All times are UTC - 6 hours
 Post subject: MythWeb Security R5F27
PostPosted: Tue Apr 07, 2009 6:52 am 
Offline
Joined: Sun May 30, 2004 11:05 am
Posts: 37
Location: Acton, Ontario, Canada
To any/all:

KnoppMyth install R5F27 MBE with MythWelcome active, custom preshutdown script and ACPIwake running.

Smooth operation for about 2 years.

Going on the road soon and want to access MythWeb via internet.

Problem: if I forward port 80 on my router, see MythWeb just fine. UserID and password challenge (htdigest) works as expected.

However, if I change the port (in /etc/ports.conf) to something else (e.g. 12012), change the forwarding to my MBE to the new port number, I get a timeout error over the internet connection.

I can still, however, connect in on my LAN.

My services page at DynDNS.org say that the port on my router is OPEN and accepting connections.

I am wondering what OTHER files in KnoppMyth are involved in blocking WAN hosts.

I've looked through /etc/hosts, hosts.deny, hosts.allow -- I have made ZERO mods to these files.

Help...I don't want to bring down the wrath of my ISP by leaving port 80 open.

Squiff


 Post subject:
PostPosted: Tue Apr 07, 2009 7:22 am 
Offline
Joined: Mon Jun 21, 2004 5:28 am
Posts: 700
Location: Germany
I'm not sure about R5F27, but on R5.5 the file to change the port was /etc/apache2/ports.conf.

However, most routers allow the port forward to be between different ports. Ex. External 12012 maps to internal 80. Then there is no need to change the port apache is running on.

I think I would change ISPs if mine ever complained about port 80. I can understand port 25 (potential spam relay), but port 80 is none of their business.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)


 Post subject:
PostPosted: Tue Apr 07, 2009 7:31 am 
Offline
Joined: Sun May 30, 2004 11:05 am
Posts: 37
Location: Acton, Ontario, Canada
alien wrote:
I'm not sure about R5F27, but on R5.5 the file to change the port was /etc/apache2/ports.conf.

However, most routers allow the port forward to be between different ports. Ex. External 12012 maps to internal 80. Then there is no need to change the port apache is running on.


Alien,

Danke for the quick response. I have an aging router that (I'm pretty sure) does direct port mapping (no transposing as you are suggesting). It is a NetGear WGT624 (yeah, I know...consider replacing).

The /etc/ports.conf file was modified to the port I have forwarded on my router.

Using a port forwarding checker tool indicates that this port IS responding to external requests.

But...the connection to http://<hostname>:12012/mythweb/ still times out.

This is regardless of whether I hardcode the external IP from my ISP or plug in my DynDNS hostname.

Squiff


 Post subject:
PostPosted: Tue Apr 07, 2009 8:01 am 
Offline
Joined: Mon Jun 21, 2004 5:28 am
Posts: 700
Location: Germany
Hard to say what is happening. You might try a more common alt HTTP port (ex. 8080). If that fails, I would try using tcpdump to see what is getting to the box to try and narrow down the problem.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)
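The "see what is getting to the box" step above, as an added checklist script (not from any post in this thread): it reads the configured Listen ports, checks whether anything is bound on the chosen port, lists host firewall rules for it, and captures inbound SYNs so a router-side problem can be told apart from a box-side one. Paths assume a Debian-style Apache 2 layout; the interface name and port are parameters.

```shell
#!/bin/sh
# Added example for this thread, not from any of the posts: a checklist for
# "the port forward tests open but MythWeb times out". Paths assume a Debian-style
# Apache 2 layout (ports.conf under /etc/apache2); interface name is a parameter.

# Print the TCP ports Apache is configured to listen on, read from a ports.conf-style
# file. Handles "Listen 8080", "Listen 192.168.1.5:8080" and "Listen [::]:8080";
# comment lines and NameVirtualHost lines are ignored.
apache_listen_ports() {
    awk '$1 == "Listen" { p = $2; sub(/.*:/, "", p); print p }' "$1"
}

# Exit 0 if some process is bound to TCP port $1 on this host, 1 otherwise.
port_is_bound() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p="$1" '$4 ~ (":" p "$") { f = 1 } END { exit !f }'
    else
        netstat -ltn 2>/dev/null | awk -v p="$1" '$4 ~ (":" p "$") { f = 1 } END { exit !f }'
    fi
}

# Run the three checks that separate "router problem" from "box problem":
# configured vs bound port, host firewall rules, and whether SYNs arrive at all.
diagnose() {
    port=$1 iface=${2:-eth0} conf=${3:-/etc/apache2/ports.conf}
    echo "Apache Listen ports in $conf:"
    apache_listen_ports "$conf"
    if port_is_bound "$port"; then
        echo "port $port: a process is listening"
    else
        echo "port $port: nothing listening (apache not restarted after editing $conf?)"
    fi
    echo "iptables rules naming port $port (empty output = no host firewall rule):"
    iptables -S 2>/dev/null | grep -- "--dport $port" || true
    # If SYNs show up here but the browser still times out, the problem is on the
    # box (Listen/vhost/firewall); if nothing shows up, it is the router/ISP side.
    echo "Capturing the first 5 inbound SYNs to $iface:$port; open the URL from outside now"
    tcpdump -ni "$iface" -c 5 "tcp dst port $port and tcp[tcpflags] & tcp-syn != 0"
}

# Usage (as root): sh mythweb_port_check.sh --run 12012 eth0
case "${1:-}" in
    --run) diagnose "$2" "$3" "$4" ;;
esac
```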


 Post subject:
PostPosted: Tue Apr 07, 2009 8:21 am 
Offline
Joined: Sun May 30, 2004 11:05 am
Posts: 37
Location: Acton, Ontario, Canada
alien wrote:
Hard to say what is happening. You might try a more common alt HTTP port (ex. 8080). If that fails, I would try using tcpdump to see what is getting to the box to try and narrow down the problem.


Alien,

I will do that when I get home tonight (Eastern Time Zone).

I am following other leads as well about TCPWrappers and the hosts files.

When success follows I will post the results on this thread as [SOLVED]

Thanks again for the review and replies.

Squiff


 Post subject:
PostPosted: Tue Apr 07, 2009 9:31 am 
Offline
Joined: Fri Sep 15, 2006 12:16 pm
Posts: 292
When I am on the road I just ssh in with whatever ports I want
to use forwarded by ssh. You then just access localhost on
your "away" machine and it comes out magically on the other
end.

Your setup is different than mine, but just make sure that you
can ssh from a remote location into your mythtv box (by
forwarding just port 22 from your router to your mythtv box
I think). Once you are on the road you can do something like
this (as root): "ssh -L 80:localhost:80 home-ip-address"
(assuming that home-ip-address is the IP of your router). Then,
with that running just point your browser to localhost and you
are accessing your mythtv box.

I usually forward 5800 and 5900 for vnc at the same time and
wind up using vnc because I know mythfrontend better than
I know the web frontend. Just point your vnc client to
localhost.

If you already have ssh setup to another host on your network
you would just bounce it off of that by doing:
"ssh -L 80:mythtv:80 home-ip-address" assuming that the box
you are sshing into can access your mythtv box with the name
"mythtv".

Cliff
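Cliff's tunnels written out as an ssh client config on the travelling machine (an added example, not from the post); home-ip-address and the login name squiff are placeholders, and mythtv is the LAN name of the backend as in Cliff's second form.

```ssh_config
# Added example (not from the post): ~/.ssh/config on the travelling machine.
Host home
    HostName home-ip-address
    User squiff
    Port 22
    # Local ports above 1024 so the tunnel does not need root on the laptop;
    # the browser then uses http://localhost:8080/mythweb/ and VNC localhost:5900.
    LocalForward 8080 localhost:80
    LocalForward 5900 localhost:5900
    # If you land on another LAN host first, point the forward at the backend
    # by name instead, e.g.  LocalForward 8080 mythtv:80
    # Refuse to start at all if a forward cannot be set up, instead of silently
    # leaving you with a plain shell and a browser that times out.
    ExitOnForwardFailure yes
```

Start it with `ssh -N home` (no remote shell, just the tunnels); only the ssh port needs forwarding on the router, so port 80 stays closed while you are away.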


 Post subject:
PostPosted: Tue Apr 07, 2009 11:01 am 
Offline
Joined: Sun May 30, 2004 11:05 am
Posts: 37
Location: Acton, Ontario, Canada
cliffsjunk wrote:
When I am on the road I just ssh in with whatever ports I want
to use forwarded by ssh. You then just access localhost on
your "away" machine and it comes out magically on the other
end.

Your setup is different than mine, but just make sure that you
can ssh from a remote location into your mythtv box (by
forwarding just port 22 from your router to your mythtv box
I think). Once you are on the road you can do something like
this (as root): "ssh -L 80:localhost:80 home-ip-address"
(assuming that home-ip-address is the IP of your router). Then,
with that running just point your browser to localhost and you
are accessing your mythtv box.

I usually forward 5800 and 5900 for vnc at the same time and
wind up using vnc because I know mythfrontend better than
I know the web frontend. Just point your vnc client to
localhost.

If you already have ssh setup to another host on your network
you would just bounce it off of that by doing:
"ssh -L 80:mythtv:80 home-ip-address" assuming that the box
you are sshing into can access your mythtv box with the name
"mythtv".

Cliff


Cliff,

Good suggestion...

Would do if I was travelling with laptop...I have an iPod Touch 2G...I haven't gotten to the point of SSH tunneling with an iPod yet.

If I were with a laptop/desktop while away, I certainly would do that.

My planned implementation currently is to use a small external PC running TinyCore linux with an sshd alternative to SSH in by iPod.

Then I will run a script that will wakeonlan my backend and hook into or create a running process that will cause my MythPreShutdown custom script to 'exit 1' and prevent a time out to shutdown/sleep.

I would rather not leave Port 80 open on my router while I am away.

Your suggestion is right on the money...just haven't worked out the iPod implementation.

Squiff


 Post subject:
PostPosted: Wed Apr 08, 2009 7:06 am 
Offline
Joined: Sun May 30, 2004 11:05 am
Posts: 37
Location: Acton, Ontario, Canada
Last night I reset the /etc/ports.conf file to listen on '8080'.

My router was modified to forward to '8080' and I can now see MythWeb in all its glory.

I am not considering this a 'solved' case yet, though.

I still think that the '/etc/services' file and naming conventions on my router may be playing a role with some bad interactions.

I will check back in a few days from now with an update...hoping to drop a [SOLVED] in the topic.

Thanks to all who tracked this and took the time to reply with suggestions.

Squiff


 Post subject:
PostPosted: Wed Apr 08, 2009 7:31 am 
Offline
Joined: Mon Jun 21, 2004 5:28 am
Posts: 700
Location: Germany
Congratulations. You might want to take a look at this if you are going to allow mythweb access from the internet:

http://knoppmyth.net/phpBB2/viewtopic.p ... cure+https

As a minimum, you should follow Step 1 and Step 3 as the current password control does not apply to all pages. I would also recommend enabling SSL, but that is more for privacy than security once authentication is working.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)


 Post subject: Curioser and curioser...
PostPosted: Thu Apr 09, 2009 6:43 am 
Offline
Joined: Sun May 30, 2004 11:05 am
Posts: 37
Location: Acton, Ontario, Canada
alien wrote:
Congratulations. You might want to take a look at this if you are going to allow mythweb access from the internet:

http://knoppmyth.net/phpBB2/viewtopic.p ... cure+https

As a minimum, you should follow Step 1 and Step 3 as the current password control does not apply to all pages. I would also recommend enabling SSL, but that is more for privacy than security once authentication is working.


Alien,

Much respect for your tracking this thread. Part 3 was implemented when I did my initial build of R5F27 Oct-2007 timeframe. No issues there.

I will follow your advice (as a minimum) on Part 1 tonight.

As Ringo says on his blog..."Peace and love, peace_and_love".

More news:

I have some additional feedback on the issue of port forwarding. As I surmised, it does not appear that the /etc/services file plays any role in port forwarding of mythweb. That's actually a relief to me, since as I understand the lay of the land, that file is only to be consulted if

Historically, I had opened a "non-IANA.org official" port in the range of 10000 to 15000 as my pipeline to a master backend. In earlier Knoppmyth builds of mine (R5C1 comes to mind), it was NOT picky about which port I forwarded...8011, 17017, you name it, went through with no problems.

Of course, I also had an older router, BUT I put that back into temporary service yesterday as a test, and MythWeb gagged on all but ports 80 and 8080 being forwarded. So it does NOT appear that the SPI firewall features on my newer router are interfering with the forward. In fact, the DynDNS port checker tool reports back happily that the ports I have opened are reporting back as going through and sending at least something back.

You may well ask at this point a few questions:

1) Why is it SO important that I consider a port other than 80 or 8080 to forward?

2) Why don't I just bite the bullet and use the SSH tunneling setup?

3) Are you crazy...?

Answers:

1) I don't really have a compelling answer here. It just 'seems' to me that something "non-obvious" would be better than picking a common port used for web server traffic. Since I am a neophyte 'MythWebmaster', I readily concede that my paranoia may be misplaced...welcome feedback on the relative exposure of port 8080 versus something 'interesting' like 17017.

2) I am planning on using an iPod Touch while traveling and I am 0% certain that the SSH apps for iPod/iPhone will allow me to SSH AND subsequently pull data "down the tube" I've created to the iPod Safari browser.

So, if someone in UserLand can convince me (one way or the other) on item 1) above, I will just push ahead with port 443 SSL services on the Apache2 MythWeb implementation per Alien's post.

If someone has experience with TouchTerm for iPod Touch tunneling to Safari for iPod with MythWeb and has a working solution, much appreciation for your report in this thread.

Squiff


 Post subject:
PostPosted: Thu Apr 09, 2009 10:04 am 
Offline
Joined: Mon Jun 21, 2004 5:28 am
Posts: 700
Location: Germany
Using non-obvious ports is a form of "security through obscurity". Most consider it a poor form of security, but it does add an additional layer of protection to an already secure configuration for those who want to be really paranoid.

For example, I'm running SSL with password protection and I know there is only one userid/password that will work. For that, I use the obvious 443 SSL port without too many worries. Even if someone did get in, they probably couldn't do what most of the bad guys want to do with unix boxes, create an ftp server for illegal files.

On the other hand, SSH (and sftp) uses port 22. There are several accounts that use ssh. I have checked them all, but since it is relatively easy to enable another account to use ssh, I have it running on a non-obvious port. I may be paranoid here, but as part of my job I have seen carrier grade machines broken into where someone forgot about the oracle/oracle account created when oracle is installed. In my experience, a machine with port 22 open and a crackable password will have a half life of about 3 months on the internet.

If I was REALLY paranoid, I would disable password authorization on ssh and use only key files. Now I think of it.....

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)
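The measures alien lists (non-default port, only named accounts, keys instead of passwords) as an sshd_config fragment for the MythTV box; this is an added example, not alien's own config, and the port number and user name are placeholders.

```sshd_config
# Added example (not from the post): /etc/ssh/sshd_config on the MythTV box.
Port 12022
Protocol 2
# No password logins at all: a guessed or default password (the oracle/oracle
# case) is then useless. Copy your public key into ~/.ssh/authorized_keys first
# and keep an existing session open until the new config is confirmed working.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Only these accounts may log in, whatever other accounts exist or get added
# later; root comes in as a normal user and uses su/sudo.
AllowUsers squiff
PermitRootLogin no
MaxAuthTries 3
```

Check the file with `sshd -t` before restarting sshd. The non-default port only cuts down scanner noise in the logs; the key-only and AllowUsers lines are what close the "crackable password" path alien describes.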


 Post subject:
PostPosted: Fri Apr 10, 2009 12:54 pm 
Offline
Joined: Sun May 30, 2004 11:05 am
Posts: 37
Location: Acton, Ontario, Canada
alien wrote:
Using non-obvious ports is a form of "security through obscurity". Most consider it a poor form of security, but it does add an additional layer of protection to an already secure configuration for those who want to be really paranoid.


My "spidey-sense" told me I was probably kidding myself. The power of a PC and some rudimentary tools would allow someone to sweep the ports on a router quickly and automatically.

alien wrote:
For example, I'm running SSL with password protection and I know there is only one userid/password that will work. For that, I use the obvious 443 SSL port without too many worries. Even if someone did get in, they probably couldn't do what most of the bad guys want to do with unix boxes, create an ftp server for illegal files.

On the other hand, SSH (and sftp) uses port 22. There are several accounts that use ssh. I have checked them all, but since it is relatively easy to enable another account to use ssh, I have it running on a non-obvious port.


I am using the "iPodFeed" stuff on the KnoppMyth Wiki to allow playback via transcoded streaming on my wireless. I was hoping to take this on the road on an upcoming vacation. SSL seemed like a good road to pursue, since I would rather not arrive home to find my precious backend hacked and pillaged by some script kiddie.

Unfortunately, the iPhone and iPod Touch don't handle playback through the embedded QuickTime Player using SSL.

The iPhone Safari browser hooks in no problem and spawns the QuickTime player when I pick a stream, but then it lobs an error.

So that feature was disabled. Too bad, it worked fine on my other platforms with Firefox and IE6/7 locally and remotely.

I STILL have the original conundrum, however. I simply cannot determine where KnoppMyth R5F27 hides the port settings that permit ports 80, 8080 and 443 through but REJECT other ports I've tried (like 12012, 17017, 7904, etc.).

Very much a poser.

_________________
Squiff
______________________________________
ECS K7SOM+ (v7.5c)m embedded AMD CPU
512 MB RAM, 120 GB HDD
DVD, FDD
PVR250, Plextor TV-M402U (go7007 method)
R5F27 (ACPI_wake method)
Mythwelcome


 Post subject:
PostPosted: Fri Apr 10, 2009 1:47 pm 
Offline
Joined: Sun May 30, 2004 11:05 am
Posts: 37
Location: Acton, Ontario, Canada
alien wrote:
Congratulations. You might want to take a look at this if you are going to allow mythweb access from the internet:

http://knoppmyth.net/phpBB2/viewtopic.p ... cure+https

As a minimum, you should follow Step 1 and Step 3 as the current password control does not apply to all pages. I would also recommend enabling SSL, but that is more for privacy than security once authentication is working.


When I look through the posting above, the file you reference does not exist in my R5F27 build. There is a symlink to a file at:

/etc/apache2/sites-available/default

This file has the "AllowOverride" section you reference, but I am not sure whether the instructions to add the authentication belong here for the root folder.

This authentication section is ALSO present in the /etc/apache2/apache2.conf file lower down.

Suggestions, alien?

_________________
Squiff
______________________________________
ECS K7SOM+ (v7.5c)m embedded AMD CPU
512 MB RAM, 120 GB HDD
DVD, FDD
PVR250, Plextor TV-M402U (go7007 method)
R5F27 (ACPI_wake method)
Mythwelcome
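One way to put the authentication where the question above is pointing, as an added example (not the config from the linked post): a Directory block covering the whole MythWeb tree, placed in /etc/apache2/sites-available/default or in a file of its own under /etc/apache2/conf.d/. The directory /var/www/mythweb, the realm name MythTV and the htdigest path are assumptions; match them to your install.

```apache
# Added example, not the config from the linked post: digest authentication for
# every page under MythWeb, so the password challenge does not apply to only
# some of them. Directory, realm and htdigest path are assumptions.
<Directory /var/www/mythweb>
    AuthType Digest
    # The realm must be the same string used when creating the digest file:
    #   htdigest -c /etc/apache2/mythweb.htdigest MythTV squiff
    AuthName "MythTV"
    AuthDigestDomain /mythweb/
    AuthDigestProvider file
    AuthUserFile /etc/apache2/mythweb.htdigest
    # Every request under this directory, including the stream URLs, needs a
    # valid login. Leave any existing AllowOverride line in this block as it is,
    # since MythWeb's own .htaccess may depend on it.
    Require valid-user
</Directory>
```

mod_auth_digest must be loaded (`a2enmod auth_digest`); run `apache2ctl configtest` and then reload Apache. Digest auth keeps the password itself off the wire but not the page contents, which is the part SSL adds.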

