IMPORTANT: Stop forwarding your LMS ports to the internet!

This is a sticky topic.
  • pippin
    Senior Member
    • Oct 2007
    • 14809

    #16
    And that's an especially bad idea in this case because it's so easy to log the clear-text username and password from LMS...
    ---
    learn more about iPeng, the iPhone and iPad remote for the Squeezebox and
    Logitech UE Smart Radio as well as iPeng Party, the free Party-App,
    at penguinlovesmusic.com
    New: iPeng 9, the Universal App for iPhone, iPad and Apple Watch


    • Squeezemenicely
      Senior Member
      • Dec 2010
      • 325

      #17
      I had that problem, where my music player suddenly went wild in the middle of the night; I had forwarded my LMS ports to the internet. Now I use VPN and no problems at all anymore.
      Shame, it was practical to use LMS on the road that way, but simply too unsafe.

      Absolutely block those ports, this sort of thing does happen!
      LMS 7.9.0 - 1470391720 on Pi2 (Max2play)
      Synology DS-414 NAS
      Squeezebox Touch, Squeezebox Boom, Squeezebox Radio, HifiBerry PicorePlayer
      Schiit - BIFROST AKM 4490 Dac
      Spotify Premium


      • drmatt
        Senior Member
        • Apr 2013
        • 1323

        #18
        I wonder if anyone has searched the darkwebs for LMS attacks..? There are probably "slurp all the music and set some annoying alarms" scripts out there.
        --
        Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
        Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..


        • oyvindo
          Senior Member
          • Aug 2008
          • 402

          #19
          You don't need a script for that. All you need is the IP.
          QNAP TS-453Be 4x3TB RAID5 QNAP TS-251 2x3TB RAID0 QNAP HS-251 2x2TB RAID0 QNAP TS-453Mini 2x1TB Raid 10
          LMS running in Docker Madsonic running in Docker Guacamole QPGK R&D and Test server
          Home Assistant running in Docker Node-Red running in Docker RainLoop QPKG
          Pi-Hole running in Docker Bastillion running in Docker DeConz running in Docker w/ConBee II
          Mosquitto MQTT running in Docker


          • drmatt
            Senior Member
            • Apr 2013
            • 1323

            #20
            You do, you know the control protocol. The script kiddies know nothing, they just run scripts.
            --
            Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with Debian+LMS 7.9.0
            Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k albums..


            • SamS
              Senior Member
              • Dec 2006
              • 683

              #21
              I've been doing this for years (mainly for iPeng playback), with no ill effects. I was using a strong password. However, reading the recommendations, I just turned it off. Exactly how is a plain-text password compromised in this scenario?

              I get the same functionality by installing the Plex iOS app, and my lifetime Plexpass subscription.


              • Mnyb
                Senior Member
                • Feb 2006
                • 16539

                #22
                Originally posted by SamS
                I've been doing this for years (mainly for iPeng playback), with no ill effects. I was using a strong password. However, reading the recommendations, I just turned it off. Exactly how is a plain-text password compromised in this scenario?

                I get the same functionality by installing the Plex iOS app, and my lifetime Plexpass subscription.
                Exactly as I say, it's sent as plain text from, for example, a browser on your phone to your server, to be intercepted by who knows.
                And the security in LMS is not the strongest kind anyhow...
                --------------------------------------------------------------------
                Main hifi: Raspberry PI digi+ MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 x MeridianDSP3100 + Rel Stadium 3 sub.
                Bedroom/Office: Boom
                Loggia: Raspi hifiberry dac + Adams
                Bathroom : Radio (with battery)
                iPad with iPengHD & SqueezePad
                (spares Touch, SB3, receiver, controller)
                server Intel NUC Esxi VM Linux mint 18 LMS 7.9.2

                http://people.xiph.org/~xiphmont/demo/neil-young.html


                • jo-wie
                  Senior Member
                  • Jun 2008
                  • 2198

                  #23
                  Quick search for LMS

                  Please do not ALL disable it, I need some bad examples for security awareness trainings. (Sorry, only kidding)

                  [Attached image: LMS_Scan.JPG]
                  2 * Classic, 2 * Boom, piCorePlayer on Raspberry PI II B with HifiBerry attached to Objective 2 ( Head 'n' HiFi KIT) with Beyerdynamic DT880, LMS 7.9 on Odroid U3 with Max2Play, 500GB USB HD, controlled by Squeezepad or iPeng on iPad and Orange Squeezepad on Nexus 5x, CD -> FLAC = dbpoweramp, Router AVM Fritz 7490

                  last.fm/user/jo-wie


                  • mherger
                    Babelfish's Best Boy
                    • Apr 2005
                    • 24636

                    #24
                    IMPORTANT: Stop forwarding your LMS ports to the internet!

                    > Please do not ALL disable it, I need some bad examples for security
                    > awareness trainings. (Sorry, only kidding)


                    Are you searching for LMS? Ugh... that's even worse than Squeezebox...

                    --

                    Michael

                    "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
                    (LMS: Settings/Information)


                    • jo-wie
                      Senior Member
                      • Jun 2008
                      • 2198

                      #25
                      Originally posted by mherger
                      > Please do not ALL disable it, I need some bad examples for security
                      > awareness trainings. (Sorry, only kidding)


                      Are you searching for LMS? Ugh... that's even worse than Squeezebox...

