View unanswered posts    View active topics

All times are UTC - 6 hours





Post new topic Reply to topic  [ 34 posts ] 
Go to page 1, 2, 3  Next

Print view Previous topic   Next topic  
Author Message
Search for:
 Post subject: Securing KnoppMyth
PostPosted: Fri Sep 28, 2007 9:52 am 
Offline
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
When I ran ps -u root I noticed that apache is running. Is that secure? [since I know apache has security issues!] Also, are there any other processes that pose security threats that have to be running in KM? Any advice on how to secure KM?

Here's the outcome of ps -u root. Please feel free to let me know what you think about which processes are secure and which are not.

Thanks

Code:
PID TTY          TIME CMD
    1 ?        00:00:00 init
    2 ?        00:00:00 migration/0
    3 ?        00:00:00 ksoftirqd/0
    4 ?        00:00:00 watchdog/0
    5 ?        00:00:00 migration/1
    6 ?        00:00:00 ksoftirqd/1
    7 ?        00:00:00 watchdog/1
    8 ?        00:00:00 events/0
    9 ?        00:00:00 events/1
   10 ?        00:00:00 khelper
   11 ?        00:00:00 kthread
   15 ?        00:00:00 kblockd/0
   16 ?        00:00:00 kblockd/1
   17 ?        00:00:00 kacpid
  174 ?        00:00:00 kseriod
  291 ?        00:00:00 pdflush
  292 ?        00:00:00 pdflush
  293 ?        00:00:00 kswapd0
  294 ?        00:00:00 kprefetchd
  295 ?        00:00:00 aio/0
  296 ?        00:00:00 aio/1
  297 ?        00:00:00 jfsIO
  298 ?        00:00:00 jfsCommit
  299 ?        00:00:00 jfsCommit
  300 ?        00:00:00 jfsSync
  301 ?        00:00:00 xfslogd/0
  302 ?        00:00:00 xfslogd/1
  303 ?        00:00:00 xfsdatad/0
  304 ?        00:00:00 xfsdatad/1
  994 ?        00:00:00 ata/0
  995 ?        00:00:00 ata/1
  996 ?        00:00:00 ata_aux
 1009 ?        00:00:00 scsi_eh_0
 1010 ?        00:00:00 scsi_eh_1
 1036 ?        00:00:00 kpsmoused
 1039 ?        00:00:00 kirqd
 1051 ?        00:00:00 khpsbpkt
 1065 ?        00:00:00 khubd
 1067 ?        00:00:00 kjournald
 1146 ?        00:00:00 udevd
 2248 ?        00:00:00 cx88 tvaudio
 2587 ?        00:00:00 unionfs_siod/0
 2588 ?        00:00:00 unionfs_siod/1
 2839 ?        00:00:00 kjournald
 2956 ?        00:00:00 dhclient3
 3231 ?        00:00:00 syslogd
 3255 ?        00:00:00 klogd
 3281 ?        00:00:00 apache2
 3341 ?        00:00:00 lircd
 3399 ?        00:00:00 mysqld_safe
 3437 ?        00:00:00 logger
 3521 ?        00:00:00 sshd
 3676 ?        00:00:00 cron
 3730 tty1     00:00:00 getty
 3731 tty2     00:00:00 getty
 3732 tty3     00:00:00 getty
 3733 tty4     00:00:00 getty
 3734 tty5     00:00:00 getty
 3735 tty6     00:00:00 getty
 3736 ?        00:00:00 openvt
 3751 ?        00:00:00 openvt
 3782 tty7     00:00:01 Xorg
 3953 ?        00:00:00 sshd
 3974 ttyp0    00:00:00 su
 3975 ttyp0    00:00:00 bash
 3976 ttyp0    00:00:00 ps


Top
 Profile  
 
 Post subject:
PostPosted: Fri Sep 28, 2007 10:18 am 
Offline
Joined: Thu Sep 30, 2004 12:26 pm
Posts: 468
Location: Canada
Apache is running so you can use MythWeb. Which, is probably one of the BEST features of MythTV...next to the whole "it being a commercial skipping PVR" part.

I'd say 99% of my recordings are scheduled through MythWeb. That's also how I delete recordings, etc...

_________________
"The amount of time needed to solve a problem is inversely proportionate to the complexity of the solution" -- Me

KM: R5.5
CPU: Athlon 3800+
Vid: nvidia 7300GT
Snd: Chaintech av-710
Tuner: PVR150
HD: 1000gb sata + 750gb sata + 500gb usb


Top
 Profile  
 
 Post subject:
PostPosted: Fri Sep 28, 2007 10:19 am 
Offline
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,

More of a question than an answer but how are you thinking of connecting to outside world? Via a firewall, directly? Is it part of an internal network?

If you want to just lock it down, apt-get install firestarter. You add it to the sudoers list so you can open a port if needed as user mythtv.

Port 22, ssh is open to the user that you created at install time and any new users you may add. Mythtv & root are blocked from ssh starting R5F1 to current.

