IMPORTANT: Stop forwarding your LMS ports to the internet!

  • echable
    replied
    Can confirm this is a real issue - I ignored the warnings because I couldn't find any decent instructions on how to set up a VPN tunnel (and I wasn't knowledgeable about the difference between a commercial VPN provider, such as www.privateinternetaccess.com, which was the only type of VPN I knew about, and the type of VPN server you need for LMS, on your router for example; I am now using an Asus router with the Merlin firmware's VPN server, which you need to set up to access LMS remotely and securely). Setting up the VPN server takes five clicks on the router; then you download the OpenVPN Connect Android app on the remote device you wish to use, export an .ovpn configuration file from your router interface, import this into the Android device, and you're done. When I had port forwarding on I got hacked after about a month - woke up at 5am to the sounds of some sweet Cuban music - shut down everything - set up the VPN approach the next day.

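Whichever way the ports get closed (by hand, or after a router wizard quietly re-opened them, as judojimmie describes further down), the only answer that counts is whether the ports still answer from the internet. The script below is an added example, not code from LMS or from anyone in this thread: it does a plain TCP connect to each port and reports what it finds. The port numbers are assumptions based on LMS defaults (9000 for the web UI, 3483 for the player protocol); dr..mike later in the thread ran the web UI on 9002 instead, so pass your own ports on the command line.

```python
import socket
from typing import Dict, Iterable, Tuple

# Assumed LMS defaults (not taken from the thread): 9000 is the web UI / JSON-RPC
# port, 3483 the slimproto player-control port. One poster below used 9002 instead.
LMS_DEFAULT_PORTS = {9000: "web UI / JSON-RPC", 3483: "slimproto (player control)"}


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within `timeout` seconds.

    A completed handshake means the port is forwarded and something is listening;
    a refused or timed-out connection means closed or filtered from this vantage point.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, bool]:
    """Probe each port once and map port -> reachable."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def report(results: Dict[int, bool], labels: Dict[int, str] = LMS_DEFAULT_PORTS) -> str:
    """Human-readable summary; an OPEN line means the port is still forwarded."""
    lines = []
    for port, reachable in sorted(results.items()):
        state = "OPEN - still forwarded, close it" if reachable else "closed/filtered"
        lines.append(f"{port:>5}  {labels.get(port, 'custom port'):<30} {state}")
    return "\n".join(lines)


def demo_local() -> Tuple[bool, bool]:
    """Self-check on loopback: a throwaway listener must be seen as open, and the
    same port as closed once the listener is gone. Returns (while_listening, after_close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_port_open("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    import sys

    # Usage: python lms_exposure.py <public-ip-or-ddns-name> [port ...]
    # Run it from OUTSIDE your LAN (a phone on mobile data, a friend's connection,
    # a cheap VPS); from inside, NAT hairpinning can give misleading answers.
    if len(sys.argv) < 2:
        print("usage: lms_exposure.py <public-ip-or-ddns-name> [port ...]")
        print("self-check on loopback (open, closed):", demo_local())
        sys.exit(1)
    target = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or list(LMS_DEFAULT_PORTS)
    print(report(check_exposure(target, ports)))
```

A "closed/filtered" result from outside is what you want to see for every LMS port once the VPN is in place; an "OPEN" line means the forward (or a UPnP/wizard-created rule) is still there. Note this only tells you the port is reachable, not whether LMS has a password set, so treat any OPEN result as the problem itself.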


  • compoman
    replied
    Thank you

    Thanks for the info.

    Regards

    Originally posted by judojimmie
    Just a warning to anyone who blocked these ports in the past. If you get a new router and use Synology's automatic router configuration, pay a little more attention than I did. I had blocked these ports years ago on my old router and did not think to tell the server not to open them back up. Of course someone with too much time on their hands found them and locked me out of my LMS.

    Of note, I informed Synology that they should not allow the automatic router configuration tool to do this as it is a known exploit. They basically told me it was my fault for using their software. Fair enough, but it is the first time I've had a response from Synology that annoyed me in the 9 years I've been using their servers.



  • edwin2006
    replied
    But why is your NAS open to the internet? Use the router VPN!



  • judojimmie
    replied
    Synology router configuration

    Just a warning to anyone who blocked these ports in the past. If you get a new router and use Synology's automatic router configuration, pay a little more attention than I did. I had blocked these ports years ago on my old router and did not think to tell the server not to open them back up. Of course someone with too much time on their hands found them and locked me out of my LMS.

    Of note, I informed Synology that they should not allow the automatic router configuration tool to do this as it is a known exploit. They basically told me it was my fault for using their software. Fair enough, but it is the first time I've had a response from Synology that annoyed me in the 9 years I've been using their servers.



  • fominator
    replied
    Originally posted by mherger

    And then there's that undocumented pref you can set to disable the check
    in such an exceptional case.
    So how do I disable this check? I didn't find the answer! I want to disable it. Where is that pref, and what should I do to disable it?



  • dr..mike
    replied
    Originally posted by mherger
    The Gallery plugin was developed for pictures only.
    Thanks for sharing your thoughts!!

    With the above & the seemingly normal outgoing traffic volumes my router is showing, I'm trying to semi-comfort my mind that someone had their fun, looking at family pics or a weekend outing... and browsing the names of my directory structure, leaving the trace of a saved random folder in the settings...

    Fingers crossed, but I suppose nothing to actively do to find out if things may have been stolen and where they may have ended up.

    Sent from my HTC U Ultra using Tapatalk



  • mherger
    replied
    Originally posted by dr..mike
    Assuming someone 'only' installed the gallery plugin: does this allow reading/downloading PDFs, Excel files, docs and so on as well? Or does it 'only' show pictures it finds?

    Am I understanding correctly that once someone has accessed the LMS, the user & password had to be set, i.e. at most one person can get inside as it's locked afterwards?
    The Gallery plugin was developed for pictures only. That said, I know that some of the attackers did install modified versions of the plugin. They could potentially do anything they want. They could as well just write their own to download all those files, yes. But I'm not aware of an attack at that level.

    The password can be used by anyone knowing it. Most likely this is only being set to annoy the users, and potentially have a bit more time to explore whatever content they got access to.



  • dr..mike
    replied
    The thread hasn't been active for a while; I hope some experts are still reading.

    Here's another victim...

    LMS 7.9.1 on Synology with open - and now closed - port 9002; a username and password were set, Picture Gallery installed, an additional non-music folder added in the general preferences (I could browse the entire folder structure across the entire Diskstation...)

    Reading the first post here, my stomach turned upside down.

    I uninstalled the LMS too quickly to check the settings etc. and find out what the installation would have allowed the intruder to do.

    Replicating with a fresh LMS installation didn't work, as the Picture Gallery plugin seems to be offline in the repository.

    Assuming someone 'only' installed the gallery plugin: does this allow reading/downloading PDFs, Excel files, docs and so on as well? Or does it 'only' show pictures it finds?

    Am I understanding correctly that once someone has accessed the LMS, the user & password had to be set, i.e. at most one person can get inside as it's locked afterwards?

    Thanks for helping me gain a bit of clarity on the dimensions...

    Sent from my HTC U Ultra using Tapatalk



  • epoch1970
    replied
    I backtracked on that thread (I should be working instead...) and I want to say having a password protecting settings from remote accesses will be (is?) a great addition.
    To those with routed VPNs complaining about the extra password, I say use a bridged network; it makes player discovery work.

    In passing, I don't know the state of TOTP/QR in Perl, but in my opinion a time-based password is a concept end-users grasp easily. Downloading an app and scanning a QR code is somehow an easier proposition than choosing and remembering yet another password, hard to guess please.
    It would probably be better to have a short, volatile 6-digit password protect the server rather than the usual "passw0rd" or "lms1234"...
    There are plenty of free TOTP clients for mobile, desktop or the command line.



  • mherger
    replied
    IMPORTANT: Stop forwarding your LMS ports to the internet!

    > what did the clown do?

    See the very first posting in this thread.

    --

    Michael



  • Pommes
    replied
    Originally posted by Grumpy Bob
    I gave up on remotely accessing my LMS after I inadvertently left the ports open when the VPN no longer worked. I had some clown playing stuff on my system. Nowadays I have a backup on a Wi-Fi-enabled WD Passport drive that runs its own copy of LMS. I use that to play locally to mobile devices or a Raspberry Pi.

    Robert
    Well, that sucks, some clown taking control of your system.
    What did the clown do? Was he able to delete anything or mess up your LMS completely?
    Did you have password protection on your LMS?



  • Grumpy Bob
    replied
    I gave up on remotely accessing my LMS after I inadvertently left the ports open when the VPN no longer worked. I had some clown playing stuff on my system. Nowadays I have a backup on a Wi-Fi-enabled WD Passport drive that runs its own copy of LMS. I use that to play locally to mobile devices or a Raspberry Pi.

    Robert



  • Pommes
    replied
    Originally posted by drmatt
    Personally I would kill the idea of streaming FLAC to mobile devices and just bandwidth-limit the client in LMS. 320 kbit/s MP3 is undoubtedly good enough when out and about. I would guess the limitation is insufficient pre-buffering, whereas internet video players would be more aware of the requirements for this.

    FLAC is, as you say, about 900 kbit/s, maybe just over 1 Mbit/s, so it shouldn't really be a big issue. Note that HD video can be streamed at about 1.8 Mbit/s and still be bearable. Probably less, but still more than a FLAC stream.

    Transcoded from Matt's brain by Tapatalk
    For mobile use on an iPhone I use a transcoded stream of 192 kbit/s.
    For remote use with a laptop connected to high-end gear or good headphones I'd rather use FLAC; it's just around 800 kbit/s.
    The videos I stream from my sat receiver use a bandwidth of 8-14 Mbit/s!
    No issue so far, even with OpenVPN. As I said: only the Win7 SqueezePlay doesn't work when used via OpenVPN, but it streams FLAC when not using OpenVPN.



  • drmatt
    replied
    Personally I would kill the idea of streaming FLAC to mobile devices and just bandwidth-limit the client in LMS. 320 kbit/s MP3 is undoubtedly good enough when out and about. I would guess the limitation is insufficient pre-buffering, whereas internet video players would be more aware of the requirements for this.

    FLAC is, as you say, about 900 kbit/s, maybe just over 1 Mbit/s, so it shouldn't really be a big issue. Note that HD video can be streamed at about 1.8 Mbit/s and still be bearable. Probably less, but still more than a FLAC stream.



    Transcoded from Matt's brain by Tapatalk



  • Pommes
    replied
    Originally posted by epoch1970
    Right. Past the 3 OpenVPN options I've described just above, I don't know what to do next.
    I suppose the idea could be to increase buffering in the player, but I'm not sure how to do that properly with squeezelite (?).
    Also take a look at your LMS settings for players; perhaps the preferences for that Win squeezelite are not set the same way as the others.
    Don't worry, I will just use the open ports for SqueezePlay. It is working fine with the open ports. But the modification of the ovpn conf which you told me to do definitely increased the streaming ability via OpenVPN for my video from the satellite receiver, so thanks again.

