WebIF - can it be accessed from the WAN?

Wallace

Traveler 34122
Sorry to 'butt-in'. I like to dabble, just because I can, not that I have a need.

I have enabled SSL in the WebIF and forwarded TCP port 443 (SSL) in my router to my Humax IP address.

Provided the Humax is switched on, I can access the WebIF from anywhere. I simply type https://routerIPaddress, and I go straight to my Hummy.

I am only 'playing' as RS satisfies my needs. But my question is, am I leaving my network exposed doing this?
 
OP
makem

Member
You don't need a full VPN to access your Humax remotely - you only need to forward the ports that are of interest, typically 23 (telnet) and 80 (http). I wouldn't bother trying to forward 21 (ftp) due to the slow speeds you would get.

This is best done using PuTTY. You need to port forward from your router to the ssh service (22) on the Humax and then set up a tunnel under the PuTTY SSH settings. First, get SSH working remotely, then add a local tunnel to 127.0.0.1, from port 80 to port 80 and save the config. Close your PuTTY session and restart it and then point your browser to http://127.0.0.1 and you should see the WebIF. It's surprisingly straightforward once you have done it a couple of times. You don't need to bother with SSL either because the SSH session is already encrypted. If you want to do the same with telnet, then make sure that the ports are 23 at either end of the tunnel and then telnet to 127.0.0.1 (Windows systems don't normally have telnet open so that should be fine).

What you are doing with this setup is you are telling your computer to echo the service that is at the other end and to make it appear like it is actually running on your machine.

Once you are happy with the basics of SSH, you should do 2 more things:
1) Change the port to something that isn't guessable, because hackers go looking for open SSH services.
2) Disable keyboard authentication and use keys instead. Even if a hacker or 'bot finds the port, they're not going to get in unless they are really lucky (the odds of winning the UK and euro lotteries on the same week are probably more likely).

snip>
First, get SSH working remotely, then add a local tunnel to 127.0.0.1, from port 80 to port 80 and save the config.
snip>
I have SSH working using the settings in webIF. But don't know how to 'add a local tunnel'. Can you assist?

snip>
because hackers go looking for open SSH services
snip>
Is my current SSH service open?
I have not yet changed the port but will do so.

snip>
Disable keyboard authentication and use keys instead
snip>
The SSH I am using uses a certificate and a password.

Thanks for your input.
 

Sam Widges

Active Member
In the SSH config, in the left-hand window select Connection>SSH>Tunnels. In the box that says Source port, type "80". In Destination, type "127.0.0.1:80", then click "Add". Make sure that the "Local" radio button under Destination is checked. Finally, go back to the top level and save the details. After that, every time that you set up a new session, the tunnel will be there.

If you can access SSH remotely, then it is open. Running it on a different port is important so that they can't find it easily, and preventing keyboard authentication (username and password) is the next hardening step. You need to confirm that username/password authentication is actually disabled by not using keys and seeing what happens.
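One way to carry out the check described in the post above without guessing, as an added example that is not part of the original thread: ask the server which authentication methods it still offers. It assumes the OpenSSH client (`ssh`) is available and the host key has already been accepted; the host and port are whatever you pass on the command line.

```python
import re
import subprocess
import sys

PASSWORD_STYLE = {"password", "keyboard-interactive"}

def offered_methods(ssh_stderr):
    """Collect the auth methods the server says can continue, from ssh's stderr."""
    methods = set()
    for line in ssh_stderr.splitlines():
        m = (re.search(r"Permission denied \(([^)]*)\)", line)
             or re.search(r"Authentications that can continue: (\S+)", line))
        if m:
            methods.update(x.strip() for x in m.group(1).split(",") if x.strip())
    return methods

def verdict(ssh_stderr):
    """'password-offered', 'no-password', or 'unknown' if no method list was seen."""
    methods = offered_methods(ssh_stderr)
    if not methods:
        return "unknown"           # refused, timed out, or host key not yet accepted
    if methods & PASSWORD_STYLE:
        return "password-offered"  # username/password logins are still possible
    return "no-password"

def check_host(host, port=22, user="root"):
    """Connect offering no key and no password; the refusal lists what is allowed."""
    cmd = ["ssh", "-p", str(port),
           "-o", "BatchMode=yes",                  # never prompt for anything
           "-o", "PreferredAuthentications=none",  # offer no credentials at all
           "-o", "ConnectTimeout=10",
           f"{user}@{host}", "true"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return verdict(proc.stderr)

if __name__ == "__main__":
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print(check_host(sys.argv[1], port))
```

Run it from outside the network against the forwarded port as well as from inside, since that is the port that matters for exposure.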
 

oijonesey

Hummy.tv SEO Guru
But my question is, am I leaving my network exposed doing this?

I'm no expert but I'd have to say surely yes you are. If something did hit your router's IP address then the person at the other end would be in your hummy just like you can. Presumably then they would be able to find a clue about the first three elements of your local IP addresses which would then mean only 256 others to check (starting with those nearest to that of the Hummy) to find any other devices on your network. Including your PC which would be where you type all your usernames and passwords and stuff.

At best the on board username option on the webif would slow them down getting into the Hummy but might still give them some clues about your local IP address structure to get them closer to your PC.

Or p'raps my lack of knowledge is now blisteringly apparent and none of this is true!!
 
OP
makem

Member
In the SSH config, in the left-hand window select Connection>SSH>Tunnels. In the box that says Source port, type "80". In Destination, type "127.0.0.1:80", then click "Add". Make sure that the "Local" radio button under Destination is checked. Finally, go back to the top level and save the details. After that, every time that you set up a new session, the tunnel will be there.

If you can access SSH remotely, then it is open. Running it on a different port is important so that they can't find it easily, and preventing keyboard authentication (username and password) is the next hardening step. You need to confirm that username/password authentication is actually disabled by not using keys and seeing what happens.

As af123 pointed us to the HTTPS web server in 'settings', perhaps he can confirm if it is open. Username/password authentication is not disabled. I am concerned about security because I will be one of maybe 20 Europeans in a city of 10 million. I am well known, having been the subject of newspaper articles (see my web page). As soon as it is known I am there maybe half the population will try to access my computer lol.

With respect to:
snip>
Finally, go back to the top level and save the details.
snip>
Is saving the details necessary to use the facility or just to save for future use?

snip>
After that, every time that you set up a new session, the tunnel will be there.
snip>
Does that mean every time I access the LAN remotely?

Sorry to be such a dunce but when I was your age (probably) I was making radios at home with valves, pencil thick resistors and wiring as thick as chicken wire lol.
 

Sam Widges

Active Member
As af123 pointed us to the HTTPS web server in 'settings', perhaps he can confirm if it is open. Username/password authentication is not disabled.

Authentication for SSH is different to authentication for WebIF. Once you have a well authenticated SSH tunnel in place, you don't need to rely on other security mechanisms - just make sure that nothing can work if the SSH tunnel breaks or you might then end up sending information unprotected and not realise that the tunnel has dropped.

I am concerned about security because I will be one of maybe 20 Europeans in a city of 10 million. I am well known, having been the subject of newspaper articles (see my web page). As soon as it is known I am there maybe half the population will try to access my computer lol.

I know what you mean.

With respect to:
snip>
Finally, go back to the top level and save the details.
snip>
Is saving the details necessary to use the facility or just to save for future use?

It just makes life easier. You can enter the details for each PuTTY session every time if you want, but if you get it wrong and forget to close a window, it can get unnecessarily confusing.

snip>
After that, every time that you set up a new session, the tunnel will be there.
snip>
Does that mean every time I access the LAN remotely?

This is not about accessing the LAN, it is about accessing WebIF through a secure tunnel. Every time you open SSH to the remote end, you should be able to point your browser at http://127.0.0.1 and see the webif.

Sorry to be such a dunce but when I was your age (probably) I was making radios at home with valves, pencil thick resistors and wiring as thick as chicken wire lol.

You'd be surprised: Black Hole might include me in his list of BYTs, but in my case, the 'Y' bit is overly optimistic!
 

Wallace

Traveler 34122
@oijonesey
I forgot to mention that I have enabled password protection in the WebIF.

As I say, I was/am only playing. It's only any good if the Hummy is on 24/7 and that isn't going to happen.

That's where RS comes in. Very, very handy!

I will keep quiet, sorry to have hijacked the thread, it just seemed very related to the thread.
 
OP
makem

Member
OK, I, like most people, enjoy learning so I would like to carry on if you don't mind, Sam.

Steps carried out:
1. Open Putty, scroll down to SSH/Tunnels
2. Enter 80 port and destination 127.0.0.1:80 make sure 'Local' radio button is checked and select Add
3. Scroll up in LH pane and select Session
4. Highlight 'Default Settings' and select Save (Found how to do by our friend google)
5. Close Putty via the 'x'
6. Open Putty and while in 'Session', select Load (checked that tunnel settings were in place)
7. Select 'Open' button (I am assuming this 'opens' a session)
8. Browse to http://127.0.0.1:80

At this point I get a can't connect error

I will be googling to try to find the reason

I find that after selecting 'Open' I should get a new window to log on. I don't get a window. So on with google
Now find I should enter 'localhost' and port (22 already set) so fwd 22
Now Putty opens a window complete with Putty Fatal Error - Network error: connection refused.
Considering waiting for guidance now lol
 

Sam Widges

Active Member
You probably aren't giving the IP address of either the Humax or the router in the "Host Name" box.

Start your testing by tunnelling port 80 through a direct ssh connection to the Humax and, when that works, set up port forwarding through the router and get that working. Save the tunnel details in sessions for each because it will allow you to have different settings for different connections - for instance I recommend that you use an obscure port number when connecting from the outside.

Remove that bit about the tunnel to port 22, it's not needed and would either break the connection or lead to unpredictable behaviour.
 
OP
makem

Member
I am really surprised that with what appears to be such simple settings I cannot get it right.

Router ports fwd to 192.168.x.x: 21; 22; 23; 80 currently

Steps carried out:
1. Open Putty, enter 192.168.x.x in the host name and port 80
2. Select radio button SSH
3. Scroll down to SSH/Tunnels
4. Enter 80 port and destination 127.0.0.1:80 make sure 'Local' radio button is checked and select Add
5. Scroll up in LH pane and select Session
6. Enter a name for saved settings and select Save
7. Close Putty via the 'x'
8. Open Putty and while in 'Session', highlight named session and select Load
9. Select 'Open' button
At this point putty opens a blank window (no dialogue at any time)
10. Browse to http://127.0.0.1:80
Error - unable to establish connection

Can't get further :(
 

Sam Widges

Active Member
Are you trying to connect from outside or inside the network?

You need to get it working inside your network first (sorry if you are doing this, but I need to check).
 

Sam Widges

Active Member
I've just had a closer look at your steps above and I think I know the first problem - in step 1 leave the port as 22 - you are setting up a connection to port 22 that will allow you to fake a connection to port 80 (that's the tunnel setup bit).

Leave the rest the same and let me know how you get on.
 
OP
makem

Member
I've just had a closer look at your steps above and I think I know the first problem - in step 1 leave the port as 22 - you are setting up a connection to port 22 that will allow you to fake a connection to port 80 (that's the tunnel setup bit).

Leave the rest the same and let me know how you get on.

Network error connection refused - from putty

I've added pics of the settings
 

Attachments: Capture5.JPG, Capture6.JPG

Sam Widges

Active Member
It's working at this end. Sometimes it helps to follow someone else's instructions, so here's what I did...

Open PuTTY and type the IP address of the Humax into the "Host Name" box, make sure that the SSH radio button is selected - don't change the port number.
In the LH window, open the config for Connection>SSH>Tunnels
In Source Port, type "80" and in Destination type "127.0.0.1:80". Make sure that the "Local" radiobutton is checked and then click on "Add"
Go back to "Session" in the LH window.
Type a name into the Saved Sessions window, e.g. "Hummytest" and click on "Save"
Close any windows that are open to the target box, or just restart PuTTY to be really sure.
Double click on the Saved Session and you should get a login prompt - the default credentials are "root" and "humax"

If that works, then point a browser at http://127.0.0.1 and you should see the WebIF.
 
OP
makem

Member
It's working at this end. Sometimes it helps to follow someone else's instructions, so here's what I did...

Open PuTTY and type the IP address of the Humax into the "Host Name" box, make sure that the SSH radio button is selected - don't change the port number.
In the LH window, open the config for Connection>SSH>Tunnels
In Source Port, type "80" and in Destination type "127.0.0.1:80". Make sure that the "Local" radiobutton is checked and then click on "Add"
Go back to "Session" in the LH window.
Type a name into the Saved Sessions window, e.g. "Hummytest" and click on "Save"
Close any windows that are open to the target box, or just restart PuTTY to be really sure.
Double click on the Saved Session and you should get a login prompt - the default credentials are "root" and "humax"

If that works, then point a browser at http://127.0.0.1 and you should see the WebIF.

My settings are exactly as shown in the pics in the above post, except that the 192.168.x.x is replaced by the humax ip address on the LAN and the same as you say above.

I get the same error when I double click the saved session name.
 
OP
makem

Member
No, dropbear-ssh is in the available packages - not installed

Installing it (waiting for the dl to complete)

Looks like the server is not available again
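The two failures reported in this thread (a blank PuTTY window when the session pointed at port 80, and "connection refused" on port 22) can be told apart before touching the tunnel settings. This is an added example, not part of the original posts, that reads whatever the port sends first; the banner shown in the comment is a constructed sample and the advice strings are this example's own wording.

```python
import socket
import sys

ADVICE = {
    "refused": "nothing is listening: is the SSH server package installed and running?",
    "unreachable": "no answer: check the IP address, the router forward, and that the box is on",
    "not-ssh": "port is open but sent no SSH banner: PuTTY's Port box must be the SSH port, not 80",
    "ssh": "SSH is answering: log in, then test the tunnel at http://127.0.0.1",
}

def probe_ssh(host, port=22, timeout=3.0):
    """Return (state, detail) for host:port, where state is a key of ADVICE."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", None)      # PuTTY shows "Network error: connection refused"
    except OSError:
        return ("unreachable", None)  # timeout, no route, host switched off
    with sock:
        sock.settimeout(timeout)
        try:
            # An SSH server speaks first, e.g. "SSH-2.0-dropbear_x.y" (constructed sample).
            data = sock.recv(256)
        except OSError:
            data = b""                # e.g. a web server waiting for the client to speak
    text = data.decode("ascii", "replace").strip()
    if text.startswith("SSH-"):
        return ("ssh", text.splitlines()[0])
    return ("not-ssh", text)

if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    state, detail = probe_ssh(host, port)
    print(f"{host}:{port} -> {state} {detail or ''}")
    print(ADVICE[state])
```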
 

Sam Widges

Active Member
Makem, could you clarify something. Above, you said "I have SSH working using the settings in webIF. But don't know how to 'add a local tunnel'." - what exactly do you mean by "working"?
 