Re: [slim] Re: Possible??? - Remote Squeezebox

2006-04-22 Thread Peter
On Fri, 21 Apr 2006 08:09:36 -0700, "Mark Lanctot"
<[EMAIL PROTECTED]> said:
> 
> Yes, if the attacker were to spoof the IP address, they could just walk
> right in to SlimServer.  And once they were in, there's an extensive set
> of documentation both for the web interface and the CLI / TCP/IP
> interface explaining just what they can do and how to do it.

The IP spoofing is definitely easier said than done. Spoofing a (packet
oriented) UDP connection is quite possible (often used in DNS attacks)
but AFAIK spoofing TCP connections (that require two way negotiations
just to set up the link) is impossible if the attacker can't position
himself somewhere in the local network, and if they've gotten as far as
that you've got bigger problems. Also the slimserver CLI doesn't offer
that much in the way of hacking. You can't just execute arbitrary OS
commands. It's quite possible though that someone left a door open
somewhere (I'd advise against leaving it open without filtering). The
usual attacks are done with buffer overflows which are unlikely since
the server is written in Perl, which has dynamic string allocation. Perl
itself is very well tested (probably even better than sshd).

> It's fortunate that SlimServer isn't widely known outside of the people
> here, but security by obscurity is not much better than no security at
> all.  :-)  I like the fact that security is built into SS but I doubt
> if it has been subject to intense, repeated attack to see what breaks,
> unlike certain other programs!
> 
> I don't require any external access, have set IP address blocking, CSRF
> protection to High and no port forwarding.  External port scans indicate
> these ports do not respond, just like all my other ports.  If it was me,
> I'd go for SSH.  I'm not sure if VPN surpasses SSH protection or if it
> can be used to supplement it.

SSH is not bad for SoftSqueeze, but very cumbersome if used for
connecting real SB hardware to servers on another location. Same with
VPN. They're both unnecessary unless you're the Bank Of America, but you
probably shouldn't be running slimserver in that case anyway.

My preference would be to:

- Use filtering on the router (port forwarding with ip filter)
- Use filtering in the software firewall on the server machine
- Use filtering in the application

But definitely don't leave the server open on a publicly accessible
(standard) port. If a bug becomes known and the script kiddies get wind
of it, they'll start scanning and the dominoes will start falling. As
will the SB's image ;)

Test your setup from a remote machine.

Regards,
Peter
___
discuss mailing list
discuss@lists.slimdevices.com
http://lists.slimdevices.com/lists/listinfo/discuss
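
Added example (not part of Peter's message and not SlimServer code): the third layer from the list above, filtering in the application, as a TCP listener that answers only peers inside an allowlist, plus the kind of probe one would run from the remote side to test the setup. The function names, the CIDR ranges and the loopback demo are assumptions made for illustration.

```python
import ipaddress
import socket
import threading

def is_allowed(peer_ip, allowed_networks):
    """True if peer_ip falls inside any of the allowed CIDR networks."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)

def serve_one(listener, allowed_networks):
    """Accept one TCP connection and reply only to allowlisted peers.

    accept() returns only after the three-way handshake has completed, so
    the peer address checked here belongs to a host that received our SYN-ACK.
    """
    conn, (peer_ip, _peer_port) = listener.accept()
    with conn:
        if is_allowed(peer_ip, allowed_networks):
            conn.sendall(b"OK\n")
        # Any other peer is disconnected without receiving a byte.

def probe(host, port, timeout=2.0):
    """Client-side check: 'served', 'rejected' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return "served" if s.recv(16) else "rejected"
    except OSError:
        return "unreachable"

def demo(allowed_networks):
    """Constructed loopback run: start the listener, probe it once."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5.0)           # never block forever in accept()
    listener.bind(("127.0.0.1", 0))    # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one,
                              args=(listener, allowed_networks))
    worker.start()
    result = probe("127.0.0.1", port)
    worker.join()
    listener.close()
    return result

if __name__ == "__main__":
    print(demo(["127.0.0.0/8"]))    # loopback is on the allowlist
    print(demo(["192.0.2.0/24"]))   # loopback is not on the allowlist
```

The same allowlist check does not carry over to a UDP listener, where the source address of a datagram is taken on trust.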


[slim] Re: Possible??? - Remote Squeezebox

2006-04-22 Thread ericj

To return to the original topic, I am currently listening to my
slimserver in the states, cable modem, 256K up, streaming to my
temporary apartment in London.  Security is SSH via Softsqueeze.  I
am fortunate enough to have high bandwidth ether here.
One issue to think about is how to detect the ip address at home.
Dyndns.org does that for me for softsqueeze.
Good luck


-- 
ericj

ericj's Profile: http://forums.slimdevices.com/member.php?userid=3230
View this thread: http://forums.slimdevices.com/showthread.php?t=23132



[slim] Re: Possible??? - Remote Squeezebox

2006-04-21 Thread rudholm

geoffb Wrote: 
> On 4/21/06, Mark Lanctot wrote:
> > geoffb Wrote:
> > > PC requirements aside, presuming that you didn't put any security in
> > > place apart from router IP filtering at the both ends, that would still
> > > leave you open to whatever exploits your routers expose.  For example,
> > > there's at least one router I read about a while back that shuts down
> > > and requires a hard boot if (a) IP filtering is on and (b) it detects
> > > more than a certain number of port scans from unauthorized IPs.  Means
> > > that you have no music for the rest of the weekend, unless there is
> > > someone at home you can call to reset it.
> >
> > I believe what was referred to is IP filtering by SlimServer itself,
> > i.e. Server Settings - Security - Block Incoming Connections.
> >
> > I suppose IP blocking at the router would eliminate all access attempts
> > to the SlimServer machine, from SlimServer clients or otherwise.  I'm
> > wondering if it would offer any additional protection though - while
> > the router would let traffic through SlimServer wouldn't respond to any
> > connection attempts.
> >
>
> Ah, I see that I misread the original suggestion, although I have to
> say, I don't think this changes the security issue.
> Although it's unlikely, given the relatively few SS instances running
> on the internet, wouldn't it be possible to spoof a source IP and
> issue commands to the SS - presuming that you didn't care about the
> return packets?
> This is reaching into the realm of 'unlikely, so don't bother worrying
> about it', but it's still a possibility.

I'd say "unlikely" is a bit weak of a word.  "Approaching impossible"
is closer to it.

If you can predict TCP Sequence Numbers, it is possible to send packets
that appear to be from a trusted source, but you never get any return
packets.

To successfully cause damage by pretending to be a trusted slimserver
client, the slimserver would have to be running on an OS with
predictable TCP sequence numbers (Windows, MacOS X, and Linux are all
quite secure in this regard) AND the attacker would have to know which
source IP address was trusted, AND the attacker would have to know of a
bug in slimserver that could be exploited in a way that causes damage,
AND the slimserver would have to be running as a user on the host OS
that had sufficient privileges to cause that damage.

And besides all of that, slimserver just isn't that big of a prize for
anyone to bother.  There are far juicier and lower-hanging fruit.  If
you or your systems are of *that* much interest to someone, there are
far easier ways to gain access or cause damage, one of which would be
to attack PPTP.  As implemented by Microsoft, PPTP is more of a
security liability than Slimserver.


-- 
rudholm



[slim] Re: Possible??? - Remote Squeezebox

2006-04-21 Thread snarlydwarf

Except it's very very difficult to do IP spoofing against a modern
operating system.


-- 
snarlydwarf



[slim] Re: Possible??? - Remote Squeezebox

2006-04-21 Thread Mark Lanctot

geoffb Wrote: 
> Ah, I see that I misread the original suggestion, although I have to
> say, I don't think this changes the security issue. Although it's
> unlikely, given the relatively few SS instances running on the
> internet, wouldn't it be possible to spoof a source IP and issue
> commands to the SS - presuming that you didn't care about the return
> packets?
> This is reaching into the realm of 'unlikely, so don't bother worrying
> about it', but it's still a possibility.  Since SS usually runs as a
> semi-privileged process, at least on Windows, with read/write access
> to the hard drive, any buffer overflows or other problems would
> presumably make the server a liability.
> 
> But I'm probably unduly biased because I enjoy being able to listen to
> music in hotel rooms, while I'm travelling, via SS.  This of course
> precludes IP filtering, so I always considered it unsecure :)
> 

Yes, if the attacker were to spoof the IP address, they could just walk
right in to SlimServer.  And once they were in, there's an extensive set
of documentation both for the web interface and the CLI / TCP/IP
interface explaining just what they can do and how to do it.

It's fortunate that SlimServer isn't widely known outside of the people
here, but security by obscurity is not much better than no security at
all.  :-)  I like the fact that security is built into SS but I doubt
if it has been subject to intense, repeated attack to see what breaks,
unlike certain other programs!

I don't require any external access, have set IP address blocking, CSRF
protection to High and no port forwarding.  External port scans indicate
these ports do not respond, just like all my other ports.  If it was me,
I'd go for SSH.  I'm not sure if VPN surpasses SSH protection or if it
can be used to supplement it.


-- 
Mark Lanctot



Re: [slim] Re: Possible??? - Remote Squeezebox

2006-04-21 Thread Geoff B
On 4/21/06, Mark Lanctot wrote:
> geoffb Wrote:
> > PC requirements aside, presuming that you didn't put any security in
> > place apart from router IP filtering at the both ends, that would still
> > leave you open to whatever exploits your routers expose.  For example,
> > there's at least one router I read about a while back that shuts down
> > and requires a hard boot if (a) IP filtering is on and (b) it detects
> > more than a certain number of port scans from unauthorized IPs.  Means
> > that you have no music for the rest of the weekend, unless there is
> > someone at home you can call to reset it.
>
> I believe what was referred to is IP filtering by SlimServer itself,
> i.e. Server Settings - Security - Block Incoming Connections.
>
> I suppose IP blocking at the router would eliminate all access attempts
> to the SlimServer machine, from SlimServer clients or otherwise.  I'm
> wondering if it would offer any additional protection though - while
> the router would let traffic through SlimServer wouldn't respond to any
> connection attempts.
>

Ah, I see that I misread the original suggestion, although I have to
say, I don't think this changes the security issue.
Although it's unlikely, given the relatively few SS instances running
on the internet, wouldn't it be possible to spoof a source IP and
issue commands to the SS - presuming that you didn't care about the
return packets?
This is reaching into the realm of 'unlikely, so don't bother worrying
about it', but it's still a possibility.  Since SS usually runs as a
semi-privileged process, at least on Windows, with read/write access
to the hard drive, any buffer overflows or other problems would
presumably make the server a liability.

But I'm probably unduly biased because I enjoy being able to listen to
music in hotel rooms, while I'm travelling, via SS.  This of course
precludes IP filtering, so I always considered it unsecure :)

Cheers
Geoff


[slim] Re: Possible??? - Remote Squeezebox

2006-04-21 Thread Mark Lanctot

geoffb Wrote: 
> PC requirements aside, presuming that you didn't put any security in
> place apart from router IP filtering at the both ends, that would still
> leave you open to whatever exploits your routers expose.  For example,
> there's at least one router I read about a while back that shuts down
> and requires a hard boot if (a) IP filtering is on and (b) it detects
> more than a certain number of port scans from unauthorized IPs.  Means
> that you have no music for the rest of the weekend, unless there is
> someone at home you can call to reset it.
> 

I believe what was referred to is IP filtering by SlimServer itself,
i.e. Server Settings - Security - Block Incoming Connections.

I suppose IP blocking at the router would eliminate all access attempts
to the SlimServer machine, from SlimServer clients or otherwise.  I'm
wondering if it would offer any additional protection though - while
the router would let traffic through SlimServer wouldn't respond to any
connection attempts.


-- 
Mark Lanctot



[slim] Re: Possible??? - Remote Squeezebox

2006-04-19 Thread rudholm

Assuming you have at least 384kbps upload speed in your primary house
(where the slimserver is located), you should be fine, but you will
have to configure slimserver to limit the bitrate for the player in the
lake house down to 256 or 128kbps.


-- 
rudholm
