Tighten Security From Outside Attacks on my VU+ boxes.


130 replies to this topic

Re: Tighten Security From Outside Attacks on my VU+ boxes. #21 betacentauri

  • PLi® Core member
  • 7,185 posts

+323
Excellent

Posted 29 November 2016 - 17:24

Then try to set up a VPN. This also works with an iPhone or iPad.
Some routers make it quite easy to set up a VPN. I, e.g., have a Fritzbox and an iPhone. The Fritzbox setup is only a few mouse clicks. The iPhone setup was not so easy, but you can find instructions on the Internet.
I would prefer to use a router with good firmware support to create the VPN tunnel. Another option is to install OpenVPN on the receiver...
Xtrend ET-9200, ET-8000, ET-10000, OpenPliPC on Ubuntu 12.04

Re: Tighten Security From Outside Attacks on my VU+ boxes. #22 kermith

  • Senior Member
  • 182 posts

+2
Neutral

Posted 29 November 2016 - 18:42

Thanks. The Fritzbox looks pretty cool maybe something for the future since I got a new router with my fiberline a couple of months ago, but it doesn't have VPN built in.
VPN is really interesting. @betacentauri, when you mean setting up an OpenVPN on the receiver, do you mean the VU+ box as being the receiver?


Edited by kermith, 29 November 2016 - 18:43.


Re: Tighten Security From Outside Attacks on my VU+ boxes. #23 Dimmie

  • Senior Member
  • 2,338 posts

+33
Good

Posted 29 November 2016 - 18:43

It's very simple. Don't do WAN sharing and make sure the firewall in your router blocks all incoming ports.

 

Even with VPN enabled on WAN sharing, it is still possible to enter the box. 

 

So the one and only solution: quit WAN sharing.



Re: Tighten Security From Outside Attacks on my VU+ boxes. #24 kermith

  • Senior Member
  • 182 posts

+2
Neutral

Posted 29 November 2016 - 18:58

Very simple indeed. The safest thing to do would also be to have all of the computers offline, and then just connect the network cable when needed. I'm not ironic, it is the safest thing. My question is more of an "if": if I need WAN share, what would be the best alternative, being aware of the consequences?



Re: Tighten Security From Outside Attacks on my VU+ boxes. #25 betacentauri

  • PLi® Core member
  • 7,185 posts

+323
Excellent

Posted 29 November 2016 - 19:01

With receiver I mean E2 box.



Re: Tighten Security From Outside Attacks on my VU+ boxes. #26 Dimmie

  • Senior Member
  • 2,338 posts

+33
Good

Posted 29 November 2016 - 19:04

1. WAN sharing = illegal, so not supported. So there should be no "if".

2. When you do WAN sharing (with or without VPN) , you forward a port in your router to expose your share on the internet. So you expose your hardware to the internet which means it can be hacked.

 

Normal internet traffic by a pc is a totally different thing. Then you don't have to open/forward a port. 



Re: Tighten Security From Outside Attacks on my VU+ boxes. #27 Dimmie

  • Senior Member
  • 2,338 posts

+33
Good

Posted 29 November 2016 - 19:07

Asking for "if" is the same as walking into a police station and then asking: "Hey, I know robbing a bank is illegal, but if I should do it, what is the most secure way not to be caught?".



Re: Tighten Security From Outside Attacks on my VU+ boxes. #28 WanWizard

  • PLi® Core member
  • 70,839 posts

+1,832
Excellent

Posted 29 November 2016 - 21:48

Set up a site-to-site VPN between your home and your country house. Then both internal networks can talk to each other, without exposing them to the internet.

 

I do the same here, both my routers support IPSec.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: Tighten Security From Outside Attacks on my VU+ boxes. #29 littlesat

  • PLi® Core member
  • 57,426 posts

+708
Excellent

Posted 29 November 2016 - 21:52

low a very quick and easy setup for VPN (Site-2-Site and Road Warriors).

->

But the last time I saw it the standard OpenFritz software has light VPN... that is not that secure.... 


WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W


Re: Tighten Security From Outside Attacks on my VU+ boxes. #30 WanWizard

  • PLi® Core member
  • 70,839 posts

+1,832
Excellent

Posted 29 November 2016 - 21:53

The Fritz (the standard OS) does IPSec as well. With a couple of limitations, and not the easiest of configs. But it can be done, we have two of them connected to our office router.




Re: Tighten Security From Outside Attacks on my VU+ boxes. #31 littlesat

  • PLi® Core member
  • 57,426 posts

+708
Excellent

Posted 29 November 2016 - 22:20

But didn't you need special software installed on the Fritzbox....

 

I'm still considering to post a how-to, how to install and configure OpenVPN on your box and how to create (as example) good keys a.....  and how to create a .ovpn file for your iPad/iPhone... but as the preferable safety is to use the VPN of your server I did not post it yet...




Re: Tighten Security From Outside Attacks on my VU+ boxes. #32 WanWizard

  • PLi® Core member
  • 70,839 posts

+1,832
Excellent

Posted 29 November 2016 - 22:20

No, you don't. And afaik both boxes are 7490's.




Re: Tighten Security From Outside Attacks on my VU+ boxes. #33 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 29 November 2016 - 22:26

Fritz!Box does IPSec.
I've connected my Linksys running StrongSwan on LEDE to two Fritz!Boxes.

Sent from my Siemens C25 using Tapatalk
1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: Tighten Security From Outside Attacks on my VU+ boxes. #34 Robinson

  • Senior Member
  • 2,621 posts

+30
Good

Posted 30 November 2016 - 09:00

I'm still considering to post a how-to, how to install and configure OpenVPN on your box and how to create (as example) good keys a.....  and how to create a .ovpn file for your iPad/iPhone... but as the preferable safety is to use the VPN of your server I did not post it yet...

 

The how-to would indeed be very useful.


ET9000, OpenPLi 4.0, 13E, 19E

HD51, OpenPLi 6.2, 75E - 30W


Re: Tighten Security From Outside Attacks on my VU+ boxes. #35 kermith

  • Senior Member
  • 182 posts

+2
Neutral

Posted 30 November 2016 - 15:39

 


 

 


1. WAN sharing = illegal, so not supported. So there should be no "if".
2. When you do WAN sharing (with or without VPN) , you forward a port in your router to expose your share on the internet. So you expose your hardware to the internet which means it can be hacked.
 
Normal internet traffic by a pc is a totally different thing. Then you don't have to open/forward a port.


I think your answer has a point, but if I'd count on how many times most people cross that line every day it would take a whole different discussion and I won't even go there.
 

With receiver I mean E2 box.


Oh, OK, thanks.
 

 

I'm still considering to post a how-to, how to install and configure OpenVPN on your box and how to create (as example) good keys a.....  and how to create a .ovpn file for your iPad/iPhone... but as the preferable safety is to use the VPN of your server I did not post it yet...

 
The how-to would indeed be very useful.

 


Yeah, that would be appreciated.

But also how about just allowing devices with a specific MAC address to be able to log on to the router or the box?
Would that work?



Re: Tighten Security From Outside Attacks on my VU+ boxes. #36 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 30 November 2016 - 15:41

No.

MACs can be spoofed.

And also only the traffic inside the LAN cares about MACs, it's IP based through the outside world.

Re: Tighten Security From Outside Attacks on my VU+ boxes. #37 kermith

  • Senior Member
  • 182 posts

+2
Neutral

Posted 30 November 2016 - 15:46

OK. Thanks. Then the OpenVPN setup is mostly versatile and interesting. 

Also the SSH setup from post #11 is not a bad idea.

@littlesat if you could please post a "how to" setup guide :)


Edited by kermith, 30 November 2016 - 15:49.


Re: Tighten Security From Outside Attacks on my VU+ boxes. #38 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 30 November 2016 - 20:16

ssh is easy to set up:

Execute the following commands to generate and install a key pair on your E2 box:
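
    # Make sure the key directory exists before writing the key into it
    mkdir -p ~/.ssh
    # Generate an RSA private key (dropbear format)
    dropbearkey -t rsa -f ~/.ssh/id_rsa
    # Append the matching public key to the keys allowed to log in
    dropbearkey -y -f ~/.ssh/id_rsa | grep "^ssh-rsa " >> ~/.ssh/authorized_keys
    # Restrict the key files, ~/.ssh and the home directory to the owner
    chmod 600 ~/.ssh/*
    chmod 700 ~/.ssh
    chmod 700 ~
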
You should now be able to login to your box using the private key file id_rsa located in /home/root/.ssh of your box (See the instructions of your ssh client on how to use key auth).

If this succeeds, make the content of /etc/default/dropbear read

    DROPBEAR_EXTRA_ARGS="-s"

This will disallow password logins for ssh entirely (let alone logins with empty passwords, which is the default for all oe-a images) (The only way to recover from ssh login problems would then be telnet).

You can transfer the file /home/root/authorized_keys to other boxes too, to use the same key file for multiple boxes, but make sure to adjust the file rights after copy:

    chmod 600 ~/.ssh/*
    chmod 700 ~/.ssh
    chmod 700 ~

With ssh, you have everything you need:
  • ssh gives you shell access, just like telnet but secure (when using key auth)
  • ssh gives you file access, either using scp (secure copy) or sftp (FileZilla supports sftp, you can access your box' files just like you could using ftp).
  • ssh allows to tunnel ports from the remote machine (= your E2 box) to your local machine.
    You can for example tunnel port 80 of your E2 box to port 80 of your smartphone and port 8001 of your E2 box to port 8001 of your smartphone.
    As long as the tunnel is established, you can login to your E2 webif using address "http://localhost" on your smartphone and use streaming, just as if your smartphone would be your E2 box.
The free app "ConnectBot" (https://play.google....=org.connectbot) has the necessary capabilities of using key auth and port tunneling on Android.
1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390
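
An added example (not part of SpaceRat's post or of any image's own tooling): a POSIX shell check that the key-only dropbear setup described in post #38 is really in place, using the paths, permissions and the `-s` option named there. The function names `audit_dropbear` and `perm_of` are made up for this example, and it assumes a `stat` that supports `-c '%a'`.

```shell
#!/bin/sh
# Added example: audit the key-only dropbear setup from the post above.
# audit_dropbear [HOME_DIR] [DEFAULTS_FILE] prints one line per finding and
# returns the number of findings (0 = setup matches the post).
# Assumption: stat supports -c '%a' (GNU coreutils, most busybox builds).

perm_of() { stat -c '%a' "$1" 2>/dev/null; }

audit_dropbear() {
    home=${1:-/home/root}
    defaults=${2:-/etc/default/dropbear}
    findings=0

    # ~ and ~/.ssh must be owner-only (chmod 700).
    for dir in "$home" "$home/.ssh"; do
        p=$(perm_of "$dir")
        if [ "$p" != 700 ]; then
            echo "PERMS $dir is ${p:-missing}, expected 700"
            findings=$((findings + 1))
        fi
    done

    # Every file in ~/.ssh (id_rsa, authorized_keys) must be 600.
    for f in "$home"/.ssh/*; do
        [ -e "$f" ] || continue
        p=$(perm_of "$f")
        if [ "$p" != 600 ]; then
            echo "PERMS $f is $p, expected 600"
            findings=$((findings + 1))
        fi
    done

    # Without an installed public key, -s would lock ssh out completely.
    if ! grep -q '^ssh-rsa ' "$home/.ssh/authorized_keys" 2>/dev/null; then
        echo "NOKEY no ssh-rsa entry in $home/.ssh/authorized_keys"
        findings=$((findings + 1))
    fi

    # Password logins stay enabled unless DROPBEAR_EXTRA_ARGS contains -s.
    args=$(sed -n 's/^DROPBEAR_EXTRA_ARGS=//p' "$defaults" 2>/dev/null |
        tail -n 1 | tr -d "\"'")
    case " $args " in
        *" -s "*) ;;
        *) echo "PASSWORD $defaults does not pass -s to dropbear"
           findings=$((findings + 1)) ;;
    esac

    return "$findings"
}
```

Run `audit_dropbear; echo $?` on the box after editing /etc/default/dropbear and while an existing session is still open, so a NOKEY finding can be fixed before password logins are gone.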

Re: Tighten Security From Outside Attacks on my VU+ boxes. #39 kermith

  • Senior Member
  • 182 posts

+2
Neutral

Posted 30 November 2016 - 20:58

WOW, thanks for the explanation. Would it work on iPad as well? Someone mentioned I'd have trouble using it...



Re: Tighten Security From Outside Attacks on my VU+ boxes. #40 littlesat

  • PLi® Core member
  • 57,426 posts

+708
Excellent

Posted 30 November 2016 - 21:05

Nope... on ssh the iPad with iOS >= 7 will "blow-up" the tunnel after the app that did open the tunnel is not on the foreground for approx 5 min... The only option for iPad I found is OpenVPN...




