How safe is OSMC if online?

I put my RPi2 running OSMC (RC) behind an ASUS RTN12-D1 router and can access it perfectly from the outside (SSH, FTP, HTTP) via portforwarding to the standard ports, as I am planning to use the external HDD of the RPi2 as webstorage. I can nicely login via PUTTY from the outside, the password of user ‘osmc’ was changed to a quite complex one.
Is this this safe, or stupid (or something in between)?
Thanks a lot & best wishes!

I had thought that changing the osmc user would cause problems, so in my case I created a new user with sudo privileges and allowed only this user to login via ssh.

In /etc/ssh/sshd_config you should disable root logins and at the end of the file put (assuming user is larry):

AllowUsers larry

Also. in the same file, change the default SSH port from 22 to something else. (but remember to open this port in your firewall).

I also turned-off password logins altogether and use a keyfile instead.
Most importantly, set-up a firewall! I am using UFW - simple to use and effective.

No harm to install fail2ban either, but the above steps should provide some reassurance.

Its also useful to look in your ssh servers logs every once in a while to check that you aren’t being bruteforced in case you don’t install fail2ban :-).

An entirely different route (no pun intended) is to install a VPN server and connect through that when you use SSH thus only allowing outside connections on the VPN port. There are a lot more script kiddies bruteforcing SSH logins than OpenVPN!

Regards

VPN is a good idea, but I think ssh is fine as long as you take the basic precautions. No need to be super paranoid. Script kiddies are only looking for vulnerabilities. A good firewall will repel all but the most determined cracker, public/private keys will make it impossible for them.

Imagine their disappointment when, after all that work, they realise they have cracked a rapberry pi. Look for kippo vids on youtube - hilarious.

BTW, since November I’ve been tracking connection attempts to my server and you’d be surprised how much nefarious activity is out there. I donlt advertise myself but I get about 300 blocked connections per day - most from China. Apparently this is normal.

Here’s a list of the most alluring ports. The lesson is: you are constantly under attack, so always use a firewall and use non-default ports for ssh.

8118/TCP 10316 blocks
9064/TCP 8199 blocks
23/TCP 7537 blocks
43767/UDP 4352 blocks
8080/TCP 2053 blocks
22/TCP 1735 blocks
3128/TCP 1511 blocks
3389/TCP 1373 blocks
13814/UDP 1207 blocks
5060/UDP 1158 blocks
8090/TCP 1098 blocks
1433/TCP 911 blocks
443/TCP 899 blocks
1900/UDP 813 blocks
3306/TCP 645 blocks
8123/TCP 558 blocks
25/TCP 539 blocks
53/UDP 482 blocks
1080/TCP 429 blocks
123/UDP 402 blocks
81/TCP 299 blocks
5900/TCP 283 blocks
8088/TCP 278 blocks
19/UDP 274 blocks
4899/TCP 226 blocks
8081/TCP 223 blocks
110/TCP 221 blocks
21/TCP 182 blocks
53413/UDP 174 blocks
8000/TCP 168 blocks
161/UDP 166 blocks
135/TCP 159 blocks
1723/TCP 146 blocks
21320/TCP 134 blocks
9200/TCP 129 blocks
1434/UDP 119 blocks
7001/TCP 112 blocks
10000/TCP 110 blocks
1521/TCP 107 blocks
9797/TCP 107 blocks
8180/TCP 101 blocks
1024/UDP 99 blocks
49152/TCP 98 blocks
8888/TCP 97 blocks
32764/TCP 90 blocks
5916/TCP 90 blocks
11211/TCP 88 blocks
9090/TCP 85 blocks
17/UDP 82 blocks
623/UDP 77 blocks

Thanks a lot for your reply. However, is it really necessary to have another firewall on the Pi if it is behind the firewall of my router? I thought that the router itself already blocks everything except port 22 which is being forwarded to the Pi via the portforwarding feature of the router …

Not absolutely necessary (depending on your network setup), but it’s an extra layer of protection at no performance cost.
If you put your pi on the DMZ then a firewall is essential.

I wouldn’t recommend port forwarding to OSMC - it’s not really designed to be internet facing.

Having said that, if you do you MUST change the password for OSMC to something hard to guess - as everyone knows the default password…

It’s perfectly safe (and recommended) to change the password for the OSMC user, changing anything else about that user (group memberships, home directory, UID/GID, deleting the user etc) will cause problems though, as kodi and some other services run as the osmc user.

Adding an additional user account (with a hard to guess password) is fine as well, but keep in mind that depending on file permissions that other user may not be able to access your media files if they are in /home/osmc.

If you are port forwarding the http server for kodi (strongly not recommended) make sure you change the web server password in Kodi itself.

Do not do this!

Thanks for your hints. However, fail2ban fails to install via simply trying ‘sudo apt-get install fail2ban’ …
It states:


Suggested packages: python-gamin mailx system-log-daemon
Recommended packages: iptables whois python-pyinotify
The following NEW packages will be installed: fail2ban
0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
Need to get 0 B/165 kB of archives.
After this operation, 577 kB of additional disk space will be used.
dpkg: warning: ‘ldconfig’ not found in PATH or not executable
dpkg: warning: ‘start-stop-daemon’ not found in PATH or not executable
dpkg: error: 2 expected programs not found in PATH or not executable
Note: root’s PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin
E: Sub-process /usr/bin/dpkg returned an error code (2)


I guess, it’s not that simple, is it?

echo $PATH please

output is:
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
thx!

Can you sudo -s

and echo $PATH as well?

Sam

osmc@osmc:/$ sudo -s
root@osmc:/# echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

it then says …

Something wrong with your path. Here is mine:

osmc@osmc:~$ sudo -s
root@osmc:/home/osmc# echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin:/opt/vc/bin

Are you sure you installed the RC build and not one of the earlier images, and didn’t upgrade from an earlier image ?

What other software have you installed or customisations have you made ? Something has changed your path…

ldconfig is in /sbin which seems to be missing in your path…

Well, no, I cleanly installed RC with the standard installer …
I did only add another user and added him to the /etc/ssh/sshd_config (as stim suggested above), then I tried to install fail2ban with the result posted above.

However, my /etc/sudoers does contain:
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

UPDATE:
on http://unix.stackexchange.com/questions/146748/what-do-you-do-when-you-try-to-sudo-and-roots-path-has-gone-kerblooey
they state
“As the ‘Note:’ hints at, this is usually caused by $PATH being set wrong. One way that happens is when you run dpkg -i without root” … maybe I did taht, I can’t remember.

dpkg -i should not run as non-root!

Having updated $PATH to /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin everything now worked OK.
Thanks for your kind help!

Hi, sorry to thread jack. Just a query about remote access, I have changed the default SSH port and the OSMC user password to a long password letters/numbers etc. Pi is behind router firewall. Is this sufficient, I am concerned installing a firewall/fail2ban will potentially lock me out?

I think that the fact that everybody knows the username “osmc” might be particularly unsecure. I modified the sshd_config (sudo nano /etc/ssh/sshd_config) as osmc via ssh and added a line:
AllowUsers otheruser osmc
where “otheruser” is a user which I added by myself before. This restricts ssh access to users “osmc” and “otheruser”. After having assured that “otheruser” can sucessfully login, I removed “osmc” from the AllowUsers list.
You can always switch to “osmc” from “otheruser” via: sudo su osmc

1 Like

Great, thanks for the advice :slight_smile: