
All times are UTC - 6 hours





 Post subject: Security
PostPosted: Wed Aug 29, 2007 12:42 pm 
Offline
Joined: Thu Mar 16, 2006 1:00 pm
Posts: 87
First off, yes, I know I'm an idiot. Changing the default username and password of my knoppmyth box was one of those things I always meant to do but never really got around to it...

Well, now somebody has found their way into my box, and I have no idea what they've done, so tonight I get to go home and reinstall it. Obviously, this time, I need to be a little smarter. Aside from changing the password to something other than mythtv, what kind of security measures have you guys implemented on your systems?


 
 Post subject: Re: Security
PostPosted: Wed Aug 29, 2007 12:45 pm 
Offline
Joined: Wed Nov 16, 2005 8:55 pm
Posts: 1381
Location: Farmington, MI USA
averyml wrote:
First off, yes, I know I'm an idiot. Changing the default username and password of my knoppmyth box was one of those things I always meant to do but never really got around to it...

Well, now somebody has found their way into my box, and I have no idea what they've done, so tonight I get to go home and reinstall it. Obviously, this time, I need to be a little smarter. Aside from changing the password to something other than mythtv, what kind of security measures have you guys implemented on your systems?
What indications do you have that someone has been on your system?

You don't have your KM box directly connected to the 'net, do you (No router to hide behind)?


 
 Post subject:
PostPosted: Wed Aug 29, 2007 12:48 pm 
Offline
Joined: Thu Mar 16, 2006 1:00 pm
Posts: 87
It's behind a router, but I have port 80 open for mythweb and 22 for ssh. I probably wouldn't have noticed if whoever did it hadn't changed the password. When I logged in as root, removed mythtv's password, and then looked at the bash history, I found some stuff there that I definitely didn't do. It looks like they downloaded and executed a bunch of files, then removed them.


 
 Post subject:
PostPosted: Wed Aug 29, 2007 1:13 pm 
Offline
Joined: Fri Oct 20, 2006 12:04 pm
Posts: 905
Location: LA, CA
Sorry about your getting hacked. Just wondering if this was from R5F1 or an earlier version?


 
 Post subject:
PostPosted: Wed Aug 29, 2007 1:25 pm 
Offline
Joined: Thu Mar 16, 2006 1:00 pm
Posts: 87
You know, I almost titled my post something along the lines of "I've been hacked!"...but then I decided perhaps that wasn't a good use of the word...it was more like inviting a robber into my house as opposed to having someone break in :oops: But, to answer your question, it was r5e50. I figured I'd improve security when I upgraded, but it was just something I never got around to doing...Now I'm going to have to upgrade to r5f1 tonight, then go through the whole process again when the new release with the schedules direct fix comes out in a few days...but going without my knoppmyth is not an option...I've become something of an addict;-)


 
 Post subject:
PostPosted: Wed Aug 29, 2007 1:36 pm 
Offline
Joined: Sun Sep 25, 2005 3:50 pm
Posts: 1013
Location: Los Angeles
Yikes. Well, as per the R5F1 standard, I don't allow remote logins from mythtv or root. I only access MythWeb via SSH tunnel, so port 80 is closed on my router/firewall. For ha-ha's I converted MythWeb to a secure connection as well.

_________________
Mike


 
 Post subject:
PostPosted: Wed Aug 29, 2007 1:37 pm 
Offline
Joined: Wed Nov 16, 2005 8:55 pm
Posts: 1381
Location: Farmington, MI USA
averyml wrote:
It's behind a router, but I have port 80 open for mythweb and 22 for ssh. I probably wouldn't have noticed if whoever did it hadn't changed the password. When I logged in as root, removed mythtv's password, and then looked at the bash history, I found some stuff there that I definitely didn't do. It looks like they downloaded and executed a bunch of files, then removed them.
Bummer. Are you sure it will require a reinstall?

As far as what I do to try to keep people out of my systems:

* Run any services on non-standard ports (e.g. I run SSH on port 62122)
* Try to create strong passwords (this makes it difficult to remember them, however!)
* Change the passwords once every month or so
* Don't allow direct logins for anything other than a username I created (don't allow mythtv, root, etc. to login via SSH)
* See http://mysettopbox.tv/phpBB2/viewtopic. ... ght=secure for making http more secure

Hope this helps...


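A small audit of an `sshd_config` against the SSH measures in the list above (non-standard port, no SSH login for `root` or `mythtv`), as an added example that is not part of the original post. The two configs and the `pvradmin` user are constructed, port 62122 is the one mentioned in the post, and group directives and `Match` blocks are not evaluated.

```python
from fnmatch import fnmatchcase

SHARED_ACCOUNTS = ("root", "mythtv")  # accounts the thread says to keep off SSH

# Constructed sample configs (not taken from a real KnoppMyth install).
WEAK = """\
Port 22
PermitRootLogin yes
#AllowUsers pvradmin
"""
HARDENED = """\
Port 62122
PermitRootLogin no
AllowUsers pvradmin
"""

def parse_sshd_config(text):
    """Return {lowercased keyword: [values]} for the global section only."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":  # per-user/host overrides are not evaluated here
            break
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), []).extend(parts[1].split())
    return opts

def can_log_in(user, opts):
    """sshd checks DenyUsers first, then AllowUsers (if any AllowUsers is set)."""
    def users(key):
        return [p.split("@", 1)[0] for p in opts.get(key, [])]
    if any(fnmatchcase(user, p) for p in users("denyusers")):
        return False
    allow = users("allowusers")
    return not allow or any(fnmatchcase(user, p) for p in allow)

def audit(text):
    """Return findings for the SSH checks listed in the post above."""
    opts = parse_sshd_config(text)
    findings = []
    if "22" in opts.get("port", ["22"]):  # sshd listens on 22 when Port is absent
        findings.append("ssh-on-default-port")
    # Anything other than an explicit "no" is reported, including an unset value.
    root_ok = opts.get("permitrootlogin", ["unset"])[0].lower() != "no"
    for user in SHARED_ACCOUNTS:
        if can_log_in(user, opts) and (user != "root" or root_ok):
            findings.append(f"{user}-can-log-in")
    return findings
```

Running `audit()` on the real file contents (for example the text of `/etc/ssh/sshd_config`) returns an empty list when none of the three conditions is present.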
 
 Post subject:
PostPosted: Wed Aug 29, 2007 1:42 pm 
Offline
Joined: Thu Mar 16, 2006 1:00 pm
Posts: 87
Thanks slowtolearn! I was actually looking for the information in that link you gave me a long time ago, but I don't remember ever coming across that post. To answer your question, I'm not positive it will require an install, but since I'm not sure what he did to my computer, I feel much safer that way.


 
 Post subject:
PostPosted: Wed Aug 29, 2007 2:17 pm 
Offline
Joined: Wed Nov 16, 2005 8:55 pm
Posts: 1381
Location: Farmington, MI USA
averyml wrote:
Thanks slowtolearn! I was actually looking for the information in that link you gave me a long time ago, but I don't remember ever coming across that post.
No problem.
averyml wrote:
To answer your question, I'm not positive it will require an install, but since I'm not sure what he did to my computer, I feel much safer that way.
I understand, and would be doing the same if I were wearing your shoes.

BTW, I was just thinking about this - You are prompted for the password for the mythtv user during installation, there is no "default" (at least not since R5Asomething, when I started with KM). So, during your reinstall pick a strong password as this is not one of the passwords you will want to be changing (messes with access to the database, etc.)


 
 Post subject:
PostPosted: Wed Aug 29, 2007 5:05 pm 
Offline
Joined: Tue Aug 08, 2006 7:08 pm
Posts: 561
Location: UK
Averyml, do you have a wireless connection to your network, or does your router have pass through for SSH and/or web?

Bruce S.

_________________
Updated 2019/10/26: AthlonII X2 265 Gigabyte GA-970A-DS3P
16Gb PC 1866 DDR3, 500GB+2TB+4TB SATA HDD,
SATA DVD-RW Asus DRW-24D5MT , NVIDIA GeForce GT1080
Hauppauge Nova-T 500, Nova-T LinHes R8.6.1


 
 Post subject:
PostPosted: Wed Aug 29, 2007 6:14 pm 
Offline
Joined: Thu Mar 16, 2006 1:00 pm
Posts: 87
It's a wired connection. A cable running down the hallway in fact. I never did get wireless working reliably. Our router has quite a few ports open for ssh, web, vnc, my husband's video games, etc. Some of those are about to be changed from their default ports this very evening.


 
 Post subject:
PostPosted: Wed Aug 29, 2007 6:39 pm 
Offline
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,

Kind of leaves a sick pit in the stomach discovering the invasion... R5F1 installs default with root and mythtv locked out of ssh so if the user you add during install has a good password, that is a beginning.

A few days ago there was a step by step post for making your web connection use https also.

And to lock everything down, apt-get install firestarter. Your KM box becomes a little better protected. Then only open ports of what you need.

While doing some googling today, I found a lot of very good tips on how to slow the bad guys down a little. Try "linux ssh port" and things along those lines for some ideas; iptables are some very simple but effective protection, using different ports rather than defaults too.

I agree with a reinstall as things could be buried so well that you would probably never find a lurking script just waiting to do something you would not like.

Mike


 
 Post subject:
PostPosted: Wed Aug 29, 2007 7:27 pm 
Offline
Joined: Thu Mar 16, 2006 1:00 pm
Posts: 87
My upgrade didn't exactly work for some reason, so I decided I might as well just do a clean install...which means a lot of work, which I will probably be about halfway through by the time we get r5fx with the sd fix. I'm going out of town this weekend, and there's not much on tv anyway right now, so I'm going to try to hold out for the next release, and spend my time researching basic linux security ;-) I'll have to take a look at firestarter like Mike suggested, and I may look into Snort too...it may be a little overkill for my mythbox, but I may have to install it at work soon, and the practice may make me look like I actually know what I'm doing! Thank you for your suggestions. Now...anyone have any good ideas for dealing with pvr withdrawal? :?


 
 Post subject:
PostPosted: Wed Aug 29, 2007 9:48 pm 
Offline
Joined: Mon Mar 13, 2006 2:28 am
Posts: 143
Location: Brisbane, Australia
averyml wrote:
Now...anyone have any good ideas for dealing with pvr withdrawal? :?


Searching around for parts for a new silent frontend has been keeping me busy for the past few days :D


 
 Post subject:
PostPosted: Thu Aug 30, 2007 10:21 am 
Offline
Site Admin
Joined: Fri Sep 19, 2003 6:37 pm
Posts: 2659
Location: Whittier, Ca
Folks, please do not expose your PVR to the Internet. You should have it behind a firewall. While we try and keep security in mind, I cannot guarantee the security of an install. Security is a full time job. I've stated in the past that "MythTV isn't designed w/ security in mind. As it would affect performance." This is a quote from Isaac.

