[mythtv-users] Securing Mythweb?

Jim Abernathy jfabernathy at outlook.com
Fri Sep 15 11:03:33 UTC 2017



On 09/14/2017 10:14 PM, Hika van den Hoven wrote:
> Hi Jim,
>
> Friday, September 15, 2017, 12:07:05 AM, you wrote:
>
>
>
>> On 09/14/2017 01:56 PM, Peter Bennett wrote:
>>>
>>> On 09/14/2017 10:19 AM, Jim Abernathy wrote:
>>>> I notice that the header on the wiki about Securing Mythweb is tagged
>>>> as outdated.
>>>>
>>>> https://www.mythtv.org/wiki/Securing_MythWeb
>>>>
>>>> Are there some easy instructions for putting a strong password on my
>>>> mythtv system so I can set up programs to record while away from home?
>>>>
>>>> I can set my port forwarding in my DSL box so I can get to Mythweb
>>>> when away from home, but it goes straight to the mythweb page.  I
>>>> need to protect it.  When I’m gone from home all computers on the LAN
>>>> are turned off except for the mythtv box. So I just need to protect
>>>> my mythtv recordings and setup.  Once I get back home, I stop the
>>>> port forwarding.  I only do this once or twice a year and it’s only
>>>> open for a few weeks at a time.  So I don’t really want to install a
>>>> VPN, etc.  I figure I can have a really good password to protect
>>>> mythweb at least for the short period I’m gone.
>>>>
>>>> Ideas? I need to do this rather quickly, thus the avoidance of VPN
>>>>
>>>> Jim A
>>>>
>>>>
>>> What I do is set up xrdp on my home system. This lets you login like
>>> "Remote desktop" on windows. You can log in from windows machines
>>> remote desktop or from linux using Remmina. I open the remote desktop
>>> port and once logged in I can run a browser, run mythfrontend, etc. It
>>> gives more control over the system.
>>>
>>> Note I use xubuntu with xfce window manager on the backend. Other
>>> window managers such as unity do not work with this (at least last
>>> time I tried).
>>>
>>> Another option is to open a ssh port, then you can do port forwarding
>>> of the browser. This works:
>>>
>>> ssh -p 10022 -L 10080:serenity:80 -C peter@xxx.xxx.xxx.xxx
>>>
>>> assuming port 10022 is the external port that maps to the ssh port 22,
>>> serenity is the name of your backend, peter is your user id and
>>> xxx.xxx.xxx.xxx is your external ip address.
>>>
>>> Then just use url http://localhost:10080/mythweb in the browser on the
>>> remote machine after connecting with ssh.
>>>
>>> I think these methods are safer than putting an http password because
>>> to be secure over http you really need ssl and that is painful to set
>>> up. Remote desktop and ssh are already secure and require your Linux
>>> password.
>>>
>>> Also it is recommended not to use the standard port numbers when
>>> exposing remote desktop, ssh or http.
>>>
>>> Peter
>> I'll play with this, but I may have to set ssh permissions or turn on
>> features.  I have the default ssh.  I also am running mythbuntu 16.04,
>> so I think that is xubuntu and xfce or close to.
>> Thanks,
>> Jim A
> The only way to create a relatively secure access is tunneling or vpn.
> Create a tunnel from your laptop to your network.
> I have one both from my laptop and my android device. As far as those
> devices know they are inside my network and unless someone grabs my
> key...
> This way you can do anything from your vpn connected device without
> the application being any the wiser.
> Besides that I have set up mythweb with ssl and passwords through ldap
>
> Until next mail,
>    Hika                            mailto:hikavdh at gmail.com
>
> "Without hope you cannot live
> Without life there is no hope
> The eternal dilemma
> Especially when you must destroy hope in order to survive!"
>
> The Learning Human

I would love to have the VPN setup, but as I investigate it's a 50-step
process that requires some expertise that I don't have.
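Added example, not part of the thread: a check to run on the backend before forwarding an external port such as 10022 to its ssh port, covering the settings that matter for the `-L 10080:serenity:80` tunnel described above. It reads the "keyword value" format that `sshd -T` prints; the function name `audit_sshd` and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample standing in for `sudo sshd -T` on a default install.
SAMPLE_DEFAULT='port 22
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes
allowtcpforwarding yes
permitopen any
x11forwarding yes'

# Constructed sample: key-only logins, forwarding limited to MythWeb.
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
allowtcpforwarding local
permitopen serenity:80
x11forwarding no'

# audit_sshd: reads effective sshd settings on stdin and prints one line
# per finding. No output means nothing was flagged.
audit_sshd() {
    awk '
    { v[tolower($1)] = tolower($2) }
    END {
        if (v["passwordauthentication"] != "no")
            print "WARN passwordauthentication: password logins reachable from the internet; use keys"
        if (v["permitrootlogin"] != "no")
            print "WARN permitrootlogin: root can log in through the forwarded port"
        f = v["allowtcpforwarding"]
        if (f == "no" || f == "remote")
            print "FAIL allowtcpforwarding=" f ": the -L 10080:serenity:80 tunnel will be refused"
        else if (f != "local")
            print "WARN allowtcpforwarding: only local (-L) forwarding is needed"
        if (v["permitopen"] == "any" || v["permitopen"] == "")
            print "WARN permitopen: tunnel may reach any LAN host and port; limit to serenity:80"
        if (v["x11forwarding"] != "no")
            print "WARN x11forwarding: not needed for the MythWeb tunnel"
    }'
}

# Stand-alone run against the constructed default sample.
# On a real backend: sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_DEFAULT" | audit_sshd
```
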