
tcpd hosts.allow hosts.deny support


9 replies to this topic

#1 imopen

  • Member
  • 5 posts

0
Neutral

Posted 4 September 2018 - 23:49

Hello,

I'm trying to protect my box compiling /etc/hosts.allow and /etc/hosts.deny files, but without success, it seems they are completely ignored.

Am I doing something wrong, or is tcpd not supported in enigma2 images?  :wacko:

 

What I'm trying to do is to geo-protect my devices (with tcpd and geoip database), I do manage it successfully on a Nuc server but it seems impossible to achieve on my Gigablue decoder.

 

Thanks in advance and keep up the good work,

imopen
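
hosts.allow and hosts.deny are only consulted by daemons that are linked against libwrap or that inetd starts through the tcpd wrapper; a service that does neither ignores both files. The check below is an added example, not code from this thread or from the OpenPLi project; the function names and the sample `ldd` and inetd.conf text are constructed for illustration.

```shell
#!/bin/sh
# Added example: can hosts.allow/hosts.deny affect a given service at all?
# TCP wrappers apply only when (a) the daemon links against libwrap, or
# (b) inetd launches the daemon through the tcpd wrapper program.

# links_libwrap: reads `ldd <binary>` output on stdin; succeeds if libwrap is listed.
links_libwrap() {
    grep -q 'libwrap\.so'
}

# inetd_uses_tcpd SERVICE: reads inetd.conf on stdin; succeeds if a non-comment
# entry for SERVICE names tcpd as its server program (sixth field).
inetd_uses_tcpd() {
    awk -v svc="$1" '
        /^[[:space:]]*#/ { next }
        $1 == svc && $6 ~ /(^|\/)tcpd$/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# wrapper_coverage LDD_TEXT INETD_TEXT SERVICE -> prints libwrap, tcpd or none
wrapper_coverage() {
    if printf '%s\n' "$1" | links_libwrap; then
        echo libwrap
    elif printf '%s\n' "$2" | inetd_uses_tcpd "$3"; then
        echo tcpd
    else
        echo none   # hosts.allow/hosts.deny are never read for this service
    fi
}

# Constructed sample data (not captured from a real box).
SAMPLE_LDD_WRAPPED='	libwrap.so.0 => /lib/libwrap.so.0 (0x76f10000)
	libc.so.6 => /lib/libc.so.6 (0x76dd0000)'
SAMPLE_LDD_PLAIN='	libc.so.6 => /lib/libc.so.6 (0x76dd0000)'
SAMPLE_INETD='# name type proto wait user server args
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vsftpd
telnet stream tcp nowait root /usr/sbin/telnetd telnetd'

wrapper_coverage "$SAMPLE_LDD_WRAPPED" "$SAMPLE_INETD" sshd    # libwrap
wrapper_coverage "$SAMPLE_LDD_PLAIN" "$SAMPLE_INETD" ftp       # tcpd
wrapper_coverage "$SAMPLE_LDD_PLAIN" "$SAMPLE_INETD" telnet    # none

# On a live system, feed real data instead of the samples, for example:
#   wrapper_coverage "$(ldd /path/to/daemon)" "$(cat /etc/inetd.conf)" servicename
```

A result of `none` means the rules in both files have no effect on that service, and filtering has to happen somewhere else.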

 



Re: tcpd hosts.allow hosts.deny support #2 littlesat

  • PLi® Core member
  • 56,123 posts

+685
Excellent

Posted 5 September 2018 - 06:26

Why? First don’t share your e2 box on the www! Without using ssh with a key or vpn.

Edited by littlesat, 5 September 2018 - 06:26.

WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W


Re: tcpd hosts.allow hosts.deny support #3 imopen

  • Member
  • 5 posts

0
Neutral

Posted 5 September 2018 - 07:11

> Why? First don’t share your e2 box on the www! Without using ssh with a key or vpn.

 

Mainly because I use WebIf (API) opened on web, to remote control my box (add timer from outside my home, view epg on my Android app) and to remote stream my channels.

 

I do NOT use standard port but I'd like to be sure that my server is unreachable from outside my country.

 

On my Nuc server (plex and transmission) there were connections from China or US and on it I successfully installed a geo block with hosts.allow/deny and GeoIp database, I'd like to do the same on my decoder.


Edited by imopen, 5 September 2018 - 07:15.


Re: tcpd hosts.allow hosts.deny support #4 Pr2

  • PLi® Contributor
  • 6,046 posts

+256
Excellent

Posted 5 September 2018 - 08:24

Hi,

> I do NOT use standard port but I'd like to be sure that my server is unreachable from outside my country.


I am quite sure that this guy also thinks that his OpenWebif is secured because he uses another port:
http://www.yamburg.com.ua:13120/

How to find it? Very easily, using Google! You can use any port you want, we can retrieve plenty of OpenWebif over the internet with a basic search engine.

So if you want to secure your box, setup a VPN.

Pr2

NO SUPPORT by PM, it is a forum, make your question public so everybody can benefit from the question/answer.
If you think that my answer helps you, you can press the up arrow in bottom right of the answer.

Wanna help with OpenPLi Translation? Please read our Wiki Information for translators

Sat: Hotbird 13.0E, Astra 19.2E, Eutelsat5A 5.0W
VU+ Solo 4K: 2*DVB-S2 + 2*DVB-C/T/T2 (used in DVB-C) & Duo 4K: 2*DVB-S2X + DVB-C (FBC)

AB-Com: PULSe 4K 1*DVB-S2X (+ DVB-C/T/T2)
Edision OS Mio 4K: 1*DVB-S2X + 1*DVB-C/T/T2
 


Re: tcpd hosts.allow hosts.deny support #5 littlesat

  • PLi® Core member
  • 56,123 posts

+685
Excellent

Posted 5 September 2018 - 09:52

NEVER forward the OWIF to the WWW... even when it is on a different port and within one country...

When you want to access the OWIF on any place of the world use SSH with a key or (Open)VPN (preferably via your router).




Re: tcpd hosts.allow hosts.deny support #6 imopen

  • Member
  • 5 posts

0
Neutral

Posted 5 September 2018 - 10:04

I very much appreciate your suggestions, but that's not the topic: I'm asking if there exists a way to enable hosts.allow/deny control, not the best practice to secure a box.

I do know that a VPN is a better way, but it's not practical, especially for other users (my wife) who simply want to record a TV show with a tap when not at home.

I know the risk of an open port (even with authentication enabled).



Re: tcpd hosts.allow hosts.deny support #7 littlesat

  • PLi® Core member
  • 56,123 posts

+685
Excellent

Posted 5 September 2018 - 10:10

As far as I know IP tables can be installed on the box... but it was a long time ago that I used it. And then also it is always better to configure your firewall on your router.

And then (and this is not really meant off-topic) we still strongly recommend not even to think about opening the OWIF on the WWW.... You might experience after a while that using ssh with keys, no password, -or- VPN is much more practical... And even with a phone (Android and iOS) you use (Open)VPN to get access to your box, but then fully secure. The only thing that is not practical is the first configuration...




Re: tcpd hosts.allow hosts.deny support #8 imopen

  • Member
  • 5 posts

0
Neutral

Posted 5 September 2018 - 11:17

iptables doesn't work, there is an unsatisfied dependency with the kernel

 

iptables -L
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/4.1.20-1.9
iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
 
 
For the rest I know you are right, I'm a computer scientist and I know the risk.

The setup of a VPN is impractical because every time you have to add a timer or view the EPG, you must open the VPN on the phone or forward the port over ssh. It could be easy for me, not for my wife. Anyway, consider my topic as an academic one: setting up a minimal firewall on an enigma2 box.


Re: tcpd hosts.allow hosts.deny support #9 Pr2

  • PLi® Contributor
  • 6,046 posts

+256
Excellent

Posted 5 September 2018 - 11:56

Except that Enigma2 will never be a firewall, since every box uses a different kernel version, so some boxes are still using unpatched kernels with security weaknesses.

 


Re: tcpd hosts.allow hosts.deny support #10 Erik Slagter

  • PLi® Core member
  • 46,951 posts

+541
Excellent

Posted 14 September 2018 - 11:33

That's not the real reason. You just don't want your STB to be a firewall as well.


* Wavefrontier T90 with 28E/23E/19E/13E via SCR switches 2 x 2 x 6 user bands
I don't read PM -> if you have something to ask or to report, do it in the forum so others can benefit. I don't take freelance jobs.


