
View Entry Info: 403.6 IP address rejected

Category: Possible Bug
What ViX Image build number are you using? 0
Have you tried a flash WITHOUT settings restore? No
Have you tried a flash WITH settings restore? No
Page 2 of 2
Results 16 to 24 of 24

Thread: 403.6 IP address rejected

  1. #16

    Title
    Senior Member
    Join Date
    Sep 2013
    Posts
    622
    Thanks
    202
    Thanked 65 Times in 54 Posts
    Quote Originally Posted by SpaceRat View Post
    You mean inside Web TV?
    Or plain streaming links?
    Transcoded or untranscoded?

    Sent from my Siemens C25 using Tapatalk
    Assuming that this feature was put in place to secure the box from external attacks when port forwarding, my natural question then is whether the security extends to the streams; else I fail to see the point.

    Sent from my iPhone using Tapatalk

  2. #17
    finbarr's Avatar
    Title
    Forum Supporter
    Donated Member
    Join Date
    Jan 2014
    Posts
    211
    Thanks
    45
    Thanked 83 Times in 37 Posts
    Great working again thank you

  3. #18
    SpaceRat's Avatar
    Title
    Senior Member
    Join Date
    Apr 2015
    Posts
    206
    Thanks
    25
    Thanked 79 Times in 52 Posts
    Quote Originally Posted by imish View Post
    Assuming that this feature was put in place to secure the box from external attacks when port forwarding, my natural question then is whether the security extends to the streams; else I fail to see the point.
    Yes and no, but more like "no" in Open...

    There are multiple kinds of streaming providers:
    • Dream's streamproxy, also used by VuPlus incl. VTi and probably Black Hole images, handles untranscoded streaming only (port 8001).
      This variant also exists on our (OpenViX, OpenATV, OpenHDF, OpenBH, ...) feeds, just "opkg install streamproxy".

      It auths through the web interface running on the same box, which will in most cases be OWIF, but if you uninstall OWIF and install Dream's web interface, the latter will take the job.
      Auth settings for streaming have been somewhat weakened though; it will still allow external logins or even no auth at all, depending on what you configure for streaming auth inside OWIF.

      The difference is: "attackers" can only "steal" tuners from you through the streaming port. Bad enough, but that's about it. Your personal risk.
      Through OWIF itself, they could install malicious packages on your box and take ownership of it. A risk for all of us, if the taken machine gets used for spam relaying or DDoS attacks.
    • "PLi streaming" (streaming inside E2) on port 8001, incl. "multitranscoding" on machines using port 8001 not only for streaming but for transcoding too.
      PLi integrated a functionally reduced streamproxy into the E2 code in 2011/2012, and all other Open... distros have merged these changes.
      It's now the default in all Open... images, incl. OpenViX, OpenATV, OpenHDF, ...

      It doesn't auth through OWIF (or Dream Webif) at all and thus doesn't honor any of its settings. Nothing OWIF devs can do about this.
      Auth for this variant of streaming isn't set up inside OWIF but somewhere inside E2 ("Extras" settings or something like that) and is limited to "yes" or "no".
      Sadly, some vendors (skylake (Mut@nt and AX Quadbox), Xtrend, ...) have integrated their transcoding here.

      As mentioned above, you can still revert to the streamproxy variant by installing the package "streamproxy" in OpenATV, OpenViX, ...
      But note that "streamproxy" cannot handle transcoding, so streaming on machines using "multitranscoding" on port 8001 will lose transcoding capabilities.
    • transtreamproxy (transcoding on a separate port, in most cases 8002)
      This is VuPlus' and Dags' (Edision, iQon Force, ...) way of implementing transcoding. "transtreamproxy" is based on "streamproxy" code, extended for transcoding support on these machines.

      This way of transcoding also uses auth through OWIF (or Dream Webif), so the settings from OWIF or Dream Webif will apply.

    So in short:
    You can safely install the package "streamproxy" on all machines
    - not doing transcoding at all
    - using a separate transcoding proxy on a different port (8002)
    to get auth through OWIF with all its settings on both streaming and transcoding.

    Machines with multitranscoding (streaming and transcoding on the same port) cannot use the package streamproxy, as it would break transcoding.
    In this case, the E2 settings for streaming auth will apply, and they are functionally limited.
    Receiver/TV:
    • Vu+ Duo² 4*S2+2*C / 1.8TB HDD / OpenATV 6.1@Samsung 50" Plasma
    • AX Quadbox 2400 / 2*S2/2*C / 930GB HDD / OpenATV 6.1@Samsung 32" LCD
    • Vu+ Solo² / 465GB HDD / OpenATV 6.1
    • Vu+ Solo² / 230GB HDD / OpenATV 6.1
    • DVBSky S2-Twin-Tuner PCIe@Samsung SyncMaster T240HD (PC)
    Pay TV: Redlight Mega, Brazzers TV Europe, XXL, HD-, Sky
    Internet: Unitymedia 1play 100 / Cisco EPC3212 + Linksys WRT1900ACS + Fritz!Box 7390 / IPv4 (UM) + IPv6 (HE)

  4. The Following 2 Users Say Thank You to SpaceRat For This Useful Post:

    alexandrerpo (19-08-19),imish (27-11-16)

  5. #19
    SpaceRat's Avatar
    Title
    Senior Member
    Join Date
    Apr 2015
    Posts
    206
    Thanks
    25
    Thanked 79 Times in 52 Posts
    General suggestion:

    "Joe Average" is advised not to open OWIF (or Dream Webif), ftp, telnet, streaming (and transcoding) by using port forwarding at all.
    Note that HTTP, ftp and telnet transfer plain, unencrypted passwords over the internet!

    Instead you should use a VPN; many routers (e.g. AVM Fritz!Box) already offer this feature themselves.
    If your router doesn't offer it, your NAS might, and if that doesn't, you can use OpenVPN on the E2 box itself (which is probably the hardest variant to set up).

    Once you are logged into your LAN using a VPN, you can use any service on any machine in your home network just as if you were at home.
    If there are no other reasons (like children) for setting logins, you can then even save the hassle of logins entirely; just keep your VPN credentials/key files safe.

    Another safe variant is ssh access to your box using key pairs.

    Execute the following commands to generate and install a key pair on your E2 box:
    Code:
    # create the key directory first; dropbearkey does not create it for you
    mkdir -p ~/.ssh
    # generate an RSA key pair (private key in Dropbear's own key format;
    # OpenSSH clients need it converted with "dropbearconvert dropbear openssh")
    dropbearkey -t rsa -f ~/.ssh/id_rsa
    # print the public key line and append it to the keys accepted for login
    dropbearkey -y -f ~/.ssh/id_rsa | grep "^ssh-rsa " >> ~/.ssh/authorized_keys
    # lock down the key files; dropbear ignores keys in group/world-writable locations
    chmod 600 ~/.ssh/*
    chmod 700 ~/.ssh
    chmod 700 ~
    You should now be able to log in to your box using the private key file id_rsa located in /home/root/.ssh of your box (see the instructions of your ssh client on how to use key auth).

    If this succeeds, make the content of /etc/default/dropbear read
    Code:
    DROPBEAR_EXTRA_ARGS="-s"
    This will disallow password logins for ssh entirely (let alone logins with empty passwords, which is the default for all oe-a images). The only way to recover from ssh login problems would then be telnet.

    You can transfer the file /home/root/authorized_keys to other boxes too, to use the same key file for multiple boxes, but make sure to adjust the file rights after copying:
    Code:
    chmod 600 ~/.ssh/*
    chmod 700 ~/.ssh
    chmod 700 ~
    With ssh, you have everything you need:
    • ssh gives you shell access, just like telnet but secure (when using key auth).
    • ssh gives you file access, either using scp (secure copy) or sftp (FileZilla supports sftp; you can access your box's files just like you could using ftp).
    • ssh allows you to tunnel ports from the remote machine (= your E2 box) to your local machine.
      You can for example tunnel port 80 of your E2 box to port 80 of your smartphone and port 8001 of your E2 box to port 8001 of your smartphone.
      As long as the tunnel is established, you can log in to your E2 webif using the address "http://localhost" on your smartphone and use streaming, just as if your smartphone were your E2 box.

    The free app "ConnectBot" (https://play.google.com/store/apps/d...org.connectbot) has the necessary capabilities for key auth and port tunneling on Android.

    Personally, I use VPNs for machines which I permanently maintain and ssh tunneling for machines that I sometimes maintain.

  6. The Following 3 Users Say Thank You to SpaceRat For This Useful Post:

    Alankellyeire (08-05-17),timofee (28-11-16),Valiant (27-11-16)
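A way to confirm, on the box, that the key-only ssh setup from SpaceRat's post above actually took effect before you rely on it (and before you stop using telnet as the fallback). This is an added example, not code from the post, from OpenViX or from Dropbear: it re-checks what the post's commands are supposed to leave behind (mode 700 on ~ and ~/.ssh, 600 on everything inside, at least one public key line in authorized_keys, and DROPBEAR_EXTRA_ARGS carrying -s in /etc/default/dropbear) and lists every deviation. The paths default to the post's own; the function names, the VALUE_OPTS list (dropbear options that take an argument, from dropbear's usage text) and the assumption of a Python 3 interpreter on the box are this example's.

```python
"""Audit the key-only ssh hardening described in the post (added example)."""
import shlex
import stat
from pathlib import Path
from typing import List

# Dropbear options that take a value (-p 22, -r keyfile, ...). Dropbear parses
# clustered flags such as "-sg" character by character, and a value may be glued
# to its option ("-r/etc/dropbear/key"), so an option letter from this set ends
# the cluster: the characters after it are the value, not more flags.
VALUE_OPTS = set("brpPKIWcTG")


def _mode(path: Path) -> int:
    """Permission bits only (e.g. 0o600), without the file-type bits."""
    return stat.S_IMODE(path.stat().st_mode)


def extra_args(dropbear_default: str) -> List[str]:
    """DROPBEAR_EXTRA_ARGS from an /etc/default/dropbear style file, as argv tokens."""
    args: List[str] = []
    for line in Path(dropbear_default).read_text().splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith("DROPBEAR_EXTRA_ARGS="):
            continue
        raw = line[len("DROPBEAR_EXTRA_ARGS="):]
        # shlex strips the surrounding quotes; the last assignment wins, as it
        # would for the init script that sources this file.
        args = " ".join(shlex.split(raw)).split()
    return args


def password_login_disabled(dropbear_default: str) -> bool:
    """True if the dropbear args carry -s (standalone or inside a flag cluster)."""
    for arg in extra_args(dropbear_default):
        if not arg.startswith("-"):
            continue  # a value such as "2222" following -p
        for ch in arg[1:]:
            if ch == "s":
                return True
            if ch in VALUE_OPTS:
                break  # the rest of this token is the option's value
    return False


def audit_ssh_hardening(home: str = "/home/root",
                        dropbear_default: str = "/etc/default/dropbear") -> List[str]:
    """Return a list of findings; an empty list means the post's setup is complete."""
    findings: List[str] = []
    home_p = Path(home)
    ssh_dir = home_p / ".ssh"
    auth_keys = ssh_dir / "authorized_keys"

    if not home_p.is_dir():
        return [f"{home} does not exist"]
    if _mode(home_p) & 0o077:
        findings.append(f"{home} is mode {oct(_mode(home_p))}, expected 0o700")

    if not ssh_dir.is_dir():
        findings.append(f"{ssh_dir} is missing (run mkdir -p and the chmod commands)")
    else:
        if _mode(ssh_dir) & 0o077:
            findings.append(f"{ssh_dir} is mode {oct(_mode(ssh_dir))}, expected 0o700")
        for f in sorted(ssh_dir.iterdir()):
            if f.is_file() and _mode(f) & 0o077:
                findings.append(f"{f} is mode {oct(_mode(f))}, expected 0o600")

    if not auth_keys.is_file():
        findings.append(f"{auth_keys} is missing: key login would fail")
    else:
        key_lines = [l for l in auth_keys.read_text().splitlines()
                     if l.split(" ")[0] in ("ssh-rsa", "ssh-ed25519")
                     or l.startswith("ecdsa-sha2-")]
        if not key_lines:
            findings.append(f"{auth_keys} holds no public key line")

    if not Path(dropbear_default).is_file():
        findings.append(f"{dropbear_default} is missing")
    elif not password_login_disabled(dropbear_default):
        findings.append(f"{dropbear_default}: DROPBEAR_EXTRA_ARGS lacks -s, "
                        "password logins are still accepted")
    return findings


if __name__ == "__main__":
    problems = audit_ssh_hardening()
    print("OK: key-only ssh is in place" if not problems else "\n".join(problems))
```

Run it as root on the box after the post's commands and again after editing /etc/default/dropbear; an empty result means a password-less telnet or ftp exposure is no longer needed for shell access. The 700/600 modes are the post's values, which are stricter than what dropbear itself refuses (group/world-writable key locations), so a finding here means "not what the post set up", not necessarily "dropbear will reject the key".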

  7. #20

    Title
    Senior Member
    Join Date
    Sep 2013
    Posts
    622
    Thanks
    202
    Thanked 65 Times in 54 Posts
    Thanks for the informative post.


    Sent from my iPhone using Tapatalk

  8. #21

    Title
    Senior Member
    Join Date
    Nov 2011
    Posts
    245
    Thanks
    98
    Thanked 43 Times in 32 Posts
    Bumping an old thread, but is there any way to add another subnet? I live in another country to my parents and have a site-to-site VPN running between our houses and want to go back to streaming the box over it. Is there any way I can just add my subnet to an allowed list somewhere?

  9. #22
    SpaceRat's Avatar
    Title
    Senior Member
    Join Date
    Apr 2015
    Posts
    206
    Thanks
    25
    Thanked 79 Times in 52 Posts
    There is no such thing as an "allow" or "deny" list.
    But you can go to Extensions -> OpenWebif and set "Allow access from VPNs" to "Yes".
    That will allow access from all private addresses instead of only the same subnet.

    Sent from my Siemens C25 using Tapatalk

  10. #23
    SpaceRat's Avatar
    Title
    Senior Member
    Join Date
    Apr 2015
    Posts
    206
    Thanks
    25
    Thanked 79 Times in 52 Posts
    A bit more detail about the behaviour:

    Scenario:
    Box has IPv4 192.168.178.25/24 (that means IPv4 192.168.178.25 inside a /24 subnet, which equals network 192.168.178.0 with a 255.255.255.0 netmask).
    You also have a guest WLAN/LAN running with network 192.168.180.0/24 and a remote LAN with network 192.168.1.0/24 connected through a VPN.

    Box also has IPv6 2001:db8:affe:1:0212:34ff:fe56:789a/64

    Default behaviour ("Access from VPNs allowed" = no):
    Even with auth disabled, OWIF will accept connections from the box's own networks 192.168.178.0/24 and 2001:db8:affe:1::/64, but not from any other network.

    Behaviour with "Access from VPNs allowed" = yes:
    Even with auth disabled, OWIF will accept connections from all private address space, meaning
    192.168/16
    172.16/12
    10/8
    fc00::/7
    This includes, but is not limited to, the network 192.168.178.0/24. It also includes your VPN-connected remote LAN 192.168.1.0/24, but also the guest (W)LAN 192.168.180.0/24, as they are both in private IPv4 address space from 192.168/16.
    It also includes connections from the same subnet, in this case 2001:db8:affe:1::/64, plus all IPv6 private space (ULA) from fc00::/7.

    With auth, access is possible from everywhere (once allowed in your router/firewall), but it is strongly discouraged to use it for direct external access, even with auth.
    Passwords for HTTP are sent in plain text (unencrypted) and can be recorded by anyone in the same network (connected to the same WiFi hotspot, for example).

    OWIF only enforces the bare minimum "protection"; it is still mostly optimized for convenience, or rather laziness.

    Keep in mind that OWIF without auth can already be used to bypass the pin protection on XXX channels through streaming, or to gain full control - incl. reading that PIN - by injecting new IPK packages through OWIF's package manager.

    Please think twice if it's really too much to ask to set a password for user root, or better, create a new user on the box and enable auth.
    I really don't get the problem that many users appear to have with it; I have done it from day one with an E2 box, as having a Linux system without a password set simply feels wrong.

  11. The Following 5 Users Say Thank You to SpaceRat For This Useful Post:

    Alankellyeire (08-05-17),Bangord30 (25-01-17),ghostivv (29-01-17),Silent (21-01-17),Valiant (20-01-17)
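A reference model of the source-address behaviour SpaceRat lays out above, which also answers the question in #21 about which subnets get in. This is an added example, not OpenWebif's own code: it reproduces the two behaviours the post describes (connections accepted only from the box's own subnets, or from those subnets plus all private address space when "Allow access from VPNs" = yes) so you can see which client addresses a box with auth disabled would accept before flipping the setting. The box addresses and the networks are the post's sample scenario; the client addresses are constructed, and the function names are this example's.

```python
"""Model of OWIF's source-address acceptance as described in the post (added example)."""
import ipaddress
from typing import Iterable, List

# Private address space the post lists for "Allow access from VPNs" = yes.
PRIVATE_SPACE = [
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168/16
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16/12
    ipaddress.ip_network("10.0.0.0/8"),      # 10/8
    ipaddress.ip_network("fc00::/7"),        # IPv6 ULA
]

# The box's own interface addresses from the post's scenario (with prefix length).
BOX_INTERFACES = [
    "192.168.178.25/24",
    "2001:db8:affe:1:0212:34ff:fe56:789a/64",
]

# Constructed sample clients: one from each network the post mentions, plus a
# public address and a neighbouring (non-ULA) IPv6 /64 the post does not cover.
SAMPLE_CLIENTS = {
    "192.168.178.40": "same LAN as the box",
    "192.168.1.10": "remote LAN over the site-to-site VPN",
    "192.168.180.7": "guest (W)LAN",
    "10.8.0.5": "other private space (e.g. a road-warrior VPN pool)",
    "203.0.113.9": "public internet",
    "2001:db8:affe:1::5": "same IPv6 /64 as the box",
    "2001:db8:affe:2::5": "another IPv6 /64 on the same site",
    "fd00:1234::1": "IPv6 ULA",
}


def own_networks(interfaces: Iterable[str]) -> list:
    """Networks the box is directly attached to, derived from its interface addresses."""
    return [ipaddress.ip_interface(a).network for a in interfaces]


def is_allowed(client: str, interfaces: Iterable[str] = BOX_INTERFACES,
               allow_vpn: bool = False) -> bool:
    """True if OWIF with auth disabled would accept a connection from `client`.

    Default: only the box's own IPv4 and IPv6 subnets.
    allow_vpn: additionally every network in PRIVATE_SPACE (the post's list).
    An IPv4 address is never "in" an IPv6 network and vice versa, so mixed
    versions simply fail the membership test.
    """
    addr = ipaddress.ip_address(client)
    nets = own_networks(interfaces) + (PRIVATE_SPACE if allow_vpn else [])
    return any(addr in net for net in nets)


def accepted(clients: Iterable[str], interfaces: Iterable[str] = BOX_INTERFACES,
             allow_vpn: bool = False) -> List[str]:
    """Subset of `clients` that would get in under the given setting."""
    return [c for c in clients if is_allowed(c, interfaces, allow_vpn)]


def newly_exposed_by_vpn_setting(clients: Iterable[str],
                                 interfaces: Iterable[str] = BOX_INTERFACES) -> List[str]:
    """Clients the VPN setting admits that the default rejects: the post's point
    that the guest WLAN and any other private range get in along with the VPN LAN."""
    return [c for c in accepted(clients, interfaces, True)
            if not is_allowed(c, interfaces, False)]


if __name__ == "__main__":
    for allow_vpn in (False, True):
        print(f'"Allow access from VPNs" = {"yes" if allow_vpn else "no"}:')
        for c, role in SAMPLE_CLIENTS.items():
            verdict = "accept" if is_allowed(c, BOX_INTERFACES, allow_vpn) else "reject"
            print(f"  {verdict:7} {c:22} ({role})")
    print("Newly exposed by the VPN setting:", newly_exposed_by_vpn_setting(SAMPLE_CLIENTS))
```

The output shows the trade-off the post warns about: the VPN setting is a single switch for all private space, so a guest WLAN or any device on a road-warrior VPN pool gets the same unauthenticated access as the VPN-connected remote LAN; auth on OWIF is what limits that.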

  12. #24

    Title
    Senior Member
    Join Date
    Nov 2011
    Posts
    245
    Thanks
    98
    Thanked 43 Times in 32 Posts
    Forgot to reply here to say thank you! I manually edited the file to enable VPNs so I could do it remotely and can now access it fine.

