Security procedures for the VU+ Duo

T

Tony Heaton

Vu+ Newbie
Hi Team

I was wandering what security measures I should be taking to make sure my VU+ server does not get hacked or infected.

Any advice welcomed
 
fcxpress

fcxpress

Vu+ Newbie
Hi,

Very interesting topic.
I would say, like on any linux box:

- Change to root password to something including numbers, lower case chars, upper case chars and special symbols such as '$' or '!'
- Enable firewall on your Internet router and define firewall policy rules so that you only allow what you absolutely need to go in and out, all the rest being denied. In particular, do not forward any port from your internet router to your vu+ box unless you absolutely need to do so (e.g. SSH access).
- If you access your box remotely over the Internet, use SSH instead of telnet and force key authentication instead of password auth for SSH.
- disable (already good) or uninstall (even better) any service you don't need (e.g. if you know you're never going to use Windows/cifs/smb shares, disable samba)
- update/patch the package whenever a vulnerability is discovered in a software package installed on your box

Hope this helps.
FCXpress
 
T

Tony Heaton

Vu+ Newbie
Is there no Soft Firewall for these boxes (a bit like Zone Alarm etc.)

Also, should I be running AV software on the box? If so what is recommended?
 
angelofsky1980

angelofsky1980

BlackHole Driver Specialist
a911 said:
How?
Click to expand...

There are some howtos on the web about iptables.
I don't know if the iptables package is included into BH images.

UPDATE: I checked on my Duo: and the iptables binary is not present. I will build the necessary package to implement it on this day.
 
angelofsky1980

angelofsky1980

BlackHole Driver Specialist
angelofsky1980 said:
There are some howtos on the web about iptables.
I don't know if the iptables package is included into BH images.

UPDATE: I checked on my Duo: and the iptables binary is not present. I will build the necessary package to implement it on this day.
Click to expand...

The iptables package needs some kernel modifications. I will talk with Image Coder to implement these options in the next BH image.
 
fcxpress

fcxpress

Vu+ Newbie
Gentlemen,

Unless your VU+ box is directly connected to Internet or to a LAN network you don't trust, you shouldn't be implementing a firewall on your VU+ box but at the edge of your network (i.e. your Internet router).
It's not easy to get familiar with iptables syntax and philosohpy. Also, I recommend to use Firewall Builder (Google for it) as a visual policy editor for your FW rules.
A very good solution is to use an alternative firmware for your router such as openwrt or dd-wrt.

For the AV software it does make any sense: there are no known virus (should I say "yet"...) developed for the VU+. I doubt an AntiVirus sofware would be developed as Virii developers are targeting MS windows. Anyway, you can try to search for clamav which is a linux AV aimed at blocking virus for other systems such as MS Windows but I repeat myself: I doesn't make sense to install it on a VU+ box.

Always keep in mind that the security is must be seen as a whole. Like a chain it is as strong as its weakest link. So there is no sens to implementing firewall rules if you leave default password on.
 
S

streetball

Vu+ Newbie
fcxpress said:
Gentlemen,

Unless your VU+ box is directly connected to Internet or to a LAN network you don't trust, you shouldn't be implementing a firewall on your VU+ box but at the edge of your network (i.e. your Internet router).
It's not easy to get familiar with iptables syntax and philosohpy. Also, I recommend to use Firewall Builder (Google for it) as a visual policy editor for your FW rules.
A very good solution is to use an alternative firmware for your router such as openwrt or dd-wrt.

For the AV software it does make any sense: there are no known virus (should I say "yet"...) developed for the VU+. I doubt an AntiVirus sofware would be developed as Virii developers are targeting MS windows. Anyway, you can try to search for clamav which is a linux AV aimed at blocking virus for other systems such as MS Windows but I repeat myself: I doesn't make sense to install it on a VU+ box.

Always keep in mind that the security is must be seen as a whole. Like a chain it is as strong as its weakest link. So there is no sens to implementing firewall rules if you leave default password on.
Click to expand...
I would appreciate if could assist me on something.
I have a router in my house and several devices connected to it. All the devices within the network can access each other, including my receiver (Vu+ duo). The receiver have attached an external hdd (with usb), which has also other folders. I don't want to have free access to the receiver for many users. Therefore, I am looking for a way to put a user name and a password whenever I connect to the receiver through samba protocol.

I opened the smb.conf file and saw that the security is share. I am not an expert, therefore I don't know what to edit in the file, or maybe in another way, in order to achieve my purpose.

Could you please assist me on the above matter?

Thanks in advance.
 
fcxpress

fcxpress

Vu+ Newbie
When security option in smb.conf is set to share, this means that the samba server (your VU+ box in this case) won't ask for a specific user name to access the share but will only rely on the password. If you have different users on your lan, you whoud change this to
Code: 
security = user

Then you need to create the users accounts on the VU+
Code: 
useradd -s /bin/true user-name
Define a password for each user
Code: 
smbpasswd -L -a user-name
And enable the user
Code: 
smbpasswd -L -e user-name
 
M

meggiedude

Vu+ Newbie
Sorry to open an old link here,
How exactly do you configure Blackhole to
a) add new user/passwd (is it as above for the samba shares for example)
b) use SSH instead of telnet

Basically, back in the day (like many, many years ago) I was a UNIX admin. As such I am uncomfortable with logging onto it remotely via the Openwebif tool via root access.

I did try and switch off telnet in favour of ssh via the Duo menus and for some reason it ignored the command.

I currently have 1.7.6 loaded, I have port forwarding set for one port open for the Vu+ Duo, and my ISP supplies a static IP.
Openwebif works Ok via WWW and LAN with root.
I have an android app loaded on phone for remote access that way, or have the mobile openwebif option if I choose.
I just want to mail the security side down a little.
BTW, the Android app (Dreamdroid) has the option to use SSH it appears, so that seems the sensible thing.

Cheers

MD
 
V

Venc

Vu+ Newbie
This is also my problem and I don't understand why such basic thing isn't compiled in kernel. I will repeat the questions or move to other distro because without this functionality the box is one legged only. Currently I'm using my vu+ box for streaming, network storage etc. and directly watching or recording sat is less important function, so I just want more from the box... (the cpu is very, very strong and do nothing majority of time so why not).
 
You must log in or register to reply here.
Top