Home of the Squeezebox™ & Transporter® network music players.
  1. #81
    JJZolx, Senior Member (joined Apr 2005, Colorado, 11,483 posts)
    Ok, I see it. Thanks.

  2. #82
    Senior Member (joined Apr 2005, UK/London, 907 posts)
    Quote, originally posted by Paul Webster:
    I noticed the changes in the secureSettings branch in github.
    I don't think it is in the daily build yet.
    Correction - I see it was merged into 7.9 branch 5 days ago.
    https://github.com/Logitech/slimserv...lim/Plugin/CLI

    Try turning on Info level logging in "(plugin.cli) - Command Line Interface (CLI)"

    If you have access to the source code then check
    Slim/Plugin/CLI/Plugin.pm
    to see if it contains
    Code:
    	if ( !Slim::Utils::Network::ip_is_localhost($tmpaddr)
    		&& $prefsServer->get('protectSettings') && !$prefsServer->get('authorize')
    		&& Slim::Utils::Network::ip_is_gateway($tmpaddr)
    	) {
    		$log->error("Access to CLI is restricted to the local network or localhost: $tmpaddr");
    		$cli_socket->close;
    	}
    	elsif (!($prefsServer->get('filterHosts')) || (Slim::Utils::Network::isAllowedHost($tmpaddr))) {
    Paul Webster
    http://dabdig.blogspot.com
    Author Radio France (FIP etc) plugin

  3. #83
    Senior Member (joined Nov 2010, Hertfordshire, UK, 2,703 posts)
    Quote, originally posted by Paul Webster:
    Correction - I see it was merged into 7.9 branch 5 days ago.
    https://github.com/Logitech/slimserv...lim/Plugin/CLI

    Try turning on Info level logging in "(plugin.cli) - Command Line Interface (CLI)"

    If you have access to the source code then check
    Slim/Plugin/CLI/Plugin.pm
    to see if it contains
    Code:
    	if ( !Slim::Utils::Network::ip_is_localhost($tmpaddr)
    		&& $prefsServer->get('protectSettings') && !$prefsServer->get('authorize')
    		&& Slim::Utils::Network::ip_is_gateway($tmpaddr)
    	) {
    		$log->error("Access to CLI is restricted to the local network or localhost: $tmpaddr");
    		$cli_socket->close;
    	}
    	elsif (!($prefsServer->get('filterHosts')) || (Slim::Utils::Network::isAllowedHost($tmpaddr))) {
    Yes, I have that code. In my server.prefs 'protectSettings' is set to 1. I don't know how the ip_is_gateway works, but since the IP I see for ssh is certainly not for my gateway maybe that's why it doesn't get trapped on my system (which has no password set).
    LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit, 44.1->192kbps. Touch & EDO. 2nd Touch standard.
    LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) & Marantz CR603 UPnP renderers.
    Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC renderers.
    Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.
    Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

  4. #84
    Senior Member (joined Apr 2005, UK/London, 907 posts)
    Quote, originally posted by PasTim:
    Yes, I have that code. In my server.prefs 'protectSettings' is set to 1. I don't know how the ip_is_gateway works, but since the IP I see for ssh is certainly not for my gateway maybe that's why it doesn't get trapped on my system (which has no password set).
    Try increasing the log level for the module I referred to above.
    I think it will log both success and failure with the IP address.

  5. #85
    Senior Member (joined Nov 2010, Hertfordshire, UK, 2,703 posts)
    Quote, originally posted by Paul Webster:
    Try increasing the log level for the module I referred to above.
    I think it will log both success and failure with the IP address.
    I got no report at all with the plugin.cli info settings.

    Maybe I have misunderstood something (wouldn't be the first time!), so I had better be more precise about what I'm doing.

    I am connecting via my mobile, using a data connection, not wifi. I use an app called ConnectBot to connect with SSH to LMS via a Netgear DDNS service to my router, which has port 22 open. I have a public key shared between my mobile and the music server. ConnectBot has the ability to listen on local ports on the mobile and forward the requests on to my music server.

    So a local port 9000 is set up in ConnectBot to route to my home-server-ip-address:9000. I can connect mobile LMS tools (eg Squeeze Commander and Squeeze Player), or just my web browser connecting to http://localhost:9000. Using the browser, I can look at LMS settings and change some (stopping and restarting the UPnP bridge for instance).

    I know almost nothing about the internals of LMS or its CLI. Does using a web browser go via the CLI and hence get checked when accessing Settings?

  6. #86
    paul-, Senior Member (joined Jan 2013, 1,171 posts)
    Quote, originally posted by PasTim:
    I don't know how the ip_is_gateway works, but since the IP I see for ssh is certainly not for my gateway maybe that's why it doesn't get trapped on my system (which has no password set).
    He is simply using the LMS server's routing table to find the gateway address.

    If I read the Perl correctly (which there is a good chance I am not):

    Allowed Addresses
    IP address of the server itself
    127.0.0.1
    Any Address in the List of permitted IP addresses defined on the Security page.

    Not Allowed Addresses
    Gateway address of the LMS server.


    However, the gateway is only a hop point. Even in a DNAT network, if you allow an external device through the firewall, it will not have the gateway's address.

  7. #87
    mherger, Babelfish's Best Boy (joined Apr 2005, Switzerland, 19,987 posts)

    IMPORTANT: Stop forwarding your LMS ports to the internet!

    > I got no report at all with the plugin.cli info settings.

    plugin.cli is only used by the CLI itself. But network.http=info would
    be more helpful.

    > So a local port 9000 is set up in ConnectBot to route to my
    > home-server-ip-address:9000.


    That's a use case I haven't tested yet. Will do. Could you please enable
    logging as mentioned above, then see what IP address LMS is seeing? Also
    what is your gateway's IP, and your server's?

    --

    Michael

  8. #88
    mherger, Babelfish's Best Boy (joined Apr 2005, Switzerland, 19,987 posts)

    > However, the gateway is only a hop point. Even in a DNAT network, if
    > you allow an external device through the firewall, it will not have the
    > gateway's address.


    I guess that most systems which currently are systematically attacked
    simply forward port 900x on their router to LMS. In this case the
    incoming IP address would be the gateway's.

    I know the current code is far from perfect. But it certainly covers
    many of the cases I've seen so far. I do know there are already
    installations out there which take advantage of this slightly improved
    default behaviour.

    Please note that I did NOT implement this to make publishing your LMS to
    the world more safe. I'm still saying: don't do it. But I know that many
    users did it out of some need, or ignorance. And many of them are not
    aware of the problem. In these cases new LMS at least does provide a
    minimum more protection than before.


  9. #89
    Senior Member (joined Nov 2010, Hertfordshire, UK, 2,703 posts)
    Quote, originally posted by mherger:
    > I got no report at all with the plugin.cli info settings.

    plugin.cli is only used by the CLI itself. But network.http=info would
    be more helpful.

    > So a local port 9000 is set up in ConnectBot to route to my
    > home-server-ip-address:9000.


    That's a use case I haven't tested yet. Will do. Could you please enable
    logging as mentioned above, then see what IP address LMS is seeing? Also
    what is your gateway's IP, and your server's?

    --

    Michael
    I turned that info on, and looked at "HTTP request: from " lines. I got them from my desktop (...2), my Touch (...7), and the music server itself (...10) when I connected from my mobile. I can see nothing from my gateway (I searched for it).

    I therefore surmise that the SSH server is sending from the music server's own IP address to the same address.

    If you need bits of the log I could pm them (tomorrow) rather than attach them here (being paranoid, I know....).

  10. #90
    paul-, Senior Member (joined Jan 2013, 1,171 posts)
    Quote, originally posted by mherger:
    I guess that most systems which currently are systematically attacked
    simply forward port 900x on their router to LMS. In this case the
    incoming IP address would be the gateway's.
    Not that I do this, but I opened up the ports to do some testing. On my Netgear router, when it lets the traffic in, the connection at the server is shown as coming from whatever the external device's address is.
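The check quoted in #82 and the address cases argued over in #86, #88 and #90, worked through as an added Python model. This is not LMS code and not from anyone in the thread: it re-expresses the two Perl branches quoted above and paul-'s reading of isAllowedHost, and the addresses (a 192.168.1.0/24 LAN with the server on .10 and the gateway on .1, an outside host at 203.0.113.5) and preference values are constructed for the example.

```python
"""Model of the LMS CLI source-address check discussed in this thread.

Added illustration, not code from Logitech Media Server: it re-expresses the
Perl snippet quoted in the thread and paul-'s reading of isAllowedHost so the
cases raised by PasTim, mherger and paul- can be walked through. All addresses
and preference values below are constructed for the example.
"""
import ipaddress
from typing import Dict, Iterable, Tuple


def is_localhost(addr: str) -> bool:
    """Stand-in for ip_is_localhost: loopback addresses only."""
    return ipaddress.ip_address(addr).is_loopback


def is_allowed_host(addr: str, server_ip: str, allowed_hosts: Iterable[str]) -> bool:
    """paul-'s reading of isAllowedHost: loopback, the server's own address,
    or an entry in the 'permitted IP addresses' list on the Security page."""
    return is_localhost(addr) or addr == server_ip or addr in set(allowed_hosts)


def cli_connection_allowed(remote_ip: str, server_ip: str, gateway_ip: str,
                           prefs: Dict[str, bool],
                           allowed_hosts: Iterable[str] = ()) -> Tuple[bool, str]:
    """Mirror the two branches of the quoted Plugin.pm check.

    prefs carries the three server preferences the snippet reads:
    protectSettings, authorize (a password is set) and filterHosts.
    """
    # First branch: with no password set, a connection whose source is the
    # gateway address is refused (a plain router port-forward looks like this).
    if (not is_localhost(remote_ip)
            and prefs["protectSettings"] and not prefs["authorize"]
            and remote_ip == gateway_ip):
        return False, "rejected: source is the gateway address"
    # Second branch: accept unless filterHosts is on and the source is unlisted.
    # The quoted snippet ends at the elsif; the fall-through follows paul-'s reading.
    if not prefs["filterHosts"] or is_allowed_host(remote_ip, server_ip, allowed_hosts):
        return True, "accepted"
    return False, "rejected: filterHosts is on and source is not permitted"


def thread_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Walk the situations described in the thread with constructed addresses."""
    server, gateway, outsider = "192.168.1.10", "192.168.1.1", "203.0.113.5"
    no_password = {"protectSettings": True, "authorize": False, "filterHosts": False}
    with_password = {"protectSettings": True, "authorize": True, "filterHosts": False}
    filtered = {"protectSettings": True, "authorize": False, "filterHosts": True}
    return {
        # PasTim: the SSH tunnel terminates on the server, so LMS sees its own address.
        "ssh_tunnel": cli_connection_allowed(server, server, gateway, no_password),
        # mherger: a router forwarding port 900x to LMS shows up as the gateway.
        "router_port_forward": cli_connection_allowed(gateway, server, gateway, no_password),
        # paul-: a DNAT'd connection keeps the outside source address, so the
        # gateway test alone does not stop it.
        "dnat_external": cli_connection_allowed(outsider, server, gateway, no_password),
        # The same outsider once filterHosts is on with an empty permitted list.
        "dnat_external_filtered": cli_connection_allowed(outsider, server, gateway, filtered),
        # With a password set the gateway test is skipped; authentication takes over.
        "port_forward_with_password": cli_connection_allowed(gateway, server, gateway, with_password),
    }


if __name__ == "__main__":
    for name, (ok, why) in thread_scenarios().items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

Running it shows why PasTim's tunnel was never trapped (the source is the server's own address) and why paul-'s DNAT case passes the gateway test: only the filterHosts list or a password catches it.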
