IMPORTANT: Stop forwarding your LMS ports to the internet!

  • mherger
    Babelfish's Best Boy
    • Apr 2005
    • 24643

    IMPORTANT: Stop forwarding your LMS ports to the internet!

    I do understand that many like to be able to access their music while on the road, at work, away from home. But please do NOT configure your router to forward those ports to the internet. While this is easy to do, it's dangerous. LMS was not designed to be used this way. Any user out there (incl. me and your neighbor's kids you hate so much) could access your LMS and do all kinds of things.
    • Set a password on your LMS, actually locking you out of your own music collection.
    • Change the skin
    • Blast crazy stupid music at full volume in the middle of the night. And then again five minutes after you turned it off. Repeat.
    • Deface your LMS
    • Install the Gallery plugin and have it scan all your folders on all your disks, causing a crash sooner or later
    • Install any plugin they want, including their own development, doing things we don't even know about


    More issues are reported regularly, e.g.

    On systems where LMS is running as root/admin the last one is particularly dangerous. We have evidence of these kinds of "attacks" almost on a daily basis now. See various threads in this forum.

    Now you might think "who would be interested in finding my IP address and port used?". Your neighbor's kid. Or some bored soul seeking some kick. Because it's easy. There are search engines that list your computer and port. No need to figure this one out yourself. And then have some fun. NOT!

    So please: review your router's settings. Block those ports. Install a VPN if you need access to your music.
    Last edited by mherger; 2017-12-16, 05:16.
    Michael

    "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
    (LMS: Settings/Information)
  • pinkdot
    Senior Member
    • Nov 2009
    • 1273

    #2
    Maybe the wiki should be changed accordingly?


    • Jeff07971
      Senior Member
      • Aug 2011
      • 1900

      #3
      Originally posted by mherger
      I do understand that many like to be able to access their music while on the road, at work, away from home. But please do NOT configure your router to forward those ports to the internet. While this is easy to do, it's dangerous. LMS was not designed to be used this way. Any user out there (incl. me and your neighbor's kids you hate so much) could access your LMS and do all kinds of things.

      - blast crazy stupid music at full volume in the middle of the night. And then again five minutes after you turned it off. Repeat.
      - install the Gallery plugin and have it scan all your folders on all your disks, causing a crash sooner or later
      - install any plugin they want, including their own development, doing things we don't even know about

      On systems where LMS is running as root/admin the last one is particularly dangerous. We have evidence of these kinds of "attacks" almost on a daily basis now. See various threads in this forum.

      Now you might think "who would be interested in finding my IP address and port used?". Your neighbor's kid. Or some bored soul seeking some kick. Because it's easy. There are search engines that list your computer and port. No need to figure this one out yourself. And then have some fun. NOT!

      So please: review your router's settings. Block those ports. Install a VPN if you need access to your music.
      +1 !!!!!!!!!!!

      I found 4,342 mainly insecure worldwide instances with extreme ease
      Want a webapp ? Get SqueezeLite-X ! https://forums.slimdevices.com/showt...l=1#post903953


      • drmatt
        Senior Member
        • Apr 2013
        • 1323

        #4
        Wait till they enforce ipv6, then there will be none.
        --
        Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
        Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..


        • Julf
          Senior Member
          • Dec 2010
          • 2567

          #5
          Originally posted by drmatt
          Wait till they enforce ipv6, then there will be none.
          Not sure IPv6 will change anything. Yes, a linear scanning of the address space is not feasible, but scanning routing tables is.
          "To try to judge the real from the false will always be hard. In this fast-growing art of 'high fidelity' the quackery will bear a solid gilt edge that will fool many people" - Paul W Klipsch, 1953


          • drmatt
            Senior Member
            • Apr 2013
            • 1323

            #6
            Just because no-one knows how ipv6 works..


            • Julf
              Senior Member
              • Dec 2010
              • 2567

              #7
              Originally posted by drmatt
              Just because no-one knows how ipv6 works..


              • Mnyb
                Senior Member
                • Feb 2006
                • 16539

                #8
                Is it possible to limit LMS to the local subnet via programming, but have it working via a correctly set up VPN?

                It seems to be a support issue now :/

                Wonder why some hacker finds this funny?

                It was that thread on the forum where someone actively asked for open IPs and wanted to share? Wonder if that one was a cheapskate or a troll?
                That guy got p*** off when mherger told about exactly how bad this idea is? Sort of guy that can do this?

                More risks: someone can actively listen with your accounts on Spotify and your other services.
                Adds his players to your mysb.com account via LMS; it does that automatically.
                Mess up your stats and scrobbling.
                --------------------------------------------------------------------
                Main hifi: Raspberry Pi digi+ MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 x MeridianDSP3100 + Rel Stadium 3 sub.
                Bedroom/Office: Boom
                Loggia: Raspi hifiberry dac + Adams
                Bathroom: Radio (with battery)
                iPad with iPengHD & SqueezePad
                (spares: Touch, SB3, receiver, controller)
                server Intel NUC Esxi VM Linux mint 18 LMS 7.9.2

                http://people.xiph.org/~xiphmont/demo/neil-young.html


                • bobertuk
                  Senior Member
                  • May 2009
                  • 717

                  #9
                  Hi Michael,

                  Thank you for reminding me. I had forwarded 4 or 5 ports to trial accessing various things on my server remotely. It didn't work the way I wanted so I abandoned the trial but of course forgot to delete the port forwarding. They have been removed now though :-)

                  Thank you
                  Last edited by bobertuk; 2017-03-24, 10:18.
                  2 x Touch
                  2 x Radio
                  2 x Boom
                  1 x Intel-NUC server/squeezelite running LMS 8.20 (from nightlies) on Windows 10
                  1 X Odroid-XU4 server/squeezelite running LMS 7.91 on Ubuntu 16.04
                  1 x iMac server running macOS Big Sur
                  WaveIO USB into Lavry DA-10 DAC
                  Starfish Pre-amp : Based on NAIM NAC 72
                  Heavily modified NAIM NAP 250 Power-amp
                  Focal Electra 1027 Be II Speakers


                  • mherger
                    Babelfish's Best Boy
                    • Apr 2005
                    • 24643

                    #10
                    IMPORTANT: Stop forwarding your LMS ports to the internet!

                    > Is it possible to limit LMS to the local subnet via programming , but
                    > have it working via a correctly setup VPN ?


                    If using a VPN you should be fine already. If you feel like tinkering,
                    check out Settings/Advanced/Security.

                    > Wonder why some hacker finds this funny ?


                    Never picked up the phone book to call a random number as a kid?

                    > More risks someone can actively listen with your accounts on Spotify and
                    > your other services.
                    > Ads his players to your mysb.com account via LMS it does that
                    > automatically .
                    > Mess up your stats and scrobbling.


                    Or implement the plugin which will wipe your system. Or encrypt your data.

                    --

                    Michael
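Mnyb's question in #8 (LMS reachable from the LAN and over the VPN only) and the answer above are what a host firewall on the LMS machine expresses. The following is an added example written for this thread, not code from LMS or its authors: it emulates that policy and renders it as an nftables ruleset. It assumes the LMS default listening ports 9000 (web), 9090 (CLI) and 3483 (slimproto), a LAN of 192.168.1.0/24 and a VPN client pool of 10.8.0.0/24; change these to match your own setup.

```python
"""Allow LMS ports only from the LAN and the VPN subnet; drop everything else.
Example code written for this forum thread; not part of LMS."""
import ipaddress

# Assumed LMS default ports (they can be changed in LMS Settings).
LMS_PORTS = {9000: "tcp", 9090: "tcp", 3483: "tcp/udp"}
# Assumed trusted networks: home LAN and the VPN server's client pool.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("10.8.0.0/24")]


def decide(src_ip: str, dport: int) -> str:
    """Emulate the firewall verdict for one packet: LMS ports are accepted
    only from trusted networks; other ports fall through to the host's
    default policy and are reported as "other"."""
    if dport not in LMS_PORTS:
        return "other"
    src = ipaddress.ip_address(src_ip)
    return "accept" if any(src in net for net in TRUSTED_NETS) else "drop"


def nft_ruleset() -> str:
    """Render the same policy as an nftables ruleset (inet family), to be
    loaded on the LMS host with `nft -f <file>`."""
    nets = ", ".join(str(n) for n in TRUSTED_NETS)
    ports = ", ".join(str(p) for p in LMS_PORTS)
    lines = [
        "table inet lms {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr {{ {nets} }} tcp dport {{ {ports} }} accept",
        f"    ip saddr {{ {nets} }} udp dport 3483 accept",
        f"    tcp dport {{ {ports} }} drop",   # everyone else: no web/CLI/player
        "    udp dport 3483 drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
    # Constructed sample sources: a LAN host, a VPN client, a public address.
    for ip, port in [("192.168.1.20", 9000), ("10.8.0.5", 3483), ("203.0.113.7", 9000)]:
        print(f"{ip}:{port} -> {decide(ip, port)}")
```

This belongs on the LMS host itself and complements, rather than replaces, removing the forwarding rule on the router: a public source such as 203.0.113.7 is dropped even if the router still forwards the port.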


                    • Mnyb
                      Senior Member
                      • Feb 2006
                      • 16539

                      #11
                      Originally posted by mherger
                      > Is it possible to limit LMS to the local subnet via programming , but
                      > have it working via a correctly setup VPN ?


                      If using a VPN you should be fine already. If you feel like tinkering,
                      check out Settings/Advanced/Security.

                      > Wonder why some hacker finds this funny ?


                      Never picked up the phone book to call a random number as a kid?

                      > More risks someone can actively listen with your accounts on Spotify and
                      > your other services.
                      > Ads his players to your mysb.com account via LMS it does that
                      > automatically .
                      > Mess up your stats and scrobbling.


                      Or implement the plugin which will wipe your system. Or encrypt your data.

                      --

                      Michael
                      Oh, on OpenVPN already, just an idea to not make it so easy to just open the ports like apparently >5000 people are doing already?
                      If the next upgrade just blocks this and they have to search for info ....

                      Ransomware as an LMS plugin

                      My LMS machine is only that, another safety measure. It's not running on my daily use computer; no other personal info on it than the LMS settings, no documents, no mail.
                      So I can just delete that VM and reinstall.

                      And the NAS that keeps the music files is another VM from the NAS that has my personal backup. So I can delete that one too, but the music share is mounted read only and no executing of files to the LMS machine..
                      Music is backed up on USB drives.


                      • doctor_big
                        Senior Member
                        • Jan 2008
                        • 312

                        #12
                        Done. Thanks for the heads-up, Michael.

                        Interestingly, over the past few months LMS has randomly stopped, with no info in the logs and only "possible software conflict" in the diagnostics tray.

                        Been running and playing on DSTM for three days now without a stoppage. Could this be related?

                        Jason


                        • sfraser
                          Senior Member
                          • Oct 2005
                          • 300

                          #13
                          There are some real A-holes out there. I work for a router vendor, and we have non-firewalled internet access in our lab. From time to time we turn it up for deep packet inspection testing; within 30 seconds of turning it up we get pounded with attacks.
                          Home Office
                          SB2->Benchmark DAC-1-> Bryston P-25, preamp -> Carver M1.0t Amp->PMC TB2
                          Home Theater System#1
                          SB2->Anthem AVM60->Bryston 9B ST -> PSB Stratus Goldi
                          /Home Theater System #2/ LazyEye Bar
                          Pi3 w/7" screen/HiFiBerry DAC>Outlaw 976-> Bryston 3B ->Klipsch La Scala's, 2x Bryston 4B (mono) EV 18" subwoofers
                          Bedroom System
                          SB2-> Sony BoomBox
                          Rear Deck/Patio
                          Pi3 HiFiBerry DAC --> Crown XLS 1500-> PSB Mini's,
                          Kitchen
                          Pi3 HifiBerry DAC --> Crown XLS 2502-> Polk Ceiling Speakers


                          • oyvindo
                            Senior Member
                            • Aug 2008
                            • 402

                            #14
                            At least - if you really wish to have remote access to LMS, add a strong password to log on. This is probably not extremely difficult to hack for someone that knows how. I guess LMS logon exchanges user name+password in clear text?
                            Nevertheless, it's better than nothing.
                            The downside is that there are several client apps out there that don't support password logon....
                            QNAP TS-453Be 4x3TB RAID5 QNAP TS-251 2x3TB RAID0 QNAP HS-251 2x2TB RAID0 QNAP TS-453Mini 2x1TB Raid 10
                            LMS running in Docker Madsonic running in Docker Guacamole QPGK R&D and Test server
                            Home Assistant running in Docker Node-Red running in Docker RainLoop QPKG
                            Pi-Hole running in Docker Bastillion running in Docker DeConz running in Docker w/ConBee II
                            Mosquitto MQTT running in Docker


                            • Mnyb
                              Senior Member
                              • Feb 2006
                              • 16539

                              #15
                              Originally posted by oyvindo
                              At least - if you really wish to have remote access to LMS, add a strong password to log on. This is probably not extremely difficult to hack for someone that knows how. I guess LMS logon exchanges user name+password in clear text?
                              Nevertheless, it's better than nothing.
                              The downside is that there are several client apps out there that don't support password logon....
                              Yes, clear text and not hard to hack.

                              But social engineering is also a thing; people reuse passwords even if you should not, so it's very very likely that someone uses the same passwords as they always do.
