Home of the Squeezebox™ & Transporter® network music players.
  1. #1

    Blocking Incoming Connections...

    Hi,
    I've set up a remote SB3 to access my server over the net. I've opened up the ports and forwarded them on my router. All works OK.

    I now want to secure the system a bit and am trying to use the "block incoming connections" feature in squeezecenter but can't get it to work.

    My understanding is that I check the box to say block incoming connections and then add a list of allowed IPs in the following box.

    In the box I have:

    127.0.0.1,192.168.0.*,xxx.yyy.zzz.aaa

    The 127.0.0.1 is the local host I think, the 192.168.0 allows the local players on my NW to connect and the final address should allow the remote SB3 to connect, right?

    But if I check the tick box I can connect locally from the players on my NW, but the remote player hangs saying "connecting to server..." and never does.

    Unchecking the box and all works again but obviously with no security.

    Am I missing something out or misunderstanding how this works?

    Thanks,
    DrS

  2. #2
    pski
    Guest
    Quote Originally Posted by staresy View Post
    Hi,
    I've set up a remote SB3 to access my server over the net. I've opened up the ports and forwarded them on my router. All works OK.

    I now want to secure the system a bit and am trying to use the "block incoming connections" feature in squeezecenter but can't get it to work.

    My understanding is that I check the box to say block incoming connections and then add a list of allowed IPs in the following box.

    In the box I have:

    127.0.0.1,192.168.0.*,xxx.yyy.zzz.aaa

    The 127.0.0.1 is the local host I think, the 192.168.0 allows the local players on my NW to connect and the final address should allow the remote SB3 to connect, right?

    But if I check the tick box I can connect locally from the players on my NW, but the remote player hangs saying "connecting to server..." and never does.

    Unchecking the box and all works again but obviously with no security.

    Am I missing something out or misunderstanding how this works?

    Thanks,
    DrS
    On the remote computer, go to whatismyip.com to get your "remote" ip. Then the box should say (if whatismyip says you are at 111.222.333.444)

    127.0.0.1, 192.168.0.*, 111.222.333.444

    Each "remote" location will have its own ip you will need to add.

    P

  3. #3
    Hi thanks for the reply. That's exactly how I set it up but I notice that the ip address of the remote location has changed - probably because it's a dynamic address allocated by the ISP and the remote router has been rebooted.

    Any easy way around this? My thought is to open up the remote address to zzz.xxx.yyy.* to allow a range of addresses in - this would work on the assumption that the ISP would only ever allocate an IP address within a fixed range.

    Is that a reasonable assumption? If not what are my other options...?

    Thanks,
    DrS

  4. #4
    pski
    Guest
    Quote Originally Posted by staresy View Post
    Hi thanks for the reply. That's exactly how I set it up but I notice that the ip address of the remote location has changed - probably because it's a dynamic address allocated by the ISP and the remote router has been rebooted.

    Any easy way around this? My thought is to open up the remote address to zzz.xxx.yyy.* to allow a range of addresses in - this would work on the assumption that the ISP would only ever allocate an IP address within a fixed range.

    Is that a reasonable assumption? If not what are my other options...?

    Thanks,
    DrS
    Since the * there only allows for 256 different addresses, you might have to use zzz.xxx.* You can also turn on user/password.

    What OS/version is the SBS host? I use remote desktop (securely) to let me get remote control of the SBS host so I can unblock addresses remotely. If you have Windows Home versions, you can use VNC to do the same thing. (There are also patches that add RDP to Home versions - no warranty expressed or implied.) ("Home" versions contain the program to "take over" a remote machine but they do not include being remotely controlled - VNC is a free program that provides this function to/from any Windows/Mac/Unix/Linux systems.) In either of these cases you'll also open ports on your modem/router and the SBS host would absolutely have to have a user (as opposed to a SBS) password.

    If you are into programming you can google "dynamic IP notify" for some free programs that can run on the remote system. They monitor the IP and send an email when it changes.



    p
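
Added example (not part of the thread, and not SqueezeCenter's own code): a sketch of how an allow list in the format shown above can be evaluated, and how many addresses each wildcard entry admits. The short form `zzz.xxx.*` is assumed to wildcard the remaining octets, and all addresses are constructed documentation-range values.

```python
import ipaddress

def parse_allow_list(text):
    """Parse a comma-separated allow list into tuples of four octets (int or "*")."""
    patterns = []
    for entry in text.split(","):
        parts = entry.strip().split(".")
        if parts == [""]:
            continue  # tolerate a trailing comma
        # Assumption: a short entry ending in "*" (e.g. "203.0.*") wildcards the rest.
        if len(parts) < 4 and parts[-1] == "*":
            parts += ["*"] * (4 - len(parts))
        if len(parts) != 4:
            raise ValueError(f"not a four-octet pattern: {entry!r}")
        octets = []
        for part in parts:
            if part == "*":
                octets.append("*")
            elif part.isdigit() and int(part) <= 255:
                octets.append(int(part))
            else:
                raise ValueError(f"bad octet {part!r} in {entry!r}")
        patterns.append(tuple(octets))
    return patterns

def is_allowed(ip, patterns):
    """True if the IPv4 address matches any pattern, octet by octet."""
    octets = list(ipaddress.IPv4Address(ip).packed)
    return any(all(p == "*" or p == o for p, o in zip(pattern, octets))
               for pattern in patterns)

def covered_addresses(pattern):
    """Number of distinct addresses one pattern admits (256 per wildcard octet)."""
    return 256 ** pattern.count("*")

if __name__ == "__main__":
    # Constructed sample: loopback, the LAN, and one fixed remote address.
    exact = parse_allow_list("127.0.0.1, 192.168.0.*, 203.0.113.7")
    print(is_allowed("203.0.113.7", exact))    # remote player, original address
    print(is_allowed("203.0.113.90", exact))   # same ISP, new lease
    for text in ("203.0.113.*", "203.0.*"):
        pattern = parse_allow_list(text)[0]
        print(text, covered_addresses(pattern), is_allowed("203.0.113.90", [pattern]))
```

Each widening that lets the remote player's new lease back in also admits every other host in that range, which is why the thread pairs wildcards with the user/password setting.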

  5. #5
    Senior Member pallfreeman's Avatar
    Join Date
    Apr 2010
    Location
    Squeezebox Graveyard
    Posts
    500
    Quote Originally Posted by staresy View Post
    Is that a reasonable assumption? If not what are my other options...?
    It's a reasonable assumption, although it will allow about 250 other people to connect.

    SBS tells me that Block Incoming Connections only applies to HTTP and CLI connections. It may not work for players, only for browsers. It only seems to want addresses, and not names.

    If it works with names, you could register the remote player with a DDNS provider.
    Don't push your love too far
    Your wounds won't leave a scar
    Right now is where you are
    In a broken dream.

  6. #6
    OK my cunning plan didn't work as the ISP seems to allocate completely random public ip addresses.

    So, after a bit of reading it seems that SSH might be the way to go but I haven't got a clue how to set this up or, indeed, if it is possible with my set up. Can anyone offer any advice here?

    My setup is:

    - remote SB3, no PC, just connected to a wireless router and the internet
    - dynamic public IP address on this router
    - at home, Windows Home Server running SC, connected to router and internet
    - again, dynamic IP at this end

    If this isn't possible, what are the worst consequences of leaving the two ports for remote access unprotected?

    Thanks for your help.
    DrS

  7. #7
    Senior Member pallfreeman's Avatar
    Join Date
    Apr 2010
    Location
    Squeezebox Graveyard
    Posts
    500
    Your ISP is assigning a random address. At both ends. Without some third party to keep track of these addresses, neither end of your setup knows which address to use to get to the other.

    Dynamic DNS solves these problems to some extent. Check if your DSL routers have the ability to register with a Dynamic DNS provider. You might be able to get hold of some little utility to do this from your PC, but it's the other end which really needs it.

    I'm not sure why you think SSH can help. Surely it would have the same problem, not knowing the addresses, as SBS has?

    Probably, though, the worst that could happen is that someone who knows what you're up to could get access to your SBS and loudly play you Merzbow's greatest hits.
    Don't push your love too far
    Your wounds won't leave a scar
    Right now is where you are
    In a broken dream.

  8. #8
    Senior Member Mnyb's Avatar
    Join Date
    Feb 2006
    Location
    Västerås Sweden
    Posts
    16,525
    I think he intends to use SSH for security, the built in security in SBS is not very good.

    On occasion I stream remotely, but I'm closing the router ports after I'm done and turn off the server.
    the beauty of router fw that lets you boot things from the internet, turn off is done by the server's normal web-UI

    I have nothing but music on my server, no personal information that matters not even pictures.
    so security is no concern, if the mob installs a warez website on it I can throw it into a lake and build a new one :-) and restore my music from the backups.
    --------------------------------------------------------------------
    Main hifi: Rasbery PI digi+ MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3 sub.
    Bedroom/Office: Boom
    Loggia: Raspi hifiberry dac + Adams
    Bathroom : Radio (with battery)
    iPad with iPengHD & SqueezePad
    (spares Touch, SB3, reciever ,controller )
    server Intel NUC Esxi VM Linux mint 18 LMS 7.9.2

    http://people.xiph.org/~xiphmont/demo/neil-young.html

  9. #9
    pski
    Guest
    Quote Originally Posted by pallfreeman View Post
    It's a reasonable assumption, although it will allow about 250 other people to connect.

    SBS tells me that Block Incoming Connections only applies to HTTP and CLI connections. It may not work for players, only for browsers. It only seems to want addresses, and not names.

    If it works with names, you could register the remote player with a DDNS provider.
    Block does prevent/allow player connections.

  10. #10
    pski
    Guest
    Quote Originally Posted by staresy View Post
    OK my cunning plan didn't work as the ISP seems to allocate completely random public ip addresses.

    So, after a bit of reading it seems that SSH might be the way to go but I haven't got a clue how to set this up or, indeed, if it is possible with my set up. Can anyone offer any advice here?

    My setup is:

    - remote SB3, no PC, just connected to a wireless router and the internet
    - dynamic public IP address on this router
    - at home, Windows Home Server running SC, connected to router and internet
    - again, dynamic IP at this end

    If this isn't possible, what are the worst consequences of leaving the two ports for remote access unprotected?

    Thanks for your help.
    DrS
    You would at least want to enable the user/password feature. As I typed earlier, you would do better to enable remote access to your WHS and install a notifier on each end. That way, you would always know the IPs at each end and you would be able to access the settings of the webUI to get to the list of allowed addresses. This way, you would also be able to completely disable remote access by remotely using the web browser on your WHS machine to change the router settings.

    Note that the "default" port for RDP is 3389. When you make your router rule, you can 'redirect' that:

    For example direct port 5557 <any "wild" number will do> to port 3389 on your WHS. This will keep people who snoop your address on port 3389 from getting a "logon" from RDP. Then on the remote machine, you direct RDP to connect to

    xxx.yyy.zzz.aaa:5557

    Your router follows the rule and sends the traffic to your WHS and you're in.

    SSH <google putty for the windows version> would be more secure but you will still have to know the addresses...
    P
