Console security risk

<<

bharath026

Serviio newbie

Posts: 3

Joined: Wed Jun 09, 2021 11:56 pm

Post Tue May 09, 2023 1:46 pm

Console security risk

For the console I connect to [domainname:23423/console]. This is apparently open to the world to access. I have a User account specified for Mediabrowser access that challenges the user with name and password.

Is there any way to restrict the console to a specified user name and password?

Thanks for any assistance.
<<

atc98092

DLNA master

Posts: 5475

Joined: Fri Aug 17, 2012 10:22 pm

Location: Washington (the state)

Post Wed May 10, 2023 12:07 am

Re: Console security risk

No, at this time there is no security on the console. However, it is not open to the Internet. It can only be accessed from the Internet if you've configured port forwarding for 23423 in your router/firewall to reach your Serviio machine. And there's really no need to do so, since you only need to make configuration changes while you're located at home. I strongly suggest you never port forward the console port.
Dan

LG NANO85 4K TV, Samsung JU7100 4K TV, Sony BDP-S3500, Sharp 4K Roku TV, Insignia Roku TV, Roku Ultra, Premiere and Stick, Nvidia Shield, Yamaha RX-V583 AVR.
Primary server: AMD Ryzen 5 5600GT, 32 gig ram, Windows 11 Pro, 22 TB hard drive space | Test server: Intel i5-6400, 16 gig ram, Windows 10 Pro

HOWTO: Enable debug logging HOWTO: Identify media file contents
<<

Shangri La

Serviio newbie

Posts: 3

Joined: Sun Jan 11, 2026 12:21 pm

Post Sun Jan 11, 2026 12:41 pm

Re: Console security risk

I'd like to request a feature to restrict console access to the local host machine. Maybe that would be easier than adding account/password security to the console? I found several other requests for console security in the forum, so this seems like a common concern.

The fact that the console is not open to the whole world if you don't forward the ports isn't sufficient. Most people don't want their children, roommates, visitors, etc., to be able to access the console. Also, if you're running it from your laptop and you go out and use a public network, you don't want random strangers being able to browse and access your filesystem. I have a Mac, and there's no way with the standard firewall to block port 23423 but leave open the other ports needed for DLNA. Disabling remote admin should be a basic feature of any server. Thanks for considering it.
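One way to check the exposure discussed in this thread, as an added example that is not part of any post and is not Serviio code: the Python sketch below reads `netstat -an` output and reports whether the listener on console port 23423 is bound to loopback only or is reachable from other hosts on the network. The sample netstat lines and all function names are constructed for illustration, and it assumes the plain `netstat -an` column layout of macOS, Linux and Windows.

```python
import ipaddress
import re

CONSOLE_PORT = 23423  # console port named in the thread

def _is_loopback(host):
    """True only for 127.0.0.0/8, ::1 or 'localhost'; wildcards are not loopback."""
    host = host.strip("[]").split("%")[0]        # drop IPv6 brackets and scope id
    if host in ("", "*", "::", "0.0.0.0"):       # wildcard bind = every interface
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def console_listeners(netstat_text, port=CONSOLE_PORT):
    """Return [(local_address, 'loopback-only' | 'exposed')] for TCP listeners on port."""
    found = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].lower().startswith("tcp"):
            continue
        if cols[-1].upper() not in ("LISTEN", "LISTENING"):
            continue
        local = cols[-3]                          # local-address column in `netstat -an`
        m = re.match(r"(.*)[.:](\d+)$", local)    # macOS uses '.', Linux/Windows ':'
        if m and int(m.group(2)) == port:
            state = "loopback-only" if _is_loopback(m.group(1)) else "exposed"
            found.append((local, state))
    return found

def verdict(netstat_text, port=CONSOLE_PORT):
    """Summarise: 'not-listening', 'loopback-only', or 'exposed' if any bind is wider."""
    states = {s for _, s in console_listeners(netstat_text, port)}
    if not states:
        return "not-listening"
    return "exposed" if "exposed" in states else "loopback-only"

# Constructed sample output, not captured from a real Serviio host.
SAMPLE_MACOS = """\
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp46      0      0  *.23423                *.*                    LISTEN
"""
SAMPLE_WINDOWS = """\
  TCP    127.0.0.1:23423        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for name, text in (("macOS", SAMPLE_MACOS), ("Windows", SAMPLE_WINDOWS)):
        print(name, verdict(text), console_listeners(text))
```

An "exposed" result means the port answers on a non-loopback address, so access has to be limited by a host or network firewall rule.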
<<

atc98092

DLNA master

Posts: 5475

Joined: Fri Aug 17, 2012 10:22 pm

Location: Washington (the state)

Post Sun Jan 11, 2026 9:08 pm

Re: Console security risk

Shangri La wrote: Also, if you're running it from your laptop and you go out and use a public network, you don't want random strangers being able to browse and access your filesystem.


In literally every public WiFi network a security function blocks connected devices from accessing any other connected device, so someone else on the network cannot see your computer, let alone browse it. Even if they could connect to your console they would only be able to view your filesystem folder names. No file names can be seen, and no file can be accessed through the console. I understand your concern but this specific issue isn't possible.
Dan

<<

Shangri La

Serviio newbie

Posts: 3

Joined: Sun Jan 11, 2026 12:21 pm

Post Mon Jan 12, 2026 10:05 am

Re: Console security risk

I'm sorry, but that's simply not true. While it's very common to have client isolation, it can't be assumed. Even if the wireless access point has a function for that, it's not always configured that way. Where I live at least, there are many small cafés, a library, and other places where you see a list of other people's computers with their Windows file sharing names. Any guide to how to stay safe on public WiFi mentions turning off your file sharing. I don't know how it is with Serviio on Windows, but on a Mac, that involves entering "sudo" commands in the terminal, which is not very convenient. And it doesn't help in situations where you do want to share media, but not allow access to the console.

It's true that someone can only view folder names from the console. But from there, they can turn on DLNA sharing for your whole computer, and that way browse and view all your personal photos or other media. Whether that's a stranger in a café with a poorly configured router, or people you know in your home, work, or student dorm, where client isolation is typically off, it's a serious issue. Finding your intimate photos spread around your office or school, or to your children, or on social media, is not something anyone should experience.

There are posts in the forum expressing concern about the lack of security on the console, going back years. I noticed that you've often downplayed the risk, saying it's "Not really a security danger", or noting that as long as you don't have port forwarding, nobody from outside the local network can access it. The latter is true, but the former assumes that there's no problem with anyone on the local network having full access to the console, and that's not the case in many common situations. A completely unsecured admin console allowing anyone on the local network to get media file sharing access to your entire computer is a real privacy and security risk. All other media servers I know of at least offer password security for the admin console. It would be helpful if you could provide a good solution for this, either with a password or an option to restrict console access to the local host.
<<

atc98092

DLNA master

Posts: 5475

Joined: Fri Aug 17, 2012 10:22 pm

Location: Washington (the state)

Post Mon Jan 12, 2026 5:24 pm

Re: Console security risk

Shangri La wrote: I'm sorry, but that's simply not true. While it's very common to have client isolation, it can't be assumed. Even if the wireless access point has a function for that, it's not always configured that way. Where I live at least, there are many small cafés, a library, and other places where you see a list of other people's computers with their Windows file sharing names. Any guide to how to stay safe on public WiFi mentions turning off your file sharing. I don't know how it is with Serviio on Windows, but on a Mac, that involves entering "sudo" commands in the terminal, which is not very convenient.

In Windows any new WiFi connection is first set as Public, which disables file sharing and enables higher firewall restrictions. The user must actively enable file sharing or change the connection to Private. I guess I don't use public WiFi that often with a computer, usually only at hotels, and device isolation is always enabled at those locations.

I understand your concerns, but I personally don't think it's as common as you feel. But that's OK, you take the steps for protection you feel you need. As to adding a login for the console, since I'm not the Serviio developer I don't know how easy/hard it would be to implement. I know it's been asked for before, but I just searched the Serviio Bitbucket site and can't find any official request for it. You might get the developer's attention if you create a ticket there.

https://bitbucket.org/xnejp03/serviio/issues
Dan

<<

Shangri La

Serviio newbie

Posts: 3

Joined: Sun Jan 11, 2026 12:21 pm

Post Mon Jan 12, 2026 7:05 pm

Re: Console security risk

Ok. What's the point of having a "Feature requests" forum if the developer doesn't pay attention to it? I am taking steps for protection, one of which is to suggest that you fix what seems to me to be a significant privacy/security issue with your product, that no other media server I know of has. I've been evaluating and testing different ones lately to decide which one to use.

Does Windows automatically block Serviio when it joins a public network? If so, that's a nice feature, too bad the Mac doesn't have it. A Mac on a network without peer isolation would have the console accessible to anyone on the network, unless you manually change the firewall settings or disable the server in the Terminal.

I agree that it's not all that common to have public networks without client isolation, but it's not at all true that it "isn't possible" as you replied. I can tell you for certain that there are some hotspots in my area that are like that. Mostly they're small restaurants where the owner has set up the router the same way they have it at home. One of them told me that they had discovered that a neighbor had got on the WiFi and was trying to hack people. It might not happen often, but it happens.

What is common though, in my opinion, are situations where people may want to share media with children, schoolmates, roommates, guests, etc., but don't want those people being able to look through all their private photos. It would be nice if you could trust everyone, but you can't.

If you want to tell the developer about it, you can - I'm going to move on now. Thanks for your time.
<<

atc98092

DLNA master

Posts: 5475

Joined: Fri Aug 17, 2012 10:22 pm

Location: Washington (the state)

Post Mon Jan 12, 2026 7:19 pm

Re: Console security risk

Shangri La wrote:
Does Windows automatically block Serviio when it joins a public network? If so, that's a nice feature, too bad the Mac doesn't have it. A Mac on a network without peer isolation would have the console accessible to anyone on the network, unless you manually change the firewall settings or disable the server in the Terminal.



I'm just a Serviio user like yourself. Zip asked me if I would act as a moderator here, and that's the limit of my connection with it. Yes, when a Windows network connection is set as Public, DLNA is blocked, along with any other file sharing. I'm a bit surprised to hear the Mac doesn't do anything like that. My Serviio computers are all desktop PCs, so no traveling around with them. Sorry I can't help further. Zip does monitor this forum for suggestions, but he's a one-man show and isn't on here daily.
Dan
