concerns about "anonym/guest" user connexion


5 replies to this topic

#1 gspock

  • Senior Member
  • 113 posts

+3
Neutral

Posted 31 July 2021 - 10:44

Hi all,

Context: I am using an Android app to connect to my VU+DUO4KSE to use the remote control facility. In this app, there is a username/password where I used to put "root" and its password, "root" being the only user on the system to my knowledge. Somewhat by accident, that info was cleared, and now I see that even without the login info I can connect to the STB.

 

I made the same test with a few other apps and it is the same! Access is allowed without giving any credentials.

 

What am I missing?

 

Thanks,

GS


VU+ DUO-4K-SE with 1 DBV-C and 1TB Hitachi HDD, OpenPLi 8.3


Re: concerns about "anonym/guest" user connexion #2 betacentauri

  • PLi® Core member
  • 7,185 posts

+323
Excellent

Posted 31 July 2021 - 12:36

Have you really set a password? If not, you can log in via telnet with any password.

If you have set a password, this shouldn't be possible anymore. Only with the valid password.

 

Just log in via telnet and use "passwd" to set a new password. There is also a plugin available which can set a password.

 

Nevertheless, e2 boxes are NOT hardened security devices. It is better not to use port forwarding to access the box from the internet. Instead, use a VPN tunnel.


Xtrend ET-9200, ET-8000, ET-10000, OpenPliPC on Ubuntu 12.04

Re: concerns about "anonym/guest" user connexion #3 gspock

  • Senior Member
  • 113 posts

+3
Neutral

Posted 31 July 2021 - 14:04

> Have you really set a password? If not, you can log in via telnet with any password.
>
> If you have set a password, this shouldn't be possible anymore. Only with the valid password.
>
> Just log in via telnet and use "passwd" to set a new password. There is also a plugin available which can set a password.
>
> Nevertheless, e2 boxes are NOT hardened security devices. It is better not to use port forwarding to access the box from the internet. Instead, use a VPN tunnel.

 

Thanks.

Yes, 100% sure "root" userid is password protected.

I am not using any port forwarding, and indeed when I want to remotely access any of my devices I am using a VPN .... I also noticed that with some versions of Windows, I can access the system via SMB without providing any credential info ....

This is really surprising, even if you say that "e2 boxes are not hardened ..."; so, does anyone have any other idea?

BTW, is there an easy way, from an SSH session, to check who is connected to the box?




Re: concerns about "anonym/guest" user connexion #4 WanWizard

  • PLi® Core member
  • 70,929 posts

+1,835
Excellent

Posted 31 July 2021 - 14:25

> I can access the system via SMB without providing any credential info ....

 

There was a lot of opposition when we tried to change that.

 

You can change that by removing the # in front of

# include = /etc/samba/smb-secure.conf

in /etc/samba/smb-user.conf

(there is no GUI option to change this yet)


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: concerns about "anonym/guest" user connexion #5 WanWizard

  • PLi® Core member
  • 70,929 posts

+1,835
Excellent

Posted 31 July 2021 - 14:28

P.S. Most apps connect to the web interface API; you can enable password authentication and/or enforcement of HTTPS in the plugin config (menu / plugins / openwebif).

 

If authentication is disabled, it only allows passwordless access from the local subnet, or, if VPN access is allowed, from all RFC1918 addresses.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.
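
The access rule described in post #5, modelled as an added example (not part of the thread and not OpenWebif's own code), to show which clients reach the web interface without credentials under each setting. The function names, parameters and sample addresses are assumptions constructed for illustration, and the model covers IPv4 only.

```python
import ipaddress

# RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def passwordless_allowed(client_ip, box_interface,
                         auth_enabled=False, vpn_access=False):
    """Model of the rule stated in the post (hypothetical helper).

    box_interface is the box's own address with prefix, e.g. "192.168.1.10/24".
    """
    if auth_enabled:
        return False                      # every client must authenticate
    client = ipaddress.ip_address(client_ip)
    local_subnet = ipaddress.ip_interface(box_interface).network
    if client in local_subnet:
        return True                       # same subnet as the box
    if vpn_access:
        return any(client in net for net in RFC1918)
    return False


def exposure_report(clients, box_interface, **settings):
    """Map each client address to True if it gets in without credentials."""
    return {ip: passwordless_allowed(ip, box_interface, **settings)
            for ip in clients}


# Constructed sample addresses: LAN phone, VPN client, other private
# subnet, public address (documentation range).
SAMPLE_CLIENTS = ["192.168.1.50", "10.8.0.2", "192.168.2.5", "203.0.113.7"]
BOX = "192.168.1.10/24"   # constructed address of the receiver

if __name__ == "__main__":
    for label, settings in [
        ("auth off", {}),
        ("auth off + VPN access", {"vpn_access": True}),
        ("auth on", {"auth_enabled": True}),
    ]:
        print(label, exposure_report(SAMPLE_CLIENTS, BOX, **settings))
```

With authentication off, the LAN client is served without a password, which matches what the apps in post #1 showed; enabling authentication closes that path for every address.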


Re: concerns about "anonym/guest" user connexion #6 gspock

  • Senior Member
  • 113 posts

+3
Neutral

Posted 31 July 2021 - 15:37

@WanWizard Thanks for your answers.


Edited by gspock, 31 July 2021 - 15:37.
