account via LMS it does that
                    > automatically .
                    > Mess up your stats and scrobbling.


                    Or implement the plugin which will wipe your system. Or encrypt your data.

                    --

                    Michael
                    Michael

                    "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
                    (LMS: Settings/Information)

                    Comment


                      #11
                      Originally posted by mherger View Post
                      > Is it possible to limit LMS to the local subnet via programming , but
                      > have it working via a correctly setup VPN ?


                      If using a VPN you should be fine already. If you feel like tinkering,
                      check out Settings/Advanced/Security.

                      > Wonder why some hacker finds this funny ?


                      Never picked up the phone book to call a random number as a kid?

                      > More risks someone can actively listen with your accounts on Spotify and
                      > your other services.
                      > Ads his players to your mysb.com account via LMS it does that
                      > automatically .
                      > Mess up your stats and scrobbling.


                      Or implement the plugin which will wipe your system. Or encrypt your data.

                      --

                      Michael
                      Oh on open VPN already , just an idea to not make so easy to just open the ports like apearently >5000 people are doing already ?
                      If the next upgrade jts blocks this and they have search for info ....

                      Ransom ware as an lms plugin

                      My LMS machine is only that , another safety measure . Its not running on my daily use computer no other personal info on than the LMS settings , no documents no mail .
                      So I can just delete that VM and reinstall.

                      And the NAS that keeps the music files is another VM from the NAS that has my personal backup . So i can deleta that one to , but the music share its mounted read only and no executing of files to the LMS machine..
                      Music is backed up on USB drives .
                      --------------------------------------------------------------------
                      Main hifi: Rasbery PI digi+ MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3 sub.
                      Bedroom/Office: Boom
                      Loggia: Raspi hifiberry dac + Adams
                      Bathroom : Radio (with battery)
                      iPad with iPengHD & SqueezePad
                      (spares Touch, SB3, reciever ,controller )
                      server Intel NUC Esxi VM Linux mint 18 LMS 7.9.2

                      http://people.xiph.org/~xiphmont/demo/neil-young.html

                      Comment


                        #12
                        Done. Thanks for the heads-up, Michael.

                        Interestingly, over the past few months LMS has randomly stopped, with no info in the logs and only "possible software conflict" in the diagnostics tray.

                        Been running and playing on DSTM for three days now without a stoppage. Could this be related?

                        Jason

                        Comment


                          #13
                          Their are some real A-holes out there. I work for a router vendor, and we have a non firewalled internet access in our lab. From time to time we turn it up for deep packet inspection testing, within 30 seconds of turning it up we get pounded with attacks.
                          Home Office
                          SB2->Benchmark DAC-1-> Bryston P-25, preamp -> Carver M1.0t Amp->PMC TB2
                          Home Theater System#1
                          SB2->Anthem AVM60->Bryston 9B ST -> PSB Stratus Goldi
                          /Home Theater System #2/ LazyEye Bar
                          Pi3 w/7" screen/HiFiBerry DAC>Outlaw 976-> Bryston 3B ->Klipsch La Scala's, 2x Bryston 4B (mono) EV 18" subwoofers
                          Bedroom System
                          SB2-> Sony BoomBox
                          Rear Deck/Patio
                          Pi3 HiFiBerry DAC --> Crown XLS 1500-> PSB Mini's,
                          Kitchen
                          Pi3 HifiBerry DAC --> Crown XLS 2502-> Polk Ceiling Speakers

                          Comment


                            #14
                            At least - if you really wish to have remote access to LMS, add a strong password to log on. This is probably not extremely difficult to hack for someone that knows how. I guess LMS logon exchange user name+password in clear text?
                            Nevertheless, it's better than nothing.
                            The downside is that there are several client apps out there that don't support password logon....
                            QNAP TS-453Be 4x3TB RAID5 QNAP TS-251 2x3TB RAID0 QNAP HS-251 2x2TB RAID0 QNAP TS-453Mini 2x1TB Raid 10
                            LMS running in Docker Madsonic running in Docker Guacamole QPGK R&D and Test server
                            Home Assistant running in Docker Node-Red running in Docker RainLoop QPKG
                            Pi-Hole running in Docker Bastillion running in Docker DeConz running in Docker w/ConBee II
                            Mosquitto MQTT running in Docker

                            Comment


                              #15
                              Originally posted by oyvindo View Post
                              At least - if you really wish to have remote access to LMS, add a strong password to log on. This is probably not extremely difficult to hack for someone that knows how. I guess LMS logon exchange user name+password in clear text?
                              Nevertheless, it's better than nothing.
                              The downside is that there are several client apps out there that don't support password logon....
                              Yes clear text and not hard to hack .

                              But social engineering is also a thing , people reuse passwords even if you should not it's very very likely that someone uses the same passwords as they always do .
                              --------------------------------------------------------------------
                              Main hifi: Rasbery PI digi+ MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3 sub.
                              Bedroom/Office: Boom
                              Loggia: Raspi hifiberry dac + Adams
                              Bathroom : Radio (with battery)
                              iPad with iPengHD & SqueezePad
                              (spares Touch, SB3, reciever ,controller )
                              server Intel NUC Esxi VM Linux mint 18 LMS 7.9.2

                              http://people.xiph.org/~xiphmont/demo/neil-young.html

                              Comment

                              Working...
                              X