What are the potential issues in exposing the transcoding port openly on the net. Any known issues or more just a bad idea to expose anything?
The only proper answer is the Radio Eriwan way:
In theory that should be no risk at all, as long as the author(s) maintain their code properly and there are no issues inside the listener.
In practice, opening a port to the net always exposes the machine to all the risks of any known or not-yet-known issue within the listener, which could or should be none, but more realistically are not equal to zero.
Happily in this case we can become a bit more specific:
All E2 streaming uses plain http (not https) thus unencrypted traffic "on the wire".
So the risk you unavoidably get for granted when you open one of the streaming ports is that anyone on the same network as you (e.g. the hotel/restaurant WiFi) can monitor your login (So actually, no auth would be at least a bit more secure, because all people could watch TV using your box but wouldn't get the OpenWebif password for free together with it).
But even if you do not login and thus the login cannot be monitored, http basic auth allows for unlimited login attempts without any delay.
So an open streaming port (For OpenWebif read on) allows anyone to use brute-force for probing the root password, which - if also opened to the outside - might grant him access via ssh, then you have effectively lost your whole network (and not just the E2 box) to someone else.
OpenWebif allows disabling root logins to it (You will have to create a different user for login to the OpenWebif then, I guess about 0.01% of all users do this), which entirely gets rid of the possibility to brute-force the root password via OpenWebif but sadly I'm an idiot nobody listens to, so erik insisted on implementing his own auth in his transcoding proxy and someone else did the same for OpenPLi's built-in streaming port (Which historically always has been entirely open and was replaced with a proxy hooking to the webif as soon as a webif was installed), so neither streaming port honors "disallow root logins".
So on Vu+ Duo² and Solo², you now get triple duplicated code:
- OpenPLi's built-in http auth for streaming
- transcoding proxy's built-in http auth for transcoded streaming
- OpenWebif's http auth for the Webif itself.
Now to the real known risks (Nobody with a clear mind would dare to promise there aren't any unknown ones):
You must not open ssh and one or more of the streaming ports at the same time to avoid the streaming port being abused for brute-forcing the root password which would then be usable for ssh login. Instead you are strongly advised to use key auth for ssh and disable password logins to ssh.
You must not allow root logins in OpenWebif and open one or more of the streaming ports at the same time to avoid the streaming port being abused for brute-forcing the root password which would then be usable for OpenWebif logins. While OpenWebif doesn't grant full access it still allows enough damage to the E2 box - like deleted timers/recordings/bouquets - to be preferably avoided.
If you
- create one or more additional users without shell access and home directory
- disallow root logins to OpenWebif
- do not open the http port for OpenWebif but only its https port
- create your own cert/key for OpenWebif with proper hostname information rather than using the auto-generated cert/key, and add your own cert/key to the trusted sites in your browser
- always make sure that the cert/key for OpenWebif matches (Green closed lock and "https" in Chrome, gray closed lock and "https" in Firefox) before you enter any credentials
- disallow password logins to ssh or do not open its port to the outside
- use the root (sic!) password for streaming
... there are at least no known issues for gaining control over your E2 box.
In this scenario, the root password monitored on the streaming port is useless for anything else (OpenWebif or ssh) and with proper key/cert for OpenWebif's https access you can be sure that there is no MITM intercepting the credentials, as long as you take care that OpenWebif has presented its proper cert (Thus the green/gray closed lock).
If you fail to understand or apply any of the above steps, you are lost as soon as you open any of those ports.
But even if you apply all of the above measures one issue remains and definitely will be abused:
Some Chinese guy will probe your streaming ports until he gets access and will then watch TV using your box or stream it to others.
Especially with the Solo² and its software transcoding, this might and probably will end in crashes of your box.
Rest assured:
Any port opened to the internet will sooner or later be probed.
Right now my secondary router's traffic LED keeps blinking although there is no device attached which would legally cause those amounts of activity, so someone is trying to exploit its ssh.
He or she will be rotten to a skeleton before he/she is done with it, so I just let them waste their time, but they would succeed easily and quickly with Joe Average's ultra-secure password(s) ...
Edited by SpaceRat, 14 September 2014 - 10:54.
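As an added example (not from the post above, nor code from OpenWebif, OpenPLi or the transcoding proxy), here is a small detector for the brute-force pattern the post describes: a burst of HTTP 401s against a basic-auth streaming port, optionally followed by a 200 once a guess hits. The log lines, the `/stream` path and the IPs are constructed for the example; the format assumed is Apache-style common log format, which a reverse proxy or web server in front of the box would produce.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common-log-format line: ip ident user [ts] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs that produced >= threshold HTTP 401s within `window`.
    Returns {ip: "brute-force" | "brute-force-then-success"}; the second
    label means a 2xx followed the burst of 401s, i.e. a guess likely hit."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 401s
    verdict = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        q = recent[ip]
        if status == 401:
            q.append(ts)
            while ts - q[0] > window:     # drop 401s that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                verdict.setdefault(ip, "brute-force")
        elif 200 <= status < 300 and ip in verdict:
            verdict[ip] = "brute-force-then-success"
    return verdict

# Constructed sample lines (not real box output): five 401s in five seconds
# from 203.0.113.7 followed by a 200, versus one mistyped password from
# 198.51.100.2 that succeeds on the second try and must not be flagged.
SAMPLE_LOG = [
    f'203.0.113.7 - - [14/Sep/2014:10:40:0{s} +0200] "GET /stream HTTP/1.1" 401 0'
    for s in range(1, 6)
] + [
    '203.0.113.7 - - [14/Sep/2014:10:40:06 +0200] "GET /stream HTTP/1.1" 200 1048576',
    '198.51.100.2 - - [14/Sep/2014:10:41:00 +0200] "GET /stream HTTP/1.1" 401 0',
    '198.51.100.2 - - [14/Sep/2014:10:41:10 +0200] "GET /stream HTTP/1.1" 200 1048576',
]
```

Running `find_bruteforce(SAMPLE_LOG)` flags only 203.0.113.7, with the "then-success" label because the burst of failures ended in a 200; pair such a hit with a firewall block or with the password rotation the post implies.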