Author |
Message |
haertig
|
Posted: Thu Oct 13, 2005 12:16 pm |
|
Joined: Mon Oct 10, 2005 2:00 pm
Posts: 29
|
I have a suggestion for the next version of KnoppMyth when it comes out. I think the security needs to be tightened up a bit by default.
Example: Run the default install, connect to the Internet and watch all your EPG data download. Cool! We're good to go, or so many users might think.
What's to prevent somebody from hitting your IP address with ssh and walking right on in with userid "mythtv", password "mythtv", the defaults that KnoppMyth installs? This seems like a bigger security hole than the one often discussed about protecting MythWeb with standard Apache .htaccess stuff.
My recommendation would be for KnoppMyth to also install a basic iptables config that locks things down to at least the LAN level, if not TOTALLY locked down. Provide instructions or at least warnings on how_to/why_not to open up access to the general Internet.
I'm not an iptables expert, but I think something similar to the below example might work as a starting point:
Code:
# Clear any existing rules
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F

# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback (needed by MythWeb and maybe other things)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow TCP replies, and SSH and HTTP from the LAN
iptables -A INPUT -p tcp ! --syn -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport http -j ACCEPT
There are other private IP ranges that qualify as a LAN and those would need to be included as well. The above is just an example, not a full-blown iptables configuration. It has not been tested! Other ACCEPT rules may be needed as well. For instance, I don't have any remote frontends, therefore I don't know what open ports/protocols they may need to work.
Last edited by haertig on Thu Oct 13, 2005 3:33 pm, edited 1 time in total.
|
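A ruleset along the lines of the post above, as an added example that is not part of the original thread. It covers all three RFC 1918 private ranges and swaps the post's `! --syn` rule for connection tracking, so that UDP replies such as DNS are accepted too; `LAN_RANGES`, `LAN_TCP_PORTS` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a LAN-only MythTV box.
# LAN_RANGES and LAN_TCP_PORTS are assumptions; adjust them to your network.

# RFC 1918 private ranges (the post's example covered only 192.168.0.0/24).
LAN_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Services reachable from the LAN only: SSH and HTTP (MythWeb).
LAN_TCP_PORTS="22 80"

build_ruleset() {
    echo "*filter"
    # Default policies: drop inbound and forwarded traffic, allow outbound.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Loopback, needed by MythWeb and maybe other local services.
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections this box opened, TCP and UDP alike, so DNS
    # lookups and outbound downloads still work under the DROP policy.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Inbound connections: only the listed ports, only from private ranges.
    for range in $LAN_RANGES; do
        for port in $LAN_TCP_PORTS; do
            echo "-A INPUT -s $range -p tcp --dport $port -j ACCEPT"
        done
    done
    echo "COMMIT"
}

# Number of ACCEPT rules that admit the given destination port.
count_accepts_for_port() {
    build_ruleset | grep -c -- "--dport $1 .*-j ACCEPT"
}

# Exit status 0 if any port rule lacks a source restriction, i.e. the
# ruleset would expose a service to every address on the Internet.
has_unrestricted_accept() {
    build_ruleset | grep -- "--dport" | grep -v -- "-s " | grep -q -- "-j ACCEPT"
}

# Print the ruleset when the script is run.
build_ruleset
```

The output is in `iptables-restore` format; piping it to `iptables-restore --test` parses the rules without committing them.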
Mephi
|
Posted: Thu Oct 13, 2005 12:26 pm |
|
Joined: Sat Feb 26, 2005 9:05 am
Posts: 160
Location:
Ipswich, UK
|
Code: What's to prevent somebody from hitting your IP address with ssh and walking right on in with userid "mythtv", password "mythtv", the defaults that KnoppMyth installs?
Pretty much any router will.
And if you've got more than one computer on the net (Would anyone actually have a net connection just for their Myth box?) then they would have to specifically set up access from the outside world to their myth box.
Maybe it's just because I come from a Windows background, but I would assume that a default install of any OS should be 'hardened' before being allowed on the net unless it's behind some kind of firewall.
Also, there are some users out there that connect to their myth boxes from outside their local network, specifically for mythweb.
I'm not trying to say that what you're suggesting is a bad thing, but I think it should exist as an optional script so that people can easily run it and lock down their boxes if they want, but it's not enforced on us that don't know enough about Linux as it'll most likely confuse us...
Mephi
|
haertig
|
Posted: Thu Oct 13, 2005 1:09 pm |
|
Joined: Mon Oct 10, 2005 2:00 pm
Posts: 29
|
Mephi wrote: Pretty much any router will.
Agreed, of course. I'm behind a router. I imagine most users are as well. But I don't think it's a valid assumption that ALL KnoppMyth users will be.
For example, my original intent for MythTV was to install it on a general purpose box that I'd use for day-to-day stuff also. Debian based. The only reason I grabbed KnoppMyth was to use as a quickie install to verify my newly purchased capture_card, video_card, and harddrive were functional. Later I decided, why not just stick with KnoppMyth only on this box? It's not like I don't have five million OTHER computers on my LAN to do day-to-day stuff on.
My point is, there could be others that have similar plans like I did initially - one box for day-to-day AND MythTV. They may only HAVE one box. Therefore a high likelihood that it might be connected directly to the Internet.
I chose KnoppMyth for the convenience, not because I'm incapable of installing Debian/Slackware/whatever and compiling MythTV from scratch. However, I imagine there's a large user community out there that choose KnoppMyth because they have no idea how to put something like this together. A boot-it-and-go solution like KnoppMyth is not only a convenience for these users ... it's pretty much a necessity. This is the user community that I worry might get blindsided. "ssh? What's that? A strong password - sure! I changed mine from 'mythtv' to 'myth123'. And my root password? They'll NEVER guess 'r00t'!"
I'm not trying to be critical of KnoppMyth at all. It does so much to make the introduction to Linux and MythTV painless. And the stuff it currently does is a heck of a lot more sophisticated than setting up a little iptables script to run at boot. I like the "Lock it down, and tell 'em how to open it up" approach better than "Leave it open, and expect them to figure out they need to lock it down."
Just my personal opinion, of course!
|
Xsecrets
|
Posted: Thu Oct 13, 2005 1:35 pm |
|
Joined: Mon Oct 06, 2003 10:38 am
Posts: 4978
Location:
Nashville, TN
|
Well, being a security-minded person I can understand what you are saying and I agree, however being a person who helps support KnoppMyth I can tell you right now the reason it's open and we'll tell you how to lock it down is because the majority of the users don't need it locked down because they are behind a firewall, and generally the few who do want/need it locked down are much quicker at picking up how to lock it down than the masses would be at figuring out how to open it up. I'm not saying it's right, but when resources and time are limited, you hate to waste them on answering hundreds of "how do I get to this or allow that" questions which you will receive even if you have FAQs stating how to do it. Sometimes you just have to give up right for easy, as much as it pains me to say that.
_________________ Have a question search the forum and have a look at the KnoppMythWiki.
Xsecrets
|
haertig
|
Posted: Thu Oct 13, 2005 2:58 pm |
|
Joined: Mon Oct 10, 2005 2:00 pm
Posts: 29
|
Xsecrets wrote: Sometimes you just have to give up right for easy, as much as it pains me to say that.
Your explanation is perfectly good. It's not a matter of what's right or wrong. If it was wrong to supply KnoppMyth default install in this manner, then it would be wrong to sell Microsoft Windows!
Another thing I didn't think of until after posting, is that we're only dealing with TV shows here. The default automatic install, and that's the only one I'm talking about, takes over the entire disk. Given that, how much do people actually stand to lose if they get hacked? If, as I originally suggested, the user's plan was for a multi-purpose box then they'd better have their own ideas on how to set up security and not depend on KnoppMyth to totally bail them out. And they probably wouldn't be going with a fully automatic install in the first place if multi-use was their plan.
Oh well. It was just a suggestion. I didn't say it was necessarily a GOOD one! 
|
haertig
|
Posted: Thu Oct 13, 2005 3:27 pm |
|
Joined: Mon Oct 10, 2005 2:00 pm
Posts: 29
|
BTW, if anyone is considering applying the iptables settings I gave as an example above for their own use ... don't expect your EPG downloads to work!
[edit]
Deleted details...
Never mind. I edited the original post to correct the bad line I was talking about here, so as not to confuse the issue further.
[/edit]
|
mad_paddler
|
Posted: Fri Oct 14, 2005 2:45 am |
|
Joined: Sun Jun 12, 2005 2:39 pm
Posts: 464
Location:
UK
|
I would guess that if you can get a fully functional knoppmyth box up and running, you prolly have enough intelligence to have setup a router previously
Of course this gets less and less likely as knoppmyth gets easier to install lol.
|
lopemanc
|
Posted: Fri Oct 14, 2005 7:53 am |
|
Joined: Wed Jul 27, 2005 5:02 am
Posts: 50
|
Is there anything that stops us from changing the default password once the install is complete?
_________________ GA-K8NS-939 Ultra
AMD 64 939 Venice 3200+
1GB RAM (2 512MB DDR400 184PIN DIMM )
HD3000
2 160GB SATA Seagate Barracuda 7200.7s
MSI Nx6200ax-td128 video card
Cooler Master Cavalier 2 - 350W PS
BenQ DW1640
Thanks,
Chris Lopeman
|
cesman
|
Posted: Fri Oct 14, 2005 9:54 am |
|
Joined: Fri Sep 19, 2003 7:05 pm
Posts: 5088
Location:
Fontana, Ca
|
lopemanc wrote: Is there anything that stops us from changing the default password once the install is complete?
No.
_________________ cesman
When the source is open, the possibilities are endless!
|