Securing external access to the server
Is there any mechanism that can restrict access to the Media Server, as a whole, not content specific?
What I'm looking for is a way that IF I were to make my server accessible outside of my network, I could control what devices could connect remotely. Either by a userID and password for Browser/Flash access, or MAC address for any type of client. Realistically I'm only wanting to do this for access from outside the network the server is on, but I could see in some cases it would be useful internally as well.
Otherwise if I open my server to the net so I can use it wherever I am, so can anyone else, which apart from folks soaking my bandwidth if they find my server, I'm sure would be tantamount to "broadcasting" or file sharing, which is not something I want to be open to.
Re: Securing external access to the server
Same here I would like to know as well
Thanks
Re: Securing external access to the server
I did look at the Media Receivers page in the config. I'd hoped with the "Enable sharing for new media receivers automatically:" option unticked that this would stop the Web interface working from a device not on the list. However this option makes no difference, the unlisted device is still able to access the web interface and listen to music AND the unlisted device then ends up on the list.
However, even if that worked, it would not help me here, as the device listing includes both the MAC address and an IP address. But when I take any media device out into the big wide world I won't be able to predict the IP address.
Re: Securing external access to the server
An update for anyone holding out for being able to restrict access to Twonky by MAC address... I don't think it can be done.
Having not found a way to do it inside Twonky I decided to teach myself about Linux firewalls and over time managed to build a firewall on my Linux server containing Twonky that would only accept connections from a list of named MAC addresses. Which I was very proud of until I tried accessing the server from outside my network with a registered device, and it couldn't get through.
The thing is (I now know), that any TCP/IP packet coming in from the network outside, always presents itself as being from the router - bummer. I know MAC addresses are spoofable and so no more secure than an IP address, but it would have been nice to be able to name devices you want to let in as at least a discouraging filter to stop people pillaging your media collection.
-
- Posts:1
- Joined:Thu Mar 03, 2011 6:44 am
- AV Hardware:Twonky Server running on Windows 7 Ultimate
Re: Securing external access to the server
I would also love to know if this is possible. However, MAC address filtering can be circumvented by a ten year old and is no longer a real method of security. I know you probably know this but anyone who knows that your IP is a server is probably going to be smart enough to spoof. Even if it is just a dinky media server with nothing important on it, if I noticed one of these in my neighborhood on someone's secured wifi I'd connect just because it's so easy to defeat WPA and filtering, and I could snag movies or whatever.
I really hope they let us set http passwords, because like you I also do not like the idea of connecting my server to the internet for convenience if I cannot do anything to protect it easily. It does not simply open up your media collection to the internet, it opens up an entire machine that can be harnessed for any number of things.
Re: Securing external access to the server
fatalelement wrote: I would also love to know if this is possible. However, MAC address filtering can be circumvented by a ten year old and is no longer a real method of security. I know you probably know this but anyone who knows that your IP is a server is probably going to be smart enough to spoof. Even if it is just a dinky media server with nothing important on it, if I noticed one of these in my neighborhood on someone's secured wifi I'd connect just because it's so easy to defeat WPA and filtering, and I could snag movies or whatever.
Yep, I realise that. You can get past filters by spoofing addresses, just as you can get by userid and password security if you know what you are doing. Once you are public, anyone determined enough will find some way through. But at least you have the obstacles of first knowing there's something there to be had before figuring out what you need to circumvent to get at it, which would stop the bulk of people stumbling upon it.
The problem I have is there doesn't appear to be a way to expose Twonky without making it an absolute gift.
Though of course currently I believe it doesn't work anyway, as the web UI communicates with the media server part by local IP which falls flat on its face once you are outside the local network.
- phibertron
- Posts:1566
- Joined:Sun Jan 30, 2011 5:52 pm
- AV Hardware:Hardware
========
WHS - HP Ex495
PS3
XBOX 360
iTouch - Gen 2 and Gen 3
PSP - 3000
Encoders
========
Handbrake
x264
ffmpeg
mencoder
Tagging
======
mp3tag
Re: Securing external access to the server
I haven't attempted this "idea" yet, but I think it might work
So say one had a web server running at home
What if one created a site on it that was a page that did some sort of include to twonky webbrowse
( the include would have to be using the remote dns name and port one has to configure)
The site created on the web server could be set to use https and then made to require logon etc.
This website would be what was port forwarded to from the outside
One would not port forward to the twonky server at all from the outside
being that the site is doing an include, and being it would/should be local, it should work
But one would still have to configure twonky with remote access settings
to enable its returned links to be based off of its remote dns name
Like I said this is just an idea that if I had to attempt it, this is what I would attempt, at present
But in the end, it would be great to be able to have a user name password, that wasn't the admin account, for access
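The front-end idea in the post above, done as a reverse proxy instead of a page include, as an added example that is not part of the thread and not Twonky's own code: only the proxy's port is forwarded on the router, and it fetches from the media server over a local address after checking a non-admin login. The backend address, ports, account name, password and certificate paths are all assumptions.

```python
import base64, hashlib, hmac, ssl, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Every value here is an assumption for illustration, not taken from the thread.
BACKEND = "http://127.0.0.1:9000"             # media server, reachable only locally
USER, SALT = "listener", b"constructed-salt"  # hypothetical non-admin account
PW_HASH = hashlib.pbkdf2_hmac("sha256", b"change-me", SALT, 200_000)  # sample password

def authorized(header):
    """True only for a well-formed Basic header with the expected user and password."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 200_000)
    user_ok = hmac.compare_digest(user.encode(), USER.encode())
    return hmac.compare_digest(digest, PW_HASH) and user_ok

class Gate(BaseHTTPRequestHandler):
    def do_GET(self):
        if not authorized(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="media"')
            self.end_headers()
            return
        if not self.path.startswith("/"):  # keep the request pinned to BACKEND's host
            self.send_error(400)
            return
        try:  # fetched on the server side; the client never reaches BACKEND directly
            with urllib.request.urlopen(BACKEND + self.path, timeout=10) as r:
                body, ctype = r.read(), r.headers.get("Content-Type", "application/octet-stream")
        except OSError:
            self.send_error(502)
            return
        self.send_response(200)  # whole body is buffered: fine for pages, not large media
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    srv = ThreadingHTTPServer(("0.0.0.0", 8443), Gate)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # Basic auth needs TLS underneath it
    ctx.load_cert_chain("cert.pem", "key.pem")     # placeholder certificate paths
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()
```

The proxy does not rewrite absolute links inside the pages the media server returns, which is the local-address problem raised elsewhere in this thread.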
Re: Securing external access to the server
I had thought about that, if I included "internally" then an external access would fail not seeing the local address. If I did the include using the remote dns name then the routing goes externally, at which point you have to open the port and put in NAT rules to get the request routed to the right device internally. At which point your Twonky server is "gifted" to the outside world again.
- phibertron
Re: Securing external access to the server
gotcha
well, guess it's back to requesting for user name and password ability to webbrowse access
even if it was just a single user defined like we do for config access
but not the same account for many reasons
Re: Securing external access to the server
Yeah that would do it for me. I'm under no illusions it would be "secure" but it would be secure enough to stop casual access getting at my media and bandwidth.