How safe is OSMC if online?

Is Kodi doing anything to fix this? Unless I’m misunderstanding the vulnerability, this would seem to be a strong reason not to use any of the software remotes / browser interfaces.

Everybody also knows the name ‘root’.

Would it be too hard to prompt the installer to ask for a root user and root password?

Setting “PermitRootLogin no” in /etc/ssh/sshd_config disables root login, which makes sense, I guess. This option was set to “yes” in my OSMC RC installation.

Root login is disabled by default in OSMC anyway.

Thanks for your suggestions. Would you please show us your UFW settings?
Greeting!

Hi,

Well, it all depends on what you want to do. Is your Pi internet-facing? What services are you running that require external connections?

Well, just simple configuration, allowing to ssh from outside and OpenVPN and maybe VNC in the future.

Check your current rules with:

sudo ufw status verbose

Assuming, for example, that you have changed your ssh port to 2244 before installing UFW, it should detect that as the ssh port and leave it open. However you should explicitly open it also:

sudo ufw allow 2244/tcp

OpenVPN uses 1194 by default, so you need:

sudo ufw allow 1194/udp

(or tcp, depending on your client.conf)

For samba you need to open a range initially, tcp and udp:

sudo ufw allow 137:139/tcp 
sudo ufw allow 137:139/udp

I have the museekd daemon running on my pi sending out to port 2012. I want to connect to this using only one other device, so that I can run a GUI (museeq). To specify these exact requirements you would need:

sudo ufw allow from 192.168.2.4 proto tcp to any port 2012

If you want to block a specific address or port range you need to insert the new deny rule at the top using the “insert” option.

sudo ufw insert 1 deny from 100.3.5.2

Always good to have a log of blocked connections for later inspection.

sudo ufw logging low

If you want to disable the ipv6 rules, open sudo nano /etc/ufw/ufw.conf and add this to the end of the file:

IPV6=no

BTW, if you are exposing your ssh port to the internet I strongly advise installing either or both of fail2ban and denyhosts. There are tutorials out there for setting them up, but if you’re only protecting ssh the default settings are fine.
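
An added example, not part of the original post: with `ufw logging low` enabled, blocked packets appear as `[UFW BLOCK]` kernel log lines, and the script below counts them per source, protocol and destination port. The log lines are constructed samples, and the function names `summarise_blocks` and `repeat_offenders` are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the kernel-log format UFW uses. Host name, MAC and
# addresses (documentation ranges) are made up for illustration.
sample_ufw_log() {
cat <<'EOF'
Mar  1 10:00:01 osmc kernel: [  101.1] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc SRC=203.0.113.7 DST=192.168.2.10 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 SYN URGP=0
Mar  1 10:00:03 osmc kernel: [  103.2] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc SRC=203.0.113.7 DST=192.168.2.10 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 SYN URGP=0
Mar  1 10:00:09 osmc kernel: [  109.4] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc SRC=203.0.113.7 DST=192.168.2.10 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=5900 WINDOW=29200 SYN URGP=0
Mar  1 10:02:00 osmc kernel: [  220.0] usb 1-1.3: new high-speed USB device number 5
Mar  1 10:05:30 osmc kernel: [  430.7] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc SRC=198.51.100.23 DST=192.168.2.10 LEN=42 TTL=49 ID=9 PROTO=UDP SPT=5353 DPT=137 LEN=22
Mar  1 10:05:31 osmc kernel: [  431.0] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc SRC=198.51.100.23 DST=192.168.2.10 LEN=84 TTL=49 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
EOF
}

# Read log text on stdin; print "COUNT SRC PROTO/DPT", busiest first.
summarise_blocks() {
    awk '
        /\[UFW BLOCK\]/ {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src == "") next          # not a packet record
            if (dpt == "") dpt = "-"     # ICMP and similar carry no port
            hits[src " " proto "/" dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2
}

# repeat_offenders MIN: sources with at least MIN blocked packets in total.
repeat_offenders() {
    awk -v min="$1" '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) if (n[s] >= min) print s }
    ' | sort
}

# Stand-alone run over the constructed sample.
sample_ufw_log | summarise_blocks
```

On a live system, pipe the kernel log into the same function instead of the sample, for example `journalctl -k | summarise_blocks`.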

Great job, Thanks a lot!

Hi, me again, sorry. I am running Alpha 4 and do not know when I will be able to update to RC as it’s a remote installation. I have created another user and disabled the OSMC user as you suggested, thanks 🙂 I would like to install fail2ban as an extra precaution. Is it as simple as just installing it (found a guide here: How To Protect SSH with fail2ban on Debian 7 | DigitalOcean) and that’s it, or do I need to install iptables too (read somewhere that it is disabled in OSMC)? Also, is there any chance I can lock myself out installing fail2ban (excluding multiple login attempts)?
Thank you for your advice.

fail2ban is a service that runs in the background and blocks connections according to rules that you set. There is always a danger of locking yourself out, so best to take your time and configure according to your needs. As it’s a pi and not a remote server, locking yourself out is not so tragic, as you just have to connect a screen and keyboard and you’re back in.

Here’s a good recent fail2ban tutorial:

Thank you for your advice and the link, much appreciated 🙂