[mythtv-users] Securing Mythweb?

Nate Bargmann n0nb at n0nb.us
Mon Sep 18 10:32:10 UTC 2017


* On 2017 18 Sep 04:42 -0500, Jim Abernathy wrote:
> When I’m away, the port forwarding is turned on for the Mythtv backend and all other computers on the network are powered down.

What I do is have SSH set up for private key authentication only (no
root login permitted).  Out of necessity since the ISP blocks incoming
access to port 22, I map some high port above 1024 coming from the ISP
in my OpenWRT router to port 22 to the IP of my MythTV box.  Once that
is functional and you can log in remotely and get a shell prompt from
your laptop or whatever, move on to the next step.

I find it very useful to maintain a "hostname" for SSH in the
~/.ssh/config file for each machine I log into.  Each entry looks
something like this:

Host video
     HostName 1.2.3.4
     Port 4022
     user username
     IdentityFile /home/user/.ssh/id_video


The next step is to create an SSH tunnel (I also set this up as a Bash
alias so I wouldn't forget):

      ssh -f video -L 2280:localhost:80 -N

Note that 'video' is parsed by SSH and it looks for a matching entry in the
aforementioned config file.

Executing the alias brings up the tunnel and then from a browser all I
need to do is open 'localhost:2280/mythweb/' to access my MythTV Web
server.

The advantage is that everything goes through the SSH tunnel and is
authenticated and encrypted, with many fewer headaches than trying to
secure Apache and access to mythweb directly.  On my MythTV box I have
the firewall set up to only allow port 80 access from my LAN but SSH
access from anywhere.

HTH,

- Nate

-- 

"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us
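
Added example, not part of the original message: a shell function that checks an sshd_config file for the server-side setup described above (key authentication only, no root login). The function name and the sample input are constructed for illustration; it reads only the global section of the file, so on a live server `sshd -T` is the way to see the effective values.

```shell
# audit_sshd_config [FILE]: check the global section of an sshd_config for
# key-only authentication and no root login (reads stdin without FILE).
# Prints one FAIL line per problem; exit status 0 means every check passed.
audit_sshd_config() {
    awk '
    function check(k, want, label) {
        if (val[k] != want) {
            printf "FAIL %s is %s, want %s\n", label, val[k], want
            bad = 1
        }
    }
    BEGIN {
        bad = 0
        # OpenSSH defaults, used when the file does not set the keyword
        val["passwordauthentication"] = "yes"
        val["kbdinteractiveauthentication"] = "yes"
        val["pubkeyauthentication"] = "yes"
        val["permitrootlogin"] = "prohibit-password"
    }
    /^[ \t]*(#|$)/ { next }                    # comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        split(line, f, /[ \t=]+/)              # "Key value" or "Key=value"
        key = tolower(f[1])
        if (key == "match") exit               # conditional blocks are not evaluated
        if (key == "challengeresponseauthentication")
            key = "kbdinteractiveauthentication"   # older name, same option
        # sshd uses the first value it reads for a keyword; later ones are ignored
        if ((key in val) && !(key in seen)) {
            val[key] = tolower(f[2]); seen[key] = 1
        }
    }
    END {
        check("passwordauthentication", "no", "PasswordAuthentication")
        check("kbdinteractiveauthentication", "no", "KbdInteractiveAuthentication")
        check("pubkeyauthentication", "yes", "PubkeyAuthentication")
        check("permitrootlogin", "no", "PermitRootLogin")
        exit bad
    }' "${1:--}"
}

# Constructed sample: passwords are off, but PermitRootLogin is left at its
# default, which still lets root log in with a key.
audit_sshd_config <<'EOF' || echo "sshd_config does not match the setup described"
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
```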