Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2020-01-22 Thread echable


Can confirm this is a real issue - I ignored the warnings because I
couldn't find any decent instructions on how to set up a VPN tunnel (and
was not knowledgeable about the difference between a commercial VPN
provider, such as www.privateinternetaccess.com, which was the only type
of VPN I knew about, and confused it with the type of VPN server you
need for LMS, on your router for example; I am now using an Asus router
with Merlin firmware VPN server, which you need to set up to access LMS
remotely and securely). Setting up the VPN server takes five clicks on
the router and then you download the OpenVPN Connect Android app on the
remote device you wish to use - export an .ovpn configuration file from
your router interface - import this into the Android device - and you're
done. When I had port forwarding on I got hacked after about a month -
woke up at 5am to the sounds of some sweet Cuban music :) - shut down
everything - set up the VPN approach next day.



echable's Profile: http://forums.slimdevices.com/member.php?userid=69542
View this thread: http://forums.slimdevices.com/showthread.php?t=107165

___
discuss mailing list
discuss@lists.slimdevices.com
http://lists.slimdevices.com/mailman/listinfo/discuss


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2019-11-21 Thread jensavage


Thank you for the information



jensavage's Profile: http://forums.slimdevices.com/member.php?userid=69579


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2019-07-17 Thread Jonas54


That's what I was doing so far, damn! Got it, will change now.



Jonas54's Profile: http://forums.slimdevices.com/member.php?userid=69278


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2019-07-14 Thread edwin2006


But why is your NAS open to the internet? Use router VPN!



*SqueezeBoxes:* 1x Transporter (Living room) 1x SB2 (shed), 1x Radio
(Kitchen), 1x Boom (Dining room), 1x piCorePlayer (jacuzzi), 1x
piCorePlayer (Garden) 1x OSMC + Squeezelite (Movie room), 1x Touch
(Study 2), a few spare units
*Server:* LMS on Pi3 7.9.1. on PcP 3.21
*Network:* AVM Fritzbox, Netgear Smart Switch 24p, 3x Ubiquiti

edwin2006's Profile: http://forums.slimdevices.com/member.php?userid=66926


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2019-07-14 Thread judojimmie


Just a warning to anyone who blocked these ports in the past. If you
get a new router and use Synology's automatic router configuration,
pay a little more attention than I did. I had blocked these ports years
ago on my old router and did not think to tell the server to not open
them back up. Of course someone with too much time on their hands found
them and locked me out of my LMS.

Of note, I informed Synology that they should not allow the automatic
router configuration tool to do this as it is a known exploit. They
basically told me it was my fault for using their software :confused:.
Fair enough, but it is the first time I've had a response from Synology
that annoyed me in the 9 years I've been using their servers.



judojimmie's Profile: http://forums.slimdevices.com/member.php?userid=69290


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2019-04-23 Thread fominator


mherger wrote: 
> And then there's that undocumented pref you can set to disable the check
> in such an exceptional case.

So how to disable this check? I didn't find the answer! I want to
disable it. Where is that pref, what should I do to disable it?



fominator's Profile: http://forums.slimdevices.com/member.php?userid=69103


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-11-26 Thread dr..mike


mherger wrote: 
> The Gallery plugin was developed for pictures only.

Thanks for sharing your thoughts!! 

With the above & the seemingly normal outgoing traffic volumes my router
is showing, I'm trying to semi-comfort my mind that someone had their
fun, looking at family pics or a weekend outing... and browsing the
names of my directory structure, leaving the trace of a saved random
folder in the settings...

Fingers crossed, but I suppose nothing to actively do to find out if
things may have been stolen and where they may have ended up.

Sent from my HTC U Ultra using Tapatalk





dr..mike's Profile: http://forums.slimdevices.com/member.php?userid=68686


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-11-26 Thread mherger


dr..mike wrote: 
> Assuming, someone 'only' installed the gallery plugin: does this allow
> reading / downloading also PDFs, excels, docs and so on? Or 'only' shows
> pictures it finds?
> 
> Am I understanding correctly, that once someone accessed the LMS, the
> user & password had to be set, i.e. max one person can go inside as it's
> locked afterwards?
> 

The Gallery plugin was developed for pictures only. That said I know
that some of the attackers did install modified versions of the plugin.
They could potentially do anything they want. They could as well just
write their own to download all those files, yes. But then I'm not aware
of an attack at that level.

The password can be used by anyone knowing it. Most likely this is only
being set to annoy the users, and potentially have a bit more time to
explore whatever content they got access to.



Michael

http://www.herger.net/slim-plugins - Spotty, MusicArtistInfo

mherger's Profile: http://forums.slimdevices.com/member.php?userid=50


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread epoch1970

I backtracked on that thread (should be working instead...) and I want
to say having a password protecting settings from remote accesses will
be (is?) a great addition.
To those with routed VPNs complaining about the extra password, I say
use a bridged network, it makes player discovery work ;)

In passing, I don't know the state of TOTP/QR on perl, but in my opinion
a time-based password is a concept end-users grasp easily. Downloading
an app and flashing a QR code is somehow an easier proposition than
choosing and remembering yet another password, hard to guess please.
It would be probably better to have a short, volatile 6-digit password
protect the server rather than the usual "passw0rd" or "lms1234"...
There are plenty of free TOTP clients for mobile, desktop or the command
line.



3 SB 3 • Libratone Loop, Zipp Mini • iPeng (iPhone + iPad) • LMS 7.9
(linux) with plugins: CD Player, WaveInput, Triode's BBC iPlayer by bpa
• IRBlaster by Gwendesign (Felix) • Server Power Control by Gordon
Harris • Smart Mix, Music Walk With Me, What Was That Tune? by Michael
Herger • PowerSave by Jason Holtzapple • Song Info, Song Lyrics by
Erland Isaksson • AirPlay Bridge by philippe_44 • WeatherTime by Martin
Rehfeld • Auto Dim Display, SaverSwitcher, ContextMenu by Peter Watkins.

epoch1970's Profile: http://forums.slimdevices.com/member.php?userid=16711


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread Michael Herger

> what did the clown do?


See the very first posting in this thread.

--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread Pommes

Grumpy Bob wrote: 
> I gave up on remotely accessing my LMS after I inadvertently left the
> ports open when the vpn no longer worked. I had some clown playing stuff
> on my system. Nowadays I have a backup on a wifi enabled WD Passport
> drive that runs its own copy of LMS. I use that to play locally to
> mobile devices or a Raspberry Pi.
> 
> Robert

Well, that sucks, some clown taking control of your system.
What did the clown do? Was he able to delete anything or mess up your LMS
completely?
Did you have password protection on your LMS?



Pommes's Profile: http://forums.slimdevices.com/member.php?userid=67682


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread Grumpy Bob

I gave up on remotely accessing my LMS after I inadvertently left the
ports open when the vpn no longer worked. I had some clown playing stuff
on my system. Nowadays I have a backup on a wifi enabled WD Passport
drive that runs its own copy of LMS. I use that to play locally to
mobile devices or a Raspberry Pi.

Robert



*Home:* Raspberry Pi 3/piCoreplayer/LMS7.9.1 with files on QNAP TS-239
Touch > DacMagic 100 > Naim Audio Nait 3 > Mission 752 (plus Rega
Planar 3 > Rega Fono Mini; Naim CD3)
PiCorePlayer(Pi2) with IQAudIO DAC+>Sennheisers 
2 x Squeezebox Radios, 1 X Squeezebox 3 (retired), spare
Pi2/piCorePlayer
*Office:* LMS7.9 running on WiFi MyPassport drive >
piCorePlayer(PiB)/HiFiBerryDAC > Amptastic Amplifier
SqueezePad, iPeng as controllers 

last.fm/user/GrumpyBob

Grumpy Bob's Profile: http://forums.slimdevices.com/member.php?userid=41857


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread Pommes

drmatt wrote: 
> Personally I would kill the idea of streaming flac to mobile devices and
> just bandwidth limit the client in LMS. 320kb MP3 is undoubtedly good
> enough when out and about. I would guess the limitation is insufficient
> pre buffering, whereas internet video players would be more aware of the
> requirements for this.
> 
> Flac is as you say about 900kbit, maybe just over 1mbit so shouldn't
> really be a big issue. Note that HD video can be streamed in about
> 1.8mbit and still be bearable. Probably less, but still more than a flac
> stream.
> 
> 
> 
> -Transcoded from Matt's brain by Tapatalk-

For mobile use on iPhone I use a transcoded stream of 192kbit.
For remote use with a laptop connected to high-end gear or good headphones
I rather use flac. It's just around 800kbit.
The videos I stream from my sat receiver use a bandwidth of 8-14mbit!
No issue so far, even with OpenVPN. As I said: only the Win7 squeezeplay
when used via OpenVPN doesn't work, but it streams flac when not using OpenVPN.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread drmatt

Personally I would kill the idea of streaming flac to mobile devices and
just bandwidth limit the client in LMS. 320kb MP3 is undoubtedly good
enough when out and about. I would guess the limitation is insufficient
pre buffering, whereas internet video players would be more aware of the
requirements for this.

Flac is as you say about 900kbit, maybe just over 1mbit so shouldn't
really be a big issue. Note that HD video can be streamed in about
1.8mbit and still be bearable. Probably less, but still more than a flac
stream.



-Transcoded from Matt's brain by Tapatalk-



--
Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with
Debian+LMS 7.9.0
Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k
albums..

drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread Pommes

epoch1970 wrote: 
> Right. Past the 3 openvpn options I've described just above, I don't
> know what to do next.
> I suppose the idea could be to increase buffering in the player, but I'm
> not sure how to do that properly with squeezelite (?).
> Also take a look at your LMS settings for players, perhaps the
> preferences for that Win squeezelite are not set the same way as the
> others.
Don’t worry, I will just use the open ports for squeezeplay. It is
working fine with the open ports. But the modification of the ovpn conf
which you told me to do definitely increased the streaming ability via
OpenVPN for my video from the satellite receiver, so thanks again.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread epoch1970

Pommes wrote: 
> So it must be some kind of issue between squeeze play and open VPN on
> windows which makes the bottleneck.
Right. Past the 3 openvpn options I've described just above, I don't
know what to do next.
I suppose the idea could be to increase buffering in the player, but I'm
not sure how to do that properly with squeezeplay.
Also take a look at your LMS settings for players, perhaps the
preferences for that Win squeezelite are not set the same way as the
others.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread Pommes

epoch1970 wrote: 
> Mhh. FLAC or WAV take a lot of bandwidth, probably the tunnel can't keep
> up.
> I have used bridged OpenVPN tunnels from time to time, everything is
> fine for mp3/AAC/CD-quality stuff but for hi-def or hi-quality I've seen
> issues.
> The server side uses its upload link to send the data, with asymmetric
> connexions (small upload/large download bandwidths) you get a bottleneck
> there.
High definition playback does work via open ports though. And the video
I stream from my satellite receiver via OpenVPN is about 10 times
higher bit rate than FLAC from LMS. So it must be some kind of issue
between squeezeplay and OpenVPN on Windows which makes the bottleneck.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread epoch1970

Pommes wrote: 
> I edited my ovpn file on windows, squeezeplay still not able to play
> flac without buffering every few seconds.
Mhh. FLAC or WAV take a lot of bandwidth, probably the tunnel can't keep
up.
I have used bridged OpenVPN tunnels from time to time, everything is
fine for mp3/AAC/CD-quality stuff but for hi-def or hi-quality I've seen
issues.
The server side uses its upload link to send the data, with asymmetric
connexions (small upload/large download bandwidths) you get a bottleneck
there.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread Pommes

epoch1970 wrote: 
> In other words, try to add
> Code:
> 
>   sndbuf 131072
>   rcvbuf 131072
> 
> in the OpenVPN configuration file of the Win7 machine and see if
> squeezelite works better.

I edited my ovpn file on Windows, squeezeplay still not able to play
flac without buffering every few seconds.
I stream from my satellite receiver via OpenVPN, and this does work a lot
better after I edited the ovpn file the way you asked, so thanks for
that.
But for streaming flac with squeezeplay I will use the open ports.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread d6jg

Pommes wrote: 
> I tested again:
> When I connect my iPhone from remote to my LMS at home via openvpn, it
> connects as cellular, both on WiFi and 4g/lte 
> When I connect my iPhone from remote to my LMS at home via public ip/
> open ports, it connects as WiFi, both on WiFi and 4g/lte
> That’s both fine with me, I just thought that iPeng would check the
> connection on my phone.
> But:
> When connecting via openvpn, all my iPads,Mac, iPhones work well, but my
> old windows7 squeezeplay laptop buffers every few seconds.
> When connecting via public ip/ open ports the windows squeezeplay works
> fine, as all other devices.
> 
> So I would rather keep connecting via public ip/ open ports.
> I have put a user/password into LMS, so do you really think it’s a huge
> security problem with the open ports???
> Please let me know what you honestly think of the security risks.
> Thanks
> Pommes

Open ports are dangerous. If you can see them externally then so will
others (and they will look).
You will need to ask Pippin about why iPeng sees the openvpn connection
as cellular and not wifi when it is wifi but it could be to do with the
outgoing public IP that is detected i.e. if it isn't public then perhaps
iPeng assumes it to be cellular. I use an SSL VPN connection on my
iPhone and that seems to work correctly.



PI3 PCP/LMS STORAGE QNAP TS419P (NFS)
*Living Room* - Joggler & SB3 -> Onkyo TS606 -> Celestion F20s
*Office* - Pi3+Sreen -> Sony TAFE320 -> Celestion F10s / Pi2+DAC & SB3
-> Onkyo CRN755 -> Wharfedale Modus Cubes
*Dining Room* -> SB Boom 
*Kitchen* -> UE Radio (upgraded to SB Radio)
*Bedroom (Bedside)* - Pi2+DAC ->ToppingTP21 ->AKG Headphones
*Bedroom (TV)* - SB Touch ->Sherwood AVR ->Mordaunt Short M10s
Everything controlled by iPeng

d6jg's Profile: http://forums.slimdevices.com/member.php?userid=44051


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-28 Thread epoch1970

In other words, try to add
Code:

  sndbuf 131072
  rcvbuf 131072

in the OpenVPN configuration file of the Win7 machine and see if
squeezelite works better.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-27 Thread Pommes

epoch1970 wrote: 
> (I don't understand your connection test report. Anyways.)
> 
> Are you using a UDP tunnel or a TCP tunnel for OpenVPN? I would think
> UDP works much better.
> There seems to be a Win7-specific OVPN issue with network buffer sizes:
> https://community.openvpn.net/openvpn/ticket/640
> According to the bug report, setting this in the Win7 client config file:
> Code:
> 
>   sndbuf 131072
>   rcvbuf 131072
> 
> or having this in the corresponding ccd on the server side:
> Code:
> 
>   push "sndbuf 131072"
>   push "rcvbuf 131072"
> 
> could solve the issue you see with Win7.

Sorry but I don’t understand that.
I am just a user with no programming nor Linux skills.
My router runs the OpenVPN server and I just imported the ovpn file into
OpenVPN GUI on Windows 7.
The tunnel is UDP and runs fine on Mac, iPad and iPhone.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-27 Thread epoch1970

(I don't understand your connection test report. Anyways.)
Pommes wrote: 
> When connecting via openvpn, all my iPads,Mac, iPhones work well, but my
> old windows7 squeezeplay laptop buffers every few seconds.

Are you using a UDP tunnel or a TCP tunnel for OpenVPN? I would think
UDP works much better.
There seems to be a Win7-specific OVPN issue with network buffer sizes:
https://community.openvpn.net/openvpn/ticket/640
According to the bug report, setting this in the Win7 client config file:
Code:

  sndbuf 131072
  rcvbuf 131072

or having this in the corresponding ccd on the server side:
Code:

  push "sndbuf 131072"
  push "rcvbuf 131072"

could solve the issue you see with Win7.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-27 Thread Pommes

mherger wrote: 
> There's no known, major issue yet. But LMS has not been developed with
> security in mind. A lot has been added to lower the risks. But I
> wouldn't be surprised if there were major issues we don't know yet.

Thank you Michael,
I think I will leave the ports open for now. It is just working much
better than with OpenVPN and more convenient.
The server is actually only serving audio and video files. The audio
gets backed up every week, I don’t care about losing the video.
Pommes





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-27 Thread mherger

Pommes wrote: 
> I have put a user/password into LMS, so do you really think it’s a huge
> security problem with the open ports???
> Please let me know what you honestly think of the security risks.

There's no known, major issue yet. But LMS has not been developed with
security in mind. A lot has been added to lower the risks. But I
wouldn't be surprised if there were major issues we don't know yet.



Michael



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-25 Thread epoch1970

> Open VPN only seen as cellular
Even when connected via wifi to a hotspot?

If from within your own (wifi) LAN the iPhone doesn't know how to reach
the public address of your OVPN gateway, I suspect it would send that
traffic to cellular which is an external network.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-02-24 Thread Pommes

Hi,
after opening the ports today I found this thread.
Now I set up OpenVPN and it works fine, only one issue:
In iPeng I set the Audio Bitrate for cellular to 192kbit and for WiFi to
unlimited.
Unfortunately this doesn’t work with OpenVPN. All music is transcoded
to 192 when connected to OpenVPN.
When using port forwarding instead it works fine, untranscoded flac when
connected to WiFi, transcoded to 192 when cellular.
Does anybody have a hint for me?
Thanks
Pommes





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-17 Thread ian_heys

mherger wrote: 
> I think if you're using VPN to access your LMS at home, then you're on
> the safe side. Nothing to log or investigate.
> 
> -- 
> 
> Michael

Thanks Michael.



*Music Store:* Synology DS215J NAS
*Home Server/Player:* LMS 7.9.1 on Pi 3B piCorePlayer v3.22
Server/IQAudio DAC+/Amp+
*Portable Server/Player:* LMS 7.9.1 on HP-DV2700 Laptop/Ubuntu 17.10
with synced music drive.
*Homeplug LAN Players:* Pi 3B piCorePlayer v3.22/HDMI/Jivelite,
Squeezelite on Windows 10 PC
*UPNP Wifi Players:* Chromecast Audio/Video, Revo Super-Connect Radio,
GGMM-E5 portable
*VPN Player:* SqueezePlayer on Android Phone

ian_heys's Profile: http://forums.slimdevices.com/member.php?userid=2629


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-17 Thread Michael Herger

> I have been following, but not fully understanding this thread, for
> quite a while and thought I'd better ask the question.

I think if you're using VPN to access your LMS at home, then you're on
the safe side. Nothing to log or investigate.


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-17 Thread ian_heys

I have been using my Synology NAS, which sits behind my cable TV router,
as a VPN Server for connections to my LAN from remote locations.

The only use I have for this is for using LMS/Player combinations,
usually but not exclusively on my Android Phone, on the rare occasions
that I am away from home.

The only port that is open on my router is that which is required by the
Synology NAS VPN plugin and this port is forwarded by my cable TV
router.

I have been following, but not fully understanding this thread, for
quite a while and thought I'd better ask the question.

I'm not sure I'm up to setting up and understanding all the logging that
is needed to examine this issue and it wouldn't be too much of a wrench
for me to simply stop doing this as I must admit my use is rather more
experimental than useful.

My only significant discovery has been that my free hospital wifi blocks
the Synology VPN port and I have to revert to a 4G phone connection
which can be expensive if used for any significant time.





Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread PasTim

DJanGo wrote: 
> @Tim:
> The "clever" People are the People that causes Michael to open this
> Thread and thinks about a "solution" or minimize the worst case
> scenario.
> 
> AFAIK Michael wants a solution that the settings from LMS (even when the
> LMS Server IP & Ports are forwarded to the Internet) are "safer" than
> now.
> 
> Your idea (completely disable the access except for "known" IPs) sounds
> clever and might be a better solution, but (the people we are talking
> about) would redo these changes (if Michael would add them in a next
> Version) cause that would stop these people to access their LMS from
> all over the World.
> 
> Since setting up a VPN isn't that easy/simple and we're dealing with lots
> of different devices and use cases..

OK - thanks.
Never having set up a VPN I think that for solo usage like mine, SSH
using public keys seems to be the simplest solution that should be
reasonably secure.



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread Mnyb

d6jg wrote: 
> No issues Michael. I use site to site IPSEC and SSL client VPNs via
> Draytek Vigor router that is also a VPN server. 
> I was simply saying that router & vpn on the same device may be a little
> more common than you might think.
> 
> 
> Sent from my iPhone using Tapatalk

Yes, my Linksys router has OpenVPN built in, and that's what I'm using.
The WRT1900AC is quite common?

But I'm out on site work; will test later if it still works for me




Main hifi: Touch + CIA PS +MeridianG68J MeridianHD621 MeridianG98DH 2 x
MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3
sub.
Bedroom/Office: Boom
Kitchen: Touch + powered Fostex PM0.4
Misc use: Radio (with battery)
iPad1 with iPengHD & SqueezePad
(spares Touch, SB3, reciever ,controller )
server HP proliant micro server N36L with ClearOS Linux

http://people.xiph.org/~xiphmont/demo/neil-young.html

Mnyb's Profile: http://forums.slimdevices.com/member.php?userid=4143


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread d6jg

mherger wrote: 
> > My gateway is also my VPN server. It may be more common than you
> > think.
> 
> Are you saying you're facing any issue due to these recent changes?
> 
> I said it wasn't common because I doubt there are many LMS users using a
> VPN. That simple. And in a VPN situation you would dial in to the
> router, but AFAIK the client would receive its own IP address from
> through the VPN. In that case LMS would not see the gateway's address
> but the one of the remote client.
> 
> -- 
> 
> Michael

No issues Michael. I use site to site IPSEC and SSL client VPNs via
Draytek Vigor router that is also a VPN server. 
I was simply saying that router & vpn on the same device may be a little
more common than you might think.


Sent from my iPhone using Tapatalk



PI3 PCP/LMS STORAGE QNAP TS419P (NFS)
*Living Room* - Joggler & SB3 -> Onkyo TS606 -> Celestion F20s
*Office* - Pi3+Sreen -> Sony TAFE320 -> Celestion F10s / Pi2+DAC & SB3
-> Onkyo CRN755 -> Wharfedale Modus Cubes
*Dining Room* -> SB Boom 
*Kitchen* -> UE Radio (upgraded to SB Radio)
*Bedroom (Bedside)* - Pi2+DAC ->ToppingTP21 ->AKG Headphones
*Bedroom (TV)* - SB Touch ->Sherwood AVR ->Mordaunt Short M10s
Everything controlled by iPeng

d6jg's Profile: http://forums.slimdevices.com/member.php?userid=44051


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread d6jg

Jeff07971 wrote: 
> I don't think d6jg will have a problem, I think he uses the same system
> as I.
> I tried accessing via both IPSEC and SSL (To iPhone with iPeng ) and had
> no problems playing etc though I have not tried "settings"
> I could not work out how to see the accessing IP in the log ( I tried
> Plugin:cli @ info level logging ) though.
> 
> Jeff

Jeff is correct. I have no problem because I use high end kit. 
I was just saying that router & vpn is actually more common than you
would think.
DJanGo - I am more than familiar with DMZ and public IP assignment thank
you. 


Sent from my iPhone using Tapatalk



PI3 PCP/LMS STORAGE QNAP TS419P (NFS)
*Living Room* - Joggler & SB3 -> Onkyo TS606 -> Celestion F20s
*Office* - Pi3+Sreen -> Sony TAFE320 -> Celestion F10s / Pi2+DAC & SB3
-> Onkyo CRN755 -> Wharfedale Modus Cubes
*Dining Room* -> SB Boom 
*Kitchen* -> UE Radio (upgraded to SB Radio)
*Bedroom (Bedside)* - Pi2+DAC ->ToppingTP21 ->AKG Headphones
*Bedroom (TV)* - SB Touch ->Sherwood AVR ->Mordaunt Short M10s
Everything controlled by iPeng

d6jg's Profile: http://forums.slimdevices.com/member.php?userid=44051


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread Jeff07971

Paul Webster wrote: 
> Turn on the http logging that mherger referred to. I saw it in there
> earlier today.

Thanks for that, Yes I can confirm that the accessing IP address is that
assigned by the VPN to the remote device (In my case this is NATted to a
fixed IP)



*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezeLiteX,PiCorePlayer
x3,Wandboard
*Server:* LMS Version:  Latest Nightly on Centos 7 VM on ESXi 6.5.0U1 on
Dell T320
*Plugins:*
AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud/Spotty/Player
Groups
*Remotes:* iPeng9/Orangesqueeze/PC/Jivelite/SqueezeLiteX
*Music:* 522GB,1660 albums with 23087 songs by 5204 artists mostly
FLACs

*Want a webapp ?* See
http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS

Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread Paul Webster

Jeff07971 wrote: 
> 
> I could not work out how to see the accessing IP in the log ( I tried
> Plugin:cli @ info level logging ) though.
> 
> Jeff
Turn on the http logging that mherger referred to. I saw it in there
earlier today.



Paul Webster
http://dabdig.blogspot.com

Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread Jeff07971

mherger wrote: 
> > My gateway is also my VPN server. It may be more common than you
> > think.
> 
> Are you saying you're facing any issue due to these recent changes?
> 
> I said it wasn't common because I doubt there are many LMS users using a
> VPN. That simple. And in a VPN situation you would dial in to the
> router, but AFAIK the client would receive its own IP address from
> through the VPN. In that case LMS would not see the gateway's address
> but the one of the remote client.
> 
> -- 
> 
> Michael


I don't think d6jg will have a problem, I think he uses the same system
as I.
I tried accessing via both IPSEC and SSL (To iPhone with iPeng ) and had
no problems playing etc though I have not tried "settings"
I could not work out how to see the accessing IP in the log ( I tried
Plugin:cli @ info level logging ) though.

Jeff



*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezeLiteX,PiCorePlayer
x3,Wandboard
*Server:* LMS Version:  Latest Nightly on Centos 7 VM on ESXi 6.5.0U1 on
Dell T320
*Plugins:*
AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud/Spotty/Player
Groups
*Remotes:* iPeng9/Orangesqueeze/PC/Jivelite/SqueezeLiteX
*Music:* 522GB,1660 albums with 23087 songs by 5204 artists mostly
FLACs

*Want a webapp ?* See
http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS

Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread DJanGo

PasTim wrote: 
> I'm not trying to be clever or better, just trying to understand my
> options.  I'm the only (valid) user.  Why would I need to change a
> setting on an update? 
> 
> I don't really understand what or who you mean about the "clever" guys
> (and presumably gals) and Michael changing settings for them, but it
> doesn't matter.

@Tim:
The "clever" people are the people that cause Michael to open this
thread and think about a "solution" or minimize the worst case
scenario.

AFAIK Michael wants a solution that the settings from LMS (even when the
LMS Server IP & Ports are forwarded to the Internet) are "safer" than
now.

Your idea (completely disable the access except for "known" IPs) sounds
clever and might be a better solution, but (the people we are talking
about) would redo these changes (if Michael would add them in a next
version) because that would stop these people from accessing their LMS
from all over the world.

Since setting up a VPN isn't that easy/simple and we're dealing with lots
of different devices and use cases..

@d6jg
There are only two options

- The more common "easy" way: the router handles gateway and VPN
- The "special" scenario with a demilitarized zone (DMZ) - used by
  techies where router & firewall are separate devices



DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread Michael Herger

> My gateway is also my VPN server. It may be more common than you think.


Are you saying you're facing any issue due to these recent changes?

I said it wasn't common because I doubt there are many LMS users using a 
VPN. That simple. And in a VPN situation you would dial in to the 
router, but AFAIK the client would receive its own IP address from 
through the VPN. In that case LMS would not see the gateway's address 
but the one of the remote client.


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread d6jg

mherger wrote: 
> > This unfortunately might be a very common problem as a VPN server is
> > often the GW (Mine is both, IPSEC and SSL)
> 
> I doubt it'll be anywhere near "common". Please let me know if it causes
> you a problem.
> 
> -- 
> 
> Michael

My gateway is also my VPN server. It may be more common than you think.



PI3 PCP/LMS STORAGE QNAP TS419P (NFS)
*Living Room* - Joggler & SB3 -> Onkyo TS606 -> Celestion F20s
*Office* - Pi3+Sreen -> Sony TAFE320 -> Celestion F10s / Pi2+DAC & SB3
-> Onkyo CRN755 -> Wharfedale Modus Cubes
*Dining Room* -> SB Boom 
*Kitchen* -> UE Radio (upgraded to SB Radio)
*Bedroom (Bedside)* - Pi2+DAC ->ToppingTP21 ->AKG Headphones
*Bedroom (TV)* - SB Touch ->Sherwood AVR ->Mordaunt Short M10s
Everything controlled by iPeng

d6jg's Profile: http://forums.slimdevices.com/member.php?userid=44051


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread PasTim

DJanGo wrote: 
> Hi,
> 
> sounds like a "clever" idea but
> 
> 1)
> Who should change that setting?
> 
> The Installer/updater on a clean install -> yes
> The Installer/updater on an update install -> 
> The Installer/updater on an update install where -allowedHosts: 127.*,-
> not in the Server.prefs -> yes
> 
> 2)
> Remember the guys we are talking about are "clever" - when Michael
> changes these settings for them -> they can't use LMS from outside (and
> these clever guys are stupid enough to change that setting back to
> something they think of)
> 
> IMHO Michael had the "better" idea with "LMS is available from
> everywhere but the settings are only from internal except Gateway"
I'm not trying to be clever or better, just trying to understand my
options.  I'm the only (valid) user.  Why would I need to change a
setting on an update? 

I don't really understand what or who you mean about the "clever" guys
(and presumably gals) and Michael changing settings for them, but it
doesn't matter.



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread DJanGo

PasTim wrote: 
> Notwithstanding the recent LMS security improvements, I assume that
> explicitly specifying each of the local IP addresses that might use LMS
> in the 'Allowed' list, and not including the router, will achieve much
> the same effect, so I don't need to use the CLI password. If an SSH or
> VPN server is on the home network that could be explicitly included or
> excluded as required.

Hi,

sounds like a "clever" idea but

1)
Who should change that setting?

The Installer/updater on a clean install -> yes
The Installer/updater on an update install -> 
The Installer/updater on an update install where -allowedHosts: 127.*,-
not in the Server.prefs -> yes

2)
Remember the guys we are talking about are "clever" - when Michael
changes these settings for them -> they can't use LMS from outside (and
these clever guys are stupid enough to change that setting back to
something they think of)

IMHO Michael had the "better" idea with "LMS is available from
everywhere but the settings are only from internal except Gateway"



DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread PasTim

Notwithstanding the recent LMS security improvements, I assume that
explicitly specifying each of the local IP addresses that might use LMS
in the 'Allowed' list, and not including the router, will achieve much
the same effect, so I don't need to use the CLI password. If an SSH or
VPN server is on the home network that could be explicitly included or
excluded as required.



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread Paul Webster

I have not updated my LMS yet but I thought I'd try connecting via a VPN
to see what happens.
I installed OpenVPN on a Pi (not the one running LMS) and used port
forwarding on intermediate routers to get the traffic from an iOS device
using iPeng through the VPN server to the LMS server ... and it worked.
LMS logs show that it saw the IP address of the connection as being the
VPN server.
So I think that when I update LMS this will still work without me
needing to set a password on LMS.

I know that my LMS is not reachable from outside except through this VPN
so this is good for me.



Paul Webster
http://dabdig.blogspot.com

Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-16 Thread Michael Herger

> Mea culpa, I just forgot the NAT/Routing Mode from some devices.
> 
> There is the transparent Mode and the NAT/Routing Mode; that's the one
> Michael is using. That Mode really translates the external IP from
> sender/receiver to the router.


Both modes now should be covered.

--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-15 Thread PasTim

mherger wrote: 
> > I therefore surmise that the SSH server is sending from the music
> > server's own IP address to the same address.
> 
> Hmm... it depends on how your tool is setting up the tunnel. But when I
> ssh into my box and forward requests to the internal IP of the LMS
> machine, then LMS does see the IP address of the SSH server. If that was
> the router itself (which I doubt), then LMS would see the gateway
> address. If the router forwarded SSH to some other box, then LMS would
> see that other box' IP address.
> 
> -- 
> 
> Michael
My router is forwarding all incoming on port 22 to the music server
where there is an SSH server, so that matches what you say.



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread Michael Herger

> I therefore surmise that the SSH server is sending from the music
> server's own IP address to the same address.


Hmm... it depends on how your tool is setting up the tunnel. But when I 
ssh into my box and forward requests to the internal IP of the LMS 
machine, then LMS does see the IP address of the SSH server. If that was 
the router itself (which I doubt), then LMS would see the gateway 
address. If the router forwarded SSH to some other box, then LMS would 
see that other box' IP address.


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread Michael Herger

> Mea culpa, I just forgot the NAT/Routing Mode from some devices.
> 
> There is the transparent Mode and the NAT/Routing Mode; that's the one
> Michael is using. That Mode really translates the external IP from
> sender/receiver to the router.


Oh, good point. Thanks for the hint. I did have a check for non-local 
addresses in that code at some point. Should have left it in.


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread DJanGo

DJanGo wrote: 
> And that's exactly how it works.
> 
> own PC -> private IP Address -> Router ISP official IP Address ->
> {Internet} <- Router external IP <- foreign private IP.
> 
> It's the MAC Address that's changed to the router not the IP.

Mea culpa, I just forgot the NAT/Routing Mode from some devices.

There is the transparent Mode and the NAT/Routing Mode; that's the one
Michael is using. That Mode really translates the external IP from
sender/receiver to the router.



DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread DJanGo

paul- wrote: 
> Not that I do this, but I opened up the ports to do some testing.  On my
> Netgear router, when it lets the traffic in, the connection at the
> server is shown as whatever the external device address is.

And that's exactly how it works.

own PC -> private IP Address -> Router ISP official IP Address ->
{Internet} <- Router external IP <- foreign private IP.

It's the MAC Address that's changed to the router not the IP.



DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread paul-

mherger wrote: 
> I guess that most systems which currently are systematically attacked
> simply forward port 900x on their router to LMS. In this case the
> incoming IP address would be the gateway's.

Not that I do this, but I opened up the ports to do some testing.  On my
Netgear router, when it lets the traffic in, the connection at the
server is shown as whatever the external device address is.



paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread PasTim

mherger wrote: 
> > I got no report at all with the plugin.cli info settings.
> 
> plugin.cli is only used by the CLI itself. But network.http=info would
> be more helpful.
> 
> > So a local port 9000 is set up in ConnectBot to route to my
> > home-server-ip-address:9000.
> 
> That's a use case I haven't tested yet. Will do. Could you please enable
> logging as mentioned above, then see what IP address LMS is seeing? Also
> what is your gateway's IP, and your server's?
> 
> -- 
> 
> Michael
I turned that info on, and looked at "HTTP request: from " lines.  I got
them from my desktop (...2), my Touch (...7), and the music server
itself (...10) when I connected from my mobile.  I can see nothing from
my gateway (I searched for it). 

I therefore surmise that the SSH server is sending from the music
server's own IP address to the same address.  

If you need bits of the log I could pm them (tomorrow) rather than
attach them here (being paranoid, I know).



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread Michael Herger

> However, the gateway is only a hop point.  Even in a DNAT network, if
> you allow an external device through the firewall, it will not have the
> gateway's address.


I guess that most systems which currently are systematically attacked 
simply forward port 900x on their router to LMS. In this case the 
incoming IP address would be the gateway's.


I know the current code is far from perfect. But it certainly covers 
many of the cases I've seen so far. I do know there are already 
installations out there which take advantage of this slightly improved 
default behaviour.


Please note that I did NOT implement this to make publishing your LMS to 
the world more safe. I'm still saying: don't do it. But I know that many 
users did it out of some need, or ignorance. And many of them are not 
aware of the problem. In these cases new LMS at least does provide a 
minimum more protection than before.


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread Michael Herger

> I got no report at all with the plugin.cli info settings.


plugin.cli is only used by the CLI itself. But network.http=info would 
be more helpful.



> So a local port 9000 is set up in ConnectBot to route to my
> home-server-ip-address:9000.


That's a use case I haven't tested yet. Will do. Could you please enable 
logging as mentioned above, then see what IP address LMS is seeing? Also 
what is your gateway's IP, and your server's?


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread paul-

PasTim wrote: 
> I don't know how the ip_is_gateway works, but since the IP I see for ssh
> is certainly not for my gateway maybe that's why it doesn't get trapped
> on my system (which has no password set).

He is simply using the LMS server's routing table to find the gateway
address.

If I read the Perl correctly (which there is a good chance that I am
not)

Allowed Addresses
- IP address of the server itself
- 127.0.0.1
- Any address in the list of permitted IP addresses defined on the
  Security page.

Not Allowed Addresses
- Gateway address of the LMS server.


However, the gateway is only a hop point.  Even in a DNAT network, if
you allow an external device through the firewall, it will not have the
gateway's address.



paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
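
The check paul- summarises above, and the gap he points out, modelled in Python as an added example (not LMS code and not part of any post). The addresses, the wildcard matching, the 'rejected' fallback and the block_non_local switch are assumptions made for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed lab addresses (assumptions, not taken from the thread).
SERVER_IP = "192.168.1.10"   # the LMS host itself
GATEWAY_IP = "192.168.1.1"   # default gateway in the LMS host's routing table
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Keys named after the prefs in the quoted Perl; the values are examples.
DEFAULT_PREFS = {"protectSettings": True, "authorize": False,
                 "filterHosts": False, "allowedHosts": ["127.*"]}


def ip_is_localhost(addr):
    """Loopback or the server's own address (paul-'s reading of the check)."""
    return ipaddress.ip_address(addr).is_loopback or addr == SERVER_IP


def ip_is_gateway(addr):
    """True when the source address is the server's default gateway."""
    return addr == GATEWAY_IP


def is_local_network(addr):
    """True for loopback and RFC 1918 private addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in RFC1918)


def is_allowed_host(addr, allowed_hosts):
    """Server itself, or a wildcard match such as '127.*' (matching rules assumed)."""
    return ip_is_localhost(addr) or any(fnmatchcase(addr, p) for p in allowed_hosts)


def cli_decision(addr, prefs, block_non_local=False):
    """Return 'blocked', 'accepted' or 'rejected' for a connection from addr.

    block_non_local is a hypothetical switch illustrating the "check for
    non-local addresses" mentioned elsewhere in the thread.
    """
    no_password = prefs["protectSettings"] and not prefs["authorize"]
    if not ip_is_localhost(addr) and no_password:
        if ip_is_gateway(addr):
            return "blocked"      # first branch of the quoted Perl
        if block_non_local and not is_local_network(addr):
            return "blocked"      # hypothetical extension
    if not prefs["filterHosts"] or is_allowed_host(addr, prefs["allowedHosts"]):
        return "accepted"         # elsif branch of the quoted Perl
    return "rejected"             # assumed: the else branch is not shown in the thread


# Source address LMS would see in each setup discussed in the thread (constructed).
SCENARIOS = [
    ("port forward, router rewrites source (NAT/routing mode)", GATEWAY_IP),
    ("port forward, source address preserved", "203.0.113.7"),
    ("SSH tunnel ending on the LMS host", SERVER_IP),
    ("VPN client with its own tunnel address", "10.8.0.6"),
]


def run_scenarios(prefs=DEFAULT_PREFS):
    """Map scenario -> (gateway-only decision, decision with the non-local check)."""
    return {name: (cli_decision(ip, prefs),
                   cli_decision(ip, prefs, block_non_local=True))
            for name, ip in SCENARIOS}


if __name__ == "__main__":
    for name, (gw_only, with_non_local) in run_scenarios().items():
        print(f"{name:58} {gw_only:9} {with_non_local}")
```

In this model a gateway-sourced connection is accepted once authorize is on, because the first branch is skipped and the password does the gatekeeping instead.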


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread PasTim

Paul Webster wrote: 
> Try increasing the log level for the module I referred to above.
> I think it will log both success and failure with the IP address.
I got no report at all with the plugin.cli info settings.

Maybe I have misunderstood something (wouldn't be the first time!), so I
had better be more precise about what I'm doing.

I am connecting via my mobile, using a data connection, not wifi.  I use
an app called ConnectBot to connect with SSH to LMS via a netgear DDNS
service to my router which has port 22 open.  I have a public key shared
between my mobile and the music server.  ConnectBot has the ability to
listen to local ports on the mobile and forward on the requests to my
music server.  

So a local port 9000 is set up in ConnectBot to route to my
home-server-ip-address:9000.  I can connect mobile LMS tools (eg Squeeze
Commander and Squeeze Player), or just my web browser connecting to
http://localhost:9000.  Using the browser, I can look at LMS settings
and change some (stopping and restarting the UPnP bridge for instance).

I know almost nothing about the internals of LMS or its CLI.  Does using
a web browser go via CLI and hence get checked when accessing Settings?



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread Paul Webster

PasTim wrote: 
> Yes, I have that code.  In my server.prefs 'protectSettings' is set to
> 1.  I don't know how the ip_is_gateway works, but since the IP I see for
> ssh is certainly not for my gateway maybe that's why it doesn't get
> trapped on my system (which has no password set).

Try increasing the log level for the module I referred to above.
I think it will log both success and failure with the IP address.



Paul Webster
http://dabdig.blogspot.com

Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread PasTim

Paul Webster wrote: 
> Correction - I see it was merged into 7.9 branch 5 days ago.
> https://github.com/Logitech/slimserver/tree/public/7.9/Slim/Plugin/CLI
> 
> Try turning on Info level logging in "(plugin.cli) - Command Line
> Interface (CLI)"
> 
> If you have access to the source code then check
> Slim/Plugin/CLI/Plugin.pm
> to see if it contains
> 
> Code:
> 
>     if ( !Slim::Utils::Network::ip_is_localhost($tmpaddr)
>         && $prefsServer->get('protectSettings') && !$prefsServer->get('authorize')
>         && Slim::Utils::Network::ip_is_gateway($tmpaddr)
>     ) {
>         $log->error("Access to CLI is restricted to the local network or localhost: $tmpaddr");
>         $cli_socket->close;
>     }
>     elsif (!($prefsServer->get('filterHosts')) || (Slim::Utils::Network::isAllowedHost($tmpaddr))) {
> 
Yes, I have that code.  In my server.prefs 'protectSettings' is set to
1.  I don't know how the ip_is_gateway works, but since the IP I see for
ssh is certainly not for my gateway maybe that's why it doesn't get
trapped on my system (which has no password set).



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread Paul Webster

Paul Webster wrote: 
> I noticed the changes in the secureSettings branch in github.
> I don't think it is in the daily build yet.

Correction - I see it was merged into 7.9 branch 5 days ago.
https://github.com/Logitech/slimserver/tree/public/7.9/Slim/Plugin/CLI

Try turning on Info level logging in "(plugin.cli) - Command Line
Interface (CLI)"

If you have access to the source code then check
Slim/Plugin/CLI/Plugin.pm
to see if it contains

Code:

    if ( !Slim::Utils::Network::ip_is_localhost($tmpaddr)
        && $prefsServer->get('protectSettings') && !$prefsServer->get('authorize')
        && Slim::Utils::Network::ip_is_gateway($tmpaddr)
    ) {
        $log->error("Access to CLI is restricted to the local network or localhost: $tmpaddr");
        $cli_socket->close;
    }
    elsif (!($prefsServer->get('filterHosts')) || (Slim::Utils::Network::isAllowedHost($tmpaddr))) {




Paul Webster
http://dabdig.blogspot.com

Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
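
A model of the condition quoted in the message above, as an added example that is not LMS code: it follows the description given elsewhere in this thread (a request from the network's default gateway is assumed to come from outside). The function names, the loopback-only localhost test, the CIDR form of `allowedHosts`, the peer addresses and the sample routing table are assumptions made for illustration.

```python
import ipaddress
import socket
import struct

# Constructed sample in the layout of Linux /proc/net/route. Addresses are
# little-endian hex; the default route has Destination 00000000.
SAMPLE_ROUTES = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
)

RTF_GATEWAY = 0x2


def default_gateway(route_table):
    """Return the default gateway as a dotted quad, or None if there is none."""
    for line in route_table.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, gw, flags = fields[1], fields[2], int(fields[3], 16)
        if dest == "00000000" and flags & RTF_GATEWAY:
            return socket.inet_ntoa(struct.pack("<L", int(gw, 16)))
    return None


def is_allowed_host(addr, prefs):
    """Simplified stand-in for isAllowedHost (assumption): loopback is always
    allowed and allowedHosts is a list of CIDR networks."""
    return addr.is_loopback or any(
        addr in ipaddress.ip_network(net) for net in prefs.get("allowedHosts", [])
    )


def cli_decision(peer, prefs, gateway):
    """Mirror the two branches of the quoted condition for one peer address."""
    addr = ipaddress.ip_address(peer)
    from_gateway = gateway is not None and addr == ipaddress.ip_address(gateway)
    if (not addr.is_loopback            # stand-in for ip_is_localhost
            and prefs.get("protectSettings")
            and not prefs.get("authorize")
            and from_gateway):          # stand-in for ip_is_gateway
        return "closed"
    if not prefs.get("filterHosts") or is_allowed_host(addr, prefs):
        return "passes host filter"
    return "fails host filter"


# Constructed peers, one per situation raised in the thread.
CASES = {
    "127.0.0.1": "localhost, or an SSH tunnel ending on the server itself",
    "192.168.1.20": "device on the LAN",
    "192.168.1.1": "forwarded or VPN traffic arriving with the gateway's address",
    "203.0.113.7": "connection whose peer address is external, not the gateway",
}


def audit(prefs, route_table=SAMPLE_ROUTES):
    """Return {peer: verdict} for every constructed case under the given prefs."""
    gateway = default_gateway(route_table)
    return {peer: cli_decision(peer, prefs, gateway) for peer in CASES}


if __name__ == "__main__":
    no_password = {"protectSettings": 1, "authorize": 0, "filterHosts": 0}
    for peer, verdict in audit(no_password).items():
        print(f"{peer:<14} {verdict:<20} {CASES[peer]}")
```

With no password set, only the peer carrying the gateway's own address is closed, which also covers a VPN server running on the gateway. A peer address that is neither local nor the gateway falls through to the host filter, so `filterHosts` is what decides it.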



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread JJZolx

Ok, I see it. Thanks.



JJZolx's Profile: http://forums.slimdevices.com/member.php?userid=10
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread drmatt

JJZolx wrote: 
> How do you determine that the connection is coming from "outside"? If
> someone is doing port forwarding in order to make the LMS server
> available to the internet, wouldn't the connection appear to come from
> the router on the same subnet?

I think you answered your own question, read back up the thread.


-Transcoded from Matt's brain by Tapatalk-



--
Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with
Debian+LMS 7.9.0
Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k
albums..

drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread JJZolx

mherger wrote: 
> > As I understand it from some of the previous discussion, something has
> > been added to a recent LMS to require a password to change settings if
> > coming from the router/gateway address.  Is that right?  If so, which
> > password is that?
> 
> I tried to explain this before... If you have a password set, then 
> you're all fine. If you haven't, then you won't be able to access the 
> settings from the outside. LMS won't ask for a password unless you've 
> set it yourself.

How do you determine that the connection is coming from "outside"? If
someone is doing port forwarding in order to make the LMS server
available to the internet, wouldn't the connection appear to come from
the router on the same subnet?



JJZolx's Profile: http://forums.slimdevices.com/member.php?userid=10
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread PasTim

Paul Webster wrote: 
> I noticed the changes in the secureSettings branch in github.
> I don't think it is in the daily build yet.
I see. I think I misunderstood 'stable release' to mean beyond the 9.1
beta daily updates, rather than just in github.



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-14 Thread Paul Webster

PasTim wrote: 
> I'm running Logitech Media Server Version: 7.9.1 - 1515659378 @ Thu Jan
> 11 09:26:58 UTC 2018
I noticed the changes in the secureSettings branch in github.
I don't think it is in the daily build yet.



Paul Webster
http://dabdig.blogspot.com

Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-13 Thread PasTim

Paul Webster wrote: 
> What does your LMS system see as your IP address when you connect in via
> that route?
> I don't remember if LMS logs it ... but you could SSH to the LMS server
> and type
> set | grep -i ssh
> on a pCP server (and I suspect other Linux platforms) you will see the
> IP address of this SSH session.
It's an external IP address that I don't recognise - it isn't an
internal one, nor the external IP address of my router/gateway.

I have tried looking at the standard web page in the mobile browser, and
can still see all the settings and have changed one or two advanced
plugin settings.

I'm running Logitech Media Server Version: 7.9.1 - 1515659378 @ Thu Jan
11 09:26:58 UTC 2018



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-13 Thread Paul Webster

PasTim wrote: 
> I managed to get my remote access working again (a while since I had
> used it and some bits and bobs have changed).  Using SSH (port 22) and
> public key.  With Squeeze Commander I could still change the audio
> settings of players, even though I have no CLI password set.  Is this
> what you would expect?  
> 
What does your LMS system see as your IP address when you connect in via
that route?
I don't remember if LMS logs it ... but you could SSH to the LMS server
and type
set | grep -i ssh
on a pCP server (and I suspect other Linux platforms) you will see the
IP address of this SSH session.



Paul Webster
http://dabdig.blogspot.com

Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-13 Thread PasTim

mherger wrote: 
> > As I understand it from some of the previous discussion, something has
> > been added to a recent LMS to require a password to change settings if
> > coming from the router/gateway address.  Is that right?  If so, which
> > password is that?
> 
> I tried to explain this before... If you have a password set, then 
> you're all fine. If you haven't, then you won't be able to access the 
> settings from the outside. LMS won't ask for a password unless you've 
> set it yourself.
> 
> -- 
> 
> Michael
I managed to get my remote access working again (a while since I had
used it and some bits and bobs have changed).  Using SSH (port 22) and
public key.  With Squeeze Commander I could still change the audio
settings of players, even though I have no CLI password set.  Is this
what you would expect?  

Setting a password would be problematic for some of my plugins, like the
UPnP bridge.



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-13 Thread drmatt

mherger wrote: 
> > Ok, figured it might be something like that. Not an easy problem to
> > solve. In this circumstance it would be better to receive a page back
> > that says *why* the request was blocked and where to look to allow it
> > rather than a 403. Anonymise the hell out of the response of course so
> > people can't reasonably guess it's an LMS instance.
> 
> That's kind of an oxymoron, isn't it? Tell the user what to do to open 
> the door, but not tell the attacker what system it is?...
> 
> -- 
> 
> Michael

Yes, I know. Thought that as I wrote it. But a change to default
behaviour really should be documented.


-Transcoded from Matt's brain by Tapatalk-



--
Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with
Debian+LMS 7.9.0
Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k
albums..

drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread Jeff07971

mherger wrote: 
> > This unfortunately might be a very common problem as a VPN server is
> > often the GW (Mine is both, IPSEC and SSL)
> 
> I doubt it'll be anywhere near "common". Please let me know if it causes
> you a problem.
> 
> -- 
> 
> Michael

Hi Michael

No, I don't think it'll be a problem for me, my LMS is via an HTTPS
(passworded) proxy or by VPN only so don't even need to turn the password
on

Thanks anyway

Jeff



*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezeLiteX,PiCorePlayer
x3,Wandboard
*Server:* LMS Version:  Latest Nightly on Centos 7 VM on ESXi 6.5.0U1 on
Dell T320
*Plugins:*
AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud/Spotty/Player
Groups
*Remotes:* iPeng9/Orangesqueeze/PC/Jivelite/SqueezeLiteX
*Music:* 522GB,1660 albums with 23087 songs by 5204 artists mostly
FLACs

*Want a webapp ?* See
http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS

Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread Michael Herger

> Ok, figured it might be something like that. Not an easy problem to
> solve. In this circumstance it would be better to receive a page back
> that says *why* the request was blocked and where to look to allow it
> rather than a 403. Anonymise the hell out of the response of course so
> people can't reasonably guess it's an LMS instance.


That's kind of an oxymoron, isn't it? Tell the user what to do to open 
the door, but not tell the attacker what system it is?...


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread Michael Herger

> As I understand it from some of the previous discussion, something has
> been added to a recent LMS to require a password to change settings if
> coming from the router/gateway address.  Is that right?  If so, which
> password is that?


I tried to explain this before... If you have a password set, then 
you're all fine. If you haven't, then you won't be able to access the 
settings from the outside. LMS won't ask for a password unless you've 
set it yourself.


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread Michael Herger

> This unfortunately might be a very common problem as a VPN server is
> often the GW (Mine is both, IPSEC and SSL)


I doubt it'll be anywhere near "common". Please let me know if it causes 
you a problem.


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread drmatt

mherger wrote: 
> > Interested to see how the code can distinguish an external request from
> > internal though.
> 
> It's not very sophisticated, and not even fully correct: when a request
> is coming from the network's default gateway, I'm assuming it's coming
> from the outside. I know that this is a rather simplistic approach. But
> I thought I'd push it out this way and see whether people run into
> issues :-). If they do, then at least they can double check their
> network configuration to make sure they really don't open things up.
> 
> And then there's that undocumented pref you can set to disable the check
> in such an exceptional case.
> 

Ok, figured it might be something like that. Not an easy problem to
solve. In this circumstance it would be better to receive a page back
that says *why* the request was blocked and where to look to allow it
rather than a 403. Anonymise the hell out of the response of course so
people can't reasonably guess it's an LMS instance.


-Transcoded from Matt's brain by Tapatalk-



--
Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with
Debian+LMS 7.9.0
Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k
albums..

drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread PasTim

I'm not sure whether I'm an 'average joe' or not.  However, having spent
a working lifetime in IT (albeit nothing much to do with security) I
suspect not quite (judging by most of my friends).  Nonetheless I have
found it pretty hard to work out how to do stuff like use ssh, ddns (my
IP address changes most nights), open selected ports in the router and
so on to make it all work with some semblance of security.  I have a
public key exchange set up between my mobile and laptop (using ssh) and
my music server, and don't allow password access.  Being retired I have
time to work such things through when I know they must be possible, even
when I can't quite get them to work for quite a while :)

As I understand it from some of the previous discussion, something has
been added to a recent LMS to require a password to change settings if
coming from the router/gateway address.  Is that right?  If so, which
password is that?  I have LMS from yesterday installed.

I may never want to do this, but I'd like to know, just in case



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread Jeff07971

mherger wrote: 
> > Clearly, computers should be licensed only to those who can pass a
> > test... (and device developers should be forced to use the products they
> > produce...)
> 
> Ahm... well, at least for the SB I can assure you, I do use it. But
> there clearly are products I've been working on I hardly ever (or never)
> use... And this admittedly is a problem for a dev.
> 
> > Interested to see how the code can distinguish an external request from
> > internal though.
> 
> It's not very sophisticated, and not even fully correct: when a request
> is coming from the network's default gateway, I'm assuming it's coming
> from the outside. I know that this is a rather simplistic approach. But
> I thought I'd push it out this way and see whether people run into
> issues :-). If they do, then at least they can double check their
> network configuration to make sure they really don't open things up.
> 
> And then there's that undocumented pref you can set to disable the check
> in such an exceptional case.
> 
> -- 
> 
> Michael

This unfortunately might be a very common problem as a VPN server is
often the GW (Mine is both, IPSEC and SSL)



*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezeLiteX,PiCorePlayer
x3,Wandboard
*Server:* LMS Version:  Latest Nightly on Centos 7 VM on ESXi 6.5.0U1 on
Dell T320
*Plugins:*
AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud/Spotty/Player
Groups
*Remotes:* iPeng9/Orangesqueeze/PC/Jivelite/SqueezeLiteX
*Music:* 522GB,1660 albums with 23087 songs by 5204 artists mostly
FLACs

*Want a webapp ?* See
http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS

Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread Michael Herger

> Clearly, computers should be licensed only to those who can pass a
> test... (and device developers should be forced to use the products they
> produce...)


Ahm... well, at least for the SB I can assure you, I do use it. But 
there clearly are products I've been working on I hardly ever (or never) 
use... And this admittedly is a problem for a dev.



> Interested to see how the code can distinguish an external request from
> internal though.


It's not very sophisticated, and not even fully correct: when a request 
is coming from the network's default gateway, I'm assuming it's coming 
from the outside. I know that this is a rather simplistic approach. But 
I thought I'd push it out this way and see whether people run into 
issues :-). If they do, then at least they can double check their 
network configuration to make sure they really don't open things up.


And then there's that undocumented pref you can set to disable the check 
in such an exceptional case.


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread Michael Herger

> whatever Joe uses it must be somewhere up2date. And needs some minimal
> security.

Fully agreed. Up to date and well configured. Then the difference in 
terms of ssh vs. VPN isn't what you think.

> Using VPN or not is a big difference.

As is ssh. But again: only if well configured etc. You mention the 
"hacking" of Raspis over ssh which was basically just using the default 
password. That's stupid. But if your VPN is configured the same stupid 
way, then it's no more secure.

> Cracker Jimboy needs to crack/hack/social-engineer your vpn settings.

No more than your ssh setup.

> I don't think any Joe on linux is using tools like faillock or something
> else.

Unless it's configured by default in your OS (which happened to me, and 
I didn't know before being locked out...).

> So what do you expect me to do?

Take a break.

> Tell joe what to do on his 512MB NAS ?
> Tell joe don't do it unless you really know what you're doing?

Yes.

--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread drmatt

Clearly, computers should be licensed only to those who can pass a
test... (and device developers should be forced to use the products they
produce...)

Interested to see how the code can distinguish an external request from
internal though.


-Transcoded from Matt's brain by Tapatalk-



--
Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with
Debian+LMS 7.9.0
Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k
albums..

drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread DJanGo

slartibartfast wrote: 
> That does target devices with the default password though. -You- would
> normally change it.

Is -You- Average Joe ?
How many additional lines are needed to send not the std. password but
a phrase from a dictionary? 
The Answer is: one additional line of source code.



DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread slartibartfast

DJanGo wrote: 
> Since Michael didn't see edits.
> 
> just a not so old example
> http://www.zdnet.com/article/linux-malware-enslaves-raspberry-pi-to-mine-cryptocurrency/

That does target devices with the default password though. You would
normally change it.

Sent from my SM-G900F using Tapatalk





slartibartfast's Profile: http://forums.slimdevices.com/member.php?userid=35609
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread DJanGo

Since Michael didn't see edits.

just a not so old example
http://www.zdnet.com/article/linux-malware-enslaves-raspberry-pi-to-mine-cryptocurrency/



DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread DJanGo

mherger wrote: 
> But then, please tell Joe Average what safe method there is to access
> his network from the outside.
> If ssh isn't, then don't even start to type the other three letters
> starting with "V".
> 
> -- 
> 
> Michael

Hi,

Whatever Joe uses, it must be somewhere up2date. And needs some minimal
security.

Using VPN or not is a big difference.
Cracker Jimboy needs to crack/hack/social-engineer your vpn settings.
That's a big step for him - unless Joe uses some very old methods for his
vpn.
Simply natting a vpn port to the world is a bad idea - whatever port
you're natting, everyone who scans for open ports finds the real service
behind that very soon and very easily.

I don't think any Joe on linux is using tools like faillock or something
else.
Maybe some are using something like iptables to allow ssh from special
ips only.

So what do you expect me to do?
Tell joe what to do on his 512MB NAS ?
Tell joe don't do it unless you really know what you're doing?



DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread Michael Herger

> Since i am in charge for the computer stuff in my company and should
> know some tricks and basics - i cant say ssh from outside is somewhere
> near safe.


We all appreciate your knowledge. But then, please tell Joe Average what 
safe method there is to access his network from the outside. If ssh 
isn't, then don't even start to type the other three letters starting 
with "V".


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-12 Thread DJanGo

mherger wrote: 
> > Is opening those ports in this way likely to expose me to much risk?
> 
> SSH should be fine if it's well configured and maintained.
> 
> -- 
> 
> Michael

mea culpa Michael,

but that's a little bit too short

Remember that under a current version of Raspbian ssh isn't activated out of
the box any more because of security reasons.

It's not a question of a well configured ssh - it's a matter of strong
passwords for users that could access ssh.

Since I am in charge of the computer stuff in my company and should
know some tricks and basics - I can't say ssh from outside is somewhere
near safe.



DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-11 Thread Michael Herger

> How do you require a password if one hasn't been set in the options?


You can't. In order to get access to the settings from the outside you'd 
have to set a password. Otherwise you'd simply get blocked (http status 
403 - "forbidden"), no questions asked.


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-11 Thread JJZolx

How do you require a password if one hasn't been set in the options?



JJZolx's Profile: http://forums.slimdevices.com/member.php?userid=10
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-11 Thread Michael Herger

> I see some LMS changes being made to try to improve this (password
> needed to get to settings from outside).
> Of course, it will need people to update their LMS to do it but a good
> first step.


That's correct. I was fighting over this myself. But looking at open 
systems there obviously are quite a few who do install updates. I might 
actually do a release in the near future to push the changes out to 
users of the "stable" release, too.


--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2018-01-11 Thread Paul Webster

I see some LMS changes being made to try to improve this (password
needed to get to settings from outside).
Of course, it will need people to update their LMS to do it but a good
first step.



Paul Webster
http://dabdig.blogspot.com

Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-12-07 Thread PasTim

mherger wrote: 
> > Is opening those ports in this way likely to expose me to much risk?
> 
> SSH should be fine if it's well configured and maintained.
> 
> -- 
> 
> Michael
Thanks.



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-12-06 Thread Michael Herger

> Is opening those ports in this way likely to expose me to much risk?


SSH should be fine if it's well configured and maintained.

--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-12-06 Thread PasTim

I have tested (and occasionally used) LMS remotely on my mobile using an
SSH login with a public/private key arrangement, from mobile and DDNS
(since my IP changes regularly).  To enable this I opened port 9 (for
Wake on Wan) and 22 for SSH to my LMS server. I closed the ports after
the test.

Is opening those ports in this way likely to expose me to much risk?



LMS 7.9.1 on VortexBox Midi box, Xubuntu 17.10, FLACs 16->24 bit,
44.1->192kbps.  Touch & EDO. 2nd Touch standard.
LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (to A308CR amp & ESLs) &
Marantz CR603 UPnP renderers.  
Alternatively Minimserver & Upplay to same & to upmpdcli/mpd PC
renderers.  
Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.  
Wireless Xubuntu 17.10 laptop firefox/upplay or Android 'phone with
Squeeze-Commander/BubbleUPnP controls LMS/Minimserver.

PasTim's Profile: http://forums.slimdevices.com/member.php?userid=41642
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-12-04 Thread bambadoo

Yes did that. 
Had to do it on a new virtual instance of a Linux server install. OpenVPN.
Everything works out fine.
Gave up on dd-wrt and the OpenVPN server install there. Made it work but the
router became unstable (100% CPU).

Actually a better solution than exposing LMS directly to the internet, IMO.



bambadoo's Profile: http://forums.slimdevices.com/member.php?userid=65282
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-11-23 Thread Jeff07971

bambadoo wrote: 
> Another victim here. Couldn't figure out what happened. Crashed
> occasionally. High cpu spikes and gallery plugin was installed. Disabled
> it and it kept coming back..
> This was on a Netgear NAS and it scanned through everything. 
> Also additional repos were configured.
> Music library is around 16 songs (13400 albums - flac) so it is
> quite big. 
> Disabled port forwarding, uninstalled everything and installed LMS on 3
> different machines. 
> On win2012, raspberry pi2 and again on the LMS. At least everything
> works fine internally on my network again. Would love to be able to
> bring the music to my cellphone again. Used squeezeplay and squeezer app
> on android. 
> 
> Before this happened I never had any issues.

It sounds like you know what you're doing, so just set up an SSL VPN and
use the OpenVPN app on your phone. Works great.



*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezePlayer,PiCorePlayer
x3,Wandboard
*Server:* LMS Version:  7.9.1 - 1503129892 on Centos 7 VM on ESXi
6.5.0U1 on Dell T320
*Plugins:* AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud
*Remotes:* iPeng8/Orangesqueeze/PC/Jivelite
*Music:* 383GB,1269 albums 17756 songs 4381 artists mostly FLACs

*Want a webapp ?* See
http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS

Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-11-23 Thread bambadoo

Another victim here. Couldn't figure out what happened. Crashed
occasionally. High cpu spikes and gallery plugin was installed. Disabled
it and it kept coming back..
This was on a Netgear NAS and it scanned through everything. 
Also additional repos were configured.
Music library is around 16 songs (13400 albums - flac) so it is
quite big. 
Disabled port forwarding, uninstalled everything and installed LMS on 3
different machines. 
On win2012, raspberry pi2 and again on the LMS. At least everything
works fine internally on my network again. Would love to be able to
bring the music to my cellphone again. Used squeezeplay and squeezer app
on android. 

Before this happened I never had any issues.



bambadoo's Profile: http://forums.slimdevices.com/member.php?userid=65282
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-11-23 Thread Michael Herger

> After your warning (this post), I'm quite sure I've properly closed the
> open ports and also disabled the port forwarding on the internet. But
> the issue/hack still happens (actually, I can see this happen because I've
> got huge CPU load during many hours as it was scanning the hard drive).


The huge CPU load and potential crashes often were caused by the Picture 
Gallery plugin being installed by the intruders. Make sure you remove it 
or at least review its settings if you've been using it. It often was 
set up to scan all filesystems - causing the high load and crashes.



--

Michael


Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-11-22 Thread drmatt

If you're still being hacked after genuinely disabling the port from
internet access that means the hackers are already inside your
network... Suggest you look at intrusion detection software.


-Transcoded from Matt's brain by Tapatalk-



--
Hardware: 3x Touch, 1x Radio, 2x Receivers, 1 HP Microserver NAS with
Debian+LMS 7.9.0
Music: ~1300 CDs, as 450 GB of 16/44k FLACs. No less than 3x 24/44k
albums..

drmatt's Profile: http://forums.slimdevices.com/member.php?userid=59498
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-11-22 Thread Jeff07971

tom6475 wrote: 
> Hello
> 
> After your warning (this post), I'm quite sure I've properly closed the
> open ports and also disabled the port forwarding on the internet. But
> the issue/hack still happens (actually, I can see this happen because I've
> got huge CPU load during many hours as it was scanning the hard drive).
> 
> Is there any log where we could see the hack happen, what the source
> IP is, and also the ports used?
> 
> Thanks
> 
> Thomas

You could turn "INFO" (or higher) level logging on for HTTPD under
Settings>Advanced>Logging; you'll end up with big logs to grep through.
Alternatively go to "THAT" website and see if your IP address appears.



*Players:* SliMP3,Squeezebox3 x3,Receiver,SqueezePlayer,PiCorePlayer
x3,Wandboard
*Server:* LMS Version:  7.9.1 - 1503129892 on Centos 7 VM on ESXi
6.5.0U1 on Dell T320
*Plugins:* AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud
*Remotes:* iPeng8/Orangesqueeze/PC/Jivelite
*Music:* 383GB,1269 albums 17756 songs 4381 artists mostly FLACs

*Want a webapp ?* See
http://forums.slimdevices.com/showthread.php?104305-Webapp-for-LMS

Jeff07971's Profile: http://forums.slimdevices.com/member.php?userid=49290
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
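
The log search suggested in the reply above, as an added example that is not part of the original post and is not LMS code: it pulls every IPv4 address out of a set of log lines and counts the ones that are not private, loopback or link-local. The sample lines are constructed and their layout is an assumption; the filter only relies on a source address appearing somewhere in each line.

```python
import ipaddress
import re
from collections import Counter

# Addresses treated as "inside": RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Candidate dotted quads; ipaddress does the real validation.
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample lines using documentation addresses; real LMS
# log lines may be laid out differently.
SAMPLE_LOG = [
    "[17-11-22 03:12:44.1021] http request from 192.168.1.20 GET /",
    "[17-11-22 03:12:51.5530] http request from 203.0.113.77 GET /settings/",
    "[17-11-22 03:12:52.0102] http request from 203.0.113.77 POST /",
    "[17-11-22 03:13:05.7745] http request from 198.51.100.9 GET /",
    "[17-11-22 03:13:09.3310] http request from 10.8.0.6 GET /",
]


def external_sources(lines):
    """Count non-local IPv4 addresses seen in an iterable of log lines."""
    hits = Counter()
    for line in lines:
        for candidate in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # looked like an address but is not one
            if any(addr in net for net in LOCAL_NETS):
                continue  # LAN or VPN client, not interesting here
            hits[str(addr)] += 1
    return hits


def report(path):
    """Scan a log file on disk; return (address, count), busiest first."""
    with open(path, errors="replace") as fh:
        return external_sources(fh).most_common()


if __name__ == "__main__":
    for ip, count in external_sources(SAMPLE_LOG).most_common():
        print(f"{count:6d}  {ip}")
```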



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-11-22 Thread tom6475

Hello

After your warning (this post), I'm quite sure I've properly closed the
open ports and also disabled the port forwarding on the internet. But
the issue/hack still happens (actually, I can see this happen because I've
got huge CPU load during many hours as it was scanning the hard drive).

Is there any log where we could see the hack happen, what the source
IP is, and also the ports used?

Thanks

Thomas



tom6475's Profile: http://forums.slimdevices.com/member.php?userid=62635
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-10-18 Thread Paul Webster

Nonreality wrote: 
> So am I understanding that I should not have auto updates turned on in
> LMS?  
> 

No. The logic was that if an update was made to close the hole in LMS
then those with updates enabled would get it.
However, the world is not that simple.



Paul Webster
http://dabdig.blogspot.com

Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105
View this thread: http://forums.slimdevices.com/showthread.php?t=107165



Re: [slim] IMPORTANT: Stop forwarding your LMS ports to the internet!

2017-10-18 Thread Nonreality

Paul Webster wrote: 
> You could change LMS to require a password if the IP address is not
> local and have a maximum number of password attempts before suspending
> such access for X hours - and a setting to disable all of this for
> someone who really insists on taking the risk.
> At least those users who have auto-update enabled would have a bit
> better protection.

So am I understanding that I should not have auto updates turned on in
LMS?

Sent from my SM-G955U using Tapatalk



-IF THE RULE YOU FOLLOWED BROUGHT YOU TO THIS, OF WHAT USE IS THE RULE.-

HTTP://www.last.fm/user/nonreality

Nonreality's Profile: http://forums.slimdevices.com/member.php?userid=15723
View this thread: http://forums.slimdevices.com/showthread.php?t=107165
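
The access rule proposed in the post quoted above (password for non-local addresses, a cap on attempts, suspension for X hours, and a setting to switch it all off), as an added sketch that is not part of the original posts and is not how LMS implements anything. The class name, parameters and in-memory storage are assumptions made for illustration.

```python
import hmac
import ipaddress
import time

# RFC 1918, loopback and link-local ranges count as "local" here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def make_checker(secret):
    """Constant-time password comparison against a configured secret."""
    return lambda candidate: hmac.compare_digest(
        candidate.encode(), secret.encode())


class RemoteAccessGate:  # hypothetical name, not an LMS class
    def __init__(self, check_password, max_attempts=5, lockout_hours=1.0,
                 enforce=True, clock=time.monotonic):
        self.check_password = check_password
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_hours * 3600
        self.enforce = enforce      # False = the "take the risk" setting
        self.clock = clock
        self._failures = {}         # ip -> failed attempts so far
        self._locked_until = {}     # ip -> clock value when lockout ends

    def allow(self, client_ip, password=None):
        """Return True if this request may proceed."""
        if not self.enforce:
            return True
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in LOCAL_NETS):
            return True             # local clients need no password
        now = self.clock()
        until = self._locked_until.get(client_ip)
        if until is not None and now < until:
            return False            # suspended, even with the right password
        if password is None:
            return False            # remote and unauthenticated
        if self.check_password(password):
            self._failures.pop(client_ip, None)
            return True
        count = self._failures.get(client_ip, 0) + 1
        self._failures[client_ip] = count
        if count >= self.max_attempts:
            self._locked_until[client_ip] = now + self.lockout_seconds
            self._failures.pop(client_ip, None)
        return False
```

If the server sits behind a reverse proxy or NAT that rewrites the source address, every client looks local and a gate like this never asks for a password.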


