fra
Posted: Fri Sep 28, 2007 9:52 am
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
When I ran ps -u root I noticed that apache is running. Is that secure? [since I know apache has security issues!] Also, are there any other processes that pose security threats that have to be running in KM? Any advice on how to secure KM?
Here's the outcome of ps -u root. Please feel free to let me know what you think about which processes are secure and which are not.
Thanks
Code:
  PID TTY          TIME CMD
    1 ?        00:00:00 init
    2 ?        00:00:00 migration/0
    3 ?        00:00:00 ksoftirqd/0
    4 ?        00:00:00 watchdog/0
    5 ?        00:00:00 migration/1
    6 ?        00:00:00 ksoftirqd/1
    7 ?        00:00:00 watchdog/1
    8 ?        00:00:00 events/0
    9 ?        00:00:00 events/1
   10 ?        00:00:00 khelper
   11 ?        00:00:00 kthread
   15 ?        00:00:00 kblockd/0
   16 ?        00:00:00 kblockd/1
   17 ?        00:00:00 kacpid
  174 ?        00:00:00 kseriod
  291 ?        00:00:00 pdflush
  292 ?        00:00:00 pdflush
  293 ?        00:00:00 kswapd0
  294 ?        00:00:00 kprefetchd
  295 ?        00:00:00 aio/0
  296 ?        00:00:00 aio/1
  297 ?        00:00:00 jfsIO
  298 ?        00:00:00 jfsCommit
  299 ?        00:00:00 jfsCommit
  300 ?        00:00:00 jfsSync
  301 ?        00:00:00 xfslogd/0
  302 ?        00:00:00 xfslogd/1
  303 ?        00:00:00 xfsdatad/0
  304 ?        00:00:00 xfsdatad/1
  994 ?        00:00:00 ata/0
  995 ?        00:00:00 ata/1
  996 ?        00:00:00 ata_aux
 1009 ?        00:00:00 scsi_eh_0
 1010 ?        00:00:00 scsi_eh_1
 1036 ?        00:00:00 kpsmoused
 1039 ?        00:00:00 kirqd
 1051 ?        00:00:00 khpsbpkt
 1065 ?        00:00:00 khubd
 1067 ?        00:00:00 kjournald
 1146 ?        00:00:00 udevd
 2248 ?        00:00:00 cx88 tvaudio
 2587 ?        00:00:00 unionfs_siod/0
 2588 ?        00:00:00 unionfs_siod/1
 2839 ?        00:00:00 kjournald
 2956 ?        00:00:00 dhclient3
 3231 ?        00:00:00 syslogd
 3255 ?        00:00:00 klogd
 3281 ?        00:00:00 apache2
 3341 ?        00:00:00 lircd
 3399 ?        00:00:00 mysqld_safe
 3437 ?        00:00:00 logger
 3521 ?        00:00:00 sshd
 3676 ?        00:00:00 cron
 3730 tty1     00:00:00 getty
 3731 tty2     00:00:00 getty
 3732 tty3     00:00:00 getty
 3733 tty4     00:00:00 getty
 3734 tty5     00:00:00 getty
 3735 tty6     00:00:00 getty
 3736 ?        00:00:00 openvt
 3751 ?        00:00:00 openvt
 3782 tty7     00:00:01 Xorg
 3953 ?        00:00:00 sshd
 3974 ttyp0    00:00:00 su
 3975 ttyp0    00:00:00 bash
 3976 ttyp0    00:00:00 ps
Gibble
Posted: Fri Sep 28, 2007 10:18 am
Joined: Thu Sep 30, 2004 12:26 pm
Posts: 468
Location: Canada
Apache is running so you can use MythWeb. Which, is probably one of the BEST features of MythTV...next to the whole "it being a commercial skipping PVR" part.
I'd say 99% of my recordings are scheduled through MythWeb. That's also how I delete recordings, etc...
_________________
"The amount of time needed to solve a problem is inversely proportionate to the complexity of the solution" -- Me
KM: R5.5
CPU: Athlon 3800+
Vid: nvidia 7300GT
Snd: Chaintech av-710
Tuner: PVR150
HD: 1000gb sata + 750gb sata + 500gb usb
mjl
Posted: Fri Sep 28, 2007 10:19 am
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,
More of a question than an answer but how are you thinking of connecting to outside world? Via a firewall, directly? Is it part of an internal network?
If you want to just lock it down, apt-get install firestarter. You add it to the sudoers list so you can open a port if needed as user mythtv.
Port 22, ssh is open to the user that you created at install time and any new users you may add. Mythtv & root are blocked from ssh starting R5F1 to current.
There may be many better ways, but at least it is a start. There was a post recently on how to make apache2 use only https, requiring a login for the first page (which may be any page).
Mike
fra
Posted: Fri Sep 28, 2007 10:37 am
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
mjl wrote: Hi,
More of a question than an answer but how are you thinking of connecting to outside world? Via a firewall, directly? Is it part of an internal network?
If you want to just lock it down, apt-get install firestarter. You add it to the sudoers list so you can open a port if needed as user mythtv.
Port 22, ssh is open to the user that you created at install time and any new users you may add. Mythtv & root are blocked from ssh starting R5F1 to current.
There may be many better ways, but at least it is a start. There was a post recently on how to make apache2 use only https, requiring a login for the first page (which may be any page).
Mike
For now the mythbox is using a wireless card and connects to my linksys router. The router has a firewall (does not allow unrecognized applications). It port forwards to my mythbox, and so I can do ssh from outside (using dyndns.org).
EDIT: I'm guessing since it's sitting behind a firewall, mythweb is not open to the outside world, right? So if I only use ssh tunneling to access mythweb from the outside world, that should solve all the security issues with apache, right? Or is there something I'm overlooking and one can in fact access my mythweb without ssh tunneling? [I DO agree: a very useful thing, mythweb is .. I mean if I forget to schedule a recording and I'm at work when I remember about that, who else will save my day???? ]
spideyk21
Posted: Fri Sep 28, 2007 11:25 am
Joined: Tue Sep 12, 2006 6:03 am
Posts: 210
Location: Roseville, MI
fra
Posted: Fri Sep 28, 2007 12:01 pm
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
Well.. I'm perfectly happy accessing mythweb via ssh tunneling only. Is apache closed by default, or do I need to do something to close it to the outside world?
Are there any other security issues I need to worry about? [I mean other than apache]
Girkers
Posted: Fri Sep 28, 2007 4:55 pm
Joined: Tue Mar 22, 2005 9:18 pm
Posts: 1422
Location: Brisbane, Queensland, Australia
The issue has been discussed by the testers before and some of the results are now seen in the release product, i.e. requiring password for mythweb and disabling mythtv & root users access via ssh.
As to your particular question unless there is a port forwarding rule in your router to forward traffic to port 80 on your myth box, then you should be safe cause there is no path to the service from the outside world.
Is there a particular vulnerability that you are concerned about? If there is, please PM Cecil and or me even and then cecil may look at fixing it in a future release.
_________________ Girkers
fra
Posted: Fri Sep 28, 2007 5:49 pm
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
Girkers wrote: The issue has been discussed by the testers before and some of the results are now seen in the release product, i.e. requiring password for mythweb and disabling mythtv & root users access via ssh.
As to your particular question unless there is a port forwarding rule in your router to forward traffic to port 80 on your myth box, then you should be safe cause there is no path to the service from the outside world.
Is there a particular vulnerability that you are concerned about? If there is, please PM Cecil and or me even and then cecil may look at fixing it in a future release.
NO NO! Nothing particular, knock on wood. I'm just paranoid. Don't want to have to go through reinstallation and customization again because some kid wanted to have fun with my mythbox!
I'm very comfy with ssh tunneling from my work machine only. So I have my ssh set up with a password, a key, and allowing only my work IP. The only port that is forwarded to the mythbox is the one for ssh. (Anything else to secure my ssh session??!!)
On the other hand, I want no one to be able to access my webpages other than the mythbox itself. That includes the local network. I'm fine with ssh tunneling again from my home mac to my mythbox if I for some reason want to see my webpages.
Do you see any potential issues with this arrangement?
To avoid double posting, here's a link to where I just asked a few questions about this "security concern":
http://mysettopbox.tv/phpBB2/viewtopic. ... 217#100217
(just in case someone reading this post would like to answer some of these questions!)
Thanks for all the help!!
mjl
Posted: Fri Sep 28, 2007 10:08 pm
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,
To add a little, to be a bit paranoid is not a bad thing in my book, helps keep the horses in the barn.
There was a post with a couple of simple iptables things that would also help lock down some more. It allowed two or three ssh password attempts and then rejected for x number of minutes. Helps stop the constant hammering on the front door from robots. If you can't enter your password correctly by the third try, maybe a cooling period is needed.
As for the web service, setting up for https is quite easy and works quite nicely, so then you could feel comfortable allowing your internal access.
Nice to see someone else concerned about keeping our KM boxes secure.
Mike
fra
Posted: Fri Sep 28, 2007 11:37 pm
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
mjl wrote: Hi,
To add a little, to be a bit paranoid is not a bad thing in my book, helps keep the horses in the barn.
There was a post with a couple of simple iptables things that would also help lock down some more. It allowed two or three ssh password attempts and then rejected for x number of minutes. Helps stop the constant hammering on the front door from robots. If you can't enter your password correctly by the third try, maybe a cooling period is needed.
As for the web service, setting up for https is quite easy and works quite nicely, so then you could feel comfortable allowing your internal access.
Nice to see someone else concerned about keeping our KM boxes secure.
Mike
Thanks, I'll look these up (iptables, 3 attempts + cool down period!, https). Are there any other things (other than ssh and web access) to worry about? Also, my router only lets in the port ssh listens to, and it is not the same one as the one apache listens to, so web access should be closed to the outside world, right?
graysky
Posted: Sat Sep 29, 2007 3:30 am
Joined: Wed Dec 10, 2003 8:31 pm
Posts: 1996
Location: /dev/null
fra wrote: also, my router only lets in the port ssh listens to. and it is not the same one as the one apache listens to so web access should be closed to the outside world, right?
Right. No port forwarding = no connection. You'll also wanna disable remote admin inside your router (assuming it has that feature) if you haven't done so already. I think iptables is overkill since you have a hardware firewall (router). As long as you're controlling your ssh connections with pw+key+ip rule I think you're fine.
_________________ Retired KM user (R4 - R6.04); friend to LH users.
mjl
Posted: Sat Sep 29, 2007 7:53 am
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,
I added the iptables note mainly as an awareness factor. There are these robots that just sit on the front door of your machine going through the "book of names" trying every name looking for a log in. The iptables makes them go away as it blocks the ip after your designated failure try count.
Mike
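As an added example (not code from the thread or from the blog post linked later in it), a POSIX shell function that generates the iptables rules for the "a few tries, then a cool-down" scheme mjl describes, using the xt_recent match. The sample run uses the three attempts mentioned above, a 30-minute block chosen here, ssh on port 22, and 203.0.113.10 as a placeholder for a trusted work address; it prints the commands for review rather than running them.

```shell
#!/bin/sh
# Added example, not from the thread: build the iptables rules that let a
# source address open N new ssh connections and then drop it for M minutes.
# Caveat: netfilter cannot see whether a login failed. The counter is NEW TCP
# connections per source within the window, so a legitimate user who opens
# several sessions quickly trips it too; trusted addresses are whitelisted
# first. Assumes the usual ESTABLISHED,RELATED accept rule exists above these.

ssh_ratelimit_rules() {   # $1 port, $2 attempts, $3 block minutes, $4.. trusted sources
    port=$1; attempts=$2; seconds=$(( $3 * 60 )); shift 3
    # Trusted sources (e.g. the work address) bypass the counter entirely.
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
    done
    # 1. Once $attempts connections from a source are recorded inside the
    #    window, drop the next one. --update also refreshes the timestamp, so a
    #    source that keeps knocking stays blocked (use --rcheck for a fixed window).
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW" \
         "-m recent --name SSH --rsource --update --seconds $seconds" \
         "--hitcount $attempts -j DROP"
    # 2. Otherwise record this connection attempt and let it through.
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW" \
         "-m recent --name SSH --rsource --set -j ACCEPT"
}

# Stand-alone run: 3 attempts, 30 minute cool-down, ssh on port 22, with the
# placeholder work address 203.0.113.10 (an assumption) trusted. Review the
# output, then apply it as root with: ssh_ratelimit_rules ... | sh
ssh_ratelimit_rules 22 3 30 203.0.113.10
```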
fra
Posted: Sat Sep 29, 2007 10:09 am
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
graysky wrote: Right. No port forwarding = no connection. You'll also wanna disable remote admin inside your router (assuming it has that feature) if you haven't done so already. I think iptables is overkill since you have a hardware firewall (router). As long as you're controlling your ssh connections with pw+key+ip rule I think you're fine.
Router requires username and password to get into the configuration, also only uses https, and only works with a cable (no wireless). I'm guessing this is what you meant. To configure it you have to be AT my house. And if the intruder is already at the house, then that's a different security matter !!
I found this site where the author shows how to simply block anyone who tries more than 2 times and fails:
http://aplawrence.com/Blog/B1117.html
I think I'll configure my router to only allow my work IP to ssh, rather than do it with iptables. That should be enough, I guess. No?
Also, are there any other security issues I need to worry about (other than ssh and web connection)???? I'm guessing since the only open port is the ssh one, I just need to secure my ssh connection, right?
fra
Posted: Sat Sep 29, 2007 6:40 pm
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
One more question: it seems that if in the sshd_config file I set PasswordAuthentication to yes, then when someone tries to access the mythbox and they don't have the key, they get asked for the password!
Doesn't this defeat the purpose of key authentication??? Or am I missing something?
For now, I have it set to no, and so if someone doesn't have the key they simply get denied access. What I wanted to have, originally, is: if someone doesn't have a key they get denied access, but if they do have the key they get asked for the passphrase and the password. Seems impossible to set up, right? [and is probably overkill, since if someone cracked the key and the passphrase they probably can crack the password quite simply]
Next, I'll set up https.. And finally ip restricting [and next, if it is easy, then maybe also max of 3 failed attempts and 30 min cool down period]
tjc
Posted: Sat Sep 29, 2007 9:54 pm
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
fra wrote: One more question: it seems that if in the sshd_config file I set PasswordAuthentication to yes, then when someone tries to access the mythbox and they don't have the key, they get asked for the password!
Doesn't this defeat the purpose of key authentication??? Or am I missing something?
It sounds like you've misunderstood what it's for, and that is almost 180 degrees from what you seem to think. Requiring a password for authentication is the normal state of affairs, key authentication allows you to bypass that for trusted hosts. Therefore if you don't have a key you get prompted for a password. There is a different mechanism for allowing and disallowing remote hosts by IP address.
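As an added example (not from the thread), a hardened sshd_config fragment for the arrangement fra describes, key-only login for a named user from named addresses with the password fallback tjc explains switched off, plus a small POSIX shell audit of an existing sshd_config. The user name alice and the address 203.0.113.10 are placeholders; the commented AuthenticationMethods line (key and password together, what fra originally asked for) needs OpenSSH 6.2 or newer.

```shell
#!/bin/sh
# Added example, not from the thread. "alice" (the install-time user) and
# 203.0.113.10 (the work address) are placeholders.
HARDENED_SSHD_CONFIG='
PermitRootLogin no
PubkeyAuthentication yes
# No key, no prompt: the password fallback is switched off here.
PasswordAuthentication no
# Also off, or PAM can still offer a password prompt via keyboard-interactive.
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
# user@host patterns restrict who may log in and from where, in addition to
# the router rule: the work address plus the home LAN.
AllowUsers alice@203.0.113.10 alice@192.168.1.*
# Key AND password, what fra originally wanted; needs OpenSSH 6.2 or newer.
# AuthenticationMethods publickey,password
'
# Effective value of a directive: sshd uses the first occurrence of a keyword,
# so report the first non-comment match in the global section (before any
# Match block). Handles the whitespace-separated form only.
sshd_directive() {   # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}
# Audit: one FAIL line per directive not explicitly set to the wanted value
# (conservative: an absent directive means the compiled-in default applies,
# which for these three is not "no"). Returns 1 if anything failed.
audit_sshd_config() {   # $1 = config file
    rc=0
    for want in "PasswordAuthentication no" "ChallengeResponseAuthentication no" \
                "PermitRootLogin no"; do
        key=${want% *}; expected=${want#* }
        actual=$(sshd_directive "$1" "$key")
        if [ "${actual:-(unset)}" != "$expected" ]; then
            echo "FAIL $key = ${actual:-(unset)} (want $expected)"; rc=1
        fi
    done
    return $rc
}
# Stand-alone run: audit the fragment above (written to a temp file). To audit
# the live file instead: audit_sshd_config /etc/ssh/sshd_config
tmp=$(mktemp); printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$tmp"
audit_sshd_config "$tmp" && echo "OK: all checks passed"
rm -f "$tmp"
```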