Home of the Squeezebox™ & Transporter® network music players.
  1. #61
    Babelfish's Best Boy mherger's Avatar
    Join Date
    Apr 2005
    Location
    Switzerland
    Posts
    19,986

    IMPORTANT: Stop forwarding your LMS ports to the internet!

    > Since I am in charge of the computer stuff in my company and should
    > know some tricks and basics - I can't say ssh from outside is somewhere
    > near safe.


    We all appreciate your knowledge. But then, please tell Joe Average what
    safe method there is to access his network from the outside. If ssh
    isn't, then don't even start to type the other three letters starting
    with "V".

    --

    Michael

  2. #62
    Senior Member
    Join Date
    Jan 2010
    Location
    Hertfordshire
    Posts
    1,550
    Quote Originally Posted by DJanGo View Post
    Since Michael didn't see edits.....

    Just a not so old example
    http://www.zdnet.com/article/linux-m...ryptocurrency/
    That does target devices with the default password though. You would normally change it.

    Sent from my SM-G900F using Tapatalk

  3. #63
    Senior Member
    Join Date
    Apr 2013
    Location
    UK
    Posts
    1,195
    Clearly, computers should be licensed only to those who can pass a test... (and device developers should be forced to use the products they produce...)

    Interested to see how the code can distinguish an external request from internal though.


    Transcoded from Matt's brain by Tapatalk
    --
    Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
    Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

  4. #64
    Babelfish's Best Boy mherger's Avatar
    Join Date
    Apr 2005
    Location
    Switzerland
    Posts
    19,986

    > whatever Joe uses it must be somewhere up2date. And needs some minimal
    > security.


    Fully agreed. Up to date and well configured. Then the differences in
    terms of ssh vs. VPN aren't what you think.

    > Using VPN or not is a big difference.


    As is ssh. But again: only if well configured etc. You mention the
    "hacking" of Raspis over ssh which was basically just using the default
    password. That's stupid. But if your VPN is configured the same stupid
    way, then it's no more secure.

    > Cracker Jimboy needs to crack/hack/social engineering your vpn settings.


    No more than your ssh setup.

    > I don't think any Joe on linux is using tools like faillock or something
    > else.


    Unless it's configured by default in your OS (which happened to me, and
    I didn't know before being locked out...).

    > So what do you expect me to do?


    Take a break.

    > Tell Joe what to do on his 512MB NAS
    > Tell Joe don't do it unless you really know what you're doing?


    Yes.

    --

    Michael

  5. #65
    Babelfish's Best Boy mherger's Avatar
    Join Date
    Apr 2005
    Location
    Switzerland
    Posts
    19,986

    > Clearly, computers should be licensed only to those who can pass a
    > test... (and device developers should be forced to use the products they
    > produce...)


    Ahm... well, at least for the SB I can assure you, I do use it. But
    there clearly are products I've been working on I hardly ever (or never)
    use... And this admittedly is a problem for a dev.

    > Interested to see how the code can distinguish an external request from
    > internal though.


    It's not very sophisticated, and not even fully correct: when a request
    is coming from the network's default gateway, I'm assuming it's coming
    from the outside. I know that this is a rather simplistic approach. But
    I thought I'd push it out this way and see whether people run into
    issues :-). If they do, then at least they can double check their
    network configuration to make sure they really don't open things up.

    And then there's that undocumented pref you can set to disable the check
    in such an exceptional case.

    --

    Michael

  6. #66
    Senior Member Jeff07971's Avatar
    Join Date
    Aug 2011
    Location
    London, England
    Posts
    1,034
    Quote Originally Posted by mherger View Post
    > Clearly, computers should be licensed only to those who can pass a
    > test... (and device developers should be forced to use the products they
    > produce...)


    Ahm... well, at least for the SB I can assure you, I do use it. But
    there clearly are products I've been working on I hardly ever (or never)
    use... And this admittedly is a problem for a dev.

    > Interested to see how the code can distinguish an external request from
    > internal though.


    It's not very sophisticated, and not even fully correct: when a request
    is coming from the network's default gateway, I'm assuming it's coming
    from the outside. I know that this is a rather simplistic approach. But
    I thought I'd push it out this way and see whether people run into
    issues :-). If they do, then at least they can double check their
    network configuration to make sure they really don't open things up.

    And then there's that undocumented pref you can set to disable the check
    in such an exceptional case.

    --

    Michael

    This unfortunately might be a very common problem, as a VPN server is often the GW (mine is both, IPSEC and SSL).

    EDIT: I take it that blocking must be turned on? My LMS does accept connections from my GW.
    Last edited by Jeff07971; 2018-01-12 at 13:51.
    Players: SliMP3,Squeezebox3 x3,Receiver,SqueezeLiteX,PiCorePlayer x3,Wandboard
    Server: LMS Version: Latest Nightly on Centos 7 VM on ESXi 6.5.0U1 on Dell T320
    Plugins: AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud/Spotty/Player Groups
    Remotes: iPeng9/Orangesqueeze/PC/Jivelite/SqueezeLiteX
    Music: 522GB,1660 albums with 23087 songs by 5204 artists mostly FLACs

    Want a webapp ? See http://forums.slimdevices.com/showth...Webapp-for-LMS

  7. #67
    Senior Member
    Join Date
    Nov 2010
    Location
    Hertfordshire, UK
    Posts
    2,703
    I'm not sure whether I'm an 'average joe' or not. However, having spent a working lifetime in IT (albeit nothing much to do with security) I suspect not quite (judging by most of my friends). Nonetheless I have found it pretty hard to work out how to do stuff like use ssh, ddns (my IP address changes most nights), open selected ports in the router and so on to make it all work with some semblance of security. I have a public key exchange set up between my mobile and laptop (using ssh) and my music server, and don't allow password access. Being retired I have time to work such things through when I know they must be possible, even when I can't quite get them to work for quite a while.

    As I understand it from some of the previous discussion, something has been added to a recent LMS to require a password to change settings if coming from the router/gateway address. Is that right? If so, which password is that? I have LMS from yesterday installed.

    I may never want to do this, but I'd like to know, just in case....
    LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit, 44.1->192kbps. Touch & EDO. 2nd Touch standard.
    LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) & Marantz CR603 UPnP renderers.
    Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC renderers.
    Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.
    Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

  8. #68
    Senior Member
    Join Date
    Apr 2013
    Location
    UK
    Posts
    1,195
    Quote Originally Posted by mherger View Post
    > Interested to see how the code can distinguish an external request from
    > internal though.

    It's not very sophisticated, and not even fully correct: when a request is coming from the network's default gateway, I'm assuming it's coming from the outside. I know that this is a rather simplistic approach. But I thought I'd push it out this way and see whether people run into issues :-). If they do, then at least they can double check their network configuration to make sure they really don't open things up.

    And then there's that undocumented pref you can set to disable the check in such an exceptional case.

    Ok, figured it might be something like that. Not an easy problem to solve. In this circumstance it would be better to receive a page back that says *why* the request was blocked and where to look to allow it rather than a 403. Anonymise the hell out of the response of course so people can't reasonably guess it's an LMS instance.


    Transcoded from Matt's brain by Tapatalk
    --
    Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
    Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..

  9. #69
    Babelfish's Best Boy mherger's Avatar
    Join Date
    Apr 2005
    Location
    Switzerland
    Posts
    19,986

    > This unfortunately might be a very common problem as a VPN server is
    > often the GW (Mine is both, IPSEC and SSL)


    I doubt it'll be anywhere near "common". Please let me know if it causes
    you a problem.

    --

    Michael

  10. #70
    Babelfish's Best Boy mherger's Avatar
    Join Date
    Apr 2005
    Location
    Switzerland
    Posts
    19,986

    > As I understand it from some of the previous discussion, something has
    > been added to a recent LMS to require a password to change settings if
    > coming from the router/gateway address. Is that right? If so, which
    > password is that?


    I tried to explain this before... If you have a password set, then
    you're all fine. If you haven't, then you won't be able to access the
    settings from the outside. LMS won't ask for a password unless you've
    set it yourself.

    --

    Michael
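
The gateway rule from post #65 combined with the password rule from post #70, as an added example that is not part of the thread and is not LMS's own code. It assumes a Linux host and reads the default gateway from text in `/proc/net/route` format; the sample table, the function names, `check_disabled` (standing in for the unnamed pref) and `local_net` (an extension beyond the thread) are all hypothetical.

```python
import ipaddress
import struct

# Constructed sample in Linux /proc/net/route format (not taken from the thread).
# Address fields are little-endian hex: 0101A8C0 is 192.168.1.1.
SAMPLE_ROUTES = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
)
RTF_UP, RTF_GATEWAY = 0x1, 0x2


def _le_hex_to_ip(value):
    """Convert a little-endian hex field from /proc/net/route to an IPv4Address."""
    return ipaddress.ip_address(struct.pack("<I", int(value, 16)))


def default_gateway(route_text):
    """Return the gateway of the 0.0.0.0/0 route flagged UP and GATEWAY, or None."""
    wanted = RTF_UP | RTF_GATEWAY
    for line in route_text.splitlines()[1:]:       # skip the header row
        f = line.split()
        if len(f) < 8 or f[1] != "00000000" or f[7] != "00000000":
            continue                               # not a default route
        if (int(f[3], 16) & wanted) == wanted:
            return _le_hex_to_ip(f[2])
    return None


def settings_access(peer, gateway, password_set, check_disabled=False, local_net=None):
    """Decide how to treat a request for the settings pages.

    check_disabled: hypothetical stand-in for the pref that turns the check off.
    local_net: extension beyond the thread; peers outside this subnet are external.
    """
    if password_set:
        return "authenticate"      # a configured password applies to every client
    if check_disabled:
        return "allow"
    peer = ipaddress.ip_address(peer)
    external = gateway is not None and peer == gateway   # rule from post #65
    if local_net is not None and peer not in ipaddress.ip_network(local_net):
        external = True
    return "deny" if external else "allow"
```

With `local_net` unset the function applies only the gateway rule, so a VPN client whose traffic arrives from the gateway address is denied exactly like a forwarded request, which is the case raised in post #66.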
