*HELP* Secure Moode Audio Player from other People
#1
Question 
Hello to all, 

I am new to this forum and have my first question.
How can the Moode Audio Player be secured from other people in the same wifi/network?

My player runs in an office network with many other people in the same network (up to 50 mobile devices) and I do not want anyone outside my department to be able to control the device.


A first network scan lists open ports -> nginx (80 & 443), ssh (22), mpd (6600) and airplay (5000).

SSH is protected with a password (changed it already). For Airplay I edited the shairport config file and added a password. Works great.

Does anyone have a trick to protect the mpd server? If I edit the mpd config and insert a password, the webgui cannot open playlists and control the mpd server.
Last step, the webgui. I know the basics on apache: create virtual hosts with an htpasswd file, redirect to https and import a self-signed ssl certificate (to protect the password input if anyone scans the network with wireshark) - but not on nginx (I can google it, that's not the problem, but I want to know if it works flawlessly with the gui after I protect the nginx webserver).

Another idea I had was to protect the whole pi with iptables and a mac filter list, so that only certified MACs can interact with the pi network interface. (I know it's not really hard to spoof the mac with wireshark, but basically it would be enough protection for me)

Setup: Raspberry 4 with Hifiberry DAC on release 6.7.1 2020-07-22

Thanks for helping.
Best regards
Patrick

and by the way: Nice work with moode 7 @ MoodeAudio Team
Reply
#2
(10-17-2020, 09:36 PM)PatiTati Wrote: Hello to all, 

........... snip ....................
How can the Moode Audio Player be secured from other people in the same wifi/network?

My player runs in an office network with many other people in the same network (up to 50 mobile devices) and I do not want anyone outside my department to be able to control the device
............ snip ......................

I know I'm not helping... but I cannot but wonder:
- how is it possible that any user can connect their non-company devices with unrestricted access to your company network
- whether you may find yourself in 'hot water' for not abiding by your employer's Ts & Cs (surely the Network and the IT Security chaps'n'chapesses are monitoring any consistent traffic on the network)

just saying... Angel
Reply
#3
(10-18-2020, 06:04 AM)CallMeMike Wrote:
(10-17-2020, 09:36 PM)PatiTati Wrote: Hello to all, 

........... snip ....................
How can the Moode Audio Player be secured from other people in the same wifi/network?

My player runs in an office network with many other people in the same network (up to 50 mobile devices) and I do not want anyone outside my department to be able to control the device
............ snip ......................

I know I'm not helping... but I cannot but wonder:
- how is it possible that any user can connect their non-company devices with unrestricted access to your company network
- whether you may find yourself in 'hot water' for not abiding by your employer's Ts & Cs (surely the Network and the IT Security chaps'n'chapesses are monitoring any consistent traffic on the network)

just saying... Angel

I know what you mean. But this network is only and explicitly a network for non-company devices. For private use. For our company devices we have a separate restricted ssid with a different vlan.
Reply
#4
I got it... I can only think of a rather convoluted method of re-directing the traffic from a password-protected host to the actual RPi running MoOde... a bit of a fuss...
Reply
#5
Hey,

To protect mpd server you could set mpd to listen only on localhost:

In /etc/mpd.conf
Code:
bind_to_address "localhost"

Instead of:
Code:
bind_to_address "any"

To make this permanent:
Code:
 moodeutl -q "UPDATE cfg_mpd SET VALUE = 'localhost' WHERE PARAM = 'bind_to_address'"

For webgui password protecting, check here:
http://moodeaudio.org/forum/showthread.php?tid=341
Reply
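A way to confirm the change suggested in post #5 took effect, added here as an example (not part of the original thread and not moOde's own tooling): it reads the active `bind_to_address` from an mpd.conf and lists which of the ports named in the thread still listen on a non-loopback address. The function names are hypothetical and the config and `ss` lines are constructed samples in the layout `ss -Hltn` prints.

```sh
#!/bin/sh
# Added example. Function names and sample data are constructed for illustration.

# Print every bind_to_address value that is active (not commented out)
# in an mpd.conf read from stdin.
mpd_bind_addresses() {
    sed -n 's/^[[:space:]]*bind_to_address[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Read `ss -Hltn` lines on stdin and print "port address" for each watched
# port (comma-separated list in $1) that listens on a non-loopback address.
exposed_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in watch)) next
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            print port, addr
        }'
}

# Constructed mpd.conf fragment after the change from post #5.
sample_mpd_conf() {
    cat <<'EOF'
# bind_to_address "any"
bind_to_address "localhost"
port "6600"
EOF
}

# Constructed listener tables: before (bind "any") and after (bind "localhost").
sample_ss_before() {
    cat <<'EOF'
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 5 0.0.0.0:6600 0.0.0.0:*
LISTEN 0 128 [::]:5000 [::]:*
EOF
}
sample_ss_after() {
    cat <<'EOF'
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 5 127.0.0.1:6600 0.0.0.0:*
LISTEN 0 5 [::1]:6600 [::]:*
LISTEN 0 128 [::]:5000 [::]:*
EOF
}

echo "mpd binds to: $(sample_mpd_conf | mpd_bind_addresses)"
echo "before:"; sample_ss_before | exposed_listeners 80,443,6600,5000
echo "after:";  sample_ss_after  | exposed_listeners 80,443,6600,5000
# On the player itself: ss -Hltn | exposed_listeners 80,443,6600,5000
```

In the "after" sample, port 6600 drops out of the list while 80 and 5000 remain, so the web UI and AirPlay still need their own protection.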
#6
(10-18-2020, 07:48 AM)TookaFace Wrote: Hey,

To protect mpd server you could set mpd to listen only on localhost:

In /etc/mpd.conf
Code:
bind_to_address "localhost"

Instead of:
Code:
bind_to_address "any"

To make this permanent:
Code:
 moodeutl -q "UPDATE cfg_mpd SET VALUE = 'localhost' WHERE PARAM = 'bind_to_address'"

For webgui password protecting, check here:
http://moodeaudio.org/forum/showthread.php?tid=341

Hey TookaFace,

Thanks for your help. That's not exactly what I'm looking for, but at least one possibility.
Unfortunately, with this setting I cannot control the mpd with an app myself.
Most MPD apps have the option of entering a password in the connection manager.

If there is currently no other option, I will implement your suggestion.

For webgui protection I have found this thread already, but I think it's outdated with the commands inside. "ONLY FOR 6.4.1" & "The previous workaround is no longer working. In fact the workaround kill the player."

Thank you for your efforts
Reply
#7
Oh, I missed that you updated the thread to "6.4.1 or higher". I'll try it today. Thanks a lot!
Reply
#8
You still can control with moOde Web Ui protected by password with Nginx, but yeah if you want to control with a MPD app then it will not work.
Reply
#9
That's okay for me. Controlling the MPD with an app is not important for my project, but nice to have if it works. Maybe other forum members have a solution for that?

It would be cool if you could set a password for the MPD server in the web ui MPD config tab and the web ui would be able to handle it.
But I think that's not necessary in normal private use and too much code to implement...

*edit* I don't know if there is a market for it, but it would also be cool if there would be a commercial version of moode, in which functions to secure the audio player were integrated. A kind of kiosk mode for commercial projects.
Reply
#10
(10-18-2020, 10:40 AM)PatiTati Wrote: ....................... snip .........................

*edit* I don't know if there is a market for it, but it would also be cool if there would be a commercial version of moode, in which functions to secure the audio player were integrated. A kind of kiosk mode for commercial projects.

FREE FOR ALL software getting 'monetised'...? I can almost see a few people getting up in arms Undecided
Reply