Security on MB


DuffMan

DuffMan

It is shocking how many people forward ports to their MB install without thinking about the consequences.

A simple Google dork reveals several systems running MB3 out there with no credentials set (possibly: :P ), giving full access to the MB server and its local disks etc.

Maybe a detection to see if the src IP is on the same subnet as the server, and if not always require a password, would be a good idea, or just simply not allowing blank passwords.

Sorry if this is posted elsewhere, I couldn't find it.

I did see some similar concerns around:

http://mediabrowser.tv/community/index.php?/topic/909-public-open-port-mb3-server-access/ (xbox asks for password each launch, which is annoying)

http://mediabrowser.tv/community/index.php?/topic/919-detect-external-ip-and-require-password/
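The two mitigations proposed in the post above (treat clients outside the server's own subnet as remote and refuse password-less logins from them, and never let a blank-password account be used remotely) can be expressed as a small policy check. The following is an added example written for this thread, not Media Browser code; the function names, the server address/prefix length inputs and the sample login attempts are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Added example (hypothetical policy helper, not Media Browser code).
# Assumptions: the server knows its own LAN address and prefix length,
# and the login handler already knows whether the account has a password
# set and whether the submitted password verified.


def is_local_client(client_ip: str, server_ip: str, prefix_len: int) -> bool:
    """True when client_ip is loopback or on the server's own subnet.

    Malformed addresses, and address families that do not match the
    server's subnet, are treated as NOT local, so bad input can never
    unlock the password-free path.
    """
    try:
        client = ipaddress.ip_address(client_ip)
        lan = ipaddress.ip_network(f"{server_ip}/{prefix_len}", strict=False)
    except ValueError:
        return False
    # 'in' returns False when the IP versions differ (v6 client, v4 LAN).
    return client.is_loopback or client in lan


def login_decision(client_ip: str, server_ip: str, prefix_len: int,
                   password_set: bool, password_ok: bool) -> str:
    """Decide a login attempt. Returns one of:
    allow, allow_local_blank, deny_blank_remote, deny_bad_password.
    """
    local = is_local_client(client_ip, server_ip, prefix_len)
    if not password_set:
        # A blank-password account is only usable from the LAN; a remote
        # client gets refused rather than being waved through.
        return "allow_local_blank" if local else "deny_blank_remote"
    return "allow" if password_ok else "deny_bad_password"


# Constructed sample attempts: (client ip, password set?, password verified?)
SERVER_IP, PREFIX_LEN = "192.168.1.10", 24
SAMPLE_ATTEMPTS = [
    ("192.168.1.20", False, False),  # LAN client, blank-password account
    ("203.0.113.5", False, False),   # internet client, blank-password account
    ("198.51.100.7", False, False),  # another internet client, blank password
    ("203.0.113.5", True, True),     # internet client, correct password
    ("203.0.113.9", True, False),    # internet client, wrong password
]


def summarize(attempts, server_ip=SERVER_IP, prefix_len=PREFIX_LEN) -> dict:
    """Count decisions per outcome; a non-zero deny_blank_remote count is
    the signal that a blank-password account is reachable from outside."""
    counts = Counter(
        login_decision(ip, server_ip, prefix_len, pw_set, pw_ok)
        for ip, pw_set, pw_ok in attempts
    )
    return dict(counts)


if __name__ == "__main__":
    for ip, pw_set, pw_ok in SAMPLE_ATTEMPTS:
        print(ip, "->", login_decision(ip, SERVER_IP, PREFIX_LEN, pw_set, pw_ok))
    print(summarize(SAMPLE_ATTEMPTS))
```

The subnet test is deliberately conservative: anything that fails to parse, or that is a different IP version from the LAN, is treated as remote, so the only way to reach a blank-password account is from the server's own network. If the server sits behind a reverse proxy the client address must be taken from a trusted forwarded header, otherwise every client looks like the proxy and the check is meaningless.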

Beardyname

Would not a simple robots.txt solve this regarding Google?

Other than that MB can't really help that ppl do not use passwords :)

DuffMan

Would not a simple robots.txt solve this regarding Google?

Obscurity != security

Also I think those who didn't think of putting a password on their users before forwarding a port will have no idea what robots.txt is, much less how to set it up.

Other than that MB can't really help that ppl do not use passwords :)

Although I do agree that it isn't MB's job to do that, I do think they have the potential to.

When I add a user with a blank password there is no warning of what I am potentially sharing. Making the software safer by restricting this or warning will make it more suitable for less tech-savvy users to know what they are actually doing.

Also the purpose of this post was that hopefully some of those users will read this and go and password protect their users.

Beardyname

Obscurity != security

Also I think those who didn't think of putting a password on their users before forwarding a port will have no idea what robots.txt is, much less how to set it up.

Although I do agree that it isn't MB's job to do that, I do think they have the potential to.

I could not agree more :) I was just thinking out loud that this should be added as a default for mb3 (No need to have crawlers trying to index stuff anyway)

This is one of the most asked for features but until it gets here we can only hope that users know what they are doing (If not they are probably not reading the forums either)

You already have it with the new API security. Even without a password anyone who wants to access your content has to go through the API authentication process and obtain a security token. The enforcement of it will be turned on soon once all the clients have been updated.

DuffMan

Hi Luke,

I am not sure how the API is meant to function, but if the user's password is blank, which it is by default, and you just select the login, it logs you in fine.

It shows your browser under the security sections with the API key generated next to it.

Are you saying this behaviour will be changed, or should it already be working correctly?

Koleckai Silvestri

I think it would be the administrator's task to set passwords on users. If they don't then nothing will prevent them from being used. Same with people opening ports in their firewalls. They need to take responsibility for that.


Logos302

Personally I think there should be an option to ask for a password on next login, as well as an option to ask for a password when not local.

Yogi

I think it would be the administrator's task to set passwords on users. If they don't then nothing will prevent them from being used. Same with people opening ports in their firewalls. They need to take responsibility for that.

Totally agree, it should be the admin's responsibility to make sure his or her own setup is as secure as they want it to be.

Logos302

While I agree that is the admin's responsibility, there still should be some options to allow for this. As Luke has said they have added tokens, which should go a long way in allowing for a secure system. I'm just not sure it's enough; only time will tell.

Beardyname

Personally I think there should be an option to ask for a password on next login, as well as an option to ask for a password when not local.

I think the main problem here is that the default behaviour is no password.

Both of these suggestions are quite possible to happen, but my bet is that they don't have top priority :)

Read into it if you wish, but it's quite new software and if you really wish for this to happen find someone who knows how to code and make a pull request!

DuffMan

Hi Beardyname,

Problem is the people who need this don't know that they do.

The people who know about this have already either secured their MB with a password, or use something else like a VPN to ensure it isn't accessible from the public.

30% of servers on the first page of a Google search are unsecured. I think that indicates a problem. I don't want to post that here as it will just make the problem worse.

Yogi, I think everyone agrees that ultimately security lies with the person installing the software; however, well designed software prevents people from making common mistakes.

It looks like this problem being fixed is on the cards, and let's hope for the sake of the less tech-savvy users out there that it does get fixed.

Koleckai Silvestri

You should write a guide on how people can secure their media network. Then it can be posted on the site. The software itself provides for security already.


2 weeks later...
DuffMan

Like with any software, most people will leave most settings at default. (here)

I am merely suggesting the default is that there is a password on the account, where currently there is not.

I think there is enough information about the potential risks; I think the problem is that people don't read it, they just grab the installer and go for it.

They only come to the forums if they have a problem, and even then they normally enter from a Google search rather than a forum browse.

So most people seeing the guide will already know about the risks, and would have already protected themselves.

I think this topic has been well and truly covered in this post, so I will stop replying now.

1 month later...
Riverhouse

So I am a newbie and could use your help on this topic. Where do I set these settings? What do I do for remote access from my iPad and devices so I can watch from these devices at a different location away from home? Firewall/modem settings. Thanks. I agree with the comments about not knowing about robots.txt and things like that. Thanks so much.
