i have set it up such that i can through a ddns type service access sabnzbd, sonarr and couchpotato. this is through a tp-link router that has as security the following enabled
my concern is that someone could access the kodi box and then access my main box which is on the same network. what extra steps should i take to make the jump from the kodi box to what else is on the network difficult?
i realise that the likelihood of anyone targeting me is extremely low.
Desktop: A320M-A PRO MAX, AMD Ryzen 5 3600, GALAX GeForce RTX™ 2060 Super EX (1-Click OC) - Sid, Win10, Arch Linux, Gentoo, Solus
Laptop: hp 250 G8 i3 11th Gen - Sid
Kodi: AMD Athlon 5150 APU w/Radeon HD 8400 - Sid
milomak wrote:my concern is that someone could access the kodi box and then access my main box...
Not understanding why you seem to imply the Kodi machine might be more accessible or vulnerable than the main box.
milomak wrote:...make the jump from the kodi box to what else is on the network difficult?
The above statement seems to also imply the Kodi machine is less secure for some reason.
I would only suggest to ensure taking the basic local lockdown steps necessary to satisfy your need. Better detail on the security posture and use case(s) for the local network itself, not just the 2 boxes in question would lead to better ideas.
For example, if the machines listed in your sig is all there is and you are the only user, I wouldn't worry much more about it at all.
Nobody would ever ask questions If everyone possessed encyclopedic knowledge of the man pages.
So if you're wanting to secure or verify security WRT this external access, you need to research and evaluate the security profile/posture/vulnerability status of the service you are forwarding this port to from the Internet.
The fact you appear to be running it on Sid would raise my old-school network security eyebrow, so to speak. I would never recommend running an Internet-facing service on a testing platform, just as a general best practice.
My router has several choices for security level. As an experiment I set it to maximum. It did not inhibit my ability to access the Internet. It's an easy experiment.
Allowing remote root login is not, generally speaking, a "good idea." You have a lot of ports open, so that IP looks interesting to every passing malware bot out there. If I were you, unsure of my security posture, then yeah, I'd be worried.
One thing to look into is packet filtering. ipfilter is the classic Linux packet filter and is often used for firewalls. I set up a Trendnet TEW732BR with LEDE/OpenWRT and ipfilter. I was able to write a simple filter rule to block router/modem access to all devices on my LAN except my workstation that has a static IP.
This is going to take some reading and likely re-provisioning of your present network.
Something fishy is going on here.
How is your ssh server exposed to the outside?
Are you port-forwarding to it with your router?
Why are there auth failures originating from your own external IP? (If they are just random connection attempts from "the net", which are very common, it should show the originating IP, not your router's).
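The check raised in the post above, as an added example that is not part of the original thread: split failed SSH logins by whether the logged source is one of your own addresses (router LAN address or WAN IP) or a genuinely remote host. The log lines, the addresses (documentation ranges) and the names `SAMPLE_LOG` and `classify_failures` are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in OpenSSH auth.log format; all addresses are
# placeholders (203.0.113.7 stands in for the WAN IP, 192.168.0.1 for the router).
SAMPLE_LOG = """\
Jan 10 03:12:01 kodi sshd[811]: Failed password for root from 203.0.113.7 port 51522 ssh2
Jan 10 03:12:09 kodi sshd[811]: Failed password for invalid user admin from 198.51.100.23 port 40110 ssh2
Jan 10 03:13:44 kodi sshd[902]: Failed password for root from 203.0.113.7 port 51530 ssh2
Jan 10 03:15:02 kodi sshd[950]: Failed password for root from 192.168.0.1 port 39012 ssh2
Jan 10 03:20:17 kodi sshd[977]: Accepted publickey for milo from 192.168.0.20 port 50222 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def classify_failures(log_text, own_addresses):
    """Count failed logins per source IP, split into 'own' and 'remote'."""
    own = {ip_address(a) for a in own_addresses}
    result = {"own": Counter(), "remote": Counter()}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        try:
            src = ip_address(m.group(2))
        except ValueError:
            continue  # hostname or malformed field: skip rather than guess
        bucket = "own" if src in own else "remote"
        result[bucket][str(src)] += 1
    return result

if __name__ == "__main__":
    report = classify_failures(SAMPLE_LOG, ["203.0.113.7", "192.168.0.1"])
    for bucket, counts in report.items():
        for ip, n in counts.most_common():
            print(f"{bucket:6} {ip:15} {n} failed login(s)")
```

Entries in the `own` bucket are the ones that need explaining, because the log no longer shows where the attempt really came from.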
dilberts_left_nut wrote:Something fishy is going on here.
How is your ssh server exposed to the outside?
Are you port-forwarding to it with your router?
Why are there auth failures originating from your own external IP? (If they are just random connection attempts from "the net", which are very common, it should show the originating IP, not your router's).
as stated in the op
i have set it up such that i can through a ddns type service access sabnzbd, sonarr and couchpotato.
milomak wrote:i have set it up such that i can through a ddns type service access sabnzbd, sonarr and couchpotato.
Please allow me to re-phrase what Dilbert seems to be wondering about: Sounds like you are misconscrewing the function of DDNS and the concept of access. DDNS merely provides a public roadmap to your system which, in your case unfortunately, appears to lead to a system with plenty of "access" enabled, and little understanding of how to control or utilize that access.
I really don't get why you would want Internet access to a Kodi box in the first place. I typically watch TV from my living room Lazy Boy. You are either a troll or a very misguided Kodi user. This will be my last response in this thread, sans full OP disclosure. Hints about what you are trying to do just don't cut it.
i have set it up such that i can through a ddns type service access sabnzbd, sonarr and couchpotato.
How?
through portforwarding
so assume i use username.ddnsservice.com. then pointing to that site and using one of 3 ports i have selected will access sonarr, couchpotato or sabnzbd.
username.ddnsservice.com:xxx1/2/3 ---> forwards to one of the sonarr, couchpotato or sabnzbd services.
the port in my screenshot is not one of the ports i use to forward. but is the actual port that was trying to access the kodi box.