Moode Forum
[PROBLEM] Hardening your moOde streamer - Printable Version

+- Moode Forum (https://moodeaudio.org/forum)
+-- Forum: moOde audio player (https://moodeaudio.org/forum/forumdisplay.php?fid=3)
+--- Forum: Support (https://moodeaudio.org/forum/forumdisplay.php?fid=7)
+--- Thread: [PROBLEM] Hardening your moOde streamer (/showthread.php?tid=1483)



Hardening your moOde streamer - Listener - 06-23-2019

The following article got me to thinking:

https://www.zdnet.com/article/nasa-hacked-because-of-unauthorized-raspberry-pi-connected-to-its-network/

The use of default user names and passwords, logins with root privileges, http instead of https, and sudo access without passwords are all serious security concerns. I am no rpi security expert and wonder what other potential security problems there might be in a typical installation. 

My questions are:

What potential security problems exist in a rpi/moOde installation?

What are you doing to harden your streamer?

Best regards,

     John


RE: Hardening your moOde streamer - BigScaryTiger - 06-23-2019

Being able to use https:// would be good... My browsers all complain when I try and connect to http://moode.local


RE: Hardening your moOde streamer - Tim Curtis - 06-23-2019

If you're not connecting a moOde Pi directly to the Internet there is really no need to further secure it but if you want to calm your mind then this article has some configs. I haven't tried them so YMMV.
https://www.raspberrypi.org/documentation/configuration/security.md


RE: Hardening your moOde streamer - Listener - 06-24-2019

(06-23-2019, 06:57 PM)Tim Curtis Wrote: If you're not connecting a moOde Pi directly to the Internet there is really no need to further secure it but if you want to calm your mind then this article has some configs. I haven't tried them so YMMV.
https://www.raspberrypi.org/documentation/configuration/security.md

MoOde has to have Internet access to stream radio, tidal, etc., http ports open to allow client access, and at least lan access to stream from a nas. I notice also that two smb ports are open as well. I read that rpi security article earlier, will implementing any of that interfere with moOde functionality?

Best,

    John


RE: Hardening your moOde streamer - Tim Curtis - 06-24-2019

When a host is directly connected to the Internet its like below. The host obviously has to be secure.

HOST <--> Public Internet

Prolly 99.9% of moOde hosts are not directly connected to the Internet. They are behind a home Router which provides an air gap between the Internet and the hosts behind it, like below.

HOST <--> Router | air gap | <--> Public Internet

The "air gap" performs what is called Network Address Translation (NAT) which maps the Routers public Internet address to the private addresses of the HOSTS behind it. These private addresses are non-routable and so even if it were known that a HOST behind a Router was assigned address 192.168.1.35 no one on the Public Internet could directly address it cos its a non-routable address.

Modern Routers also have Firewalls and other security measures in the "air gap" that protect the Router itself and provide other protections for the HOSTS behind it. 

Given that stock moOde only accesses well known Internet radio stations, moodeaudio.org for updates, Internet time servers and other well known resources,  it would be highly unlikely that any malicious code would be injected from these sites.

-Tim