IMPORTANT: Stop forwarding your LMS ports to the internet!

[Mnyb]

> Is it possible to limit LMS to the local subnet via programming , but
> have it working via a correctly setup VPN ?

If using a VPN you should be fine already. If you feel like tinkering,
check out Settings/Advanced/Security.

> Wonder why some hacker finds this funny ?

Never picked up the phone book to call a random number as a kid?

> More risks someone can actively listen with your accounts on Spotify and
> your other services.
> Ads his players to your mysb.com account via LMS it does that
> automatically .
> Mess up your stats and scrobbling.

Or implement the plugin which will wipe your system. Or encrypt your data.

--

Michael

Oh on open VPN already , just an idea to not make so easy to just open the ports like apearently >5000 people are doing already ?
If the next upgrade jts blocks this and they have search for info ....

Ransom ware as an lms plugin

My LMS machine is only that , another safety measure . Its not running on my daily use computer no other personal info on than the LMS settings , no documents no mail .
So I can just delete that VM and reinstall.

And the NAS that keeps the music files is another VM from the NAS that has my personal backup . So i can deleta that one to , but the music share its mounted read only and no executing of files to the LMS machine..
Music is backed up on USB drives .

[doctor_big]

Done. Thanks for the heads-up, Michael.

Interestingly, over the past few months LMS has randomly stopped, with no info in the logs and only "possible software conflict" in the diagnostics tray.

Been running and playing on DSTM for three days now without a stoppage. Could this be related?

Jason

[sfraser]

Their are some real A-holes out there. I work for a router vendor, and we have a non firewalled internet access in our lab. From time to time we turn it up for deep packet inspection testing, within 30 seconds of turning it up we get pounded with attacks.

[oyvindo]

At least - if you really wish to have remote access to LMS, add a strong password to log on. This is probably not extremely difficult to hack for someone that knows how. I guess LMS logon exchange user name+password in clear text?
Nevertheless, it's better than nothing.
The downside is that there are several client apps out there that don't support password logon....

[Mnyb]

At least - if you really wish to have remote access to LMS, add a strong password to log on. This is probably not extremely difficult to hack for someone that knows how. I guess LMS logon exchange user name+password in clear text?
Nevertheless, it's better than nothing.
The downside is that there are several client apps out there that don't support password logon....

Yes clear text and not hard to hack .

But social engineering is also a thing , people reuse passwords even if you should not it's very very likely that someone uses the same passwords as they always do .

[pippin]

And that's an especially bad idea in this case because it's so easy to log the clear-text username and password from LMS...

[Squeezemenicely]

I had that problem, where my music player suddenly went whild in the middle of the night, I had forwarded my LMS ports to the internet. Now I use VPN and no problems at all anymore.
Shame, it was practical to use LMS on the road that way, but simply to unsafe.

Absolutely block those ports, this sort of thing does happen!

[drmatt]

I wonder if anyone has searched the darkwebs for LMS attacks..? There are probably "slurp all the music and set some annoying alarms" scripts out there.

[oyvindo]

You don't need a script for that. All you need is the IP.

[drmatt]

You do, you know the control protocol. The script kiddies know nothing, they just run scripts.