
Security breach

<<

kire

Streaming enthusiast

Posts: 21

Joined: Mon May 25, 2015 12:00 pm

Post Sun Jul 26, 2015 8:51 pm

Security breach

Hi,

I have Serviio running the mediabrowser at a remote dedicated server (not local) at port 23424 (all other ports that Serviio listens to are configured to be closed off by the firewall),
yet I'm able to establish a connection to my dedicated server using the ServiiWP Windows Phone application and control this Serviio server without entering any authorization password which I have set up for the mediabrowser! This means that everyone who knows my remote server IP could just mess up my Serviio settings and toggle it on and off without any authorization!! This can't be right?!

How can I turn this off? I just want to stream my video content through the mediabrowser - I do not want my Serviio server to be controllable through the World Wide Web!

Thank you very much!
<<

Kain0x

Serviio newbie

Posts: 1

Joined: Sun Jul 26, 2015 9:20 pm

Post Sun Jul 26, 2015 9:23 pm

Re: Security breach

That's a good question!
My solution is to block the port 23423 on my dedibox, but it is not a very good solution.
<<

zip


Serviio developer / Site Admin

Posts: 17215

Joined: Sat Oct 24, 2009 12:24 pm

Location: London, UK

Post Mon Jul 27, 2015 12:53 pm

Re: Security breach

Yes, close 23434 on the firewall to disable devices connecting to the box.
<<

atc98092


DLNA master

Posts: 5432

Joined: Fri Aug 17, 2012 10:22 pm

Location: Washington (the state)

Post Mon Jul 27, 2015 1:11 pm

Re: Security breach

You might use a different port on the firewall, and forward it to the Serviio server at the correct 23424. That way just knowing the IP address wouldn't be enough for someone to connect. They'd also have to know the port you are using.

Zip, if he closes 23424 (without using some other port with a redirect) there's no way to access MediaBrowser, is there?
Dan

LG NANO85 4K TV, Samsung JU7100 4K TV, Sony BDP-S3500, Sharp 4K Roku TV, Insignia Roku TV, Roku Ultra, Premiere and Stick, Nvidia Shield, Yamaha RX-V583 AVR.
Primary server: AMD Ryzen 5 5600GT, 32 gig ram, Windows 11 Pro, 22 TB hard drive space | Test server: Intel i5-6400, 16 gig ram, Windows 10 Pro

HOWTO: Enable debug logging HOWTO: Identify media file contents
<<

kire

Streaming enthusiast

Posts: 21

Joined: Mon May 25, 2015 12:00 pm

Post Mon Jul 27, 2015 1:29 pm

Re: Security breach

Thanks for the fast feedback guys! But I see people throwing in multiple different port numbers while my server's firewall only is configured to accept incoming connections from port 23424 (mediabrowser)
BUT at the same time I see that the ServiiWP app uses port 23423 to control my server, which cannot be the case because I only allowed 23424 in my server's firewall, every other port should be refusing the connections!!

I will have to confirm if my firewall is doing its job like it should because I start to doubt that now, it might be an error on my end.

Firewall config: http://puu.sh/jeIzw/54290b8f2d.png
<<

DenyAll

DLNA master

Posts: 2257

Joined: Fri Mar 08, 2013 11:16 pm

Location: Adelaide, Australia

Post Wed Jul 29, 2015 2:01 am

Re: Security breach

The firewall you show is Windows Application firewall. It should have one entry for Serviio Console and two for Serviio Server. This is not where you should be looking....

Before discussing can I establish a few things:

  • When you were using your ServiiWP Windows application, was the phone connected to your internal WiFi network (most people set up their phone to use WiFi when in range, and 3G/4G when not)? If so, this is how it is meant to work - the ServiiWP app will then let you control Serviio from the comfort of your lounge. It's not a security breach as you are on your internal LAN (even if you use your external address most routers are smart enough to route the data purely within your network);
  • Have you checked ports 23423 and 23424 using a port checker - e.g. http://www.yougetsignal.com/tools/open-ports/? If you are set up correctly, then port 23423 should be closed and port 23424 should be open.
If the port checker tells you that port 23423 is open, you need to check your port forwarding settings in your router, not the Windows Firewall. It is these settings that control access from the big, bad internet.

How to do this depends on your router, for which you may need to check the manual or trawl the web - but you need to confirm three things:

  • That you do not have a port forwarding for port 23423
  • That your router is not in DMZ mode
  • If the above two check out, then try disabling UPnP and test - if this is happening though it would point to some other issues, so come back to us.
DenyAll
Panasonic Viera FX800A | Panasonic Viera CS610A | Sony PS4 | Sony PS3 | Panasonic DMP-BD79 | Yamaha RX-V500D | iPad | Windows 10 | Serviio 1.10.1 Pro
WinHelper | MediaInfo

Beta Tester, Moderator
Please do not PM me for support as any solution cannot be shared with others.
<<

kire

Streaming enthusiast

Posts: 21

Joined: Mon May 25, 2015 12:00 pm

Post Wed Jul 29, 2015 11:09 am

Re: Security breach

I just found the problem. Apparently the Serviio server software automatically added 3 rules to the Windows Firewall on installation? There were 3 Serviio firewall rules that allowed Serviio to broadcast on all ports - those rules I never added to the firewall myself.

After removing those 3 firewall rules that were automatically added by the Serviio server software(?) and only allowing port 23424, the ServiiWP application could not connect to my remote dedicated server anymore to control it and I could still use the Mediabrowser without problems.

So maybe it would be a good feature request that Serviio let the user know upon installation that it will automatically add rules to the Windows Firewall, to prevent future confusion like this!

Thanks.
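
The audit described in the post above, as an added example that is not part of the original thread and not Serviio's own tooling: it lists enabled inbound allow rules in Windows Firewall that match Serviio and flags any that are not limited to port 23424. It assumes the installer-created rules can be recognised by "Serviio" in the rule name or program path and that the MediaBrowser port is TCP; the new rule's display name is made up for illustration.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Assumption: Serviio rules are identifiable by "Serviio" in name or program path.
$mediaBrowserPort = '23424'   # the only port the thread wants reachable

$findings = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        if ($rule.DisplayName -match 'Serviio' -or $app.Program -match 'Serviio') {
            $localPorts = $port.LocalPort -join ','
            [pscustomobject]@{
                Name        = $rule.Name
                DisplayName = $rule.DisplayName
                Program     = $app.Program
                Protocol    = $port.Protocol
                LocalPort   = $localPorts          # "Any" means every port
                Profile     = $rule.Profile
                # Program-scoped rules with LocalPort "Any" also expose 23423
                TooBroad    = ($localPorts -ne $mediaBrowserPort)
            }
        }
    }

$findings | Format-Table -AutoSize

# Dry run: show which rules would be disabled. Remove -WhatIf to apply.
$findings | Where-Object TooBroad | ForEach-Object {
    Disable-NetFirewallRule -Name $_.Name -WhatIf
}

# Dry run: replacement rule scoped to the MediaBrowser port only.
New-NetFirewallRule -DisplayName 'Serviio MediaBrowser only (example)' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $mediaBrowserPort -WhatIf
```

After applying the changes, confirm from a machine outside the server's network that 23424 answers and 23423 does not, since a local check does not pass through the firewall the same way.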
<<

kire

Streaming enthusiast

Posts: 21

Joined: Mon May 25, 2015 12:00 pm

Post Wed Jul 29, 2015 11:20 am

Re: Security breach

DenyAll wrote: It's not a security breach as you are on your internal LAN


That's the thing, the media server is located at http://www.worldstream.nl - not at my local LAN network. I noticed that multiple DLNA Master+ titled members on this forum confuse WAN with LAN as if they never heard of dedicated server renting.
Please do not assume that everyone is running servers only at local networks.

After having said that I still am thankful for the advice you provided - it would've been useful for people who run their servers locally.

Thanks.
<<

DenyAll

DLNA master

Posts: 2257

Joined: Fri Mar 08, 2013 11:16 pm

Location: Adelaide, Australia

Post Wed Jul 29, 2015 11:48 am

Re: Security breach

No, not confused, I just didn't pick up on the fact that you were running a remote server. I am a telecommunications engineer by trade, so know a little bit more than the average joe about WANs and LANs, hosted environments and security architectures ;) - it's simply that I should have read the OP more thoroughly.

The general principles within my post however still stand. It is the role of the router (or dedicated hardware firewall in a business environment) to protect your server from the Internet - in your case this should be undertaken by your service provider. Relying on an application firewall, particularly one as weak as Windows Firewall, for this functionality is not good practice.
DenyAll
