Discussion:
[slim] IMPORTANT: Stop forwarding your LMS ports to the internet!
mherger
2017-03-22 15:12:16 UTC
Permalink
I do understand that many like to be able to access their music while on
the road, at work, away from home. But please do NOT configure your
router to forward those ports to the internet. While this is easy to do,
it's dangerous. LMS was not designed to be used this way. Any user out
there (incl. me and your neighbor's kids you hate so much) could access
your LMS and do all kinds of things.

- blast crazy stupid music at full volume in the middle of the night.
And then again five minutes after you turned it off. Repeat.
- install the Gallery plugin and have it scan all the folders on all
your disks, causing a crash sooner or later
- install any plugin they want, including their own development, doing
things we don't even know about

On systems where LMS is running as root/admin the last one is
particularly dangerous. We have evidence of these kinds of "attacks"
almost on a daily basis now. See various threads in this forum.

Now you might think "who would be interested in finding my IP address
and port used?". Your neighbor's kid. Or some bored soul seeking some
kick. Because it's easy. There are search engines that list your computer
and port. No need to figure this one out yourself. And then have some
fun. NOT!

So please: review your router's settings. Block those ports. Install a
VPN if you need access to your music.



Michael

http://www.herger.net/slim-plugins - MusicArtistInfo, MusicInfoSCR
------------------------------------------------------------------------
mherger's Profile: http://forums.slimdevices.com/member.php?userid=50
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
pinkdot
2017-03-22 16:08:17 UTC
Permalink
Maybe the wiki should be changed accordingly?
http://wiki.slimdevices.com/index.php/Connecting_remotely



-Synology nas DS115 - ('LmsUpdate'
(http://forums.slimdevices.com/showthread.php?103636-Test-Repo-for-LMS-7-9-0-on-Synology-DSM-5-*&p=817970&viewfull=1#post817970))
-RPI 2 ('Moode 3.1' (http://moodeaudio.org/)), IQaudIO Pi-DAC PRO -
Exposure 3010S2 - PMC GB1i
-2x Radio
-Laptop - openSUSE Leap - LMS/Squeezelite
------------------------------------------------------------------------
pinkdot's Profile: http://forums.slimdevices.com/member.php?userid=34644
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
drmatt
2017-03-22 23:23:53 UTC
Permalink
Wait till they enforce ipv6, then there will be none.



--
Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with
Debian+LMS 7.9.0
Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k
albums..
------------------------------------------------------------------------
drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Julf
2017-03-23 09:04:37 UTC
Permalink
drmatt wrote:
> Wait till they enforce ipv6, then there will be none.

Not sure IPv6 will change anything. Yes, a linear scanning of the
address space is not feasible, but scanning routing tables is.



"To try to judge the real from the false will always be hard. In this
fast-growing art of 'high fidelity' the quackery will bear a solid gilt
edge that will fool many people" - Paul W Klipsch, 1953
------------------------------------------------------------------------
Julf's Profile: http://forums.slimdevices.com/member.php?userid=42050
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Jeff07971
2017-03-22 23:22:31 UTC
Permalink
mherger wrote:
> I do understand that many like to be able to access their music while on
> the road, at work, away from home. But please do NOT configure your
> router to forward those ports to the internet. While this is easy to do,
> it's dangerous. LMS was not designed to be used this way. Any user out
> there (incl. me and your neighbor's kids you hate so much) could access
> your LMS and do all kinds of things.
>
> - blast crazy stupid music at full volume in the middle of the night.
> And then again five minutes after you turned it off. Repeat.
> - install the Gallery plugin and have it scann all your folder of all
> your disks, causing a crash sooner or later
> - install any plugin they want, including their own development, doing
> things we don't even know about
>
> On systems where LMS is running as root/admin the last one is
> particularly dangerous. We have evidence of these kinds of "attacks"
> almost on a daily basis now. See various threads in this forum.
>
> Now you might think "who would be interested in finding my IP address
> and port used?". Your neighbor's kid. Or some bored soul seeking some
> kick. Because it's easy. There are search engines who list your computer
> and port. No need to figure this one out yourself. And the have some
> fun. NOT!
>
> So please: review your router's settings. Block those ports. Install a
> VPN if you need access to your music.

+1 !!!!!!!!!!!

I found 4,342 mainly insecure worldwide instances with extreme ease



*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezePlayer,PiCorePlayer
x3,Wandboard
*Server:* LMS Version: 7.9.0 - 1475786002 on Centos 7 VM on ESXi 6 on
Dell T320
*Plugins:* AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud
*Remotes:* iPeng8/Orangesqueeze/PC/Jivelite
*Music:* 383GB,1269 albums 17756 songs 4381 artists mostly FLACs

*Want a webapp ?* See
http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS
------------------------------------------------------------------------
Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
drmatt
2017-03-23 11:42:47 UTC
Permalink
Just because no-one knows how ipv6 works.. :)



Julf
2017-03-23 11:47:33 UTC
Permalink
drmatt wrote:
> Just because no-one knows how ipv6 works.. :)

:)

Mnyb
2017-03-24 08:11:42 UTC
Permalink
Is it possible to limit LMS to the local subnet via programming, but
have it working via a correctly set up VPN?

It seems to be a support issue now :/

Wonder why some hacker finds this funny?

It was that thread on the forum where someone actively asked for open
IPs and wanted to share? Wonder if that one was a cheapskate or a
troll?
That guy got p*** off when mherger told him exactly how bad this idea
is? Sort of guy that can do this?

More risks: someone can actively listen with your accounts on Spotify and
your other services.
Adds his players to your mysb.com account via LMS; it does that
automatically.
Messes up your stats and scrobbling.



--------------------------------------------------------------------
Main hifi: Touch + CIA PS +MeridianG68J MeridianHD621 MeridianG98DH 2 x
MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3
sub.
Bedroom/Office: Boom
Kitchen: Touch + powered Fostex PM0.4
Misc use: Radio (with battery)
iPad1 with iPengHD & SqueezePad
(spares Touch, SB3, reciever ,controller )
server HP proliant micro server N36L with ClearOS Linux

http://people.xiph.org/~xiphmont/demo/neil-young.html
------------------------------------------------------------------------
Mnyb's Profile: http://forums.slimdevices.com/member.php?userid=4143
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
bobertuk
2017-03-24 08:48:47 UTC
Permalink
Hi Michael,

Thank you for reminding me. I had forwarded 4 or 5 ports to trial
accessing various things on my server remotely. It didn't work the way
I wanted so I abandoned the trial but of course forgot to delete the
port forwarding. They are removed now though 😄

Thank you



1 x Touch
1 x Radio
1 x Boom
1 x Cubox-i4 Pro SoA
1 X Odroid-XU4 as main server and player running LMS 7.9
Lavry DA-10 DAC
HP PC as secondary server running LMS 7.9
Starfish Pre-amp : Based on NAIM
Heavily modified NAIM NAP 250 Power-amp
Behringer DEQ2496
Linn Isobarik DMS
------------------------------------------------------------------------
bobertuk's Profile: http://forums.slimdevices.com/member.php?userid=30376
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Michael Herger
2017-03-24 09:11:30 UTC
Permalink
> Is it possible to limit LMS to the local subnet via programming , but
> have it working via a correctly setup VPN ?

If using a VPN you should be fine already. If you feel like tinkering,
check out Settings/Advanced/Security.

> Wonder why some hacker finds this funny ?

Never picked up the phone book to call a random number as a kid?

> More risks someone can actively listen with your accounts on Spotify and
> your other services.
> Ads his players to your mysb.com account via LMS it does that
> automatically .
> Mess up your stats and scrobbling.

Or implement the plugin which will wipe your system. Or encrypt your data.

--

Michael
Mnyb
2017-03-24 09:39:44 UTC
Permalink
mherger wrote:
> > Is it possible to limit LMS to the local subnet via programming , but
> > have it working via a correctly setup VPN ?
>
> If using a VPN you should be fine already. If you feel like tinkering,
> check out Settings/Advanced/Security.
>
> > Wonder why some hacker finds this funny ?
>
> Never picked up the phone book to call a random number as a kid?
>
> > More risks someone can actively listen with your accounts on Spotify
> and
> > your other services.
> > Ads his players to your mysb.com account via LMS it does that
> > automatically .
> > Mess up your stats and scrobbling.
>
> Or implement the plugin which will wipe your system. Or encrypt your
> data.
>
> --
>
> Michael

Oh, on OpenVPN already; just an idea to not make it so easy to just open
the ports like apparently >5000 people are doing already?
If the next upgrade just blocks this and they have to search for info ....

Ransomware as an LMS plugin :)

My LMS machine is only that, another safety measure. It's not running
on my daily use computer, no other personal info on it than the LMS settings,
no documents, no mail.
So I can just delete that VM and reinstall.

And the NAS that keeps the music files is another VM from the NAS that
has my personal backup. So I can delete that one too, but the music
share is mounted read only and no executing of files to the LMS
machine..
Music is backed up on USB drives.



doctor_big
2017-03-29 12:54:36 UTC
Permalink
Done. Thanks for the heads-up, Michael.

Interestingly, over the past few months LMS has randomly stopped, with
no info in the logs and only "possible software conflict" in the
diagnostics tray.

Been running and playing on DSTM for three days now without a stoppage.
Could this be related?

Jason


------------------------------------------------------------------------
doctor_big's Profile: http://forums.slimdevices.com/member.php?userid=15196
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
sfraser
2017-03-30 13:42:29 UTC
Permalink
There are some real A-holes out there. I work for a router vendor, and
we have non-firewalled internet access in our lab. From time to time
we turn it up for deep packet inspection testing; within 30 seconds of
turning it up we get pounded with attacks.



2 CHAN. SYSTEM
SB3->Benchmark DAC-1-> Bryston(BP-25,3B)->PMC TB2
HOME THEATER SYSTEM
SB2-> Bryston(SP1,4B,4B,2B,2B)-> PSB Stratus Goldi
BASEMENT SYSTEM
Duet-> Parasound Preamp (carver M1.0t) ->Klipsch La Scala's
BEDROOM SYSTEM
SB2-> Sony BoomBox
REAR DECK/PATIO
Duet-> Yamaha Reciever-> PSB Mini's,
OFFICE
Squeezebox Boom
KITCHEN
Squeeze Radio
ENSUITE
Squeeze Radio
------------------------------------------------------------------------
sfraser's Profile: http://forums.slimdevices.com/member.php?userid=2026
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
oyvindo
2017-04-01 19:38:19 UTC
Permalink
At least, if you really wish to have remote access to LMS, add a strong
password to log on. This is probably not extremely difficult to hack for
someone who knows how. I guess LMS logon exchanges user name+password in
clear text?
Nevertheless, it's better than nothing.
The downside is that there are several client apps out there that don't
support password logon....



QNAP TS-453Mini 4x3TB RAID5 QTS 4.2.4
LMS 7.9.0 running in Docker
Madsonic 6.2 running in Docker
Plex running in Docker

QNAP HS-251 2x2TB RAID0, QTS 4.2.4
Kodi 16.1 Jarvis

QNAP TS-119 1TB Single, QTS 4.2.4
Retired
------------------------------------------------------------------------
oyvindo's Profile: http://forums.slimdevices.com/member.php?userid=19302
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Mnyb
2017-04-01 19:54:51 UTC
Permalink
oyvindo wrote:
> At least - if you really wish to have remote access to LMS, add a strong
> password to log on. This is probably not extremely difficult to hack for
> someone that knows how. I guess LMS logon exchange user name+password in
> clear text?
> Nevertheless, it's better than nothing.
> The downside is that there are several client apps out there that don't
> support password logon....

Yes, clear text and not hard to hack.

But social engineering is also a thing; people reuse passwords even if
you should not, it's very very likely that someone uses the same
passwords as they always do.



pippin
2017-04-02 09:48:41 UTC
Permalink
And that's an especially bad idea in this case because it's so easy to
log the clear-text username and password from LMS...



---
learn more about iPeng, the iPhone and iPad remote for the Squeezebox
and
Logitech UE Smart Radio as well as iPeng Party, the free Party-App,
at penguinlovesmusic.com
*New: iPeng 9, the Universal App for iPhone, iPad and Apple Watch*
------------------------------------------------------------------------
pippin's Profile: http://forums.slimdevices.com/member.php?userid=13777
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Squeezemenicely
2017-04-02 10:21:20 UTC
Permalink
I had that problem, where my music player suddenly went wild in the
middle of the night; I had forwarded my LMS ports to the internet. Now I
use VPN and no problems at all anymore.
Shame, it was practical to use LMS on the road that way, but simply too
unsafe.

Absolutely block those ports, this sort of thing does happen!



LMS 7.9.0 - 1470391720 on Pi2 (Max2play)
Synology DS-414 NAS
Squeezebox Touch, Squeezebox Boom, Squeezebox Radio, HifiBerry
PicorePlayer
Schiit - BIFROST AKM 4490 Dac
Spotify Premium
------------------------------------------------------------------------
Squeezemenicely's Profile: http://forums.slimdevices.com/member.php?userid=41812
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
drmatt
2017-04-02 10:43:09 UTC
Permalink
I wonder if anyone has searched the darkwebs for LMS attacks..? There
are probably "slurp all the music and set some annoying alarms" scripts
out there.



oyvindo
2017-04-02 11:40:04 UTC
Permalink
You don't need a script for that. All you need is the IP.



drmatt
2017-04-02 15:15:05 UTC
Permalink
You do, you know the control protocol. The script kiddies know nothing,
they just run scripts.



SamS
2017-04-19 01:41:01 UTC
Permalink
I've been doing this for years (mainly for iPeng playback), with no ill
effects. I was using a strong password. However, reading the
recommendations, I just turned it off. Exactly how is a plain-text
password compromised in this scenario?

I get the same functionality by installing the Plex iOS app, and my
lifetime Plexpass subscription.


------------------------------------------------------------------------
SamS's Profile: http://forums.slimdevices.com/member.php?userid=9261
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Mnyb
2017-04-19 04:08:28 UTC
Permalink
SamS wrote:
> I've been doing this for years (mainly for iPeng playback), with no ill
> effects. I was using strong password. However, reading the
> recommendations, I just turned it off. Exactly how is an plain-text
> password compromised in this scenario?
>
> I get the same functionality by installing the Plex iOS app, and my
> lifetime Plexpass subscription.

Exactly as I said, it's sent as plain text from, for example, a browser on
your phone to your server. To be intercepted by who knows.
And the security in LMS is not the strongest kind anyhow...



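SamS asked how a plain-text password actually gets compromised. The Python below is an added example, not code from this thread or from LMS: it plays the role of an on-path observer (shared Wi-Fi, a compromised router, the ISP) reading what the web interface on port 9000 and the CLI on port 3483 send when a password is configured. It assumes the web UI uses HTTP Basic authentication and that the CLI accepts a `login <user> <password>` command, both unencrypted; the captured payloads, the host address, the user name `squeezebox` and the password are constructed for the example.

```python
"""Added example (not code from the thread or from LMS): what an on-path
observer recovers from unencrypted LMS traffic.

Assumptions, stated as such: the web UI on port 9000 authenticates with
HTTP Basic when a password is set, and the CLI on port 3483 accepts
``login <user> <password>``. Both carry the password unencrypted. The
payloads, host, user name and password below are constructed for the example.
"""
import base64
import re
from typing import List, Tuple

# Constructed credential used to build the sample capture.
_USER, _PASSWORD = "squeezebox", "SuperS3cr3t!"
_BASIC_TOKEN = base64.b64encode(f"{_USER}:{_PASSWORD}".encode()).decode()

# Constructed TCP payloads, as they would appear to anyone on the path
# (a shared Wi-Fi network, a compromised router, the ISP).
SAMPLE_PAYLOADS: List[bytes] = [
    # Web UI request to port 9000 with HTTP Basic auth.
    (
        "GET /status.html HTTP/1.1\r\n"
        "Host: 203.0.113.10:9000\r\n"
        f"Authorization: Basic {_BASIC_TOKEN}\r\n"
        "\r\n"
    ).encode(),
    # CLI session on port 3483: the login command carries the password verbatim.
    b"login squeezebox SuperS3cr3t!\n",
    # Plain control command; nothing to harvest here.
    b"00:04:20:aa:bb:cc mixer volume 100\n",
]

_BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                       re.MULTILINE | re.IGNORECASE)
_CLI_LOGIN_RE = re.compile(rb"^login\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)


def extract_credentials(payloads: List[bytes]) -> List[Tuple[str, str, str]]:
    """Return (protocol, user, password) for every credential in the capture."""
    found: List[Tuple[str, str, str]] = []
    for data in payloads:
        # HTTP Basic: base64 is an encoding, not encryption; one decode away.
        for match in _BASIC_RE.finditer(data):
            try:
                decoded = base64.b64decode(match.group(1), validate=True)
            except ValueError:
                continue                      # not valid base64, skip it
            user, sep, password = decoded.partition(b":")
            if sep:
                found.append(("http-basic",
                              user.decode("utf-8", "replace"),
                              password.decode("utf-8", "replace")))
        # CLI login: the password is literally on the wire.
        for match in _CLI_LOGIN_RE.finditer(data):
            found.append(("cli-login",
                          match.group(1).decode("utf-8", "replace"),
                          match.group(2).decode("utf-8", "replace")))
    return found


if __name__ == "__main__":
    for proto, user, password in extract_credentials(SAMPLE_PAYLOADS):
        print(f"{proto}: user={user!r} password={password!r}")
```

Nothing in either exchange is secret to the network between the phone and the server, and Mnyb's point about password reuse is why this matters beyond LMS. A VPN wraps the whole session, so an observer like this one sees only ciphertext.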
jo-wie
2017-04-25 20:37:50 UTC
Permalink
Please do not ALL disable it, I need some bad examples for security
awareness trainings. (Sorry, only kidding)

Attachment: LMS_Scan.JPG (http://forums.slimdevices.com/attachment.php?attachmentid=22593)


2 * Classic, 2 * Boom, piCorePlayer on Raspberry PI II B with HifiBerry
attached to Objective 2 ( Head 'n' HiFi KIT) with Beyerdynamic DT880,
LMS 7.9 on Odroid U3 with Max2Play, 500GB USB HD, controlled by
Squeezepad or iPeng on iPad and Orange Squeezepad on Nexus 5x, CD ->
FLAC = dbpoweramp, Router AVM Fritz 7490

last.fm/user/jo-wie
------------------------------------------------------------------------
jo-wie's Profile: http://forums.slimdevices.com/member.php?userid=17952
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Michael Herger
2017-04-26 04:59:20 UTC
Permalink
> Please do not ALL disable it, I need some bad examples for security
> awareness trainings. (Sorry, only kidding)

Are you searching for LMS? Ugh... that's even worse than Squeezebox...

--

Michael
jo-wie
2017-04-26 05:48:01 UTC
Permalink
mherger wrote:
> > Please do not ALL disable it, I need some bad examples for security
> > awareness trainings. (Sorry, only kidding)
>
> Are you searching for LMS? Ugh... that's even worse than Squeezebox...
>
> --
>
> Michael

The interesting point is that I have the feeling that the number was
falling the last months but now is rising again. I was really using it
as a bad example for trainings and so I looked at it several times. But
maybe the search engine simply found more because it was scanning
further areas.



Michael Herger
2017-04-26 10:03:17 UTC
Permalink
> The interesting point is, that I have the feeling that the number was
> falling the last months but now is raising again.

Interesting indeed: I've been monitoring "squeezebox" rather than LMS.
But numbers seemed to grow in the past weeks, and significantly dropped
over the past few days (-15%).

I was wondering how I should handle this situation. These users have a
serious security issue they should know about. But am I allowed to
"hack" their system in order to protect themselves from the bad hacker?

--

Michael
Jeff07971
2017-04-26 10:26:51 UTC
Permalink
mherger wrote:
> > The interesting point is, that I have the feeling that the number was
> > falling the last months but now is raising again.
>
> Interesting indeed: I've been monitoring "squeezebox" rather than LMS.
> But numbers seemed to grow in the past weeks, and significantly dropped
> over the past few days (-15%).
>
> I was wondering how I should handle this situation. These users have a
> serious security issue they should know about. But am I allowed to
> "hack" their system in order to protect themselves from the bad hacker?
>
> --
>
> Michael

I'm afraid the simple answer is NO, it would be extremely unwise!! If
you "hacked" (not sure if that's even the right term as these systems are
wide open) I'm very sure it would be seen as illegal in many countries.

A large and sticky warning on the home page of the forums would be
wiser.

Whilst the situation is quite serious I see nothing that can really be
done about it; if the "hacks" are just waking people up at obscene hours,
hopefully a message in the forums will get more attention.

I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the
list of open LMSs, meaning people update (or it is done automatically), so a
software change may work to help.
I was thinking that not responding (unless specifically allowed) to the
router address (or gateway) may work. That way those that use VPN can
turn it on but those who forward ports will have to come to the forum to
ask why their forwarding no longer works.

Edit: Nothing much can be done about the 7.7.5s

Jeff



Jeff07971
2017-04-26 10:36:47 UTC
Permalink
Hi Michael

Another idea !

Use a list generated by THAT search engine to grab a list of open LMSs
and automatically send a command to turn all players on and stream a file
from Logitech saying something like "This system is compromised, please
see article on forum" repeatedly until stopped.

This idea is more aggressive and would need to be run by legal but may
have a better effect

Jeff



Paul Webster
2017-04-26 12:10:51 UTC
Permalink
You could change LMS to require a password if the IP address is not
local and have a maximum number of password attempts before suspending
such access for X hours - and a setting to disable all of this for
someone who really insists on taking the risk.
At least those users who have auto-update enabled would have a bit
better protection.



Paul Webster
http://dabdig.blogspot.com
------------------------------------------------------------------------
Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Michael Herger
2017-04-26 12:31:19 UTC
Permalink
> You could change LMS to require a password if the IP address is not
> local and have a maximum number of password attempts before suspending
> such access for X hours - and a setting to disable all of this for
> someone who really insists on taking the risk.

I can't change the users' LMS. And as said before: most of those
installation aren't up to date, therefore unlikely to see a change in a
new build.

--

Michael
Paul Webster
2017-04-26 12:59:45 UTC
Permalink
mherger wrote:
>
> I can't change the users' LMS. And as said before: most of those
> installation aren't up to date, therefore unlikely to see a change in a
>
> new build.
>
I wasn't suggesting directly changing their systems - but them receiving
updates (if they have automatic update enabled).
If they are very old and not auto-updating then clearly it won't help
them.
However, such a change (or even better ones) would help protect those
who do install new versions in the future.



drmatt
2017-04-26 13:12:48 UTC
Permalink
If you can identify their mysb accounts then you could insert a message
on their login banner?

StephenC
2017-05-18 15:20:59 UTC
Permalink
I've been running LMS, open to the Internet, for years. Never had an
issue (of which I'm aware, anyway). Until a few weeks ago. Bizarre
alarms in the middle of the night, across a few different players. Then,
1am yesterday, multiple players firing up at full volume. A couple of
these aren't local, and the users were far from impressed.

To avoid the complication of VPN, or passwords (the remote users are
very technologically challenged), is the IP filtering within LMS
considered 'acceptable'? The remote users are all on semi-static IPs
(Virgin Media - IP addresses seem to persist for years, even through
router reboots):

Thanks a lot.

Stephen.


Attachment: Untitled.png (http://forums.slimdevices.com/attachment.php?attachmentid=22714)

------------------------------------------------------------------------
StephenC's Profile: http://forums.slimdevices.com/member.php?userid=63278
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Michael Herger
2017-05-18 16:00:37 UTC
Permalink
> To avoid the complication of VPN, or passwords (the remote users are
> very technologically challenged), is the IP filtering within LMS
> considered 'acceptable'? The remote users are all on semi-static IPs

TBH: I don't know what IP address your LMS would see in this case. Give
it a try and let us know.

But then I'd really not expose LMS to the internet. I just wouldn't.

--

Michael
drmatt
2017-05-18 16:12:21 UTC
Permalink
On Linux I would suggest iptables.

StephenC
2017-05-18 16:59:08 UTC
Permalink
mherger wrote:
>
> TBH: I don't know what IP address your LMS would see in this case. Give
>
> it a try and let us know.
>
> But then I'd really not expose LMS to the internet. I just wouldn't.
>
> --
>
> Michael

I used to use this function, and everything worked fine. I changed it
only because one user was astonishingly technophobic, whilst at the same
time entirely addicted to BBC iPlayer on the Squeezebox. Their solution
to pretty much every problem in the house was to switch off the router,
and leave it for an hour before turning it on again (I kid you not -
even if their Humax DVR had crashed!) It was an ADSL connection, so the
IP changed regularly. They no longer use Squeezebox, having switched to
a Roberts Stream 93i.

I really would rather not have to implement a VPN client from the remote
user ends, but it might come to that.

But, I'll see how things go with the switch to IP whitelisting, and
maybe also set up some IPTables entries...

Thanks a lot.

Stephen


------------------------------------------------------------------------
StephenC's Profile: http://forums.slimdevices.com/member.php?userid=63278
StephenC
2017-05-18 18:42:04 UTC
mherger wrote:
>
>
> ... Give it a try and let us know.
>
> ...
>

I gave it a try, and all was fine, except...

*Spotify Protocol Handler* - Booms and SB3s reported *'Bad Player
(Error: -1)'* when I tried to play Spotify tracks. Touches and Radios
were fine.

So, I changed back to 'Do Not Block' (even though the whitelist was
correct, and external Radios were fine with Spotify) and then the Booms
and SB3s were ok again.

Oddly, once the affected players had successfully played Spotify tracks,
re-enabling the 'Block' didn't affect them - they remained working. But,
only until a restart of LMS, when they stopped again.

Have now left the setting as 'Do Not Block', and set some IPTables rules
to achieve the same (probably much better!) security.

Hope this helps someone, some time.

Cheers.

Stephen.


------------------------------------------------------------------------
StephenC's Profile: http://forums.slimdevices.com/member.php?userid=63278
Peter Galbavy
2017-05-25 12:28:40 UTC
At the moment I do have ports 3483 and 9000 open but with a password.
However there is still passwordless access available to support older SB
units (like the SB3 on my desk at work).

Perhaps one step in the right direction to help those of us who run
exposed services would be to add an option to not allow "legacy"
password-less access and make that the default on install? Then, if we
choose to knowingly connect older hardware we have to make a choice to
allow this access?


------------------------------------------------------------------------
Peter Galbavy's Profile: http://forums.slimdevices.com/member.php?userid=32718
Hip-Priest
2017-07-17 10:25:48 UTC
OK - so now that I am completely locked out of LMS, can any one tell a
non-techie how to get into it so that I can disable the password? I am
running LMS on a Synology Diskstation, with a SBTouch as my player. I
have closed the ports on my router, but I still get the password screen
when I try to log in via a Mac or iPeng on an iPhone.


------------------------------------------------------------------------
Hip-Priest's Profile: http://forums.slimdevices.com/member.php?userid=65855
Michael Herger
2017-07-20 06:17:10 UTC
> OK - so now that I am completely locked out of LMS, can any one tell a
> non-techie how to get into it so that I can disable the password? I am
> running LMS on a Synology Diskstation, with a SBTouch as my player. I
> have closed the ports on my router, but I still get the password screen
> when I try to log in via a Mac or iPeng on an iPhone.

You'll have to shut down LMS, and edit its server.prefs file. Where
exactly that file is stored you'd better ask in a Synology-specific
thread. There are prefs for authorize and username. Remove those lines
and restart LMS.

--

Michael
jimzak
2017-07-23 19:09:47 UTC
Quick somewhat OT question.

Are other music servers such as Younity, Subsonic, Plex also as easily
susceptible to attack?

I currently have SB for internal use and Plex for external use.



http://zzzone.net
http://have-a-nice-day.org
http://www.last.fm/user/zzzoneDOTnet
http://somethingsomethingsomething.net

SBS 7.9 - i7 nuc - Win 10 64bit
5 Booms, 2 Radio, 3 Touch, 1 Duet, 5 piCorePlayers including 3
touchscreen, 1 Avy
2 controllers, various tablets/phones
Apps including iPeng, Squeeze Ctrl etc.
'Library' (http://zzzone.net/photo/2009/music1.jpg): 349,000+ FLAC/MP3
files - 12 TB HD
------------------------------------------------------------------------
jimzak's Profile: http://forums.slimdevices.com/member.php?userid=17592
d6jg
2017-07-23 19:14:11 UTC
Anything that is open to the internet must be considered a risk.
You need to check the forums for Plex etc as general advice won't be
good enough. My understanding of subsonic is that it was designed for
remote streaming but I'd still check.
The best solution is a VPN (not pptp) with solid credentials.



*Pi3 with piCoreplayer music on QNAP TS419p via NFS*
iThingys/iPeng/Tablets/Jogglers
*Living Room* - Joggler & SB3 -> Onkyo TS606 - > Celestion Ditton F20s
*Office* - Pi -> Sony TA FE320 -> Celestion F10s / Pi & SB3 -> Onkyo CRN
755 -> Wharfedale Modus Cubes
*Dining Room* -> SB Boom *Kitchen* -> UE Radio (upgraded to SB Radio)
*Bedroom (Bedside)* - SB Touch -> Topping TP21 -> AKG Headphones
------------------------------------------------------------------------
d6jg's Profile: http://forums.slimdevices.com/member.php?userid=44051
Nonreality
2017-10-18 18:02:23 UTC
Paul Webster wrote:
> You could change LMS to require a password if the IP address is not
> local and have a maximum number of password attempts before suspending
> such access for X hours - and a setting to disable all of this for
> someone who really insists on taking the risk.
> At least those users who have auto-update enabled would have a bit
> better protection.

So am I understanding that I should not have auto updates turned on in
LMS?

Sent from my SM-G955U using Tapatalk



-IF THE RULE YOU FOLLOWED BROUGHT YOU TO THIS, OF WHAT USE IS THE RULE.-

HTTP://www.last.fm/user/nonreality
------------------------------------------------------------------------
Nonreality's Profile: http://forums.slimdevices.com/member.php?userid=15723
Paul Webster
2017-10-18 18:05:36 UTC
Nonreality wrote:
> So am I understanding that I should not have auto updates turned on in
> LMS?
>

No. The logic was that if an update was made to close the hole in LMS
then those with updates enabled would get it.
However, the world is not that simple.



Paul Webster
http://dabdig.blogspot.com
------------------------------------------------------------------------
Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
tom6475
2017-11-22 17:41:57 UTC
Hello

After your warning (this post), I'm quite sure I've properly closed the
open ports and also disabled the port forwarding on the internet. But
the issue/hack still happens (actually, I can see this happen because I
get a huge CPU load for many hours while it is scanning the hard drive).

Is there any log where we could see when the hack happens, what the
source IP is, and also which ports were used?

Thanks

Thomas


------------------------------------------------------------------------
tom6475's Profile: http://forums.slimdevices.com/member.php?userid=62635
Jeff07971
2017-11-22 22:20:26 UTC
tom6475 wrote:
> Hello
>
> After your warning (this post), I'm quite sure I've properly closed the
> open ports and also disabled the port forwarding on the internet. But
> the issue/hack still happens (actually, I can see this happen because I
> get a huge CPU load for many hours while it is scanning the hard drive).
>
> Is there any log where we could see when the hack happens, what the
> source IP is, and also which ports were used?
>
> Thanks
>
> Thomas

You could turn "INFO" (or higher) level logging on for HTTPD under
Settings>Advanced>Logging; you'll end up with big logs to grep through.
Alternatively go to "THAT" website and see if your IP address appears.



*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezePlayer,PiCorePlayer
x3,Wandboard
*Server:* LMS Version: 7.9.1 - 1503129892 on Centos 7 VM on ESXi
6.5.0U1 on Dell T320
*Plugins:* AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud
*Remotes:* iPeng8/Orangesqueeze/PC/Jivelite
*Music:* 383GB,1269 albums 17756 songs 4381 artists mostly FLACs

*Want a webapp ?* See
http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS
------------------------------------------------------------------------
Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
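Jeff's answer above amounts to "log every HTTP request and grep for the ones that shouldn't be there". The following is an added example, not code from the thread or from LMS: a small Python script that does that grep programmatically. It flags requests to the settings pages that arrive from an address outside the home LAN and counts them per source. The log lines are constructed and use an assumed "[timestamp] LEVEL source METHOD path" layout; LMS's real HTTPD log format differs, so `LINE_RE` is the part to adapt. The 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for "some address on the internet".

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in an ASSUMED layout, not LMS's real log format.
SAMPLE_LOG = """\
[18-01-12 20:10:01.123] INFO 192.168.1.23 GET /settings/index.html
[18-01-12 20:10:04.456] INFO 203.0.113.77 GET /settings/server/plugins.html
[18-01-12 20:10:05.789] INFO 203.0.113.77 POST /settings/server/plugins.html
[18-01-12 20:11:30.000] INFO 192.168.1.40 GET /jsonrpc.js
[18-01-12 20:12:02.222] INFO 198.51.100.9 GET /settings/index.html
"""

# "[ts] LEVEL ip METHOD path" -- adjust this to whatever your logger actually writes.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\w+\s+(?P<ip>[0-9a-fA-F:.]+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)"
)

# Request paths that change server state (settings, plugin installs live under /settings/).
SENSITIVE_PREFIXES = ("/settings/",)

# Addresses we treat as "inside the house". Explicit RFC 1918 / loopback / ULA / link-local
# lists rather than ipaddress.is_private, so the documentation ranges above count as external.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]


def is_lan(ip: str) -> bool:
    """True if the address falls inside one of the LAN_NETS ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it doesn't match LINE_RE."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def external_settings_hits(log_text: str):
    """Every (ip, method, path, timestamp) where a settings page was requested from outside the LAN."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(SENSITIVE_PREFIXES) and not is_lan(rec["ip"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["ts"]))
    return hits


def top_sources(log_text: str) -> Counter:
    """Count external settings requests per source address."""
    return Counter(hit[0] for hit in external_settings_hits(log_text))


if __name__ == "__main__":
    for ip, n in top_sources(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} settings request(s) from outside the LAN")
    for hit in external_settings_hits(SAMPLE_LOG):
        print("  ", *hit)
```

On the sample input this reports two settings requests from 203.0.113.77 (one of them a POST to the plugins page) and one from 198.51.100.9. Run against a real log, a non-empty result after you believe you closed the port forward is the signal that something is still reachable and worth re-checking on the router.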
Michael Herger
2017-11-23 08:51:22 UTC
> After your warning (this post), I'm quite sure I've properly closed the
> open ports and also disable the port forwarding on the internet. But
> issue/ hack stills happen (Actually, I can see this happen because I've
> got huge CPU load during many hours as it was scanning hard drive).

The huge CPU load and potential crashes often were caused by the Picture
Gallery plugin being installed by the intruders. Make sure you remove it
or at least review its settings if you've been using it. It often was
set up to scan all filesystems - causing the high load and crashes.


--

Michael
bambadoo
2017-11-23 17:21:32 UTC
Another victim here. Couldn't figure out what happened. Crashed
occasionally. High cpu spikes and gallery plugin was installed. Disabled
it and it kept coming back..
This was on a Netgear NAS and it scanned through everything.
Also additional repos were configured.
Music library is around 160000 songs (13400 albums - flac) so it is
quite big.
Disabled port forwarding, uninstalled everything and installed LMS on 3
different machines.
On win2012, raspberry pi2 and again on the LMS. At least everything
works fine internally on my network again. Would love to be able to
bring the music to my cellphone again. Used squeezeplay and squeezer app
on android.

Before this happened I never had any issues.


------------------------------------------------------------------------
bambadoo's Profile: http://forums.slimdevices.com/member.php?userid=65282
Jeff07971
2017-11-23 17:25:32 UTC
bambadoo wrote:
> Another victim here. Couldn't figure out what happened. Crashed
> occasionally. High cpu spikes and gallery plugin was installed. Disabled
> it and it kept coming back..
> This was on a Netgear NAS and it scanned through everything.
> Also additional repos were configured.
> Music library is around 160000 songs (13400 albums - flac) so it is
> quite big.
> Disabled port forwarding, uninstalled everything and installed LMS on 3
> different machines.
> On win2012, raspberry pi2 and again on the LMS. At least everything
> works fine internally on my network again. Would love to be able to
> bring the music to my cellphone again. Used squeezeplay and squeezer app
> on android.
>
> Before this happened I never had any issues.

It sounds like you know what you're doing, so just set up an SSL VPN and
use the OpenVPN app on your phone; it works great.



------------------------------------------------------------------------
Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
bambadoo
2017-12-04 11:21:05 UTC
Yes did that.
Had to do it on a new virtual instance of linux server install. Openvpn.
Everything works out fine.
Gave up on dd-wrt and openvpn server install there. Made it work but the
router became unstable (100%cpu).

Actually a better solution than exposing LMS direct to the internet IMO.


------------------------------------------------------------------------
bambadoo's Profile: http://forums.slimdevices.com/member.php?userid=65282
PasTim
2017-12-06 18:04:34 UTC
I have tested (and occasionally used) LMS remotely on my mobile using an
SSH login with a public/private key arrangement, from mobile and DDNS
(since my IP changes regularly). To enable this I opened port 9 (for
Wake on Wan) and 22 for SSH to my LMS server. I closed the ports after
the test.

Is opening those ports in this way likely to expose me to much risk?



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps. Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.
------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
Michael Herger
2017-12-07 05:02:52 UTC
> Is opening those ports in this way likely to expose me to much risk?

SSH should be fine if it's well configured and maintained.

--

Michael
PasTim
2017-12-07 08:36:36 UTC
mherger wrote:
> > Is opening those ports in this way likely to expose me to much risk?
>
> SSH should be fine if it's well configured and maintained.
>
> --
>
> Michael
Thanks.



------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
Paul Webster
2018-01-11 12:41:32 UTC
I see some LMS changes being made to try to improve this (password
needed to get to settings from outside).
Of course, it will need people to update their LMS to do it but a good
first step.



------------------------------------------------------------------------
Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
Michael Herger
2018-01-11 13:05:03 UTC
> I see some LMS changes being made to try to improve this (password
> needed to get to settings from outside).
> Of course, it will need people to update their LMS to do it but a good
> first step.

That's correct. I was fighting over this myself. But looking at open
systems there obviously are quite a few who do install updates. I might
actually do a release in the near future to push the changes out to
users of the "stable" release, too.

--

Michael
JJZolx
2018-01-12 06:29:36 UTC
How do you require a password if one hasn't been set in the options?


------------------------------------------------------------------------
JJZolx's Profile: http://forums.slimdevices.com/member.php?userid=10
Michael Herger
2018-01-12 07:51:09 UTC
> How do you require a password if one hasn't been set in the options?

You can't. In order to get access to the settings from the outside you'd
have to set a password. Otherwise you'd simply get blocked (http status
403 - "forbidden"), no questions asked.

--

Michael
DJanGo
2018-01-12 12:29:46 UTC
mherger wrote:
> > Is opening those ports in this way likely to expose me to much risk?
>
> SSH should be fine if it's well configured and maintained.
>
> --
>
> Michael

mea culpa Michael,

but that's a little bit too short...

Remember that under a current version of Raspbian, ssh isn't activated
out of the box any more, for security reasons.

It's not a question of a well-configured ssh; it's a matter of strong
passwords for users that could access ssh.

Since I am in charge of the computer stuff in my company and should
know some tricks and basics, I can't say ssh from outside is anywhere
near safe.


------------------------------------------------------------------------
DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
Michael Herger
2018-01-12 14:03:32 UTC
> Since I am in charge of the computer stuff in my company and should
> know some tricks and basics, I can't say ssh from outside is anywhere
> near safe.

We all appreciate your knowledge. But then, please tell Joe Average what
safe method there is to access his network from the outside. If ssh
isn't, then don't even start to type the other three letters starting
with "V".

--

Michael
DJanGo
2018-01-12 16:27:42 UTC
mherger wrote:
> But then, please tell Joe Average what safe method there is to access
> his network from the outside.
> If ssh isn't, then don't even start to type the other three letters
> starting
> with "V".
>
> --
>
> Michael

Hi,

whatever Joe uses, it must be somewhat up to date. And it needs some
minimal security.

Using a VPN or not is a big difference.
Cracker Jimboy needs to crack/hack/social-engineer your VPN settings.
That's a big step for him, unless Joe uses some very old methods for his
VPN.
Simply NATting a VPN port to the world is a bad idea; whatever port
you're NATting, everyone who scans for open ports finds the real service
behind it very soon and very easily.

I don't think any Joe on Linux is using tools like faillock or something
else.
Maybe some are using something like iptables to only allow ssh from
specific IPs.

So what do you expect me to do?
Tell Joe what to do on his 512MB NAS?
Tell Joe don't do it unless you really know what you're doing?


------------------------------------------------------------------------
DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
DJanGo
2018-01-12 16:32:18 UTC
since Michael didn't see edits...

just a not-so-old example
http://www.zdnet.com/article/linux-malware-enslaves-raspberry-pi-to-mine-cryptocurrency/


------------------------------------------------------------------------
DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
slartibartfast
2018-01-12 16:47:26 UTC
DJanGo wrote:
> since Michael didn't see edits...
>
> just a not-so-old example
> http://www.zdnet.com/article/linux-malware-enslaves-raspberry-pi-to-mine-cryptocurrency/

That does target devices with the default password though. You would
normally change it.

Sent from my SM-G900F using Tapatalk




------------------------------------------------------------------------
slartibartfast's Profile: http://forums.slimdevices.com/member.php?userid=35609
DJanGo
2018-01-12 18:14:50 UTC
slartibartfast wrote:
> That does target devices with the default password though. -You- would
> normally change it.

Is -You- Average Joe?
How many additional lines are needed to send not the standard password
but phrases from a dictionary?
The answer is: one additional line of source code.


------------------------------------------------------------------------
DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
Michael Herger
2018-01-12 20:09:17 UTC
> whatever Joe uses, it must be somewhat up to date. And it needs some
> minimal security.

Fully agreed. Up to date and well configured. Then the difference in
terms of ssh vs. VPN isn't what you think.

> Using VPN or not is a big difference.

As is ssh. But again: only if well configured etc. You mention the
"hacking" of Raspis over ssh which was basically just using the default
password. That's stupid. But if your VPN is configured the same stupid
way, then it's no more secure.

> Cracker Jimboy needs to crack/hack/social-engineer your VPN settings.

No more than your ssh setup.

> I don't think any Joe on Linux is using tools like faillock or something
> else.

Unless it's configured by default in your OS (which happened to me, and
I didn't know before being locked out...).

> So what do you expect me to do?

Take a break.

> Tell Joe what to do on his 512MB NAS?
> Tell Joe don't do it unless you really know what you're doing?

Yes.

--

Michael
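The exchange above turns on what "well configured" ssh means in practice: key-only login, no root password login, a bounded number of guesses. As an added example (not from the thread, not from any project), here is a Python script that audits an sshd_config for those settings, applying OpenSSH's documented defaults for keywords that are absent (PasswordAuthentication yes, PubkeyAuthentication yes, MaxAuthTries 6, PermitRootLogin prohibit-password since OpenSSH 7.0). The sample config is constructed and deliberately weak; `Match` blocks and Include files are not handled, which is a simplification of this example, not of sshd.

```python
import re

# Constructed sample sshd_config with the settings people tend to leave at "yes".
SAMPLE_SSHD_CONFIG = """\
# Port forwarded from the router for remote access
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# MaxAuthTries left at its default
X11Forwarding no
"""

# The same file after hardening: key-only, no root login, few retries.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding no
"""

# OpenSSH defaults used when the keyword is missing (sshd_config(5), OpenSSH >= 7.0).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
KV_RE = re.compile(r"^(\S+?)\s*[=\s]\s*(.+)$")


def parse_sshd_config(text: str) -> dict:
    """Map lowercase keyword -> first value. sshd honours the FIRST occurrence of a
    keyword, so later duplicates are ignored here as well. Match blocks are not modelled."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = KV_RE.match(line)
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2).strip())
    return conf


def effective(conf: dict, key: str) -> str:
    """Configured value, or OpenSSH's default when the keyword is absent."""
    return conf.get(key, DEFAULTS.get(key, "")).lower()


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means the checks all pass."""
    conf = parse_sshd_config(text)
    findings = []
    if effective(conf, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing stays possible")
    if effective(conf, "permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows password login as root")
    if effective(conf, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off, so key-only login cannot work")
    tries = effective(conf, "maxauthtries")
    if not tries.isdigit():
        findings.append("MaxAuthTries has a non-numeric value")
    elif int(tries) > 3:
        findings.append(f"MaxAuthTries is {tries}: consider lowering it to 3")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}:", audit(cfg) or ["ok"])
```

With the weak sample the script reports three findings (password authentication on, root login permitted, MaxAuthTries at the default of 6); the hardened sample reports none. This is the concrete difference between the two positions in the thread: with `PasswordAuthentication no` the strength of user passwords stops being the thing an exposed port 22 depends on.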
drmatt
2018-01-12 18:54:34 UTC
Clearly, computers should be licensed only to those who can pass a
test... (and device developers should be forced to use the products they
produce...)

Interested to see how the code can distinguish an external request from
internal though.


-Transcoded from Matt's brain by Tapatalk-



------------------------------------------------------------------------
drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
Michael Herger
2018-01-12 20:16:23 UTC
> Clearly, computers should be licensed only to those who can pass a
> test... (and device developers should be forced to use the products they
> produce...)

Ahm... well, at least for the SB I can assure you, I do use it. But
there clearly are products I've been working on I hardly ever (or never)
use... And this admittedly is a problem for a dev.

> Interested to see how the code can distinguish an external request from
> internal though.

It's not very sophisticated, and not even fully correct: when a request
is coming from the network's default gateway, I'm assuming it's coming
from the outside. I know that this is a rather simplistic approach. But
I thought I'd push it out this way and see whether people run into
issues :-). If they do, then at least they can double check their
network configuration to make sure they really don't open things up.

And then there's that undocumented pref you can set to disable the check
in such an exceptional case.

--

Michael
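Michael describes the external-request check in two sentences: a request whose source address is the default gateway is assumed to come from outside, and then the settings pages are served only to an authenticated client, or refused with 403 when no password exists. The following is an added example, written here and not LMS's own Perl code, that models that decision so the behaviour and its blind spots can be seen in one place. The `disable_external_check` field stands in for the undocumented pref he mentions (its real name is not on the page and is assumed), and using 401 for "challenge for the password" is this model's choice of how to express it in HTTP terms.

```python
from dataclasses import dataclass
from http import HTTPStatus


@dataclass
class ServerState:
    """What the check needs to know about the LMS host (a model, not LMS's own data)."""
    default_gateway: str                  # address the host routes non-local traffic through
    password_set: bool                    # whether a web-UI password has been configured
    disable_external_check: bool = False  # hypothetical escape-hatch pref; name is assumed


def looks_external(source_ip: str, state: ServerState) -> bool:
    """The heuristic from the thread: a request whose source address is the default
    gateway is assumed to have been port-forwarded in from the internet. Any other
    address is treated as a LAN client. Known limitation (also raised in the thread):
    a VPN server that is the gateway makes legitimate VPN clients look external too."""
    if state.disable_external_check:
        return False
    return source_ip == state.default_gateway


def settings_decision(source_ip: str, authenticated: bool, state: ServerState) -> HTTPStatus:
    """Response code for a request to the settings pages:
       - internal client:                          200, served as before
       - external, no password configured:         403, there is nothing to ask for
       - external, password configured, not yet authenticated: 401 challenge
       - external, authenticated:                   200"""
    if not looks_external(source_ip, state):
        return HTTPStatus.OK
    if not state.password_set:
        return HTTPStatus.FORBIDDEN
    return HTTPStatus.OK if authenticated else HTTPStatus.UNAUTHORIZED


def classify(requests, state: ServerState):
    """Run a batch of (source_ip, authenticated) pairs through the check."""
    return [(ip, int(settings_decision(ip, auth, state))) for ip, auth in requests]


if __name__ == "__main__":
    # Constructed addresses: a typical home LAN with the router at .1.
    no_password = ServerState(default_gateway="192.168.1.1", password_set=False)
    with_password = ServerState(default_gateway="192.168.1.1", password_set=True)
    sample = [
        ("192.168.1.23", False),   # laptop on the LAN
        ("192.168.1.1", False),    # forwarded from the internet, or a VPN client via the gateway
        ("192.168.1.1", True),     # same origin, but the client supplied the password
    ]
    print("no password set:", classify(sample, no_password))
    print("password set:   ", classify(sample, with_password))
```

Two things the model makes visible: the check never introduces a password prompt on its own (a server without a password answers 403 to the outside, exactly as Michael says), and the gateway test is a coarse proxy for "came from the internet", so a host whose VPN endpoint sits on the router, or a non-standard routing setup, will trip it and needs the escape hatch rather than a router change.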
Jeff07971
2018-01-12 20:30:16 UTC
mherger wrote:
> > Clearly, computers should be licensed only to those who can pass a
> > test... (and device developers should be forced to use the products
> they
> > produce...)
>
> Ahm... well, at least for the SB I can assure you, I do use it. But
> there clearly are products I've been working on I hardly ever (or never)
>
> use... And this admittedly is a problem for a dev.
>
> > Interested to see how the code can distinguish an external request
> from
> > internal though.
>
> It's not very sophisticated, and not even fully correct: when a request
>
> is coming from the network's default gateway, I'm assuming it's coming
> from the outside. I know that this is a rather simplistic approach. But
>
> I thought I'd push it out this way and see whether people run into
> issues :-). If they do, then at least they can double check their
> network configuration to make sure they really don't open things up.
>
> And then there's that undocumented pref you can set to disable the check
>
> in such an exceptional case.
>
> --
>
> Michael

This unfortunately might be a very common problem as a VPN server is
often the GW (Mine is both, IPSEC and SSL)



*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezeLiteX,PiCorePlayer
x3,Wandboard
*Server:* LMS Version: Latest Nightly on Centos 7 VM on ESXi 6.5.0U1 on
Dell T320
*Plugins:*
AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud/Spotty/Player
Groups
*Remotes:* iPeng9/Orangesqueeze/PC/Jivelite/SqueezeLiteX
*Music:* 522GB,1660 albums with 23087 songs by 5204 artists mostly
FLACs

*Want a webapp ?* See
http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS
------------------------------------------------------------------------
Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
Michael Herger
2018-01-13 00:00:46 UTC
> This unfortunately might be a very common problem as a VPN server is
> often the GW (Mine is both, IPSEC and SSL)

I doubt it'll be anywhere near "common". Please let me know if it causes
you a problem.

--

Michael
Jeff07971
2018-01-13 00:32:09 UTC
mherger wrote:
> > This unfortunately might be a very common problem as a VPN server is
> > often the GW (Mine is both, IPSEC and SSL)
>
> I doubt it'll be anywhere near "common". Please let me know if it causes
>
> you a problem.
>
> --
>
> Michael

Hi Michael

No I don't think it'll be a problem for me, my LMS is via an HTTPS
(passworded) proxy or by VPN only so I don't even need to turn the
password on

Thanks anyway

Jeff



------------------------------------------------------------------------
Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
PasTim
2018-01-12 20:38:56 UTC
I'm not sure whether I'm an 'average joe' or not. However, having spent
a working lifetime in IT (albeit nothing much to do with security) I
suspect not quite (judging by most of my friends). Nonetheless I have
found it pretty hard to work out how to do stuff like use ssh, ddns (my
IP address changes most nights), open selected ports in the router and
so on to make it all work with some semblance of security. I have a
public key exchange set up between my mobile and laptop (using ssh) and
my music server, and don't allow password access. Being retired I have
time to work such things through when I know they must be possible, even
when I can't quite get them to work for quite a while :)

As I understand it from some of the previous discussion, something has
been added to a recent LMS to require a password to change settings if
coming from the router/gateway address. Is that right? If so, which
password is that? I have LMS from yesterday installed.

I may never want to do this, but I'd like to know, just in case....



------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
Michael Herger
2018-01-13 00:02:27 UTC
> As I understand it from some of the previous discussion, something has
> been added to a recent LMS to require a password to change settings if
> coming from the router/gateway address. Is that right? If so, which
> password is that?

I tried to explain this before... If you have a password set, then
you're all fine. If you haven't, then you won't be able to access the
settings from the outside. LMS won't ask for a password unless you've
set it yourself.

--

Michael
PasTim
2018-01-13 17:48:00 UTC
mherger wrote:
> > As I understand it from some of the previous discussion, something
> has
> > been added to a recent LMS to require a password to change settings
> if
> > coming from the router/gateway address. Is that right? If so, which
> > password is that?
>
> I tried to explain this before... If you have a password set, then
> you're all fine. If you haven't, then you won't be able to access the
> settings from the outside. LMS won't ask for a password unless you've
> set it yourself.
>
> --
>
> Michael
I managed to get my remote access working again (a while since I had
used it and some bits and bobs have changed). Using SSH (port 22) and
public key. With Squeeze Commander I could still change the audio
settings of players, even though I have no CLI password set. Is this
what you would expect?

Setting a password would be problematic for some of my plugins, like the
UPnP bridge.



------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
Paul Webster
2018-01-13 19:48:56 UTC
PasTim wrote:
> I managed to get my remote access working again (a while since I had
> used it and some bits and bobs have changed). Using SSH (port 22) and
> public key. With Squeeze Commander I could still change the audio
> settings of players, even though I have no CLI password set. Is this
> what you would expect?
>
What does your LMS system see as your IP address when you connect in via
that route?
I don't remember if LMS logs it ... but you could SSH to the LMS server
and type
set | grep -i ssh
on a pCP server (and I suspect other Linux platforms) you will see the
IP address of this SSH session.



------------------------------------------------------------------------
Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
PasTim
2018-01-13 20:57:40 UTC
Paul Webster wrote:
> What does your LMS system see as your IP address when you connect in via
> that route?
> I don't remember if LMS logs it ... but you could SSH to the LMS server
> and type
> set | grep -i ssh
> on a pCP server (and I suspect other Linux platforms) you will see the
> IP address of this SSH session.
It's an external IP address that I don't recognise - it isn't an
internal one, nor the external IP address of my router/gateway.

I have tried looking at the standard web page in the mobile browser, and
can still see all the settings and have changed one or two advanced
plugin settings.

I'm running Logitech Media Server Version: 7.9.1 - 1515659378 @ Thu Jan
11 09:26:58 UTC 2018



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps. Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.
------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Paul Webster
2018-01-14 10:34:15 UTC
Permalink
PasTim wrote:
> I'm running Logitech Media Server Version: 7.9.1 - 1515659378 @ Thu Jan
> 11 09:26:58 UTC 2018
I noticed the changes in the secureSettings branch in github.
I don't think it is in the daily build yet.



Paul Webster
http://dabdig.blogspot.com
------------------------------------------------------------------------
Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
PasTim
2018-01-14 11:59:42 UTC
Permalink
Paul Webster wrote:
> I noticed the changes in the secureSettings branch in github.
> I don't think it is in the daily build yet.
I see. I think I misunderstood 'stable release' to mean beyond the 9.1
beta daily updates, rather than just in github.

------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Paul Webster
2018-01-14 15:14:37 UTC
Permalink
Paul Webster wrote:
> I noticed the changes in the secureSettings branch in github.
> I don't think it is in the daily build yet.

Correction - I see it was merged into 7.9 branch 5 days ago.
https://github.com/Logitech/slimserver/tree/public/7.9/Slim/Plugin/CLI

Try turning on Info level logging in "(plugin.cli) - Command Line
Interface (CLI)"

If you have access to the source code then check
Slim/Plugin/CLI/Plugin.pm
to see if it contains

Code:
--------------------

# Reject a CLI connection that arrives from the default gateway (i.e. via a
# forwarded port) when settings are protected and no password is configured.
if ( !Slim::Utils::Network::ip_is_localhost($tmpaddr)
    && $prefsServer->get('protectSettings') && !$prefsServer->get('authorize')
    && Slim::Utils::Network::ip_is_gateway($tmpaddr)
) {
    $log->error("Access to CLI is restricted to the local network or localhost: $tmpaddr");
    $cli_socket->close;
}
# Otherwise fall through to the existing "allowed hosts" filter.
elsif (!($prefsServer->get('filterHosts')) || (Slim::Utils::Network::isAllowedHost($tmpaddr))) {

--------------------



Paul Webster
http://dabdig.blogspot.com
------------------------------------------------------------------------
Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
PasTim
2018-01-14 15:47:46 UTC
Permalink
Paul Webster wrote:
> Correction - I see it was merged into 7.9 branch 5 days ago.
> https://github.com/Logitech/slimserver/tree/public/7.9/Slim/Plugin/CLI
>
> Try turning on Info level logging in "(plugin.cli) - Command Line
> Interface (CLI)"
>
> If you have access to the source code then check
> Slim/Plugin/CLI/Plugin.pm
> to see if it contains
> >
Code:
--------------------
> >
> if ( !Slim::Utils::Network::ip_is_localhost($tmpaddr)
> && $prefsServer->get('protectSettings') && !$prefsServer->get('authorize')
> && Slim::Utils::Network::ip_is_gateway($tmpaddr)
> ) {
> $log->error("Access to CLI is restricted to the local network or localhost: $tmpaddr");
> $cli_socket->close;
> }
> elsif (!($prefsServer->get('filterHosts')) || (Slim::Utils::Network::isAllowedHost($tmpaddr))) {
>
--------------------
> >
Yes, I have that code. In my server.prefs 'protectSettings' is set to
1. I don't know how the ip_is_gateway works, but since the IP I see for
ssh is certainly not for my gateway maybe that's why it doesn't get
trapped on my system (which has no password set).

------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Paul Webster
2018-01-14 16:02:09 UTC
Permalink
PasTim wrote:
> Yes, I have that code. In my server.prefs 'protectSettings' is set to
> 1. I don't know how the ip_is_gateway works, but since the IP I see for
> ssh is certainly not for my gateway maybe that's why it doesn't get
> trapped on my system (which has no password set).

Try increasing the log level for the module I referred to above.
I think it will log both success and failure with the IP address.



Paul Webster
http://dabdig.blogspot.com
------------------------------------------------------------------------
Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
PasTim
2018-01-14 17:29:29 UTC
Permalink
Paul Webster wrote:
> Try increasing the log level for the module I referred to above.
> I think it will log both success and failure with the IP address.
I got no report at all with the plugin.cli info settings.

Maybe I have misunderstood something (wouldn't be the first time!), so I
had better be more precise about what I'm doing.

I am connecting via my mobile, using a data connection, not wifi. I use
an app called ConnectBot to connect with SSH to LMS via a netgear DDNS
service to my router which has port 22 open. I have a public key shared
between my mobile and the music server. ConnectBot has the ability to
listen to local ports on the mobile and forward on the requests to my
music server.

So a local port 9000 is set up in ConnectBot to route to my
home-server-ip-address:9000. I can connect mobile LMS tools (eg Squeeze
Commander and Squeeze Player), or just my web browser connecting to
http://localhost:9000. Using the browser, I can look at LMS settings
and change some (stopping and restarting the UPnP bridge for instance).

I know almost nothing about the internals of LMS or its CLI. Does using
a web browser go via CLI and hence get checked when accessing Settings?

------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Michael Herger
2018-01-14 20:48:44 UTC
Permalink
> I go no report at all with the plugin.cli info settings.

plugin.cli is only used by the CLI itself. But network.http=info would
be more helpful.

> So a local port 9000 is set up in ConnectBot to route to my
> home-server-ip-address:9000.

That's a use case I haven't tested yet. Will do. Could you please enable
logging as mentioned above, then see what IP address LMS is seeing? Also
what is your gateway's IP, and your server's?

--

Michael
PasTim
2018-01-14 21:14:00 UTC
Permalink
mherger wrote:
> > I go no report at all with the plugin.cli info settings.
>
> plugin.cli is only used by the CLI itself. But network.http=info would
> be more helpful.
>
> > So a local port 9000 is set up in ConnectBot to route to my
> > home-server-ip-address:9000.
>
> That's a use case I haven't tested yet. Will do. Could you please enable
> logging as mentioned above, then see what IP address LMS is seeing? Also
> what is your gateway's IP, and your server's?
>
> --
>
> Michael
I turned that info on, and looked at "HTTP request: from " lines. I got
them from my desktop (...2), my Touch (...7), and the music server
itself (...10) when I connected from my mobile. I can see nothing from
my gateway (I searched for it).

I therefore surmise that the SSH server is sending from the music
server's own IP address to the same address.

If you need bits of the log I could pm them (tomorrow) rather than
attach them here (being paranoid, I know....).

------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Michael Herger
2018-01-15 07:29:30 UTC
Permalink
> I therefore surmise that the SSH server is sending from the music
> server's own IP address to the same address.

Hmm... it depends on how your tool is setting up the tunnel. But when I
ssh into my box and forward requests to the internal IP of the LMS
machine, then LMS does see the IP address of the SSH server. If that was
the router itself (which I doubt), then LMS would see the gateway
address. If the router forwarded SSH to some other box, then LMS would
see that other box's IP address.

--

Michael
PasTim
2018-01-15 08:16:45 UTC
Permalink
mherger wrote:
> > I therefore surmise that the SSH server is sending from the music
> > server's own IP address to the same address.
>
> Hmm... it depends on how your tool is setting up the tunnel. But when I
> ssh into my box and forward requests to the internal IP of the LMS
> machine, then LMS does see the IP address of the SSH server. If that was
> the router itself (which I doubt), then LMS would see the gateway
> address. If the router forwarded SSH to some other box, then LMS would
> see that other box's IP address.
>
> --
>
> Michael
My router is forwarding all incoming on port 22 to the music server
where there is an SSH server, so that matches what you say.

------------------------------------------------------------------------
PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
paul-
2018-01-14 17:42:04 UTC
Permalink
PasTim wrote:
> I don't know how the ip_is_gateway works, but since the IP I see for ssh
> is certainly not for my gateway maybe that's why it doesn't get trapped
> on my system (which has no password set).

He is simply using the LMS server's routing table to find the gateway
address.

If I read the perl correctly (Which there is a good chance that I am
not)

Allowed Addresses
IP address of the server itself
127.0.0.1
Any Address in the List of permitted IP addresses defined on the
Security page.

Not Allowed Addresses
Gateway address of the LMS server.


However, the gateway is only a hop point. Even in a DNAT network, if
you allow an external device through the firewall, it will not have the
gateway's address.


------------------------------------------------------------------------
paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
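As an added example (not LMS code and not from anyone in this thread), the following Python models the Perl check Paul Webster quoted from Slim/Plugin/CLI/Plugin.pm together with the allowed/not-allowed reading above, so the port-forwarding, NAT-mode and SSH-tunnel cases discussed here can be run side by side. The helper names, the ServerConfig fields and the extra "non-local network" test are assumptions standing in for the real Slim::Utils::Network functions and server.prefs keys; the addresses are constructed.

```python
# Added example (not LMS code): a Python model of the source-address check
# from Slim/Plugin/CLI/Plugin.pm discussed in this thread.  Helper names and
# the ServerConfig fields are assumptions standing in for the Perl helpers
# ip_is_localhost / ip_is_gateway / isAllowedHost and the server.prefs keys.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerConfig:
    server_ip: str            # the LMS host's own address
    gateway_ip: str           # default gateway taken from the routing table
    local_nets: list          # subnets treated as "internal" (assumed extra check)
    protect_settings: bool = True   # server.prefs 'protectSettings'
    authorize: bool = False         # True once a password has been set
    filter_hosts: bool = False      # 'filterHosts' on the Security page
    allowed_hosts: list = field(default_factory=list)


def ip_is_localhost(addr, cfg):
    """Loopback or the server's own address, as paul- read the Perl."""
    return ipaddress.ip_address(addr).is_loopback or addr == cfg.server_ip


def ip_is_gateway(addr, cfg):
    return addr == cfg.gateway_ip


def ip_is_local_network(addr, cfg):
    """Assumed extra check covering routers in transparent/DNAT mode,
    where LMS sees the external device address rather than the gateway."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in cfg.local_nets)


def is_allowed_host(addr, cfg):
    return addr in cfg.allowed_hosts


def settings_access_decision(addr, cfg):
    """Return (allowed, reason) in the same order as the Perl snippet:
    the gateway/non-local rule fires first, then the filterHosts allow-list."""
    if (not ip_is_localhost(addr, cfg)
            and cfg.protect_settings and not cfg.authorize
            and (ip_is_gateway(addr, cfg) or not ip_is_local_network(addr, cfg))):
        return False, "restricted to local network or localhost"
    if not cfg.filter_hosts or is_allowed_host(addr, cfg):
        return True, "accepted"
    return False, "not in list of permitted IP addresses"


def run_scenarios():
    """Constructed addresses (RFC 1918 LAN, TEST-NET-3 for the outside) that
    reproduce the cases raised in the thread; returns {name: allowed}."""
    cfg = ServerConfig(server_ip="192.168.1.10", gateway_ip="192.168.1.1",
                       local_nets=["192.168.1.0/24"])
    with_password = ServerConfig(server_ip="192.168.1.10", gateway_ip="192.168.1.1",
                                 local_nets=["192.168.1.0/24"], authorize=True)
    return {
        # ordinary LAN client (desktop, Touch)
        "lan_client": settings_access_decision("192.168.1.2", cfg)[0],
        # port 9000 forwarded by a router in NAT/routing mode: source is the gateway
        "forwarded_via_gateway": settings_access_decision("192.168.1.1", cfg)[0],
        # router in transparent mode: LMS sees the external address directly
        "forwarded_transparent": settings_access_decision("203.0.113.7", cfg)[0],
        # PasTim's ConnectBot tunnel: the SSH server on the LMS host connects to itself
        "ssh_tunnel_on_server": settings_access_decision("192.168.1.10", cfg)[0],
        # same forwarded connection once a password is set: LMS asks for it instead
        "forwarded_with_password": settings_access_decision("192.168.1.1", with_password)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:28s} {'allowed' if allowed else 'BLOCKED'}")
```

The "ssh_tunnel_on_server" case shows why PasTim's tunnel was never logged as blocked: a tunnel terminating on the LMS host itself presents the server's own address, which the check treats as localhost.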
Michael Herger
2018-01-14 20:53:19 UTC
Permalink
> However, the gateway is only a hop point. Even in a DNAT network, if
> you allow an external device through the firewall, it will not have the
> gateways address.

I guess that most systems which currently are systematically attacked
simply forward port 900x on their router to LMS. In this case the
incoming IP address would be the gateway's.

I know the current code is far from perfect. But it certainly covers
many of the cases I've seen so far. I do know there are already
installations out there which take advantage of this slightly improved
default behaviour.

Please note that I did NOT implement this to make publishing your LMS to
the world more safe. I'm still saying: don't do it. But I know that many
users did it out of some need, or ignorance. And many of them are not
aware of the problem. In these cases new LMS at least does provide a
minimum more protection than before.

--

Michael
paul-
2018-01-15 00:00:40 UTC
Permalink
mherger wrote:
> >
> I guess that most systems which currently are systematically attacked
> simply forward port 900x on their router to LMS. In this case the
> incoming IP address would be the gateway's.
>

Not that I do this, but I opened up the ports to do some testing. On my
netgear router, when it lets the traffic in, the connection at the
server is shown as whatever the external device address.


------------------------------------------------------------------------
paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
DJanGo
2018-01-15 00:43:29 UTC
Permalink
paul- wrote:
> Not that I do this, but I opened up the ports to do some testing. On my
> netgear router, when it lets the traffic in, the connection at the
> server is shown as whatever the external device address.

And that's exactly how it works.

own PC -> private IP address -> Router ISP official IP address ->
{Internet} <- Router external IP <- foreign private IP.

It's the MAC address that's changed to the router, not the IP.


------------------------------------------------------------------------
DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
DJanGo
2018-01-15 01:00:11 UTC
Permalink
DJanGo wrote:
> And thats exactly how it works.
>
> own PC -> private IP Adress -> Router ISP official IP Adress ->
> {Internet} <- Router external IP <- foreign private IP.
>
> Its the MAC Adress thats changed to the router not the IP.

Mea culpa, I just forgot the NAT/Routing Mode of some devices....

There is the transparent Mode and the NAT/Routing Mode, the latter being
the one Michael is using. That Mode really translates the external IP from
sender/receiver to the router.....


------------------------------------------------------------------------
DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Michael Herger
2018-01-15 05:45:40 UTC
Permalink
> mea culpa i just forget the NAT/Routing Mode from some devices....
>
> There is the transparent Mode and the NAT/Routing Mode thats the one
> Michael is using. That Mode really translates the external IP from
> sender/receiver to the router.....

Oh, good point. Thanks for the hint. I did have a check for non-local
addresses in that code at some point. Should have left it in.

--

Michael
Michael Herger
2018-01-16 09:43:53 UTC
Permalink
> mea culpa i just forget the NAT/Routing Mode from some devices....
>
> There is the transparent Mode and the NAT/Routing Mode thats the one
> Michael is using. That Mode really translates the external IP from
> sender/receiver to the router.....

Both modes now should be covered.

--

Michael
JJZolx
2018-01-14 14:34:00 UTC
Permalink
mherger wrote:
> > As I understand it from some of the previous discussion, something has
> > been added to a recent LMS to require a password to change settings if
> > coming from the router/gateway address. Is that right? If so, which
> > password is that?
>
> I tried to explain this before... If you have a password set, then
> you're all fine. If you haven't, then you won't be able to access the
> settings from the outside. LMS won't ask for a password unless you've
> set it yourself.

How do you determine that the connection is coming from "outside"? If
someone is doing port forwarding in order to make the LMS server
available to the internet, wouldn't the connection appear to come from
the router on the same subnet?


------------------------------------------------------------------------
JJZolx's Profile: http://forums.slimdevices.com/member.php?userid=10
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
drmatt
2018-01-14 14:42:44 UTC
Permalink
JJZolx wrote:
> How do you determine that the connection is coming from "outside"? If
> someone is doing port forwarding in order to make the LMS server
> available to the internet, wouldn't the connection appear to come from
> the router on the same subnet?

I think you answered your own question, read back up the thread.


-Transcoded from Matt's brain by Tapatalk-



--
Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with
Debian+LMS 7.9.0
Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k
albums..
------------------------------------------------------------------------
drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
JJZolx
2018-01-14 14:45:23 UTC
Permalink
Ok, I see it. Thanks.


------------------------------------------------------------------------
JJZolx's Profile: http://forums.slimdevices.com/member.php?userid=10
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
drmatt
2018-01-12 20:58:00 UTC
Permalink
mherger wrote:
> > Interested to see how the code can distinguish an external request from
> > internal though.
>
> It's not very sophisticated, and not even fully correct: when a request
> is coming from the network's default gateway, I'm assuming it's coming
> from the outside. I know that this is a rather simplistic approach. But
> I thought I'd push it out this way and see whether people run into
> issues :-). If they do, then at least they can double check their
> network configuration to make sure they really don't open things up.
>
> And then there's that undocumented pref you can set to disable the check
> in such an exceptional case.
>

Ok, figured it might be something like that. Not an easy problem to
solve. In this circumstance it would be better to receive a page back
that says *why* the request was blocked and where to look to allow it
rather than a 403. Anonymise the hell out of the response of course so
people can't reasonably guess it's an LMS instance.


------------------------------------------------------------------------
drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Michael Herger
2018-01-13 00:03:36 UTC
Permalink
> Ok, figured it might be something like that. Not an easy problem to
> solve. In this circumstance it would be better to receive a page back
> that says *why* the request was blocked and where to look to allow it
> rather than a 403. Anonymise the hell out of the response of course so
> people can't reasonably guess it's an LMS instance.

That's kind of an oxymoron, isn't it? Tell the user what to do to open
the door, but not tell the attacker what system it is?...

--

Michael
drmatt
2018-01-13 10:07:00 UTC
Permalink
mherger wrote:
> > Ok, figured it might be something like that. Not an easy problem to
> > solve. In this circumstance it would be better to receive a page back
> > that says *why* the request was blocked and where to look to allow it
> > rather than a 403. Anonymise the hell out of the response of course so
> > people can't reasonably guess it's an LMS instance.
>
> That's kind of an oxymoron, isn't it? Tell the user what to do to open
> the door, but not tell the attacker what system it is?...
>
> --
>
> Michael

Yes, I know. Thought that as I wrote it. But a change to default
behaviour really should be documented.


------------------------------------------------------------------------
drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
Michael Herger
2017-04-26 12:30:30 UTC
Permalink
> A large and sticky warning on the home page of the forums would be
> wiser.

Unfortunately only a very small percentage of the SB community is
regularly visiting these forums. Even I wouldn't get to see that message!

> I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the
> list of open LMS's meaning people update (or is done automatically) so a
> software change may work to help.

Interesting. In my list there are far more 7.7.x installations than
7.9.x. And many are really old, like 7.7.2/3.

> Use a list generated by THAT search engine to grab a list of open LMS's
> and automatically sent a command to turn all player on and stream a file
> from Logitech saying something like "This system is compromised please
> see article on forum" repeatedly until stopped.

This is about as far as my "hacking" would go: interact with LMS.

--

Michael
Jeff07971
2017-04-26 12:46:01 UTC
Permalink
mherger wrote:
> > A large and sticky warning on the home page of the forums would be
> > wiser.
>
> Unfortunately only a very small percentage of the SB community is
> regularly visiting these forums. Even I wouldn't get to see that
> message!
>
> > I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the
> > list of open LMS's meaning people update (or is done automatically) so a
> > software change may work to help.
>
> Interesting. In my list there are far more 7.7.x installations than
> 7.9.x. And many are really old, like 7.7.2/3.
>
> > Use a list generated by THAT search engine to grab a list of open LMS's
> > and automatically sent a command to turn all player on and stream a file
> > from Logitech saying something like "This system is compromised please
> > see article on forum" repeatedly until stopped.
>
> This is about as far as my "hacking" would go: interact with LMS.
>
> --
>
> Michael

Yes, I see your point. I make it about 25% are 7.9.0 - 7.9.1 (BTW I
searched "logitech media server" or "logitech media server 7.9.0" or
"logitech media server 7.9.1").

Still, removing 25% would be a start!

Jeff



*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezePlayer,PiCorePlayer
x3,Wandboard
*Server:* LMS Version: 7.9.0 - 1475786002 on Centos 7 VM on ESXi 6 on
Dell T320
*Plugins:* AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud
*Remotes:* iPeng8/Orangesqueeze/PC/Jivelite
*Music:* 383GB,1269 albums 17756 songs 4381 artists mostly FLACs

*Want a webapp ?* See
http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS
------------------------------------------------------------------------
Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
drmatt
2017-11-23 07:04:49 UTC
Permalink
If you're still being hacked after genuinely disabling the port from
internet access that means the hackers are already inside your
network... Suggest you look at intrusion detection software.


------------------------------------------------------------------------
drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
View this thread: http://forums.slimdevices.com/showthread.php?t=107165