Home of the Squeezebox™ & Transporter® network music players.
  1. #1
    Junior Member
    Join Date
    Sep 2018
    Posts
    2

    piCorePlayer: security

    Hello,

    I am a new and happy user of piCorePlayer running its LMS on a Raspberry PI 3B+. LMS was previously running on an old and struggling ReadyNAS NV+ where the music is still stored. piCorePlayer gave a second life to my much loved Squeezebox platform: faster, more syncable players, Spotty plugin, reduced workload on the NAS, etc. Thank you pCP team !

    Before moving to my next project, i.e. building a Touch-like RPi-based player, I would like to finalize the security part.
    Are there recommendations or best practices to secure piCorePlayer? I started to look at iptables, but have not even found a way to install it from the Tiny Core forum as my experience of Linux is very limited. Has anyone already managed that part or is it considered risk-free?

    Thanks in advance,




    Squeezebox Touch, Radio x2, Receiver
    piCorePlayer 3.5.0 | Raspberry PI 3B+
    LMS 7.9.2 | Spotty
    Netgear ReadyNAS NV+
    iPeng9, Squeezer, Squeezebox Controller
    9,228 FLAC songs from 733 Albums and 327 artists

  2. #2
    Senior Member paul-'s Avatar
    Join Date
    Jan 2013
    Posts
    1,560
    Yes you can install iptables on pCP, but it’s really not necessary. You can shut down all services, so only squeezelite/jivelite is running.

    LMS itself is not designed to be run accessible from the internet. LMS and associated devices should only be on your local network. If you want remote access to your music, use a VPN.
    piCorePlayer a small player for the Raspberry Pi in RAM.
    Homepage: https://www.picoreplayer.org

    Please donate if you like the piCorePlayer

  3. #3
    Junior Member
    Join Date
    Sep 2018
    Posts
    2
    Nothing to worry then. Thanks a lot!

  4. #4
    Senior Member
    Join Date
    Sep 2009
    Location
    Denmark
    Posts
    131
    I'm interested in this topic. Just installed a RPi w. piCorePlayer + JiveLite on my network.

    Bluetooth and WiFi are disabled, only using Ethernet. I changed the password for tc (tiny-core, I hope it was saved).

    Is there some way in which a hacker could potentially get access to tc and manipulate the system to serve a hacker's purpose?

    Just wondering.

    Also I wonder if piCorePlayer could be set up to accept interaction with a specific IP address only (my NAS running LMS has fixed IP) and/or MAC address?

    Cheers,
    Claus

  5. #5
    Senior Member Greg Erskine's Avatar
    Join Date
    Sep 2006
    Location
    Sydney, Australia
    Posts
    1,546
    Hi cfuttrup,

    If you are "super paranoid" about security issues I would not have a Raspberry Pi on my network.

    One of the advantages of piCore is it is in RAM. The system is a clean rebuild on each boot. So a hacker, unless they were TinyCore savvy, could do their thing, but after a reboot it would be clean again.

    You could schedule a reboot every 5 minutes!

    regards
    Greg

  6. #6
    Senior Member paul-'s Avatar
    Join Date
    Jan 2013
    Posts
    1,560
    Quote Originally Posted by cfuttrup View Post
    Also I wonder if piCorePlayer could be set up to accept interaction with a specific IP address only (my NAS running LMS has fixed IP) and/or MAC address?
    That would be iptables' role.

  7. #7
    Senior Member
    Join Date
    Feb 2011
    Location
    Cheshire, UK
    Posts
    3,324
    Sensible password. Internal network only no port forwarding etc
    Other than that why?
    VB2.4 storage QNAP TS419p (NFS)
    Living Room - Joggler & SB3 -> Onkyo TS606 -> Celestion F20s
    Office - Pi3+Screen -> Sony TAFE320 -> Celestion F10s / Pi2+DAC & SB3 -> Onkyo CRN755 -> Wharfedale Modus Cubes
    Dining Room -> SB Boom
    Kitchen -> UE Radio (upgraded to SB Radio)
    Bedroom (Bedside) - Pi2+DAC ->ToppingTP21 ->AKG Headphones
    Bedroom (TV) - SB Touch ->Sherwood AVR ->Mordaunt Short M10s
    Everything controlled by iPeng

  8. #8
    Senior Member
    Join Date
    Sep 2005
    Posts
    2,751
    Quote Originally Posted by Gaffophone View Post
    Are there recommendations or best practices to secure piCorePlayer?
    There are many improvements on the security but most of them are on the other side - not yours and they are not RPI / Picore related.

    How does a Hacker / Cracker get his way into the IOT devices like an LMS?

    First they would use an already implemented update scenario like LMS update or the plugin update mechanism.
    One hack -> many devices with many IPs makes a perfect botnet.
    Mostly they don't hack a single IOT device.

    Unless the updates aren't digitally certified and the internal update mechanism first checks the updates for their certificates you always have to trust these updates with your brain instead of the update routine.

    In case of LMS updates that's an easy procedure because there is a single contributor for these updates.
    In case of the plugin side the whole idea is getting worse because there is no manpower to check all plugins and sign them and there are more than one plugin repository.

    That means be aware what plugins you install and check the forum for some warnings.
    Last edited by DJanGo; 2018-12-22 at 05:13. Reason: typo

  9. #9
    Senior Member
    Join Date
    Sep 2009
    Location
    Denmark
    Posts
    131
    Quote Originally Posted by paul- View Post
    That would be iptables' role.
    Hi paul - It's a firewall, sounds like an idea I'd like to try.

    I've never set up iptables in the past, are there any tips that someone can provide, for example with the classical LAN 192.168.n.xyz ??

    Best regards,
    Claus

  10. #10
    Senior Member
    Join Date
    Sep 2009
    Location
    Denmark
    Posts
    131
    Quote Originally Posted by d6jg View Post
    Sensible password. Internal network only no port forwarding etc
    Other than that why?
    Hi d6jg

    Internal only ... is that something I'd do with iptables?

    Is iptables already there on the piCorePlayer, and do I have to edit a text file on the system, to accomplish this?

    Sorry for really not knowing much about this. I ask because I'm afraid I'll do something wrong and/or stupid, like for example make it impossible for the Tiny Core Linux to fetch packages and stay up-to-date.

    /Claus
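
An added example, not part of any post in this thread and not piCorePlayer's own tooling: a small script that prints an `iptables-restore` ruleset for the setup asked about in posts #4, #9 and #10, where the player accepts new inbound connections only from the LMS host while outbound traffic (package downloads, updates) keeps working. The LMS and admin addresses, the admin ports 22 (SSH) and 80 (web interface), and the availability of the `conntrack` and `multiport` matches on the device are assumptions.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a piCorePlayer box.
# Usage (addresses are placeholders): sh pcp-rules.sh 192.168.1.10 192.168.1.20

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into four positional parameters
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset. $1 = LMS server IP, $2 = admin workstation IP (assumed).
# Rule order: loopback, replies to connections the Pi opened itself (this is
# what keeps package fetches working), everything from the LMS host, then
# SSH and the web interface from the admin workstation only.
pcp_rules() {
    is_ipv4 "$1" && is_ipv4 "$2" || {
        echo "usage: pcp_rules LMS_IP ADMIN_IP" >&2
        return 1
    }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $1 -j ACCEPT
-A INPUT -s $2 -p tcp -m multiport --dports 22,80 -j ACCEPT
COMMIT
EOF
}

# Only emit rules when called with both addresses on the command line.
if [ "$#" -eq 2 ]; then
    pcp_rules "$1" "$2"
fi
```

Review the output, then pipe it into `iptables-restore` as root. Because the system is rebuilt from a clean image on every boot, the rules have to be reapplied at startup.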
