Re: [SlimDevices: Unix] piCorePlayer: security
peterw wrote:
> I just wanted to say thanks to the pCP crew for adding the Security page
> to the Beta web UI for 6.0! I do hope you'll promote that to the
> mainstream admin UI, although I suggest you consider a few tweaks:
> 1) add a Password Confirmation input on the httpd settings page
> 2) add a note that the pCP settings will be saved as soon as the change
> is applied (I expected that they would NOT be, that I would be able to
> verify that I could still access the httpd and sshd after setting
> passwords and just power cycle the Pi if I goofed somehow)
> 3) incorporate CSRF protection into the web UI, at least Referer checks.
> It seems too easy to use CSRF with mere GET requests to effect
> significant changes on the pCP. Even those w/ authentication required
> for the web UI are vulnerable to CSRF attacks.
>
> Thanks!

Hi peterw,

Thanks for the feedback. I've added your requests to my list of things to do.

Regarding #3, there was a fourth page that didn't make it into production that disabled the http server (after a few minutes). I think you can manually change GUI_DISABLE="0" in the pcp.cfg to a few minutes.

The CLI setup command ($ setup) has the option to turn off the GUI but it is either on or off, no grace period after reboot.

regards
Greg

Greg Erskine's Profile: http://forums.slimdevices.com/member.php?userid=7403
View this thread: http://forums.slimdevices.com/showthread.php?t=109401
___
unix mailing list
unix@lists.slimdevices.com
http://lists.slimdevices.com/mailman/listinfo/unix
Re: [SlimDevices: Unix] piCorePlayer: security
Greg Erskine wrote:
> This option will be available in pCP6.0.0 when we release it. Best to
> wait.

I just wanted to say thanks to the pCP crew for adding the Security page to the Beta web UI for 6.0! I do hope you'll promote that to the mainstream admin UI, although I suggest you consider a few tweaks:

1) add a Password Confirmation input on the httpd settings page
2) add a note that the pCP settings will be saved as soon as the change is applied (I expected that they would NOT be, that I would be able to verify that I could still access the httpd and sshd after setting passwords and just power cycle the Pi if I goofed somehow)
3) incorporate CSRF protection into the web UI, at least Referer checks. It seems too easy to use CSRF with mere GET requests to effect significant changes on the pCP. Even those w/ authentication required for the web UI are vulnerable to CSRF attacks.

Thanks!

owner of the stuff at https://tuxreborn.netlify.app/ (which used to reside at www.tux.org/~peterw/)
Note: The best way to reach me is email or PM, as I don't spend much time on the forums.
*Free plugins:* AllQuiet Auto Dim/AutoDisplay BlankSaver ContextMenu DenonSerial FuzzyTime KidsPlay KitchenTimer PlayLog PowerCenter/BottleRocket SaverSwitcher SettingsManager SleepFade StatusFirst SyncOptions VolumeLock

peterw's Profile: http://forums.slimdevices.com/member.php?userid=2107
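
Added example, not part of the thread and not piCorePlayer code: the Referer check suggested in point 3 above, written as a POSIX shell guard for a CGI script that changes settings. The function names and the script name security.cgi are hypothetical; REQUEST_METHOD, HTTP_HOST and HTTP_REFERER are the standard CGI variables, assumed here to be set by the web server.

```sh
#!/bin/sh
# Added example: Referer-based CSRF guard for a state-changing CGI script.
# Function names and policy are assumptions, not piCorePlayer code.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print the host[:port] part of an http(s) URL; fail on anything else.
url_host() {
    case "$1" in
        http://*)  _h=${1#http://} ;;
        https://*) _h=${1#https://} ;;
        *) return 1 ;;
    esac
    _h=${_h%%/*}; _h=${_h%%\?*}; _h=${_h%%\#*}   # drop path, query, fragment
    case "$_h" in
        ""|*@*) return 1 ;;   # empty, or userinfo such as pcp.local@other.host
    esac
    printf '%s' "$_h"
}

# csrf_ok METHOD HOST REFERER -> status 0 if the request may change settings.
csrf_ok() {
    [ "$1" = "POST" ] || return 1           # settings never change on GET
    [ -n "$2" ] || return 1                 # no Host header: refuse
    _ref=$(url_host "$3") || return 1       # missing or malformed Referer: refuse
    [ "$(lc "$_ref")" = "$(lc "$2")" ]      # exact match with this UI's own origin
}

# Call at the top of a settings CGI: guard_cgi || exit 0
guard_cgi() {
    csrf_ok "${REQUEST_METHOD:-}" "${HTTP_HOST:-}" "${HTTP_REFERER:-}" && return 0
    printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
    printf 'Cross-site or non-POST request refused.\n'
    return 1
}

# Constructed sample requests: METHOD|Host header|Referer header
while IFS='|' read -r method host referer; do
    if csrf_ok "$method" "$host" "$referer"; then verdict=allow; else verdict=deny; fi
    printf '%-5s %-10s %-42s %s\n' "$method" "$host" "${referer:-(none)}" "$verdict"
done <<'EOF'
POST|pcp.local|http://pcp.local/cgi-bin/security.cgi
GET|pcp.local|http://pcp.local/cgi-bin/security.cgi
POST|pcp.local|http://forum.example/thread?id=1
POST|pcp.local|
POST|pcp.local|http://pcp.local@forum.example/
EOF
```

A request that arrives without a Referer header is refused, so the check fails closed when a browser or proxy strips the header.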
Re: [SlimDevices: Unix] piCorePlayer: security
Greg Erskine wrote:
> Some people consider using port 80 to be less secure because it is the
> http default.

Agreed which is why I replied here. I also agree the LMS stuff is off topic, sorry about that.

trigdog's Profile: http://forums.slimdevices.com/member.php?userid=69356
Re: [SlimDevices: Unix] piCorePlayer: security
Some people consider using port 80 to be less secure because it is the http default.

The LMS http port number is really not part of piCorePlayer security. It might confuse people talking about it in the same thread/post/paragraph as piCorePlayer http port.

Greg Erskine's Profile: http://forums.slimdevices.com/member.php?userid=7403
Re: [SlimDevices: Unix] piCorePlayer: security
Greg Erskine wrote:
> You can't do this.
>
> Most people only change the LMS port if it clashes with other software.
> 9001 is usually used.

I see LMS doesn't support 80 now. I was just trying to make a more user friendly url to get to the LMS server. I created a host file record in my pi-hole DNS server that redirects the domain: my.music to the IP of the PCP LMS server...I just can't redirect to a specific port using DNS. Maybe I can create a redirect with busybox httpd from 80 to 9000... will investigate.

Thanks.

trigdog's Profile: http://forums.slimdevices.com/member.php?userid=69356
Re: [SlimDevices: Unix] piCorePlayer: security
Greg Erskine wrote:
> If you are using pCP6.0.0-b1 you *may* be able to edit your pcp config
> file manually (/usr/local/etc/pcp/pcp.cfg)?

Actually, I just tried this on 5.0 before I saw this reply... it seems to have worked just fine when I edited manually and used "pcp br" to reboot afterward. Is that not supposed to work in 5.0?

trigdog's Profile: http://forums.slimdevices.com/member.php?userid=69356
Re: [SlimDevices: Unix] piCorePlayer: security
hi trigdog,

trigdog wrote:
> Is there anyway to change the default WWW_PORT="80" in the config to
> something like 8080?

This option will be available in pCP6.0.0 when we release it. Best to wait.

[attachment 27918]

If you are using pCP6.0.0-b1 you *may* be able to edit your pcp config file manually (/usr/local/etc/pcp/pcp.cfg)?

trigdog wrote:
> It would be nice if I could change the LMS to 80 instead of 9000.

You can't do this.

Most people only change the LMS port if it clashes with other software. 9001 is usually used.

We offer only this option on the [Tweaks] page. Please read the note carefully.

[attachment 27919]

regards
Greg

Filename: lmsipport.PNG
Download: http://forums.slimdevices.com/attachment.php?attachmentid=27919

Greg Erskine's Profile: http://forums.slimdevices.com/member.php?userid=7403
Re: [SlimDevices: Unix] piCorePlayer: security
paul- wrote:
> You should be able to add SERVER_PORT=8080 to the config.

Thanks, I will give it a try tonight.

paul- wrote:
> Not sure why you would want to change LMS
> interface...we don't offer a way to do that.

Oh, I thought I saw it in the LMS setting where you could change the port as well as a setting in pcp LMS settings tab to put in the port you changed it to in the LMS settings... maybe I am misunderstanding those settings...I will check when I get back into it tonight.

trigdog's Profile: http://forums.slimdevices.com/member.php?userid=69356
Re: [SlimDevices: Unix] piCorePlayer: security
Not sure why you would want to change LMS interface...we don't offer a way to do that.

piCorePlayer a small player for the Raspberry Pi in RAM.
Homepage: https://www.picoreplayer.org
Please 'donate' (https://www.paypal.com/cgi-bin/webscr?cmd=_donations=U7JHY5WYHCNRU=GB_code=USD=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted) if you like the piCorePlayer

paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
Re: [SlimDevices: Unix] piCorePlayer: security
Greg Erskine wrote:
> Just remove the # on the last line and make sure there is a newline
> added to the end of the last line.

This is great. Is there anyway to change the default WWW_PORT="80" in the config to something like 8080? It would be nice if I could change the LMS to 80 instead of 9000.

trigdog's Profile: http://forums.slimdevices.com/member.php?userid=69356
Re: [SlimDevices: Unix] piCorePlayer: security
Many thanks :-)

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
Re: [SlimDevices: Unix] piCorePlayer: security
RE: pCP5.0.0

One small step towards increased security, for those that can't wait for the Web GUI to be updated and know vi.

The httpd web server now uses a configuration file /etc/httpd.conf

Code:
    $ sudo cat httpd.conf
    # Maintained by piCorePlayer
    H:/home/tc/www
    #/cgi-bin:admin:admin

Just remove the # on the last line and make sure there is a newline added to the end of the last line.

Do a $ pcp br

The browser will now prompt for a user name and password. Default is admin/admin.

regards
Greg

Greg Erskine's Profile: http://forums.slimdevices.com/member.php?userid=7403
Re: [SlimDevices: Unix] piCorePlayer: security
peterw wrote:
> a widely available case that looks sufficient for an audio HAT:
> https://www.thingiverse.com/thing:2268017

Yup, that's the DesignSpark case that I'm using, and it looks like a nice 3D-printed extension.

/Claus

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
Re: [SlimDevices: Unix] piCorePlayer: security
cfuttrup wrote:
> Hi Peter
>
> I've had success with the DesignSpark case and a Dremel tool. Please
> see: http://www.cfuttrup.com/touch_upgrade.html
>
> ... but yes, finding a good case for a different board and/or with
> different features requires some work, or you use a setup without a rear
> cover, or you design your own (maybe 3D printed). Another option is to
> connect the pieces with cables and e.g. use one of the Audiophonics
> cases.

Claus, thanks for the info & suggestions. I spent a bunch of time on Thingiverse the other day, and this project looked pretty good, a revised cap for a widely available case that looks sufficient for an audio HAT: https://www.thingiverse.com/thing:2268017

peterw's Profile: http://forums.slimdevices.com/member.php?userid=2107
Re: [SlimDevices: Unix] piCorePlayer: security
peterw wrote:
> Greg, I am still playing with pCP a bit.
>
> Frankly the biggest problem is finding a case for a touchscreen that
> will work with (and enclose and protect) a 3B+ and an I2S DAC.** :-) The
> Smartipi case with optional extended backs is about the best I've found
> so far, but it looks not quite polished/tidy enough for some rooms. :-(

Hi Peter

I've had success with the DesignSpark case and a Dremel tool. Please see: http://www.cfuttrup.com/touch_upgrade.html

... but yes, finding a good case for a different board and/or with different features requires some work, or you use a setup without a rear cover, or you design your own (maybe 3D printed).

/Claus

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
Re: [SlimDevices: Unix] piCorePlayer: security
Greg, I am still playing with pCP a bit.

Frankly the biggest problem is finding a case for a touchscreen that will work with (and enclose and protect) a 3B+ and an I2S DAC.** :-) The Smartipi case with optional extended backs is about the best I've found so far, but it looks not quite polished/tidy enough for some rooms. :-(

For the httpd I'm pretty comfortable with my loopback binding and tunneling through ssh. At least with that sshd is the only listening daemon. BTW I'm glad you chose OpenSSH instead of something like dropbear.

I also played with Ubuntu Mate today and ooh, boy, Jivelite on pCP is soo much snappier than my first attempt at Squeezeplay on Mate on Pi that it's hard to imagine Mate being viable. pCP with a 3B+ seems likely to be snappier than my Touch but I expect Mate would be a step backward.

** I'd especially like one in which I could fit an IR receiver and a rotary encoder knob for Radio-style quick volume control.

peterw's Profile: http://forums.slimdevices.com/member.php?userid=2107
Re: [SlimDevices: Unix] piCorePlayer: security
hi peterw,

Thanks for your continued interest in pCP. Are you still using it?

We understand the security issues you mention. We are working on security in the background but generally don't discuss things we are developing.

The current pCP has a method of disabling ssh.

The next version of pCP has a new "beta" method of disabling the web GUI. It can be permanently on, permanently off or shuts down after so many seconds.

The general password checking code has been written but not implemented yet.

Adding a password authentication on the web server has been tested but not implemented yet. It requires a restructure of the current web server, planned for some time after pCP 5.0.0

BTW: My last job was in the SIEM Team for a large IT company working for a major bank. I was the team Audit/Compliance officer. I know what it's like to have processes and security so tight you can barely do any work!!! I used to work in various data centres so know a bit about physical security as well.

regards
Greg

Greg Erskine's Profile: http://forums.slimdevices.com/member.php?userid=7403
Re: [SlimDevices: Unix] piCorePlayer: security
peterw wrote:
> BTW, pCP seems to include OpenSSH's sshd so you might be able to do
> things like configure busybox httpd to listen on the loopback address
> only (looks like you'd want to edit /usr/local/etc/init.d/httpd)

Looks like a much simpler approach would be to "disable" the web UI with the command line 'setup' tool and then have one of the User Commands be

Code:
    /usr/sbin/httpd -h /home/tc/www -p 127.0.0.1:80

peterw's Profile: http://forums.slimdevices.com/member.php?userid=2107
Re: [SlimDevices: Unix] piCorePlayer: security
huxmut wrote:
> would a public/private certificate ever be an option ?

BTW, pCP seems to include OpenSSH's sshd so you might be able to do things like configure busybox httpd to listen on the loopback address only (looks like you'd want to edit /usr/local/etc/init.d/httpd), and then use ssh port forwarding to access it remotely via something like http://localhost:8010/ on your SSH client box. I expect you should also be able to configure sshd to only accept public key authentication if you'd like to avoid passwords.

Editing those files is a bit cumbersome -- http://www.brianlinkletter.com/persistent-configuration-changes-in-tinycore-linux/ seems to explain how to make persistent changes.

I think it'd be nice if pCP supported something like the old 'Pi config.txt' (https://www.raspberrypi.org/documentation/configuration/config-txt/README.md) to allow setting some common options (including disabling the httpd or binding it only to loopback) when preparing the SD card, so the system could be locked down from the moment it first booted up without jumping through so many hoops. Might be nice to offer a web UI (on picoreplayer.org?) that would output a textarea whose contents could be pasted straight into the config text file to help avoid errors. I'd include wifi configuration in such a tool.

peterw's Profile: http://forums.slimdevices.com/member.php?userid=2107
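
Added example, not part of the thread and not piCorePlayer code: a check for the loopback-plus-ssh-tunnel setup described in the two posts above, which reads `netstat -tln` output and lists the TCP listeners still reachable from the network. The function names and both netstat samples are constructed for illustration, and the login name tc in the comment is an assumption taken from the /home/tc path.

```sh
#!/bin/sh
# Added example, not piCorePlayer code. Both netstat samples are constructed.
#
# With httpd bound to 127.0.0.1:80, the UI is reached through a forward such as
#   ssh -L 8010:127.0.0.1:80 tc@<pcp-address>     (user "tc" is an assumption)
# and then http://localhost:8010/ on the SSH client box, as the post describes.

# Read `netstat -tln` output on stdin and print every TCP listener that is
# not bound to loopback (127.0.0.0/8 or ::1).
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        if ($4 ~ /^127\./ || $4 ~ /^::1:/) next
        print $4
    }'
}

# Succeed only if every exposed listener is on port 22 (sshd).
only_ssh_exposed() {
    exposed_listeners | awk '
        { n = split($0, part, ":"); if (part[n] != "22") bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample: web UI listening on all interfaces.
sample_before() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF
}

# Constructed sample: web UI restarted with -p 127.0.0.1:80.
sample_after() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF
}

for sample in sample_before sample_after; do
    if $sample | only_ssh_exposed; then
        echo "$sample: only sshd is reachable from the network"
    else
        echo "$sample: exposed listeners: $($sample | exposed_listeners | tr '\n' ' ')"
    fi
done
```

On the player itself, pipe the live output in instead of a sample: `netstat -tln | exposed_listeners`.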
Re: [SlimDevices: Unix] piCorePlayer: security
Cool. Thanks Paul

rPi 3 + rasPi 7" LCD + HiFiBerry DiGi+ | rPi 2 + IQaudio DAC+ | rPi 2 + HiFiBerry DAC+ | Squeeze Box Touch | LMS + XPenology on HP Gen 8 |

huxmut's Profile: http://forums.slimdevices.com/member.php?userid=65108
Re: [SlimDevices: Unix] piCorePlayer: security
Busybox httpd doesn't support https. There are solutions like stunnel that supposedly work without needing any changes to the httpd code. But it's not actively being worked on. Easier options for access control is what we are looking at.

paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
Re: [SlimDevices: Unix] piCorePlayer: security
would a public/private certificate ever be an option ?

huxmut's Profile: http://forums.slimdevices.com/member.php?userid=65108
Re: [SlimDevices: Unix] piCorePlayer: security
hi peterw,

Yeah, the original piCorePlayer's configuration was done via a "setup" script. :) The web interface is easier to use but there were some circumstances where a script still made sense.

We have been doing some "security" development but it probably won't make it into the next pCP. For instance, the web interface can be turned off, or it will only work for x number of seconds after a reboot.

There is a [Configure] button for alsaequal (after it has been installed) on the web interface! The original help message is still valid though.

regards
Greg

Greg Erskine's Profile: http://forums.slimdevices.com/member.php?userid=7403
Re: [SlimDevices: Unix] piCorePlayer: security
paul- wrote:
> You can shut It down. There is a command line program setup

Got it, thanks. Kinda fun that both setup & the alsa equalizer require me to SSH in from 'xterm', which I haven't used much in years. :-)

peterw's Profile: http://forums.slimdevices.com/member.php?userid=2107
Re: [SlimDevices: Unix] piCorePlayer: security
You can shut It down. There is a command line program setup

paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
Re: [SlimDevices: Unix] piCorePlayer: security
I just finally decided to play with piCorePlayer -- nice work!

Am I missing something, or is there no official way to password-protect the piCorePlayer web interface?

Thanks,
Peter

peterw's Profile: http://forums.slimdevices.com/member.php?userid=2107
Re: [SlimDevices: Unix] piCorePlayer: security
OK, eh, I chose the iptables.tcz package (from piCore repository - it's the default), but it seems piCorePlayer downloads the wrong package (!?). I get:

Downloading: ipv6-4.14.81-pcpCore_v7.tcz
Error on ipv6-4.14.81-pcpCore_v7.tcz

... but that's not iptables, that's the package next in the table of packages ( :-) ). I wonder why the wrong package is downloaded. Anyway, ipv6 is 311 kb, whereas iptables is 307 kb.

I first expanded the SD card to 100 Mb, leaving 51 Mb free, then to 200 Mb (it's a 1 GB card). Free space is now 142 Mb. It's impossible that I'm short of space. It seems the files are downloaded to another partition, and this partition is too small, maybe a RAM disk partition (?).

Next - I changed to the piCorePlayer repository, and the correct file was downloaded.

/Claus

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
Re: [SlimDevices: Unix] piCorePlayer: security
Hi Paul

Thanks. I see the "Extensions" button now - when going from Normal to Advanced ... and the need to resize first :-).

I have to say it's really nice to use piCorePlayer. It's quite an amazing piece of software.

Cheers,
Claus

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
Re: [SlimDevices: Unix] piCorePlayer: security
You can install packages from the "Extensions" button on the main pCP web page. Sometimes you might need to install kernel module packages that are only found on the piCorePlayer repo first.

paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
Re: [SlimDevices: Unix] piCorePlayer: security
Hi Paul

My understanding is that iptables is not installed in a default piCorePlayer, so I need to install it first.

I understand that Tiny Core has the following modules ready to install: http://tinycorelinux.net/9.x/armv6/tcz/

... but exactly how does one install such packages in piCorePlayer ... can I through the web interface execute some commands and they will be downloaded and installed? - or do I have to find these packages elsewhere?

P.S. I think it is wise to let all traffic go through the firewall for a start (i.e. start with iptables being wide open), then I can assess later what's allowed and what's blocked. I'm just being careful.

Cheers,
Claus

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
Re: [SlimDevices: Unix] piCorePlayer: security
I'm not going to get into your rules. But if you are just allowing everything, what is the point?

You wanted to know if it would be wiped out during update, and the answer is: it depends. Where is your config script? And how is it being called?

paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
Re: [SlimDevices: Unix] piCorePlayer: security
Hi paul

I have just picked someone's recommendations for a start - to allow "everything" ... I haven't actually configured iptables yet, because it isn't installed on my piCorePlayer yet.

Cheers,
Claus

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
Re: [SlimDevices: Unix] piCorePlayer: security
Where are you doing the configuration steps?

paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
Re: [SlimDevices: Unix] piCorePlayer: security
Sorry to bring this to the surface again.

Can anyone offer help how to install iptables? Presumably it's available as a package from Tiny Core -> piCore. Is there a simple command that installs iptables?

Next about the configuration, I'm far from an expert, never done this before. Would this make sense?

> # Allow any connection from this host.
> iptables -A INPUT -i lo -j ACCEPT
> # Allow any connection from the local network.
> iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
> # Allow all broadcast traffic.
> iptables -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT

Will such an installation be erased when updating piCorePlayer ... meaning I'll have to reinstall ?

/Claus

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
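
Added example, not part of the thread and not piCorePlayer code: the three rules in the post above are all ACCEPT rules appended to an INPUT chain whose built-in default policy is already ACCEPT, so on their own they do not change what the player accepts. The script below prints a variant that also refuses other inbound traffic while still letting replies to the player's own outbound connections (such as package downloads) back in, together with a check that tells the two rule sets apart; the function names are hypothetical and the conntrack match is assumed to be available in the kernel.

```sh
#!/bin/sh
# Added example, not piCorePlayer code. Function names are hypothetical.
# Nothing here calls iptables: the functions only print and inspect commands.

# The three rules from the post, reproduced as sample input.
posted_rules() {
cat <<'EOF'
# Allow any connection from this host.
iptables -A INPUT -i lo -j ACCEPT
# Allow any connection from the local network.
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# Allow all broadcast traffic.
iptables -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT
EOF
}

# Same intent plus a default-deny policy. $1 = local network in CIDR form.
# The policy is set last so an ssh session used to apply the rules is
# already covered by an ACCEPT rule when DROP takes effect.
# IPv4 only: ip6tables keeps its own, separate rule set.
hardened_rules() {
cat <<EOF
# Allow any connection from this host.
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections the player itself opened (assumes conntrack).
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow any connection from the local network.
iptables -A INPUT -s ${1:-192.168.1.0/24} -j ACCEPT
# Allow all broadcast traffic.
iptables -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT
# Refuse everything else that arrives.
iptables -P INPUT DROP
EOF
}

# Read iptables commands on stdin; succeed only if the INPUT chain can ever
# refuse a packet (a DROP policy, or a rule whose target is DROP or REJECT).
input_can_refuse() {
    awk '
        $1 != "iptables" { next }
        {
            chain = ""; target = ""; policy = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "-A" || $i == "-I") chain = $(i + 1)
                if ($i == "-P") { chain = $(i + 1); policy = $(i + 2) }
                if ($i == "-j") target = $(i + 1)
            }
            if (chain == "INPUT" && (policy == "DROP" || target == "DROP" || target == "REJECT"))
                found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

if posted_rules | input_can_refuse; then
    echo "posted rules: some inbound traffic is refused"
else
    echo "posted rules: every inbound packet is still accepted"
fi
if hardened_rules 192.168.1.0/24 | input_can_refuse; then
    echo "hardened rules: inbound traffic outside the ACCEPT rules is refused"
fi
```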
Re: [SlimDevices: Unix] piCorePlayer: security
cfuttrup wrote:
> Is iptables already there on the piCorePlayer, and do I have to edit a
> text file on the system, to accomplish this?

No
Yes

Greg Erskine's Profile: http://forums.slimdevices.com/member.php?userid=7403
Re: [SlimDevices: Unix] piCorePlayer: security
DJanGo wrote:
> How does a Hacker / Cracker get his way into the IOT Devices like a
> lms?

Hi DJanGo - you have many good points (I only quote one line in your response above). IOT are potential targets and in these times, we should think how to reduce the risk in a product like piCorePlayer.

Cheers,
Claus

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
Re: [SlimDevices: Unix] piCorePlayer: security
d6jg wrote:
> Sensible password. Internal network only no port forwarding etc
> Other than that why?

Hi d6jg

Internal only ... is that something I'd do with iptables?

Is iptables already there on the piCorePlayer, and do I have to edit a text file on the system, to accomplish this?

Sorry for really not knowing much about this. I ask because I'm afraid I'll do something wrong and/or stupid, like for example make it impossible for the Tiny Core Linux to fetch packages and stay up-to-date.

/Claus

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
Re: [SlimDevices: Unix] piCorePlayer: security
Gaffophone wrote:
> Are there recommendations or best practices to secure
> piCorePlayer?

There are many improvements on the security but most of them are on the other side - not yours and they are not RPI / Picore related.

How does a Hacker / Cracker get his way into the IOT Devices like a lms?

First they would use an already implemented update scenario like lms update or the plugins update mechanism. One hack -> many devices with many ips makes a perfect botnet. Mostly they don't hack a single IOT device.

Unless the updates aren't digitally certified and the internal update mechanism first checks the updates for their certificates you always have to trust these updates with your brain instead of the update routine.

In case of LMS updates that's a quite easy procedure because there is a single contributor for these updates. In case of the plugin side the whole idea is getting worse because there is no manpower to prove all plugins and sign them and there are more than one plugin repository.

That means be aware what plugins you install and check the forum for some warnings.

DJanGo's Profile: http://forums.slimdevices.com/member.php?userid=1516
Re: [SlimDevices: Unix] piCorePlayer: security
Sensible password. Internal network only no port forwarding etc
Other than that why?

d6jg's Profile: http://forums.slimdevices.com/member.php?userid=44051
Re: [SlimDevices: Unix] piCorePlayer: security
cfuttrup wrote:
> Also I wonder if piCorePlayer could be setup to accept interaction with
> a specific IP address only (my NAS running LMS has fixed IP) and/or MAC
> address?

That would be iptables' role.

piCorePlayer a small player for the Raspberry Pi in RAM. Homepage: https://www.picoreplayer.org

paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
Re: [SlimDevices: Unix] piCorePlayer: security
Hi cfuttrup,

If you are "super paranoid" about security issues I would not have a Raspberry Pi on my network.

One of the advantages of piCore is it is in RAM. The system is a clean rebuild on each boot. So a hacker, unless they were TinyCore savvy, could do their thing, but after a reboot it would be clean again. You could schedule a reboot every 5 minutes!

regards
Greg

Greg Erskine's Profile: http://forums.slimdevices.com/member.php?userid=7403
Re: [SlimDevices: Unix] piCorePlayer: security
I'm interested in this topic. Just installed a RPi w. piCorePlayer + JiveLite on my network. Bluetooth and WiFi are disabled, only using Ethernet. I changed the password for tc (tiny-core, I hope it was saved).

Is there some way in which a hacker could potentially get access to tc and manipulate the system to serve a hacker's purpose? Just wondering.

Also I wonder if piCorePlayer could be setup to accept interaction with a specific IP address only (my NAS running LMS has fixed IP) and/or MAC address?

Cheers,
Claus

cfuttrup's Profile: http://forums.slimdevices.com/member.php?userid=32784
Re: [SlimDevices: Unix] piCorePlayer: security
Nothing to worry then. Thanks a lot!

Gaffophone's Profile: http://forums.slimdevices.com/member.php?userid=68400
Re: [SlimDevices: Unix] piCorePlayer: security
Yes you can install iptables on pCP, but it's really not necessary. You can shut down all services, so only squeezelite/jivelite is running.

LMS itself is not designed to be run accessible from the internet. LMS and associated devices should only be on your local network. If you want remote access to your music, use a VPN.

paul-'s Profile: http://forums.slimdevices.com/member.php?userid=58858
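
One way to express the restriction cfuttrup asks about (new inbound connections accepted only from the LMS host) while keeping outbound package fetches working, as an added example that is not part of any post in this thread. The function names and sample addresses are hypothetical, and it assumes iptables has been installed on the pCP, with SSH on tcp/22 and the web UI on tcp/80.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses below are constructed samples.
# Assumed: iptables is installed; SSH on tcp/22 and the pCP web UI on tcp/80.

# Succeed only if $1 is a dotted-quad IPv4 address with octets 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an iptables-restore ruleset: LMS host $1 may reach every port, optional
# admin host $2 may reach SSH and the web UI, all other inbound traffic is dropped.
pcp_ruleset() {
    lms_ip=$1
    admin_ip=${2:-}
    is_ipv4 "$lms_ip" || { echo "bad LMS address: $lms_ip" >&2; return 1; }
    if [ -n "$admin_ip" ] && ! is_ipv4 "$admin_ip"; then
        echo "bad admin address: $admin_ip" >&2; return 1
    fi
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    # Outbound stays open so Tiny Core can still fetch packages and updates.
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections the player itself opened (LMS stream, DNS, package fetches).
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -s $lms_ip/32 -j ACCEPT"
    if [ -n "$admin_ip" ]; then
        echo "-A INPUT -s $admin_ip/32 -p tcp -m multiport --dports 22,80 -j ACCEPT"
    fi
    echo "COMMIT"
}

# Dry run first, then load (both need root):
#   pcp_ruleset 192.168.1.10 192.168.1.20 | iptables-restore --test
#   pcp_ruleset 192.168.1.10 192.168.1.20 | iptables-restore
```

Because pCP is rebuilt from RAM on every boot, as Greg notes above, a ruleset loaded this way is gone after a reboot and has to be reapplied at startup; how to do that on pCP is not shown here.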