They may be many better ways but at least it is a start. There was a post recently howto make apache2 use only https requiring a login for the first page (which may be any page).

Mike


Top
 Profile  
 
 Post subject:
PostPosted: Fri Sep 28, 2007 10:37 am 
Offline
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
mjl wrote:
Hi,

More of a question than an answer but how are you thinking of connecting to outside world? Via a firewall, directly? Is it part of an internal network?

If you want to just lock it down, apt-get install firestarter. You add it to the sudoers list so you can open a port if needed as user mythtv.

Port 22, ssh is open to the user that you created at install time and any new users you may add. Mythtv & root are blocked from ssh starting R5F1 to current.

They may be many better ways but at least it is a start. There was a post recently howto make apache2 use only https requiring a login for the first page (which may be any page).

Mike


For now the mythbox is using a wireless card and connects to my linksys router. The router has a firewall (does not allow unrecognized applications). It port forwards to my mythbox, and so I can do ssh from outside (using dyndns.org).

EDIT: I'm guessing since it's sitting behind a firewall, mythweb is not open to the outside world, right? So if I only use ssh tunneling to access mythweb from the outside world, that should solve all the security issues with apache, right? Or is there something I'm overlooking and one can in fact access my mythweb without ssh tunneling? [I DO agree: a very useful thing, mythweb is :) .. I mean if I forget to schedule a recording and I'm at work when I remember about that, who else will save my day???? :) ]


Top
 Profile  
 
 Post subject:
PostPosted: Fri Sep 28, 2007 11:25 am 
Offline
Joined: Tue Sep 12, 2006 6:03 am
Posts: 210
Location: Roseville, MI
http://www.mysettopbox.tv/phpBB2/viewtopic.php?t=15796&highlight=secure+mythweb

You can also change the port number to something other then 80 for a bit more security.
Code:
nano /etc/apache2/ports.conf

_________________
-Roseville, Michigan USA
LinHES R8: FE/BE, FE (x2)


Top
 Profile  
 
 Post subject:
PostPosted: Fri Sep 28, 2007 12:01 pm 
Offline
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
well.. i'm perfectly happy accessing mythweb via ssh tunneling only. is apache closed by default or do i need to do something to close it to the outside world?

are there any other security issues i need to worry about? [i mean other than apache]


Top
 Profile  
 
 Post subject:
PostPosted: Fri Sep 28, 2007 4:55 pm 
Offline
Joined: Tue Mar 22, 2005 9:18 pm
Posts: 1422
Location: Brisbane, Queensland, Australia
The issue has been discussed by the testers before and some of the results are now seen in the release product, i.e. requiring password for mythweb and disabling mythtv & root users access via ssh.

As to your particular question unless there is a port forwarding rule in your router to forward traffic to port 80 on your myth box, then you should be safe cause there is no path to the service from the outside world.

Is there a particular vulnerability that you are concerned about? If there is, please PM Cecil and or me even and then cecil may look at fixing it in a future release.

_________________
Girkers


Top
 Profile  
 
 Post subject:
PostPosted: Fri Sep 28, 2007 5:49 pm 
Offline
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
Girkers wrote:
The issue has been discussed by the testers before and some of the results are now seen in the release product, i.e. requiring password for mythweb and disabling mythtv & root users access via ssh.

As to your particular question unless there is a port forwarding rule in your router to forward traffic to port 80 on your myth box, then you should be safe cause there is no path to the service from the outside world.

Is there a particular vulnerability that you are concerned about? If there is, please PM Cecil and or me even and then cecil may look at fixing it in a future release.


NO NO! nothing particular :) Knock on wood. I'm just paranoid :) Don't want to have to go through reinstallation and customization again because some kid wanted to have fun with my mythbox! :)

I'm very comfy with ssh tunneling from my work machine only. So I have my ssh set up with a password, a key, and allowing only my work ip. The only port that is forwarded to the mythbox is the one for ssh. (anything else to secure my ssh session??!! :) )

On the other hand, I want that no one can access my webpages other than the mythbox itself. That includes the local network. I'm fine with ssh tunneling again from my home mac to my mythbox if I for some reason want to see my webpages.

Do you see any potential issues with this arrangement?

To avoid double posting, here's a link to where I just asked a few questions about this "security concern":
http://mysettopbox.tv/phpBB2/viewtopic. ... 217#100217
(just in case someone reading this post would like to answer some of these questions!)

Thanks for all the help!!


Top
 Profile  
 
 Post subject:
PostPosted: Fri Sep 28, 2007 10:08 pm 
Offline
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,

To add a little, to be a bit paranoid is not a bad thing in my book, helps keep the horses in the barn.

There was posted a couple simple iptable things that would also help lock down some more. It added two or three ssh password attempts and then reject for x number of minutes. Helps stop the constant hammering on the front door from robots. If you can't enter your password correctly by the third try, maybe a cooling period is needed :)

As for the web service, setting up for https is quite easy and works quite nicely so then you could feel comfortable to allow for your internal access.

