Remotely login to Dreambox??

greenore

Member
Joined
Apr 6, 2010
Messages
2
Reaction score
1
Points
0
Age
38
My Satellite Setup
DM500
My Location
Ireland
Hi, is it possible to connect and edit files (like cccam.cfg) on my Dreambox from a different location, as I know my IP address?

thanks
 

shumifan50

Regular Member
Joined
Sep 6, 2007
Messages
521
Reaction score
1
Points
0
Age
75
My Satellite Setup
2xDM7025(DVB-S tuner), DM600SPVR, DM800S, DM500S HD, Triax 90cm with MultiBracket 4 sats.
My Location
Europe
This is possible but not recommended as it opens a huge vulnerability. At least enable the SSH server and use putty if you wish to do this. Whatever you do you should not use standard telnet. If you use putty you (by default) would have to port forward port 22 to your dreambox. There are also much nicer ways of doing this with putty, but this will require some googling and reading for you.
 

greenore

Hi, could you possibly expand on this? I have PuTTY but am not that confident with it.
 

fintannl

Regular Member
Joined
Jan 11, 2009
Messages
257
Reaction score
0
Points
0
Age
48
My Satellite Setup
Single Sat Dish and DM800
My Location
Ireland
Personally I use FlashFXP which is a more user friendly solution than Putty. This would mean using port forwarding port 21 (FTP) to your dreambox. As shumifan says it's not a great idea. The first thing you would need to do is change your default username and password on your dreambox to ensure no unauthorized access. Search this forum on changing password. Other issue: do you have dynamic or static IP addresses with your broadband connection? If you have a dynamic IP address, are you using INADYN to track dynamic IP changes? If you have a static IP address then this is not a prob.
 

compufunk

Regular Member
Joined
May 7, 2008
Messages
1,658
Reaction score
1
Points
38
My Satellite Setup
DM 600-S, VU+ Duo,
Moteck SG2100, Fracarro Penta 85 dish, LG LH3000 42" TV + some computers
My Location
NW, Ireland
As shumifan50 says, whatever you do, don't use telnet, use an SSH connection instead for better security.

All you need to do is forward port 22 to your dreambox. If you then want to use an FTP program like FlashFXP, you can tunnel your FTP connection through SSH making it much more secure.

Google "SSH Tunneling" for more info.

FTPS is another option, but I doubt that your DM500 will support that.
 

fintannl

DM500 has no issue with FTP. Use it all the time for all my different dreamboxes. Also very nifty for logging into a share and doing an update. I know you only get a 30 day lease on the licence but using regedit on your PC you can extend that indefinitely.
 

shumifan50

FTP is as big a no-no as telnet, from the internet, unless you tunnel it securely.
 

compufunk

fintannl said:
DM500 has no issue with FTP.
I was talking about FTPS, not FTP.

Also, not sure why you would want to use a paid for piece of software like FlashFXP when there are plenty of free and open source FTP clients (and servers) out there. My own preference is FileZilla.
 

td03-5

.
Joined
Dec 21, 2004
Messages
373
Reaction score
0
Points
0
Age
76
My Satellite Setup
.
My Location
UK
Hi Folks,

FlashFXP was the recommended FTP program by Klona in his well known Dreambox How-To.
I certainly paid the small amount charged for it when I started 6 or 7 years ago! It is a very good FTP tool and I was/am very happy with it. As I use an Asus EeePC most of the time now, I use gFTP (free) instead but I judged how good gFTP was by comparing it with FlashFXP. I am sure there are good free Windoze FTP progs but the only one I have ever used is WS_FTP95.

As for Dropbear SSH, I have been 'playing' with this lately but have not been totally successful. I have started the Dropbear SSH server on my DM7000S (Gemini 4.70) and can easily both locally and remotely establish secure rsakey SSH sessions from Open SSH on my Eee PC to the DM7000.
However, what I have failed to achieve is 'tunneling' (surely the most important aspect of using SSH?)!
When I setup a tunnel to, say, port 80 (either directly or indirectly) from open SSH on the Asus, I get an 'unknown channel' error on the Dm7000 SSH session.
Code:
ssh -i /home/user/.ssh/rsakey -L 80:localhost:80 root@192.168.0.24
Works fine to establish the password free SSH session between Asus and DM7000.
However, trying to establish the http session by pointing Firefox at:
Code:
http://localhost
fails with a grey browser screen and:
Code:
root@dreambox:~> channel 4: open failed: unknown channel type:
from the Dropbear server on the DM7000S!
Googling the problem seems to indicate that the Dropbear server for the DM7000S has been compiled without TCP Forwarding support (presumably to keep it small) but this surely makes it small and useless!

Could those who recommend use of Dropbear/SSH please comment or tell me where I have gone wrong?

Many thanks, John.
 

td03-5

Hi Folks, I've got it working!
The Gemini 4.70 version of Dropbear is indeed compiled without support for port forwarding (tunneling) in order to save space in a flash image. This makes it of little use for remote access to the Dreambox. However, I have found the attached copy of Dropbear on another forum. This one is slightly larger (173.5KB v 145.4KB) than the version in Gemini 4.70 but is OK in Multi-boot where there is plenty of space. This copy of 'dropbear' has tunneling enabled.

NB. This has been tested only on DM7000S, Enigma 1, Gemini 4.70 in FlashWizard Multi-boot.

1. Download the attached file 'dropbearmulti_051.zip' to a convenient folder on your laptop/pc.
2. Un-zip/extract the file 'dropbearmulti' to the same folder.
3. If you wish to retain your existing copy of 'dropbearmulti' as a safeguard, then: rename Dreambox file /sbin/dropbearmulti, to (for instance) 'dropbearmulti.old'.
4. Now, FTP the new copy of 'dropbearmulti' (from the folder on your laptop/pc) to Dreambox folder /sbin.
5. Next: chmod 755 /sbin/dropbearmulti

For remote (internet) access it will be necessary to Forward one port for Incoming traffic on your router.
The default SSH port is 22 but I recommend using something less obvious like 2222, the more obscure the better. Not that the 'attackers' are likely to access anything through SSH but it reduces the 'traffic' (login attempts) on your router and much reduces the size of the router log! I know, I've seen it all on my router log! I've even had Chinese Web IP's logged-in to my Dreambox on straight, non-SSH FTP! So I know that I need SSH!
Set the forwarded port to be handled by the Dreambox LAN IP (in my case 192.168.0.24).
It is necessary to edit the Gemini 4.70 Dropbear start script to:
a. Enable use of the obscure port.
b. Disable password login so that only rsakey (secure) login will be accepted.

6. Using your FTP program (or otherwise) edit the Dreambox file /var/script/dropbear_script.sh
7. Change this part:-
Code:
if [ -r /var/etc/dropbear/dropbear_rsa_host_key ] || [ -r /var/etc/dropbear/dropbear_dss_host_key ]; then
/sbin/dropbear         
fi
To this:-
Code:
if [ -r /var/etc/dropbear/dropbear_rsa_host_key ] || [ -r /var/etc/dropbear/dropbear_dss_host_key ]; then
/sbin/dropbear -s -g -p 2222         
fi
Where 2222 is your chosen obscure port number (max 65535).

8. Go to TV connected to Dreambox and press Blue Button on DB Remote, for Gemini 4.70 options.
9. Select option 5. Services / Daemons.
10. Scroll down to 'Dropbear (SSH)'.
11. Press OK.
12. Status should change to 'Running' and Red 'virtual' LED changes to Green.

The next part has only been tried using OpenSSH on an Asus Eee PC 900 running default Xandros Linux (desktop mode).
However, Windoze users will probably manage the next part quite easily using PuTTY.
Other Linux distros will have OpenSSH (or similar) installed by default like the Eee PC.

I will show the commands as typed at a laptop/PC Linux Console prompt.
Locate the Linux hidden folder /.ssh (in the Eee PC this is at /home/user/.ssh) and use this in the cd command.

13. Create the secure key files (rsakey - (Private key file) & rsakey.pub (Public key file).
Code:
cd /home/user/.ssh
ssh-keygen -f rsakey -t rsa -b 2048
This will prompt for a 'pass phrase' but none is necessary, just press Enter.
The two key files will now be in the .ssh folder.
The Dreambox should also have a .ssh folder located at /var/.ssh.

14. FTP the file rsakey.pub to Dreambox folder /var/.ssh.
15. Rename the file in the Dreambox /var/.ssh folder from: rsakey.pub - to: authorized_keys
16. chmod 611 /var/.ssh/authorized_keys

I used my FTP program (gFTP) for all three above operations.
Note the USAish spelling of 'authorized_keys'.
Item 16. is also important and the secure SSH session cannot be established with 666 or 644 etc.

We are now ready to launch an SSH secure session between laptop/PC and Dreambox. I have incorporated the following into menu items in the Asus Program Launcher to make it easy for repeated use. I have tried direct port for port access through SSH but it does not work on the Eee PC. However it is easy to use higher number ports on the laptop/PC and have Dropbear/SSH translate them to the correct port on the Dreambox at the other end of the tunnel.

17. To launch the SSH secure session between laptop/PC and Dreambox:
Code:
ssh -i /home/user/.ssh/rsakey -p 2222 -L 7021:192.168.0.24:21 -L 7080:localhost:80 root@dreambox_dyndns
Where:
ssh = the SSH client program
-i = use inetd
/home/user/.ssh/rsakey = send key for establishing session
-p 2222 = use port 2222 to establish the SSH session
-L 7021:192.168.0.24:21 = use Local port 7021 to establish an FTP session with remote LAN IP 192.168.0.24 on port 21
-L 7080:localhost:80 = use Local port 7080 to establish an http session with remote 'localhost' on port 80
root@dreambox_dyndns = the Dreambox user_id (root) and either static Web IP or DynDNS Domain Name.
NB. In the above 192.168.0.24 and 'localhost' both refer to the Dreambox and are interchangeable.

After a short delay the session should be established and a root@dreambox prompt displayed.
Leave this console window open but it may be minimised.

18. To launch an http session through the SSH tunnel, start Firefox and in the URL bar type:
Code:
http://localhost:7080
and press Enter.
NB. Here 'localhost' refers to the laptop/PC communicating with the Dreambox.

Unless you have declared 'localhost' (in 17.) as a trusted site to the Dreambox then the Login panel will appear.
19. Enter User: root and your Password: Whateveritis
Press Enter and we get an Enigma Webif via an SSH secure session.

20. I have not bothered with a Telnet session as the SSH session itself serves this purpose and Dreambox Console commands may be typed in the Console window established in 17.

What does not work (yet!)!

OK....Clicking the APID in the Enigma Webif does not establish an Audio stream as it would directly but I'll work on that.
Also, I have not yet been able to establish a gFTP session through SSH but again I'm working on it.

I now have only the SSH port (2222 in this example) open and since closing the other ports and moving SSH from 22 to something higher there have been no 'alien' attempts at accessing anything on my network....yipee! Previously the bots would be attempting Telnet, FTP &/or http login every 3 seconds!!

Added bonus:
Now that it's secure, if I add an extra item to the line in 17. above, as follows:
Code:
-L 7081:192.168.0.1:80
and then in URL bar of Firefox type:
Code:
http://localhost:7081
I get the Log-in screen for my router, can log-in and change router settings, open/close ports etc, remotely and SSH securely!

Sorry it's so long but hope it helps someone, good luck.

Best wishes, John.
 

Attachments

  • dropbearmulti_051.zip
    84.1 KB · Views: 247

td03-5

Hi Folks,

Here are the final parts of the SSH jigsaw for the DM7000S.
First to apologise and correct a couple of errors in my previous post:

Item 16. should read:
chmod 644 /var/.ssh/authorized_keys

and 3 lines further on the line should read:
Item 16. is also important and the secure SSH session cannot be established with 666.

Item 17. the second 'Where:' line should read:
-i = use identity file

Also note that with the system I am about to describe the FTP tunnel of local port 7021 to Dreambox port 21 is no longer required.

As before, most of the answers were in the particular dropbear implementation I was using. I have now found a DM7000 implementation of dropbear that supports both tunneling and SFTP (secure file transfer protocol). I have attached a zip file to this post containing this version of 'dropbearmulti' plus 'sftp-server' (dropbear052&sftp-server.zip).

Follow steps 1 to 4 of my previous post but use the new file dropbear052&sftp-server.zip.
Place both files (dropbearmulti and sftp-server) in Dreambox folder /sbin and then:
Code:
chmod 755 /sbin/dropbearmulti [Enter]
and
Code:
chmod 755 /sbin/sftp-server [Enter]

Now create a new Dreambox folder called 'libexec'
Code:
mkdir /libexec [Enter]
and place a symbolic link to sftp-server in it:
Code:
cd /libexec [Enter]
ln -s /sbin/sftp-server sftp-server [Enter]

Follow my previous post until you reach 17. which now becomes:
Code:
ssh -i /home/user/.ssh/rsakey -p 2222 -L 7080:localhost:80 root@dreambox_dyndns

Continue to the end of my previous post and as before we have secure http and a secure console (telnet like) session.
The audio streaming problem is fixed by tunneling the stream port through the SSH link so 17. changes again to become:
Code:
ssh -i /home/user/.ssh/rsakey -p 2222 -L 31343:192.168.0.24:31343 -L 7080:localhost:80 root@dreambox_dyndns
or
ssh -i /home/user/.ssh/rsakey -p 2222 -L 31338:192.168.0.24:31338 -L 7080:localhost:80 root@dreambox_dyndns
This requires my playlist auto edit script 'vlcplsed' which can be found in another thread.
It needs to be modified to change the Dreambox LAN IP to 'localhost' instead of to the 'Dreambox_DynDNS'.

The FTP problem is fixed by using SFTP. I expect PuTTY will easily be able to use this, now that the Dreambox dropbear implementation (attached) includes support for sftp and an sftp-server.

However, for gFTP:
Open gFTP and enter:
Host: dreambox_dyndns Port: 2222 User: root Pass: Dreambox_password click drop-down and change FTP to SSH2
(Where: dreambox_dyndns = your DynDNS Domain Name or Fixed Internet IP
and 2222 = the port you have chosen to open for SSH)
Next:-
Click 'FTP', click 'Options', click 'SSH', in 'SSH Extra Params' enter: -i /home/user/.ssh/rsakey
un-check 'Need SSH User/Pass' and click 'Apply', click OK.

Now click the 'Connect' icon (two terminals) and the SFTP session should start as easily as an FTP session.

Note, that the SFTP session is independent of the SSH session established (above) for http. gFTP establishes its own SSH session which can run with or without the first SSH session.

Best wishes, John.
 

Attachments

  • dropbear052&sftp-server.zip
    96.8 KB · Views: 179

compufunk

Sorry I missed your posts till now, I was away for a few days. Good work getting up and running, you've been busy!

The shared keys can be generated by either the server or the client, it doesn't matter either way as long as both server and client are configured to use the matching key sets. So, the shared key can be generated by the SSH server on the dreambox and used by Putty for windows clients.

You can also enforce further restrictions on what IP addresses / networks are authorized to connect using your shared key if you're so inclined. These options can be added to your authorized_keys file.

If you have a Linux box up and running all of the time, you might be interested in looking into DenyHosts _http://denyhosts.sourceforge.net/. When you set it up, it will automatically deny all login attempts from an IP address after N failed login attempts (I think it's 5 by default). It's an additional layer of security I like to use where I have to provide remote services. It blocks out those Chinese/Russian etc. IP addresses you mentioned, though the blacklist seems to just keep growing :(. It will at least help to prevent brute forced logins.

td03-5 said:
..... but this surely makes it small and useless!
I wouldn't say useless. I've been using SSH to remotely connect to my Dreambox(s) since I first bought one. A default setup gives all the functionality of a telnet connection without the risk.
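
An added example, not part of any post in this thread: a small shell audit for the authorized_keys setup discussed above. It flags the file or its .ssh directory when group- or world-writable (the 666 case) and lists keys with no `from="..."` source restriction. `from=` is the OpenSSH option name, and whether a given Dropbear build accepts it is an assumption to confirm on the box; the function names and sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an authorized_keys file.
#  1) report the file or its directory if group/world-writable (e.g. mode 666)
#  2) report keys that carry no from="..." source restriction (OpenSSH syntax;
#     support in a particular Dropbear build is an assumption to verify)

# Returns 0 when the path is writable by group or others.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Prints one finding per line; prints nothing when no issue is found.
audit_authorized_keys() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "MISSING $keyfile"; return 0; }
    for p in "$keyfile" "$(dirname "$keyfile")"; do
        if loose_perms "$p"; then echo "WRITABLE $p"; fi
    done
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                      # blank line or comment
        esac
        case $line in
            ssh-*|ecdsa-*) echo "UNRESTRICTED line $n" ;;  # no options field
            *from=\"*) ;;                                  # source list present
            *) echo "UNRESTRICTED line $n" ;;              # options, but no from=
        esac
    done < "$keyfile"
}

# Constructed sample: two truncated placeholder keys, one restricted to a
# documentation address, stored in a deliberately over-permissive file.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    cat > "$d/.ssh/authorized_keys" <<'EOF'
# constructed sample keys (placeholders, not real key material)
from="192.0.2.10" ssh-rsa AAAAexampleA laptop
ssh-rsa AAAAexampleB phone
EOF
    chmod 666 "$d/.ssh/authorized_keys"
    audit_authorized_keys "$d/.ssh/authorized_keys" | sed "s|$d|HOME|"
    rm -rf "$d"
}
demo
```

Run it on a copy of the file first; a key line with an option the server does not recognise may be rejected outright.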
 

td03-5

Hi @compufunk,

Thanks for your reply and extra information.
For me, the biggest security improvement was moving the SSH port away from 22 and to an obscure high number. These Chinese (I've not seen any Russian but I'm sure you're right) 'bots' only seem to check the known standard ports (well there are so many open ones and they know what service to expect). Even if the SSH server goes into 'deny mode' the log-in attempts will still be seen by the router and port forwarded to the Dreambox (or other PC running the SSH server). This quickly fills the router's log, unless you turn off logging for port forwarding. At the moment, I have a nice quiet router log with only my own log-in to Dreambox or Router plus NTP, DynDNS and router BB drop events. As I currently have a BB drop problem (under investigation by BT), it was annoying that some of these events were lost because of so much 'alien' traffic!

You are of course right that basic SSH does give a Telnet style console but alone that is rather basic and probably the last choice of the average user for communicating with the Dreambox. I use FTP as my file manager so that was the most important one for me. Next was getting HTTP working for both the Enigma Webif but perhaps more importantly for me music streaming.

I can now use my DreamSwitch (StreamSwitch) system remotely, whereas before I dared not as it has no authentication on the http ports it uses. I run VLC on my laptop with an xspf playlist of favourite Satellite stations (radio or audio of tv channels). Just like my playlist of internet radio streams (or indeed mixed internet/Dreambox), I double click a station in the playlist, the Dreambox switches to that channel and streams it, double click another and it closes the first stream switches to the new channel and streams that, etc.

Best wishes, John.
 