mihanson
Posted: Mon Feb 12, 2007 6:58 pm
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Fidelis wrote: As prosonik posted long ago, I want to enable access from outside my internal network to my mythweb so that users can download recorded shows. I have searched and been unable to find how to do this.
Given that I have followed the steps successfully listed in this thread, how can I configure the system to accept outside users to my mythweb?
I am using my XP machine as a gateway atm. I would prefer to keep it this way, but am open to changing it if it is necessary to allow semi-secure access to mythweb.
Fidelis, I'm re-reading your original post and seeing more places you could be running into trouble... Are ZoneAlarm's proper ports open? Will your SB5100 forward all requests to your XP gateway? Does your ISP block port 80 inbound to you? Check out this thread:
http://www.linuxquestions.org/questions/showthread.php?threadid=274336
_________________ Mike
My Hardware Profile
khrusher
Posted: Mon Feb 12, 2007 8:26 pm
Joined: Tue Apr 13, 2004 6:51 pm
Posts: 890
Location: Groton, MA
I have a couple general comments for this thread.
Comment 1)
You SHOULD be able to access your LAN servers via a dyndns setup from your LAN. There are however some crappy consumer quality routers (Belkin) that don't handle this.
I have a dyndns setup that points to my WAN ip address and my router (Netgear) forwards to my mythbox. I can use the http://<dyndns>/ address from WAN and LAN. I had the Belkin and had issues in this area, so now the Belkin is simply an extra access point on the other side of the house.
Comment 2)
You can create a secure SSH tunnel and pipe all of your traffic through the tunnel. This requires an ssh client like putty on any remote pc accessing your LAN. Search here for putty/ssh/tunnel/. I use this to access my mythstreamtv data from work... looks like a busy ssh session
Comment 3)
People are not wearing enough hats
_________________ R5F1 - Dell P4 2.4Ghz 500MB - PVR250 x 2 - GeForce FX 5200 - Onboard sound/NIC 80GB ATA/250GB ATA/400GB SATA
mihanson
Posted: Mon Feb 12, 2007 11:40 pm
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
khrusher wrote: Comment 1) You SHOULD be able to access your LAN servers via a dyndns setup from your LAN. There are however some crappy consumer quality routers (Belkin) that don't handle this. I have a dyndns setup that points to my WAN ip address and my router (Netgear) forwards to my mythbox. I can use the http://<dyndns>/ address from WAN and LAN. I had the Belkin and had issues in this area, so now the Belkin is simply an extra access point on the other side of the house.
Ahhhh, yes... now I remember why I thought it was not possible. My Buffalo router has an issue with loopback...
_________________ Mike
My Hardware Profile
Fidelis
Posted: Tue Feb 13, 2007 11:13 am
Joined: Thu Mar 09, 2006 6:54 pm
Posts: 34
mihanson wrote: I'm kind of confused... You can connect to your MythWeb from inside your network. If you go to another location, i.e. office, school, etc, you cannot connect to your MythWeb? (Server Refused Our Key)
Correct.
mihanson wrote: Sorry, if you've tried these things, but I have to ask . . .
1) Did you use puttygen.exe on your Windows machine to convert the key to a format putty recognizes?
Yes. I can see that the key works from within the network. "Authenticating with public key xxxx."
mihanson wrote: 2) Is putty configured to point to the correct key file?
Yes.
mihanson wrote: 3) On your MythTV box, does your authorized_keys file have only one key per line?
Had to check this. There is only one line, since I made only one key atm. Begins with "ssh rsa..." and ends with the name of my one key. Looks good to me. I can try making another key, however.
mihanson wrote: 4) What are the permissions of your .ssh directory? Here's mine: [code]drwx------ 2 mythtv mythtv 4096 Jan 22 14:01 .ssh[/code]
[code]
-rw-r--r-- 1 mythtv mythtv 726 authorized_keys
-rw------- 1 mythtv mythtv 3311 id_rsa
-rw-r--r-- 1 mythtv mythtv 726 id_rsa.pub
[/code]
EDIT: As I was posting this, more info came in from the community (thanks!). I'll check out the suggestions that were posted.
Fidelis
Posted: Tue Feb 13, 2007 2:20 pm
Joined: Thu Mar 09, 2006 6:54 pm
Posts: 34
Quote: Fidelis, I'm re-reading your original post and seeing more places you could be running into trouble... Are ZoneAlarm's proper ports open?
In ZoneAlarm, I have granted outbound access for my mythbox ip.
Quote: Will your SB5100 forward all requests to your XP gateway?
Don't know.
Quote: Does your ISP block port 80 inbound to you?
Don't know, I'll try changing the port for apache. My httpd.conf doesn't have anything in it tho. In /etc/apache2/ports.conf, I changed 'listening 80' to 'listening 8080.' Is this correct?
And were the permissions in my .ssh folder good?
mihanson
Posted: Tue Feb 13, 2007 3:00 pm
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Fidelis wrote: Quote: Does your ISP block port 80 inbound to you? Don't know, I'll try changing the port for apache. My httpd.conf doesn't have anything in it tho. In /etc/apache2/ports.conf, I changed 'listening 80' to 'listening 8080.' Is this correct?
I think that's correct. With the new apache version included with R5E50 I'm not very versed. I have not had to muck with it, so I don't really have any experience with its config files. The apache website has good documentation though...
Quote: And were the permissions in my .ssh folder good?
The permissions on the folder contents matched mine. What about the folder .ssh itself?
Code: $ ls -la /home/mythtv
_________________ Mike
My Hardware Profile
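A small audit script for the conditions discussed in the exchange above (the mode of the home directory, of .ssh and of authorized_keys, and one key per line), added here as an example; it is not from this thread or from KnoppMyth. It assumes GNU coreutils `stat -c`, and the home directories it checks are constructed fixtures under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: audit a user's ~/.ssh for the usual causes of
# "Server refused our key". With StrictModes (sshd's default) the key file is ignored
# when the home dir, .ssh or authorized_keys is group/world-writable, and a line that
# holds two pasted keys is silently skipped. Assumes GNU coreutils stat (stat -c).
check_ssh_dir() {   # check_ssh_dir /home/mythtv -> prints findings, returns 0 if clean
    home="$1"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p"; return 1; fi
        mode=$(stat -c '%a' "$p")
        # 18 = 022 octal: the group-write and other-write bits must both be clear
        if [ $(( 0$mode & 18 )) -ne 0 ]; then
            echo "bad mode $mode on $p (group/world writable)"; rc=1
        fi
    done
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        # a valid line carries exactly one key-type token followed by base64 ("AAAA...")
        keys=$(printf '%s\n' "$line" |
               grep -o -E '(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+) AAAA' | wc -l | tr -d ' ')
        if [ "$keys" -eq 0 ]; then echo "line $n: no recognised key"; rc=1
        elif [ "$keys" -gt 1 ]; then echo "line $n: $keys keys on one line"; rc=1
        fi
    done < "$home/.ssh/authorized_keys"
    return $rc
}

# Constructed fixture: a layout like the listings in the thread (good) or a broken one (bad).
make_fixture() {   # make_fixture <dir> good|bad
    mkdir -p "$1/.ssh"; chmod 755 "$1"; chmod 700 "$1/.ssh"
    k1='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample1 mykey'        # fake key material
    k2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample2 laptop'          # fake key material
    if [ "$2" = good ]; then
        printf '# keys\n%s\n%s\n' "$k1" "$k2" > "$1/.ssh/authorized_keys"
        chmod 644 "$1/.ssh/authorized_keys"
    else
        printf '%s %s\n' "$k1" "$k2" > "$1/.ssh/authorized_keys"   # two keys on one line
        chmod 777 "$1/.ssh"                                          # world-writable .ssh
    fi
}

tmp=$(mktemp -d)
make_fixture "$tmp/good" good; make_fixture "$tmp/bad" bad
check_ssh_dir "$tmp/good" && echo "good: ok"
check_ssh_dir "$tmp/bad" || echo "bad: problems found"
rm -rf "$tmp"
```

Run it against a real home directory as `check_ssh_dir /home/<user>`; a non-zero return means sshd with StrictModes will most likely reject the key file for one of the printed reasons.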
Fidelis
Posted: Tue Feb 13, 2007 4:35 pm
Joined: Thu Mar 09, 2006 6:54 pm
Posts: 34
Hmm... my apologies... there was apparently a router further down the line that I was unaware of. I can log into it, however, and will make sure it is forwarding the ports correctly.
I am glad that many things were clarified, however, by mihanson and khrusher specifically. Much obliged to you and to the authors of other posts I've been reading (and implementing) for 6-7 hours now. Lots of data.
After following the directions from portforward.com for my router, some things still aren't clear as it still isn't working. I'll try a few more things on my own over the next few days and post a summary for this thread.
Peace to you all.
gatorback
Posted: Sun May 27, 2007 10:42 am
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
When configuring putty with a Private key file, there are six check boxes that are available in addition to the field for the private key. This dialogue box can be found under Connection >> SSH > Auth.
These options were checked by default:
Quote: Attempt authentication using Pageant
Attempt "keyboard-interactive" auth (SSH-2)
Do any of the other checkboxes need to be checked? I ask because I have tried for 4 hours on a fresh install and keep getting "Server refused our key". I have tried logging in with the last two options enabled, but it did not change anything.
If I should make this a new posting, let me know and I will do so. Thanks to all who provide guidance.
_________________ R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB
mjl
Posted: Sun May 27, 2007 11:29 am
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,
You are aware that R5F1 does not allow root or user mythtv to remotely login? Only the user you added at install time is authorized ssh access. This is done to protect KM and is the default setting. You can, of course, override it.
Mike
gatorback
Posted: Sun May 27, 2007 12:28 pm
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
Thank you for the update. I thought that this might be the case. I will try it again with the localuser account created at install time: my first attempt with this account was not successful.
Again, thank you
_________________ R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB
fra
Posted: Fri Sep 28, 2007 5:31 pm
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
what about directions for allowing only certain ip addresses to ssh? that's always a useful security measure! [password+key+ip restrictions! what else can one add?!!]
mihanson
Posted: Fri Sep 28, 2007 6:28 pm
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
fra wrote: what about directions for allowing only certain ip addresses to ssh? that's always a useful security measure! [password+key+ip restrictions! what else can one add?!!]
Feel free to add, but I think that's out of the scope of this how to. Search for IPtables... or look here.
_________________ Mike
My Hardware Profile
Too Many Secrets
Posted: Mon Apr 14, 2008 10:26 pm
Joined: Fri Oct 20, 2006 12:04 pm
Posts: 905
Location: LA, CA
Is there any good reason to have the Code: MaxStartups 10:30:60 line commented out of the /etc/ssh/sshd_config file?
Notice this article. Granted it isn't the end all, be all. But it seems like another layer that can be turned on easily.
mihanson
Posted: Wed Feb 11, 2009 6:18 pm
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Just wanted to give this a bump because of something I saw in my logs today...
Quote:
Feb 11 01:39:32 mythbox-mbe sshd[13585]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:33 mythbox-mbe sshd[13587]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:35 mythbox-mbe sshd[13589]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:36 mythbox-mbe sshd[13591]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:38 mythbox-mbe sshd[13593]: Invalid user oracle from 94.75.192.71
Feb 11 01:39:40 mythbox-mbe sshd[13595]: Invalid user oracle from 94.75.192.71
Feb 11 01:39:41 mythbox-mbe sshd[13597]: Invalid user oracle from 94.75.192.71
...
Hackers will try to use the userid mythtv, so if you expose your mythweb or something like ssh to the world, it's a good idea to use something stronger than simple password authentication.
_________________ Mike
My Hardware Profile
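For the kind of sshd noise quoted in the post above, a per-source summary of DenyUsers rejections, invalid-user attempts and failed passwords; this is an added example, not part of the thread. The sample input is the quoted log lines plus one constructed line from a documentation address (192.0.2.10) for contrast, and the flag threshold of 5 attempts is an assumed value.

```shell
#!/bin/sh
# Added example, not from the thread: summarise sshd rejections per source address,
# the kind of scan shown in the quoted log. Reads syslog-style sshd lines on stdin and
# prints one line per source, most active first; sources at or above the threshold
# (default 5 attempts, an assumed value) are marked FLAG.
summarise_sshd() {   # summarise_sshd [threshold] < sshd.log
    awk -v limit="${1:-5}" '
        # the source address is the token after "from" in every message type handled here
        function src(  i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "?" }
        /not allowed because listed in DenyUsers/ { denied[src()]++; next }
        /Invalid user/                             { invalid[src()]++; next }
        /Failed password for/                      { failed[src()]++ }
        END {
            for (ip in denied)  seen[ip] = 1
            for (ip in invalid) seen[ip] = 1
            for (ip in failed)  seen[ip] = 1
            for (ip in seen) {
                total = denied[ip] + invalid[ip] + failed[ip]
                printf "%s denied=%d invalid=%d failed=%d total=%d%s\n", ip,
                       denied[ip], invalid[ip], failed[ip], total, (total >= limit ? " FLAG" : "")
            }
        }' | sort -t= -k5 -nr
}

# Sample input: the lines quoted in the post above, plus one constructed line from a
# documentation address (RFC 5737) so the summary has a second, quieter source.
sample_log() {
    cat <<'EOF'
Feb 11 01:39:32 mythbox-mbe sshd[13585]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:33 mythbox-mbe sshd[13587]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:35 mythbox-mbe sshd[13589]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:36 mythbox-mbe sshd[13591]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:38 mythbox-mbe sshd[13593]: Invalid user oracle from 94.75.192.71
Feb 11 01:39:40 mythbox-mbe sshd[13595]: Invalid user oracle from 94.75.192.71
Feb 11 01:39:41 mythbox-mbe sshd[13597]: Invalid user oracle from 94.75.192.71
Feb 11 02:10:07 mythbox-mbe sshd[13700]: Failed password for bob from 192.0.2.10 port 51234 ssh2
EOF
}

sample_log | summarise_sshd 5
```

On a real box feed it the auth log instead, e.g. `grep sshd /var/log/auth.log | summarise_sshd 20`, and treat FLAG lines as candidates for the IP restrictions mentioned earlier in the thread.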