DuffMan, posted July 21, 2014

It is shocking how many people forward ports to their MB install without thinking about the consequences. A simple Google dork reveals several systems running MB3 out there with no credentials set (possibly: ), giving full access to the MB server and its local disks etc.

Maybe a detection to see if the src ip is on the same subnet as the server, and if not always require a password would be a good idea, or just simply not allowing blank passwords.

Sorry if this is posted elsewhere, I couldn't find it. I did see some similar concerns around:

http://mediabrowser.tv/community/index.php?/topic/909-public-open-port-mb3-server-access/ (xbox asks for password each launch, which is annoying)
http://mediabrowser.tv/community/index.php?/topic/919-detect-external-ip-and-require-password/

DuffMan

Beardyname, posted July 21, 2014 (edited July 21, 2014 by Beardyname)

Would not a simple robots.txt solve this regarding Google?

Other than that MB can't really help that ppl do not use passwords.

DuffMan (author), posted July 22, 2014

> Would not a simple robots.txt solve this regarding google ?

Obscurity != security

Also I think those who didn't think of putting a password on their users before forwarding a port, will have no idea what robots.txt is, less how to set it up.

> Other than that MB can't really help that ppl do not use passwords

Although I do agree that it isn't MB's job to do that, I do think they have the potential to. When I add a user with a blank password there is no warning of what I am potentially sharing. Making the software safer by restricting this or warning, will make it more suitable for less tech-savvy users to know what they are actually doing.

Also the purpose of this post was that hopefully some of those users will read this and go and password protect their users.

Beardyname, posted July 22, 2014

> Obscurity != security
>
> Also I think those who didn't think of putting a password on their users before forwarding a port, will have no idea what robots.txt is, less how to set it up.
>
> Although I do agree that it isn't MB's job to do that, I do think they have the potential to.

I could not agree more. I was just thinking out loud that this should be added as a default for mb3 (no need to have crawlers trying to index stuff anyway).

This is one of the most asked for features, but until it gets here we can only hope that users know what they are doing (if not, they are probably not reading the forums either).

Luke, posted July 23, 2014

You already have it with the new API security. Even without a password, anyone who wants to access your content has to go through the API authentication process and obtain a security token. The enforcement of it will be turned on soon once all the clients have been updated.

DuffMan (author), posted July 26, 2014

Hi Luke,

I am not sure how the API is meant to function, but if the user's password is blank, which it is by default, and you just select the login, it logs you in fine. It shows your browser under the security sections with the API key generated next to it.

Are you saying this behaviour will be changed, or should already be working correctly?

Koleckai Silvestri, posted July 26, 2014

I think it would be the administrator's task to set passwords on users. If they don't then nothing will prevent them from being used. Same with people opening ports in their firewalls. They need to take responsibility for that.

DuffMan (author), posted July 26, 2014

It's easy to say that. In reality it works quite differently.

Logos302, posted July 26, 2014

Personally I think there should be an option to ask for a password on next login. As well as an option to ask for a password when not local.

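Editor's added example, not part of the thread and not Media Browser code: one way to implement the check proposed in DuffMan's opening post and in Logos302's post above, where a blank-password account works only from the server's own subnet. The subnet, proxy list and all function names are assumptions made for illustration; the sample addresses are constructed.

```python
import ipaddress

# Constructed sample configuration (hypothetical names, not MB3 settings).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}

def _parse(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 such as ::ffff:192.168.1.5."""
    ip = ipaddress.ip_address(addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def client_ip(peer, forwarded_for=None, proxies=TRUSTED_PROXIES):
    """Return the address to judge. X-Forwarded-For is client-controlled, so it
    is honoured only when the TCP peer is a configured reverse proxy."""
    ip = _parse(peer)
    if forwarded_for and ip in proxies:
        # The right-most entry is the one appended by our own proxy.
        return _parse(forwarded_for.split(",")[-1])
    return ip

def is_local(ip, nets=LOCAL_NETS):
    """True for loopback or any address inside a configured local subnet."""
    return ip.is_loopback or any(ip.version == n.version and ip in n for n in nets)

def login_decision(peer, has_password, password_ok, forwarded_for=None):
    """Return 'allow' or 'deny' for one login attempt."""
    try:
        ip = client_ip(peer, forwarded_for)
    except ValueError:
        return "deny"  # unparseable address: fail closed
    if has_password:
        return "allow" if password_ok else "deny"
    # Blank-password account: usable only from the server's own subnet.
    return "allow" if is_local(ip) else "deny"
```

If the server sits behind a reverse proxy that does not set the forwarded header, every request arrives from loopback and would be judged local, so the proxy list has to match the real deployment.
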
DuffMan (author), posted July 26, 2014

I think the main problem here is that the default behaviour is no password.

Yogi, posted July 26, 2014

> I think it would be the administrator's task to set passwords on users. If they don't then nothing will prevent them from being used. Same with people opening ports in their firewalls. They need to take responsibility for that.

Totally agree, it should be the admin's responsibility to make sure his or her own setup is secure as much as they want it to be.

Logos302, posted July 26, 2014

While I agree that is the admin's responsibility, there still should be some options to allow for this. As Luke has said, they have added tokens, which should go a long way in allowing for a secure system. I'm just not sure it's enough, only time will tell.

Beardyname, posted July 26, 2014

> Personally I think there should be an option to ask for a password on next login. As well as option for ask for Password when not local.

> I think the main problem here is that the default behaviour is no password.

Both of these suggestions are quite possible that they will happen, but my bet is that they don't have top priority.

Read into it if you wish, but it's quite new software, and if you really wish for this to happen, find someone who knows how to code and make a pull request!

DuffMan (author), posted July 28, 2014

Hi Beardyname,

Problem is the people who need this don't know that they do. The people who know about this have already either secured their MB with a password, or use something else like a VPN to ensure it isn't accessible from the public.

30% of servers on the first page of a Google search are unsecured. I think that indicates a problem. I don't want to post that here as it will just make the problem worse.

Yogi,

I think everyone agrees that ultimately security lies with the person installing the software, however well designed software prevents people from making common mistakes.

It looks like this problem being fixed is on the cards, and let's hope for the sake of the less tech-savvy users out there that it does get fixed.

Koleckai Silvestri, posted July 28, 2014

You should write a guide on how people can secure their media network. Then it can be posted on the site. The software itself provides for security already.

DuffMan (author), posted August 11, 2014

Like with any software, most people will leave most settings at default. (here)

I am merely suggesting the default is that there is a password on the account, where currently it is not.

I think there is enough information about the potential risks, I think the problem is that the people don't read it, they just grab the installer and go for it. They only come to the forums if they have a problem, and even then they normally enter from a Google search rather than a forum browse. So most people seeing the guide will already know about the risks, and would have already protected themselves.

I think this topic has been well and truly covered in this post, so I will stop replying now.

Riverhouse, posted October 4, 2014

So I am a newbie and could use your help on this topic. Where do I set these settings? What do I do for remote access from my iPad and devices so I can watch from these devices at a different location away from home. Firewall/modem settings. Thanks. I agree with the comments about not knowing about robot.txt and things like that. Thanks so much.

ebr, posted October 4, 2014

Port Forwarding - A guide

Riverhouse, posted October 4, 2014

Awesome. Just what I needed. Thank you.