All times are UTC - 6 hours





PostPosted: Mon Feb 12, 2007 6:58 pm 
Offline
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Fidelis wrote:
As prosonik posted long ago, I want to enable access from outside my internal network to my mythweb so that users can download recorded shows. I have searched and been unable to find how to do this.

Given that I have followed the steps successfully listed in this thread, how can I configure the system to accept outside users to my mythweb?

I am using my XP machine as a gateway atm. I would prefer to keep it this way, but am open to changing it if it is necessary to allow semi-secure access to mythweb.


Fidelis, I'm re-reading your original post and seeing more places you could be running into trouble... Are ZoneAlarm's proper ports open? Will your SB5100 forward all requests to your XP gateway? Does your ISP block port 80 inbound to you? Check out this thread:
http://www.linuxquestions.org/questions/showthread.php?threadid=274336

_________________
Mike
My Hardware Profile


PostPosted: Mon Feb 12, 2007 8:26 pm 
Offline
Joined: Tue Apr 13, 2004 6:51 pm
Posts: 890
Location: Groton, MA
I have a couple general comments for this thread.


Comment 1)

You SHOULD be able to access your LAN servers via a dyndns setup from your LAN. There are however some crappy consumer quality routers (Belkin) that don't handle this.

I have a dyndns setup that points to my WAN IP address and my router (Netgear) forwards to my mythbox. I can use the http://<dyndns>/ address from WAN and LAN. I had the Belkin and had issues in this area, so now the Belkin is simply an extra access point on the other side of the house.

Comment 2)

You can create a secure SSH tunnel and pipe all of your traffic through the tunnel. This requires an ssh client like putty on any remote PC accessing your LAN. Search here for putty/ssh/tunnel/. I use this to access my mythstreamtv data from work....looks like a busy ssh session :)

Comment 3)

People are not wearing enough hats

_________________
R5F1 - Dell P4 2.4Ghz 500MB - PVR250 x 2 - GeForce FX 5200 - Onboard sound/NIC 80GB ATA/250GB ATA/400GB SATA


PostPosted: Mon Feb 12, 2007 11:40 pm 
Offline
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
khrusher wrote:
Comment 1)

You SHOULD be able to access your LAN servers via a dyndns setup from your LAN. There are however some crappy consumer quality routers (Belkin) that don't handle this.

I have a dyndns setup that points to my WAN IP address and my router (Netgear) forwards to my mythbox. I can use the http://<dyndns>/ address from WAN and LAN. I had the Belkin and had issues in this area, so now the Belkin is simply an extra access point on the other side of the house.


Ahhhh, yes... now I remember why I thought it was not possible. My Buffalo router has an issue with loopback... :wink:

_________________
Mike
My Hardware Profile


PostPosted: Tue Feb 13, 2007 11:13 am 
Offline
Joined: Thu Mar 09, 2006 6:54 pm
Posts: 34
mihanson wrote:
I'm kind of confused... You can connect to your MythWeb from inside your network. If you go to another location, i.e. office, school, etc, you cannot connect to your MythWeb? (Server Refused Our Key)


Correct.

mihanson wrote:
Sorry, if you've tried these things, but I have to ask . . .

1) Did you use puttygen.exe on your Windows machine to convert the key to a format putty recognizes?


Yes. I can see that the key works from within the network. "Authenticating with public key xxxx."


mihanson wrote:
2) Is putty configured to point to the correct key file?



Yes.


mihanson wrote:
3) On your MythTV box, does your authorized_keys file have only one key per line?


Had to check this. There is only one line, since I made only one key atm. Begins with "ssh rsa..." and ends with the name of my one key. Looks good to me. I can try making another key, however.



mihanson wrote:
4) What are the permissions of your .ssh directory? Here's mine:
Code:
drwx------ 2 mythtv mythtv 4096 Jan 22 14:01 .ssh


Code:
-rw-r--r-- 1 mythtv mythtv 726 authorized_keys
-rw------- 1 mythtv mythtv 3311 id_rsa
-rw-r--r-- 1 mythtv mythtv 726 id_rsa.pub




EDIT: As I was posting this, more info came in from the community (thanks!). I'll check out the suggestions that were posted.


PostPosted: Tue Feb 13, 2007 2:20 pm 
Offline
Joined: Thu Mar 09, 2006 6:54 pm
Posts: 34
Quote:
Fidelis, I'm re-reading your original post and seeing more places you could be running into trouble... Are ZoneAlarm's proper ports open?



In ZoneAlarm, I have granted outbound access for my mythbox IP.

Quote:
Will your SB5100 forward all requests to your XP gateway?



Don't know.


Quote:
Does your ISP block port 80 inbound to you?


Don't know, I'll try changing the port for Apache. My httpd.conf doesn't have anything in it though. In /etc/apache2/ports.conf, I changed 'listening 80' to 'listening 8080.' Is this correct?

And were the permissions in my .ssh folder good?


PostPosted: Tue Feb 13, 2007 3:00 pm 
Offline
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Fidelis wrote:
Quote:
Does your ISP block port 80 inbound to you?


Don't know, I'll try changing the port for Apache. My httpd.conf doesn't have anything in it though. In /etc/apache2/ports.conf, I changed 'listening 80' to 'listening 8080.' Is this correct?


I think that's correct. With the new Apache version included with R5E50 I'm not very versed. I have not had to muck with it, so I don't really have any experience with its config files. The Apache website has good documentation though...
Quote:
And were the permissions in my .ssh folder good?

The permissions on the folder contents matched mine. What about the folder .ssh itself?
Code:
$ ls -la /home/mythtv

_________________
Mike
My Hardware Profile
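
The checks discussed in the posts above (ownership and permissions of the home directory, `.ssh` and `authorized_keys`, and one key per line) can be run in one pass; this is an added example, not code from the thread. It applies the rule sshd enforces with `StrictModes yes` (owner must be the user or root, no group/world write bit); `audit_ssh_paths`, `demo`, and the sample key text are constructed for illustration.

```python
import os
import stat
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def audit_ssh_paths(home, uid=None):
    """List problems that make sshd (StrictModes yes) refuse a public key."""
    uid = os.getuid() if uid is None else uid
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    auth = os.path.join(ssh_dir, "authorized_keys")
    for path in (home, ssh_dir, auth):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if st.st_uid not in (0, uid):
            problems.append(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & 0o022:  # group or world write bit set
            problems.append(f"{path}: group/world writable ({stat.filemode(st.st_mode)})")
    if os.path.isfile(auth):
        with open(auth) as fh:
            for n, line in enumerate(fh, 1):
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                hits = sum(tok.startswith(KEY_TYPES) for tok in line.split())
                if hits != 1:  # wrapped key (0) or two keys joined on one line (2+)
                    problems.append(f"{auth}:{n}: expected one key, found {hits} key-type fields")
    return problems

def demo():
    """Audit a constructed home directory before and after breaking it."""
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o755)
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        auth = os.path.join(ssh_dir, "authorized_keys")
        with open(auth, "w") as fh:
            fh.write("ssh-rsa AAAAB3constructed mythbox-key\n")  # constructed, not a real key
        os.chmod(auth, 0o644)
        good = audit_ssh_paths(home)
        os.chmod(ssh_dir, 0o775)  # make .ssh group-writable
        with open(auth, "a") as fh:
            fh.write("AAAAwrapped-fragment\n")  # key pasted with a line break
        bad = audit_ssh_paths(home)
    return good, bad
```

On a real system, call `audit_ssh_paths("/home/<user>")` as that user or pass the account's uid explicitly.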


PostPosted: Tue Feb 13, 2007 4:35 pm 
Offline
Joined: Thu Mar 09, 2006 6:54 pm
Posts: 34
Hmm...my apologies...there was apparently a router further down the line that I was unaware of. I can log into it, however, and will make sure it is forwarding the ports correctly.

I am glad that many things were clarified, however, by mihanson and khrusher specifically. Much obliged to you and to the authors of other posts I've been reading (and implementing) for 6-7 hours now. Lots of data.

After following the directions from portforward.com for my router, some things still aren't clear as it still isn't working. I'll try a few more things on my own over the next few days and post a summary for this thread.

Peace to you all.


PostPosted: Sun May 27, 2007 10:42 am 
Offline
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
When configuring putty with a Private key file, there are six check boxes that are available in addition to the field for the private key. This dialogue box can be found under Connection >> SSH > Auth.

These options were checked by default:
Quote:
Attempt authentication using Pageant
Attempt "keyboard-interactive" auth (SSH-2)


Do any of the other checkboxes need to be checked? I ask because I have tried for 4 hours on a fresh install and keep getting "Server refused our key". I have tried logging in with the last two options enabled, but it did not change anything.

If I should make this a new posting, let me know and I will do so. Thanks to all who provide guidance.

_________________
R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB


PostPosted: Sun May 27, 2007 11:29 am 
Offline
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,

You are aware that R5F1 does not allow root or user mythtv to remotely login? Only the user you added at install time is authorized ssh access. This is done to protect KM and is the default setting. You can, of course, override it.

Mike


PostPosted: Sun May 27, 2007 12:28 pm 
Offline
Joined: Wed May 09, 2007 8:47 pm
Posts: 367
Location: Minnesota- Brrrrr!
Thank you for the update. I thought that this might be the case. I will try it again with the localuser account created at install time again: my first attempt with this account was not successful.

Again, thank you :)

_________________
R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB


PostPosted: Fri Sep 28, 2007 5:31 pm 
Offline
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
What about directions for allowing only certain IP addresses to ssh? :) That's always a useful security measure! [password+key+IP restrictions! What else can one add?!!]


PostPosted: Fri Sep 28, 2007 6:28 pm 
Offline
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
fra wrote:
What about directions for allowing only certain IP addresses to ssh? :) That's always a useful security measure! [password+key+IP restrictions! What else can one add?!!]


Feel free to add, but I think that's out of the scope of this how-to. Search for iptables... or look here.

_________________
Mike
My Hardware Profile


PostPosted: Mon Apr 14, 2008 10:26 pm 
Offline
Joined: Fri Oct 20, 2006 12:04 pm
Posts: 905
Location: LA, CA
Is there any good reason for having the
Code:
MaxStartups 10:30:60
line commented out of the /etc/ssh/sshd_config file?

Notice this article. Granted it isn't the end all, be all. But it seems like another layer that can be turned on easily.


PostPosted: Wed Feb 11, 2009 6:18 pm 
Offline
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Just wanted to give this a bump because of something I saw in my logs today...

Quote:
Feb 11 01:39:32 mythbox-mbe sshd[13585]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:33 mythbox-mbe sshd[13587]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:35 mythbox-mbe sshd[13589]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:36 mythbox-mbe sshd[13591]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:38 mythbox-mbe sshd[13593]: Invalid user oracle from 94.75.192.71
Feb 11 01:39:40 mythbox-mbe sshd[13595]: Invalid user oracle from 94.75.192.71
Feb 11 01:39:41 mythbox-mbe sshd[13597]: Invalid user oracle from 94.75.192.71
...


Hackers will try to use the userid mythtv, so if you expose your mythweb or something like ssh to the world, it's a good idea to use something stronger than simple password authentication.

_________________
Mike
My Hardware Profile
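
The log excerpt in the post above can be triaged automatically; this added example (not part of the original post) groups sshd rejections by source address and flags sources that rack up many rejections in a short span. The function names, the thresholds (5 events in 60 seconds) and the year 2009 (syslog timestamps omit it; taken from the post date) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The seven log lines quoted in the post above.
SAMPLE = """\
Feb 11 01:39:32 mythbox-mbe sshd[13585]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:33 mythbox-mbe sshd[13587]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:35 mythbox-mbe sshd[13589]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:36 mythbox-mbe sshd[13591]: User mythtv from 94.75.192.71 not allowed because listed in DenyUsers
Feb 11 01:39:38 mythbox-mbe sshd[13593]: Invalid user oracle from 94.75.192.71
Feb 11 01:39:40 mythbox-mbe sshd[13595]: Invalid user oracle from 94.75.192.71
Feb 11 01:39:41 mythbox-mbe sshd[13597]: Invalid user oracle from 94.75.192.71
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
PATTERNS = {
    "denied_user": re.compile(r"User (\S+) from (\S+) not allowed because listed in DenyUsers"),
    "invalid_user": re.compile(r"Invalid user (\S+) from (\S+)"),
}

def rejected_logins(text, year=2009):
    """Group rejected sshd logins by source IP: event counts, user names, timestamps."""
    by_ip = defaultdict(lambda: {"events": defaultdict(int), "users": set(), "times": []})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for kind, pat in PATTERNS.items():
            hit = pat.match(m.group(2))
            if hit:
                user, ip = hit.groups()
                by_ip[ip]["events"][kind] += 1
                by_ip[ip]["users"].add(user)
                by_ip[ip]["times"].append(when)
                break
    return by_ip

def guessing_sources(text, min_events=5, window_s=60):
    """Return IPs with at least min_events rejections inside any window_s-second span."""
    flagged = {}
    for ip, rec in rejected_logins(text).items():
        times = sorted(rec["times"])
        if any((times[i + min_events - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - min_events + 1)):
            flagged[ip] = {"attempts": len(times), "users": sorted(rec["users"]),
                           "events": dict(rec["events"])}
    return flagged
```

`guessing_sources(open("/var/log/auth.log").read())` runs the same check on a live log; the log path varies by distribution.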

