All times are UTC - 6 hours





 Post subject: SSH[D]on R5A26
PostPosted: Thu Nov 24, 2005 4:16 pm 
Joined: Wed Nov 23, 2005 1:40 pm
Posts: 3
Hi all,

I've done an install of R5A26 and everything went well :D

But, I noticed that SSHD is on by default and the mythtv user can log in....

Just a warning to all that have their KnoppMyth PC accessible to the net!!!

Unsure if I have the right forum; is this the right place?


PostPosted: Thu Nov 24, 2005 4:27 pm 
Joined: Tue Mar 22, 2005 9:18 pm
Posts: 1422
Location: Brisbane, Queensland, Australia
This is the right place.

SSHD has been on by default for some versions now and this will only be a security issue if you have the port open and forwarded from your firewall. By default this will never be set on a firewall.

_________________
Girkers


PostPosted: Thu Nov 24, 2005 4:39 pm 
Joined: Wed Nov 23, 2005 1:40 pm
Posts: 3
I do understand there is a small chance, but at work our internet server keeps getting ssh logins from zombie PCs!

A little bit of a warning to people out there.


PostPosted: Fri Nov 25, 2005 1:28 pm 
Joined: Sat Mar 26, 2005 3:49 pm
Posts: 290
That's nothing to worry about. A simple port redirect above 10000 should prevent further ssh login attempts.


PostPosted: Sat Nov 26, 2005 5:18 pm 
Joined: Fri Sep 19, 2003 7:05 pm
Posts: 5088
Location: Fontana, Ca
One really should not have their PVR directly hooked up to the Internet (period). MythTV wasn't designed with security in mind. Isaac has stated that doing so would affect performance.

_________________
cesman

When the source is open, the possibilities are endless!


PostPosted: Sat Nov 26, 2005 6:17 pm 
Joined: Wed Nov 23, 2005 1:40 pm
Posts: 3
I would only run a machine behind a firewall or a NAT router...but people these days have a tendency to put machines in the DMZ when they can't get something to work and leave it.

I would like SSH access to my myth box from the internet; my router will have port 22 forwarded on to my myth box, as I have no other Linux box on my network.

I did notice a couple of guides on http://knoppmythwiki.org referring to the use of ssh for a couple of things, hence my warning.

I think I could have worded my original post a bit better :(


PostPosted: Fri Dec 02, 2005 1:52 pm 
Joined: Sun Jul 24, 2005 1:37 am
Posts: 42
Oh, several of us have brought this issue up and have all gotten similar replies. So, don't take it too hard.

On the plus side, the powers that be recently password protected mythweb, so they are at least listening...

The other day I was thinking that maybe another solution to this problem that would be more acceptable would be to have the default sshd configs only allow connections from the private ip addresses.. 10.x, 172.x, 192.x.. But I suspect that I'm wrong. :-)

-Aubrey


PostPosted: Fri Dec 02, 2005 2:50 pm 
Joined: Fri Sep 19, 2003 7:05 pm
Posts: 5088
Location: Fontana, Ca
I am not going to waste my time trying to lock down KnoppMyth out of the box (period). If MythTV wasn't designed with security in mind (as it would affect performance), why should I try to lock down KnoppMyth? End of discussion.

_________________
cesman

When the source is open, the possibilities are endless!


PostPosted: Fri Dec 02, 2005 11:04 pm 
Joined: Tue Jan 18, 2005 12:11 pm
Posts: 100
Location: MA, USA
richw wrote:
I would only run a machine behind a firewall or a NAT router...but people these days have a tendency to put machines in the DMZ when they can't get something to work and leave it.

I would like SSH access to my myth box from the internet; my router will have port 22 forwarded on to my myth box, as I have no other Linux box on my network.

I did notice a couple of guides on http://knoppmythwiki.org referring to the use of ssh for a couple of things, hence my warning.

I think I could have worded my original post a bit better :(


If you want secure access to your box from the internet, my advice would be to move sshd to a non-standard port (and forward that port from your router), and allow only key-based logins. There are any number of guides on how to do those two around the web.

You have to forgive Cesman if he's a bit blunt on this issue, I've seen it come up frequently, and I only browse these forums occasionally.
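
The two measures suggested in the post above (a non-standard port and key-only logins) can be checked mechanically. The following is an added example, not code from the thread or from KnoppMyth: the function names, the sample configs and port 22022 are constructed, and `Include` files and `Match` blocks are assumed not to matter and are not evaluated.

```python
# Added example: audit sshd_config text for a non-standard port and key-only
# logins. sshd uses the FIRST value it reads for a keyword, so a later
# "PasswordAuthentication yes" does not undo an earlier "no".

DEFAULTS = {  # OpenSSH behaviour when the keyword is absent
    "port": "22",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older configs use this name for keyboard-interactive logins.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    ports, seen = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional blocks are outside this audit
        if len(parts) < 2:
            continue
        if key == "port":
            ports.append(parts[1])  # every Port line adds a listener
        elif key in DEFAULTS and key not in seen:
            seen[key] = parts[1].lower()  # first value wins
    settings = dict(DEFAULTS, **seen)
    settings["port"] = ports or [DEFAULTS["port"]]
    return settings


def audit(config_text):
    s = effective_settings(config_text)
    findings = []
    if "22" in s["port"]:
        findings.append("sshd listens on the default port 22")
    if s["passwordauthentication"] != "no":
        findings.append("password logins are allowed")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive logins are allowed")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public-key logins are disabled")
    return findings

# Constructed sample configs.
STOCK = "# constructed sample\nPort 22\nPasswordAuthentication yes\n"
HARDENED = ("# constructed sample\nPort 22022\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\nPubkeyAuthentication yes\n"
            "PasswordAuthentication yes\n")
```

Keyboard-interactive is checked because leaving it on can still permit password-style logins through PAM even with `PasswordAuthentication no`. On a live system, `sshd -T` prints the effective configuration, which also resolves includes.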


PostPosted: Sat Dec 03, 2005 1:39 am 
Joined: Fri Sep 19, 2003 7:05 pm
Posts: 5088
Location: Fontana, Ca
If someone wants to submit a script to help harden a boxen, by all means.

_________________
cesman

When the source is open, the possibilities are endless!

