Securing external access to the server

[steamhead]

Is there any mechanism that can retrict access to the Media Server, as a whole, not content specific?

What I'm looking for is a way that IF I were to make my server accessible outside of my network, I could control what devices could connect remotely. Either by a userID and password for Browser/Flash access, or MAC address for any type of client. Realistically I'm only wanting to do this for access from outside the network the server is on, but I could see in some cases it would be useful internally as well.

Otherwise if I open my server to the net so I can use it wherever I am, so can anyone else, which apart from folks soaking my bandwidth if they find my server, I'm sure would be tantamount to "broadcasting" or file sharing, which is not something I want to be open to.

[ezclips]

Same here I would like to know as well
Thanks

[steamhead]

I did look at the Media Receivers page in the config. I'd hoped with the "Enable sharing for new media receivers automatically:" option unticked that this would stop the Web interface working from a device not on the list. However this option makes no difference, the unlisted device is still able to access the web interface and listen to music AND the unlisted device, then ends up on the list.

However, even if that worked, it would not help me here, as the device listing includes both the MAC address and an IP address. But when I take any media device out into the big wide world I won't be able to predict the IP address.

[steamhead]

An update for anyone holding out for being able to restrict access to Twonky by MAC address... I don't think it can be done.

Having not found a way to do it inside Twonky I decided to teach myself about Linux firewalls and over time managed to build a firewall on my Linux server containing Twonky that would only accept connections from a list of named MAC addresses. Which I was very proud of until I tried accessing the server from outside my network with a registered device, and it couldn't get through.

The thing is (I npw know), that any TCP/IP packet coming in from the network outside, always presents itself as being from the router - bummer. I know MAC addesses are spoofable and so no more secure than an IP address, but it would have been nice to be able to name devices you want to let in as at least a discouraging filter to stop people pillaging your media collection.

[fatalelement]

I would also love to know if this is possible. However, MAC address filtering can be circumvented by a ten year old and is no longer a real method of security. I know you probably know this but anyone who knows that your IP is a server is probably going to be smart enough to spoof. Even if it is just a dinky media server with nothing important on it, if I noticed one of these in my neighborhood on someone's secured wifi I'd connect just because it's so easy to defeat WPA and filtering, and I could snag movies or whatever.

I really hope they let us set http passwords, because like you I also do not like the idea of connecting my server to the internet for convenience if I cannot do anything to protect it easily. It does not simply open up your media collection to the internet, it opens up an entire machine that can be harnessed for any number of things.

[steamhead]

I would also love to know if this is possible. However, MAC address filtering can be circumvented by a ten year old and is no longer a real method of security. I know you probably know this but anyone who knows that your IP is a server is probably going to be smart enough to spoof. Even if it is just a dinky media server with nothing important on it, if I noticed one of these in my neighborhood on someone's secured wifi I'd connect just because it's so easy to defeat WPA and filtering, and I could snag movies or whatever.

Yep, I realise that. You can get past filters by spoofing addresses, just as you can get by userid and password security if you know what you are doing. Once you are public, anyone determined enough will find some way through. But at least you have the obstacles of first knowing there's something there to be had before figuring out what you need to circumvent to get at it, which would stop the bulk of people stumbling upon it.

The problem I have is there doesn't appear to be a way to expose Twonky without making it an absolute gift.

Though of course currently I believe it doesn't work anyway, as the web UI communicates with the media server part by local IP which falls flat on its face once you are outside the local network.

[phibertron]

I haven't attempted this "idea" yet, but I think it might work

So say one had a web server running at home
What if one created a site on it that was a page that did some sort of include to twonky webbrowse
( the include would have to be using the remote dns name and port one has to configure)

The site created on the web server could be set to use https and then made to require logon etc.
This website would be what was port forwarded to from the outside
One would not port forward to the twonky server at all from the outside
being that the site is doing an include, and being it would/should be local, it should work

But one would still have to configure twonky with remote access settings
to enable its returned links to be based off of it remote dns name

Like I said this is just an idea that if I had to attempt it, this is what I would attempt, at present

But in the end, it would be great to be able to have a user name password, that wasnt the admin account, for access

[steamhead]

I had thought about that, if I included "internally" then an external access would fail not seeing the local address. If I did the include using using the remote dns name then the routing goes externally, at which point you have to open the port and put in NAT rules to get the request routed to the right device internally. At which point your Twonky server is "gifted" to the outside world again.

[phibertron]

gotcha

well, guess its back to requesting for user name and password ability to webbrowse access
even if it was just a single user defined like we do for config access
but not the same account for many reasons

[steamhead]

Yeah that would do it for me. I'm under no illusions it would be "secure" but it would be secure enough to stop casual access getting at my media and bandwidth.