                      --

                      Michael
                      The interesting point is that I have the feeling the number was falling over the last months but is now rising again. I was really using it as a bad example for trainings, and so I had a look at it several times. But maybe the search engine simply found more because it was scanning further areas.
                      2 * Classic, 2 * Boom, piCorePlayer on Raspberry PI II B with HifiBerry attached to Objective 2 ( Head 'n' HiFi KIT) with Beyerdynamic DT880, LMS 7.9 on Odroid U3 with Max2Play, 500GB USB HD, controlled by Squeezepad or iPeng on iPad and Orange Squeezepad on Nexus 5x, CD -> FLAC = dbpoweramp, Router AVM Fritz 7490

                      last.fm/user/jo-wie


                      • mherger
                        Babelfish's Best Boy
                        • Apr 2005
                        • 24636

                        #26
                        IMPORTANT: Stop forwarding your LMS ports to the internet!

                        > The interesting point is, that I have the feeling that the number was
                        > falling the last months but now is rising again.


                        Interesting indeed: I've been monitoring "squeezebox" rather than LMS.
                        But numbers seemed to grow in the past weeks, and significantly dropped
                        over the past few days (-15%).

                        I was wondering how I should handle this situation. These users have a
                        serious security issue they should know about. But am I allowed to
                        "hack" their system in order to protect themselves from the bad hacker?

                        --

                        Michael

                        "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
                        (LMS: Settings/Information)


                        • Jeff07971
                          Senior Member
                          • Aug 2011
                          • 1900

                          #27
                          Originally posted by mherger
                          > The interesting point is, that I have the feeling that the number was
                          > falling the last months but now is rising again.


                          Interesting indeed: I've been monitoring "squeezebox" rather than LMS.
                          But numbers seemed to grow in the past weeks, and significantly dropped
                          over the past few days (-15%).

                          I was wondering how I should handle this situation. These users have a
                          serious security issue they should know about. But am I allowed to
                          "hack" their system in order to protect themselves from the bad hacker?

                          --

                          Michael
                          I'm afraid the simple answer is NO, it would be extremely unwise!! If you "hacked" (not sure if that's even the right term, as these systems are wide open), I'm very sure it would be seen as illegal in many countries.

                          A large and sticky warning on the home page of the forums would be wiser.

                          Whilst the situation is quite serious, I see nothing that can really be done about it; if the "hacks" are just waking people up at obscene hours, hopefully a message in the forums will get more attention.

                          I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the list of open LMS's, meaning people update (or it is done automatically), so a software change may work to help.
                          I was thinking that not responding (unless specifically allowed) to the router address (or gateway) may work. That way those that use VPN can turn it on, but those who forward ports will have to come to the forum to ask why their forwarding no longer works.

                          Edit: Nothing much can be done about the 7.7.5's

                          Jeff
                          Want a webapp ? Get SqueezeLite-X ! https://forums.slimdevices.com/showt...l=1#post903953


                          • Jeff07971
                            Senior Member
                            • Aug 2011
                            • 1900

                            #28
                            Hi Michael

                            Another idea !

                            Use a list generated by THAT search engine to grab a list of open LMS's and automatically send a command to turn all players on and stream a file from Logitech saying something like "This system is compromised, please see article on forum" repeatedly until stopped.

                            This idea is more aggressive and would need to be run by legal, but may have a better effect.

                            Jeff
                            Want a webapp ? Get SqueezeLite-X ! https://forums.slimdevices.com/showt...l=1#post903953


                            • Paul Webster
                              Senior Member
                              • Apr 2005
                              • 10336

                              #29
                              You could change LMS to require a password if the IP address is not local and have a maximum number of password attempts before suspending such access for X hours - and a setting to disable all of this for someone who really insists on taking the risk.
                              At least those users who have auto-update enabled would have a bit better protection.
                              Paul Webster
                              Author of "Now Playing" plugins covering Radio France (FIP etc), PlanetRadio (Bauer - Kiss, Absolute, Scala, JazzFM etc), KCRW, ABC Australia and CBC/Radio-Canada
                              and, via the extra "Radio Now Playing" plugin lots more - see https://forums.slimdevices.com/showt...Playing-plugin


                              • mherger
                                Babelfish's Best Boy
                                • Apr 2005
                                • 24636

                                #30
                                IMPORTANT: Stop forwarding your LMS ports to the internet!

                                > A large and sticky warning on the home page of the forums would be
                                > wiser.


                                Unfortunately only a very small percentage of the SB community is
                                regularly visiting these forums. Even I wouldn't get to see that message!

                                > I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the
                                > list of open LMS's meaning people update (or is done automatically) so a
                                > software change may work to help.


                                Interesting. In my list there are far more 7.7.x installations than
                                7.9.x. And many are really old, like 7.7.2/3.

                                > Use a list generated by THAT search engine to grab a list of open LMS's
                                > and automatically sent a command to turn all player on and stream a file
                                > from Logitech saying something like "This system is compromised please
                                > see article on forum" repeatedly until stopped.


                                This is about as far as my "hacking" would go: interact with LMS.

                                --

                                Michael

                                "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
                                (LMS: Settings/Information)
