I do understand that many like to be able to access their music while on the road, at work, away from home. But please do NOT configure your router to forward those ports to the internet. While this is easy to do, it's dangerous. LMS was not designed to be used this way. Any user out there (incl. me and your neighbor's kids you hate so much) could access your LMS and do all kinds of things.
- Set a password on your LMS, actually locking you out of your own music collection.
- Change the skin
- Blast crazy stupid music at full volume in the middle of the night. And then again five minutes after you turned it off. Repeat.
- Deface your LMS
- Install the Gallery plugin and have it scan all the folders on all your disks, causing a crash sooner or later
- Install any plugin they want, including their own development, doing things we don't even know about
More issues are reported regularly, e.g.
- CVE-2017-16567 (https://www.exploit-db.com/exploits/43122/)
- CVE-2017-16568 (https://www.exploit-db.com/exploits/43123/)
On systems where LMS is running as root/admin, the last one is particularly dangerous. We have evidence of these kinds of "attacks" almost on a daily basis now. See various threads in this forum.
Now you might think "who would be interested in finding my IP address and port used?". Your neighbor's kid. Or some bored soul seeking some kick. Because it's easy. There are search engines that list your computer and port. No need to figure this one out yourself. And then have some fun. NOT!
So please: review your router's settings. Block those ports. Install a VPN if you need access to your music.
-
2017-03-22, 08:12 #1
IMPORTANT: Stop forwarding your LMS ports to the internet!
Last edited by mherger; 2017-12-15 at 22:16.
Michael
"It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
(LMS: Settings/Information)
-
2017-03-22, 09:08 #2
- Join Date
- Nov 2009
- Posts
- 1,273
Maybe the wiki should be changed accordingly?
http://wiki.slimdevices.com/index.ph...cting_remotely
-
2017-03-22, 16:22 #3
-
2017-03-22, 16:23 #4
- Join Date
- Apr 2013
- Location
- UK
- Posts
- 1,318
Wait till they enforce ipv6, then there will be none.
--
Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..
-
2017-03-23, 02:04 #5
"To try to judge the real from the false will always be hard. In this fast-growing art of 'high fidelity' the quackery will bear a solid gilt edge that will fool many people" - Paul W Klipsch, 1953
-
2017-03-23, 04:42 #6
- Join Date
- Apr 2013
- Location
- UK
- Posts
- 1,318
Just because no-one knows how ipv6 works..
--
Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..
-
2017-03-23, 04:47 #7
-
2017-03-24, 01:11 #8
Is it possible to limit LMS to the local subnet via programming, but have it working via a correctly set up VPN?
It seems to be a support issue now :/
Wonder why some hacker finds this funny?
It was that thread on the forum where someone actively asked for open IPs and wanted to share? Wonder if that one was a cheapskate or a troll?
That guy got p*** off when mherger told about exactly how bad this idea is? Sort of guy that can do this?
More risks: someone can actively listen with your accounts on Spotify and your other services.
Adds his players to your mysb.com account via LMS; it does that automatically.
Mess up your stats and scrobbling.
--------------------------------------------------------------------
Main hifi: Raspberry Pi digi+ MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 x MeridianDSP3100 + Rel Stadium 3 sub.
Bedroom/Office: Boom
Loggia: Raspi hifiberry dac + Adams
Bathroom: Radio (with battery)
iPad with iPengHD & SqueezePad
(spares Touch, SB3, receiver, controller)
server Intel NUC Esxi VM Linux mint 18 LMS 7.9.2
http://people.xiph.org/~xiphmont/demo/neil-young.html
-
2017-03-24, 01:48 #9
- Join Date
- May 2009
- Location
- Clacton-on-Sea, Essex. UK
- Posts
- 635
Hi Michael,
Thank you for reminding me. I had forwarded 4 or 5 ports to trial accessing various things on my server remotely. It didn't work the way I wanted so I abandoned the trial but of course forgot to delete the port forwarding. They have been removed now though :-)
Thank you
Last edited by bobertuk; 2017-03-24 at 02:18.
2 x Touch
2 x Radio
2 x Boom
1 x Intel-NUC server/squeezelite running LMS 7.92 (from nightlies) on Windows 10
1 X Odroid-XU4 server/squeezelite running LMS 7.91 on Ubuntu 16.04
1 x iMac server running macOS High Sierra
WaveIO USB into Lavry DA-10 DAC
Starfish Pre-amp : Based on NAIM NAC 72
Heavily modified NAIM NAP 250 Power-amp
Behringer DEQ2496
Linn Isobarik DMS
-
2017-03-24, 02:11 #10
IMPORTANT: Stop forwarding your LMS ports to the internet!
> Is it possible to limit LMS to the local subnet via programming , but
> have it working via a correctly setup VPN ?
If using a VPN you should be fine already. If you feel like tinkering,
check out Settings/Advanced/Security.
> Wonder why some hacker finds this funny ?
Never picked up the phone book to call a random number as a kid?
> More risks someone can actively listen with your accounts on Spotify and
> your other services.
> Adds his players to your mysb.com account via LMS it does that
> automatically .
> Mess up your stats and scrobbling.
Or implement the plugin which will wipe your system. Or encrypt your data.
--
Michael
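
An added illustration of the question in post #8 and the reply above (not posted by any participant in this thread, and not configuration shipped with LMS): a host-firewall ruleset for the machine running LMS that accepts LMS traffic only from loopback, the home LAN and a VPN subnet. The ports are the LMS defaults (9000 web interface, 9090 CLI, 3483 SlimProto); the subnets 192.168.1.0/24 and 10.8.0.0/24 and the table name are assumed placeholders. It complements removing the port forwards on the router and does not replace it.

```nftables
#!/usr/sbin/nft -f
# Added example: restrict LMS to LAN + VPN clients on the LMS host itself.
# Assumptions (adjust to your network):
#   192.168.1.0/24  home LAN           (placeholder)
#   10.8.0.0/24     VPN client subnet  (placeholder)
#   9000/tcp web UI, 9090/tcp CLI, 3483/tcp+udp SlimProto (LMS defaults)

table inet lms_guard {
    # Source networks that may talk to LMS.
    set lms_allowed_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.0/24, 10.8.0.0/24 }
    }

    chain input {
        # Only LMS ports are filtered here; everything else is left
        # to whatever other firewall rules the host already has.
        type filter hook input priority 0; policy accept;

        # Local tools and plugins on the same host keep working.
        iif "lo" accept

        # LAN players/controllers and VPN clients.
        tcp dport { 9000, 9090, 3483 } ip saddr @lms_allowed_v4 accept
        udp dport 3483 ip saddr @lms_allowed_v4 accept

        # Anything else reaching an LMS port is dropped. This includes
        # connections arriving through a forgotten router port forward
        # (the original internet source address is preserved by DNAT)
        # and all IPv6 sources, since only IPv4 ranges are allowed above.
        tcp dport { 9000, 9090, 3483 } counter drop
        udp dport 3483 counter drop
    }
}
```

Syntax-check the file with `nft -c -f` before loading it with `nft -f`; the `counter` on the drop rules shows in `nft list table inet lms_guard` whether anything outside the allowed ranges has been trying to connect.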