Securing OSMC for remote access

okay, I really want to have access to my RPi2 from my workplace, at least to add some torrent files for downloading, have ssh access, etc.

so far I’ve enabled fail2ban from here: http://raspberrypihelp.net/tutorials/48-raspberry-pi-ssh-security-fail2ban
but haven’t forwarded any ports yet.

I am considering enabling SSH with two-step authentication (http://www.sbprojects.com/projects/raspberrypi/ga.php). does anyone have experience with this one?

or is this overkill?

regards

It’s not really recommended to make OSMC internet facing, as it is not designed to be a hardened server OS and has a publicly known default user account and password (osmc/osmc) and password-less sudo to root.

However, if you absolutely must, port forward only SSH and make sure you change the osmc password to something impossible to guess (no common words etc.). There are no other user accounts enabled by default (not even root is enabled), but be aware that third party packages you install might potentially create other user accounts.

I would also recommend putting SSH on a random high port when forwarding from your router, so that it is not subject to constant script kiddie password brute force attacks, as they tend to only target the default ssh port.

A VPN would be a better option but is obviously a lot more work to set up.

Do NOT port forward to the Kodi web interface (there are known exploits for it) or ftp/samba.

thanks for the reply.

I disabled the Kodi web interface, and am not planning on enabling it again, I don’t need it.
all I plan to access is SSH (yes, on a custom port) and the torrent app web interface (again, custom port with user/password auth).

Be aware that the torrent app web interface is a potential security hole. OpenSSH server (which we use) is well tested and hardened, and as long as it’s configured sensibly and the password isn’t short or guessable it should be pretty secure. A web interface for a random torrent app is not likely to be well tested or secure; quite the opposite, probably. Not to mention that it probably sends your web interface username and password in the clear using HTTP basic authentication. If it were me I wouldn’t do it.

You could use ssh port tunnelling to connect to the torrent web interface - that way the web interface is tunnelled through the encrypted ssh session, and only someone who has ssh login credentials can even get at the web interface at all. Most common ssh clients such as PuTTY support port tunnelling.

http://howto.ccs.neu.edu/howto/windows/ssh-port-tunneling-with-putty/

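A check that fits the advice above, as an added example that is not part of the original posts: it reads `ss -H -tln` output and lists every listener reachable from other hosts apart from SSH, so the torrent web interface can be confirmed loopback-only before relying on the tunnel. The ports (22022, 8080, 9091), the function names and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example; ports and sample data below are constructed, not from the thread.

# exposed_listeners SSH_PORT
# Reads `ss -H -tln` output on stdin and prints the local address of every
# listening TCP socket that is NOT bound to loopback and is NOT the SSH port.
# Anything printed would be reachable if its port were ever forwarded.
exposed_listeners() {
    awk -v ssh_port="$1" '
        $1 != "LISTEN" { next }        # skip a header line and non-listening rows
        {
            local_addr = $4            # e.g. 0.0.0.0:8080 or [::1]:631
            n = split(local_addr, parts, ":")
            port = parts[n]            # text after the last colon
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            sub(/%.*/, "", addr)       # drop an interface suffix such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (port == ssh_port) next                     # the one forwarded service
            print local_addr
        }'
}

# Constructed sample: SSH on an assumed custom port 22022, an assumed web
# interface on 8080 bound to all interfaces, and an assumed torrent web UI on
# 9091 bound to loopback (reachable only through the SSH tunnel).
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22022 0.0.0.0:*
LISTEN 0 128 [::]:22022 [::]:*
LISTEN 0 5 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9091 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
EOF
}

# Run against the sample; on the Pi itself use:  ss -H -tln | exposed_listeners 22022
sample_listeners | exposed_listeners 22022

# With the web UI on loopback, it is reached from the remote machine with
#   ssh -N -p 22022 -L 127.0.0.1:9091:127.0.0.1:9091 osmc@<your-public-address>
# and then browsing to http://127.0.0.1:9091 locally.
```

An empty result means nothing besides SSH is listening on a routable address; any line printed is a service to rebind to 127.0.0.1 or switch off.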

thanks, that’s quite interesting and seems to be okay for my usage!

configured that. great stuff! thx for pointing it out!