Before you consider opening the httpd ports to the internet, read this. Even if you do this, there are risks. However, you may be going to do it anyway. At least this will improve things.

Note: This assumes that you are using a firewall and only opening up only the ssl port (443) to the internet. Don't even think of connecting your mythbox to the internet without a firewall....

Step 0: Consider using ssh tunneling

A safer approach is not not open up any http/https ports to the internet, but instead use ssh tunneling. With ssh tunneling, ssh is used to tunnel all traffic from a port on the remote machine (ex. 8080) to the http port on the mythbox (i.e. 80). Then, going to http://localhost:8080 on the remote machine will be the same as going to http://mythbox except all traffic will go through the encrypted tunnel, bi-passing the firewall.

The basic steps are:

a. Make sure you have a secure password on your mythtv box.

b. On the firewall, forward a port (ex 800) to the mytbox ssh port (22). DO NOT FORWARD ANY OTHER PORTS TO ENSURE ALL ACCESS IS THROUGH THE SSH TUNNEL.

c. How you run ssh on the remote machine depends on the ssh client you are using. I use the linux ssh on my windows machine after installing www.cygwin.com. To configure it, I add the following lines to the .ssh/config (comments in brackets):

d. ssh into the firewall ddns hostname, this will log you into your mythbox.

e. Start a web browser and point it to http://localhost:8080. This will be tunneled to the mytbox:80

f. You can skip the remaining steps, or if you are really paranoid, you can do them too (just remember that https uses a different port).

Step 1: Enable Password Control for Everything

The default config only secures mythweb. This should secure all the other pages available.

Edit /etc/apache2/sites-enabled/000-default. Search for the first "AllowOverride" and right before it add the following lines:

Restart the web server (/etc/init.d/apache2 restart) and you should now be requested for a password for all web pages, not just mythweb.

Step 2: Enable SSL

As root, create the self signed certificates:

In /etc/apache2/sites-available/default, near the top right after the "ServerAdmin webmaster@localhost" line, add the following lines:

Edit /etc/apache2/ports.conf and change the port to 443.

As root, execute the following commands:

Restart the web server and you will have to use https://servername to access. Note: http://servername will no longer work.

Step 3: Create a Good UserID/Password for web access

You probably weren't thinking of it at the time, but when you created the mythweb password, it should contain mixed case, letters, numbers and non-alphanumeric characters. If you didn't do this, fix it now:

To create a new password file (overwriting what you create earlier):

To append to the password file with a new userID:


Step 4: Your Done

You should now have a secure SSL httpd running on port 443 that requires password access to all pages. This should be good enought to open port 443 to the internet.

NOTE: I take no responsibility if someone finds a way in.... If I missed anything, please add it here.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

By george, this is exactly what I was looking for yesterday. Thanks a bunch. Worked like a champ.

_________________
-Roseville, Michigan USA
LinHES R8: FE/BE, FE (x2)

I installed phpmyadmin to tweak the mysql database. I realized that there was no root password for mysql so I created one. Now mythbackup fails. So I removed the mysql root password.

Wouldn't this allow a hacker to get to the mysql database through phpmyadmin? Should mysql root have a password?

Maybe I should add that any changes or additions to the web server configuration may introduce security holes (as you have pointed out).

I have never used myphpadmin. Only webmin which runs on a different port that I don't open to the internet.

A few questions that might identify the risks(s):

1. Does myphpadmin run on the same port as the main httpd, or is it like webmin which is running on a different port (http://mybox.com:10000). If it is a different port, then just don't open this port to the internet.

2. If it is running on the same port, do you have to enter the web account password after the above changes? If so, then it is still relatively safe since a password and SSL are required to access the mysql (assuming mysql is not directly accessible from outside. i.e. Only port 443 has been opened to the internet). Still I would recommend only installing this tool when you need it and removing it when you are done.

3. If you can get in to it and make changes without any passwords (ex. the password enabled in step 1 of the instructions) then there is definitely a high risk. You might be able to correct it by looking for the .htaccess files added by myphpadmin, but I would still be very careful.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

After trying the above instructions (very nicely done) I can't restart apache.



Gives me



I've been googling, but I'm not making sense of this.

Any help appreciated.

What version are you using? The instructions are based on R5F1.

The error indicates that apache2 is not running. You might try /etc/init.d/apache2 start. Also, make sure you do this as root.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

Running R5F1 off a fresh install.

I tried the 'apache2 start' and still failed. (tried 'apache start' too but nothin.) apache2 restart worked fine after Step 1, it was after Step 2 that I got this "failed". I've gone thru the instructions for Step 2 twice to make sure I got it right.

I'm open to suggestions...

Forum is acting funny wouldn't let me edit.

But I did run all the above over putty (cut and paste commands) as root.

In that case, it sounds like the server is encountering an error during startup. This might be due to a problem with the keys (if it doesn't have valid keys, it won't start in SSL mode).

Can you check the logs? There should be something logged indicating the error. I think there were some apache related logs in /var/log somewhere. I'm traveling again, so I don't have access to my box to check.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

Although it may be more secure that way, I'd think having to enter a password at every page would quickly kill any desire to use the box remotely.

Isn't there some way to set up a single, privileged login that would allow secure yet easier access without resorting to constant logins for every page?

Another question...if you're using something like a Linksys cable/DSL router and have security set up well on the firewall in that box, is it necessary to have 'shields up' on the Myth box also?

Here's the error log repeatedly featuring:

Your web browser will cache the password. It only needs to be entered once. By "password required for all pages" I mean that no pages can be access without entering the password once earlier. By default, there are several pages that can be reached directly without ever entering a password.


Are you running webadmin? It uses ssl and maybe is conflicting. I did see this error once, but I can't remember what caused it at the moment.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

I haven't setup webadmin, so I guess not.

Ooops, my bad. I just got back and had a chance to look again at my setup and the SSLxxx options don't go in httpd.conf. They have to go in the VirtualHost directives. I've updated the instructions above. Don't forget to remove the options in httpd.conf.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

Is there a way to exempt a directory? I have some folders that have their own form based login and the basic auth method is made redundant.