Nice to see someone else concerned about keeping our KM boxes secure :)

Mike


Top
 Profile  
 
 Post subject:
PostPosted: Fri Sep 28, 2007 11:37 pm 
Offline
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
mjl wrote:
Hi,

To add a little, to be a bit paranoid is not a bad thing in my book, helps keep the horses in the barn.

There was posted a couple simple iptable things that would also help lock down some more. It added two or three ssh password attempts and then reject for x number of minutes. Helps stop the constant hammering on the front door from robots. If you can't enter your password correctly by the third try, maybe a cooling period is needed :)

As for the web service, setting up for https is quite easy and works quite nicely so then you could feel comfortable to allow for your internal access.

Nice to see someone else concerned about keeping our KM boxes secure :)

Mike


thanks :) i'll look these up (ip tables, 3 attempts+cool down period!, https) are there any other things (other than ssh and web access) to worry about? also, my router only lets in the port ssh listens to. and it is not the same one as the one apache listens to :) so web access should be closed to the outside world, right?


Top
 Profile  
 
 Post subject:
PostPosted: Sat Sep 29, 2007 3:30 am 
Offline
Joined: Wed Dec 10, 2003 8:31 pm
Posts: 1996
Location: /dev/null
fra wrote:
also, my router only lets in the port ssh listens to. and it is not the same one as the one apache listens to :) so web access should be closed to the outside world, right?


Right. No port forwarding = no connection. You'll also wanna disable remote admin inside your router (assuming it has that feature) if you haven't done so already. I think iptables is overkill since you have a hardware firewall (router). As long as you're controlling your ssh connections with pw+key+ip rule I think you're fine.

_________________
Retired KM user (R4 - R6.04); friend to LH users.


Top
 Profile  
 
 Post subject:
PostPosted: Sat Sep 29, 2007 7:53 am 
Offline
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,

I added the iptables note mainly as an awareness factor. There are these robots that just sit on the front door of your machine going through the "book of names" trying every name looking for a log in. The iptables makes them go away as it blocks the ip after your designated failure try count.

Mike


Top
 Profile  
 
 Post subject:
PostPosted: Sat Sep 29, 2007 10:09 am 
Offline
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
graysky wrote:
Right. No port forwarding = no connection. You'll also wanna disable remote admin inside your router (assuming it has that feature) if you haven't done so already. I think iptables is overkill since you have a hardware firewall (router). As long as you're controlling your ssh connections with pw+key+ip rule I think you're fine.


Router requires username and password to get into the configuration, also only uses https, and only works with a cable (no wireless). I'm guessing this is what you meant. To configure it you have to be AT my house. And if the intruder is already at the house, then that's a different security matter :) !!

I found this site where the author shows how to simply block anyone who tries more than 2 times and fails:

http://aplawrence.com/Blog/B1117.html

I think I'll configure my router to only allow my work ip to ssh, rather than do it with ip tables. That should be enough, I guess. No?

Also, are there any other security issues I need to worry about (other than ssh and web connection)???? I'm guessing since the only open port is the ssh one, I just need to secure my ssh connection, right?


Top
 Profile  
 
 Post subject:
PostPosted: Sat Sep 29, 2007 6:40 pm 
Offline
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
one more question: it seems that if in the sshd_config file i set PasswordAuthentication to yes then when someone tries to access the mythbox and they don't have the key, they get asked for the password!

Doesn't this beat the purpose of key authentication??? Or am I missing something?

For now, I have it set to no and so if someone doesn't have the key they simply get denied access. What I wanted to have, originally, is: if someone doesn't have a key they get denied access but if they do have the key they get asked for the passphrase and the password :) Seems impossible to set up, right? [and is probably an overkill, since if someone cracked the key and the passphrase they probably can crack the password quite simply :) ]

Next, I'll set up https.. And finally ip restricting :) [and next, if it is easy, then maybe also max of 3 failed attempts and 30 min cool down period]


Top
 Profile  
 
 Post subject:
PostPosted: Sat Sep 29, 2007 9:54 pm 
Offline
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
fra wrote:
one more question: it seems that if in the sshd_config file i set PasswordAuthentication to yes then when someone tries to access the mythbox and they don't have the key, they get asked for the password!

Doesn't this beat the purpose of key authentication??? Or am I missing something?

It sounds like you've misunderstood what it's for, and that is almost 180 degrees from what you seem to think. Requiring a password for authentication is the normal state of affairs, key authentication allows you to bypass that for trusted hosts. Therefore if you don't have a key you get prompted for a password. There is a different mechanism for allowing and disallowing remote hosts by IP address.


Top
 Profile  
 

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 34 posts ] 
Go to page 1, 2, 3  Next



All times are UTC - 6 hours




Who is online

Users browsing this forum: No registered users and 21 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group

Theme Created By ceyhansuyu