externally viewing your box - warning

kiddac

Newbie
After doing a bit of research last night, I was totally unaware of how easy it is for 3rd parties to view your unsecured networks.

I am not referring to your own home wifi network; I am referring to setting up your router and box so it can be viewed outside of your home network and not using a password on it.

With a simple port scan, your sat-box becomes freely available to anyone with a bit of know how searching for it. It is scarily easy to do.

If they have 2 tuners you can view any channel you want from their box and they won't even know.
If they have 1 tuner you can piss them off by constantly turning the channel over.
I can send a message to that box ...
I can steal their line off their box.

All this can be done via an unsecured openwebif.

There are also forums on the net that post all these unsecured Dreambox IPs. All they do is just scan various IP ranges all day long.

So the advice is: if you have set up an external network to view your box, make sure that you set a secure password on it.

I won't be explaining any more how this is done, or what software to use to do it. So don't bother asking me.

It's just a warning.

(edited for legal reasons ;) )

See this post for the correct way to secure your openwebif:
http://www.techkings.org/zgemma-star-2s/85471-externally-viewing-your-box-warning-3.html#post482990
 
Last edited:
Yeah, I must get 10 login attempts a day on my security cameras. Never leave defaults, although some of the blame should lie with the manufacturers of the hardware/software. In my opinion every device that requires a password should ask you to change away from the defaults as soon as you first enter the default login info.
 
Yes it does.

My thread is purely for that reason: to highlight the risk, to highlight how easy it is. To give you a kick up the backside to secure your external network.

There have been many threads on techkings of people asking how to view outside their network. Not once do I recall people advising to make sure it's secure.
 
Yes it does.

My thread is purely for that reason: to highlight the risk, to highlight how easy it is. To give you a kick up the backside to secure your external network.

There have been many threads on techkings of people asking how to view outside their network. Not once do I recall people advising to make sure it's secure.


There is highlighting a risk, and there is telling people how to go and get into others' systems.

You could have just told people to change ports and add a different password, but you didn't; you have told people what to do to go and find them.
 
Go to Plugins, OpenWebif, and change from the default 80 to something a little more memorable. Problem solved.

I think you've misunderstood what a port scanner does: it scans the entire port range for open ports for an IP. It doesn't matter if you've used 80, 8080 or 6969; the port scanner will find it no matter what you set it to. The key is securing it first!

TC.

---------- Post Merged at 06:17 PM ----------

There have been many threads on techkings of people asking how to view outside their network. Not once do I recall people advising to make sure it's secure.

I discussed it last year at http://www.techkings.org/zgemma-star-2s/83001-zgemma-2-box-iphone.html and in more detail at
http://www.techkings.org/zgemma-star-2s/82557-change-streaming-port-openwebif-zgemma.html and http://www.techkings.org/zgemma-star-2s/82997-security-openwebif-internet-access.html. I even stated in this thread: "I turned port forwarding on last week and found a particular IP (from a data centre in London, so it was likely a bot with SQL/PHP sniffing for devices) was consistently scanning my device, despite the above settings being switched on. I can only presume it either found a way around it and could steal the feed anyway, or was scanning to try and find the root password (which luckily I changed before to a very secure password) or any other user accounts set up on the box."

No one cared back then.... :(

TC.
 
Would setting a secure password for root access to your box with the telnet "passwd" command (or Dreambox Control Centre) and enabling HTTP authentication in the openwebif plugin menu be sufficient security?

Oh and changing the streaming port from 8001 to something different too!!
 
The main issue I found with OpenWebIf is that even with HTTP streaming authentication switched on, when I was testing I could still play an m3u playlist on my Dad's internet connection which went to my zGemma, and it didn't ask for authentication once! In theory all HTTP authentication is doing is saying: log in using the web interface. But if you're smart enough and know what you're doing, you can create m3u playlists going to unprotected machines and this requires no authentication. This is why I locked down my router to only allow traffic on port 8080 (my chosen HTTP port) and 8001 from IPs I allow.
It's definitely worth putting a secure password on your root account too if you're exposing it to the outside world.

TC.
 
HTTP authentication and telnet 'passwd' with a secure password will protect the webif. Just doing the HTTP authentication on its own is not enough.
 
We all know streaming HD is pretty much useless unless you've got a mega fast network. Don't think my 22mb will handle it.
 
Still trying to get my head around setting up the required security. Would disabling the Open Web Interface solve this issue?
 
How do you get to change the root password in the latest Sucmnsee image?
Looked all over it but can't find it.
 
HTTP authentication and telnet 'passwd' with a secure password will protect the webif.

I wish it did, but what I posted above shows how you can get around that issue using modified m3u links, which can be distributed easily. You either enable port forwarding and ensure you know what you are allowing through, or you turn off port forwarding completely, or you go down the OpenVPN route...

TC
 
I don't know personally how the modified M3U works. What I do know is some casual user just port scanning will not get in if you have a password and HTTP authentication.

But it isn't casual users who are likely to find an open port. When they found mine, I located the source IP address to a data centre hosted in London which people can rent for a monthly fee. All they would do is run IP scanners en masse (and probably 24/7), and then have automated scripts to interrogate OpenWebIf. They don't need to crack your root password, nor will they be deterred by having HTTP authentication switched on. All HTTP authentication does is ask for a password when you log into the OpenWebIf web interface, but when you click on a channel or programme, it generates an M3U file in the form of http://internalIP:8001/GUIDofChannel. Problem is, the so-called hackers can simply change the IP of the M3U files to your external IP address. This will then play their side with no authentication required. I've tested this myself using my own box and 2 different other broadband lines and confirm this works without any password being asked for. It's up to you really. If you feel safe enough, go for it...
 
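The router lock-down TC describes in the two posts above (only chosen source IPs may reach the OpenWebif HTTP port and the 8001 stream port, because HTTP authentication does not cover the stream), written out as an added example; it is not from this thread or from OpenWebif itself. It assumes the box, or a Linux router in front of it, runs iptables; the home subnet and the allowed public IPs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables allow-list for the
# OpenWebif HTTP port and the 8001 stream port so that only the LAN and a few
# chosen source IPs can reach them. Everything else on those ports is dropped,
# which covers both port scanners and modified m3u links pointed at the box.

WEBIF_PORT=8080    # the HTTP port chosen in the OpenWebif plugin (8080 in the thread)
STREAM_PORT=8001   # default Enigma2 stream port; HTTP authentication does not apply here
LAN_NET=192.168.1.0/24   # assumed home subnet so local clients keep working

# openwebif_rules ALLOWED_IP... -> prints one iptables command per line.
# The stream port gets exactly the same allow-list as the web interface.
openwebif_rules() {
  for port in "$WEBIF_PORT" "$STREAM_PORT"; do
    echo "iptables -A INPUT -p tcp --dport $port -s $LAN_NET -j ACCEPT"
    for ip in "$@"; do
      echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
    done
    # Final rule for the port: anything not allowed above is dropped.
    # Note: -A appends, so a pre-existing blanket ACCEPT earlier in INPUT
    # would take precedence; check `iptables -L INPUT -n` first.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
  done
}

# count_rules ALLOWED_IP... -> number of generated rules (sanity check:
# two ports times (1 LAN + N allowed + 1 DROP)).
count_rules() {
  openwebif_rules "$@" | wc -l | tr -d ' '
}

# apply_rules ALLOWED_IP... -> actually runs the commands; needs root.
apply_rules() {
  openwebif_rules "$@" | while read -r cmd; do
    eval "$cmd" || return 1
  done
}
```

Run `openwebif_rules 203.0.113.10` first to review the commands, then `apply_rules` with the same list once they look right.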
If anyone is watching Derren Brown on Channel 4 at the moment and you keep getting strange subliminal messages on your screen, I am sorry. Ha ha.
 
If anyone is watching Derren Brown on Channel 4 at the moment and you keep getting strange subliminal messages on your screen, I am sorry. Ha ha.

Haha, it can get a bit tin-hat time kiddac, but you have raised a very good thread here. I'm glad the discussion is getting going now! :)
 
It only said: "Do you get paranoid? Big brother is watching. Hope you're enjoying my show." Hilarious, because they are watching Derren Brown.
 