Jump to content

By Pass Logn


Michaelv

Recommended Posts

Posted

Most browsers can cache / store the first user/pass combo (I use IE, Firefox, and Opera and they all work); but the admin one is Java and the only way I found in the past (with other Java stuff) was to use an external program to keystroke it in.

Posted

This topic is often discussed among the programmers. It has been decided that there will never be non-password access. As gregoryx stated most browsers can store your name/password and as such access to lights and scenes and (optionally) programs is available from computers you trust.

 

You will still need to enter your username/password when accessing the Administrative Console.

 

Right now you can make the name and password as simple as you like but the fields cannot be empty.

 

File_Menu#Set_Userid&Password

 

Rand

Posted

Don't think for a minute that someone, sometime might hit your router. I surely wouldn't want univited guests on somethingthis important. Maybe even the ISP provider!

 

aLf

Posted

... which implies that you have your ISY on a public IP address (probably not) or have a one-to-one NAT drilled to the ISY's private address through your router or firewall or whatever you want to call it.

 

Just FTR, having an unsecured device with private IP addresses is not exposing it to the world.

 

Oh... or that you don't HAVE a router / firewall in your control... in which case, this should be the least of your concerns.

Posted

The Media Center Plugin they released this week doesn't require a unsername or password, maybe that would work for you if you have MC?

http://forum.universal-devices.com/viewforum.php?f=16

 

You can skip 2 of the 4 "admins" by loging into the admin console directly, rather than going to "My Lighting" first. Either use UD's link to your ISY, or if you know your ISY IP address, just add "/admin" to it:

http://www.universal-devices.com/99i/

http://xxx.xxx.xxx.xxx/admin

Posted

gregory:

 

Could you elaborate on your comments for a not-so-savvy ISYer like myself. Maybe a quick tutorial on the "best & safest" way to set-uo the ISY (and other internet stuff like cameras) would be beneficial to me.

 

aLf

Posted
gregory:

 

Could you elaborate on your comments for a not-so-savvy ISYer like myself. Maybe a quick tutorial on the "best & safest" way to set-uo the ISY (and other internet stuff like cameras) would be beneficial to me.

 

aLf

 

This smells a little like an argument and I definitely don't want to be in the middle of that. javascript:emoticon(':P')

 

That said maybe I can clear up one concept. If you have a high speed internet connection you have a cable modem or DSL router (loosely named but generally accepted) and that device gets 1 IP address assigned to it. You can see this by hitting one of the many web sites that will identify this for you, the first one google found was http://whatismyipaddress.com/ Hit that address from multiple computers on your home network and you will see the same address. This is your public IP address. Each device on your network has a private ip address, to see your private IP address, the one your home network knows about but nobody on the internet knows about, or can get directly to, you can do something "ipconfig /all" in windows.

 

Note, IP addresses are generally either static or dynamic. A static IP address is one that you set up and it never changes, a dynamic one is usually controlled by DHCP, which is a service that dynamically assigns IP addresses as requested. This is common and is a service that could run in multiple places, maybe a server at your ISP to assign your public IP address and maybe a device on your home network to assign your private IP address, such as the device described in the next paragraph.

 

Many people use a "wireless router" or similar device to allow them to connect more than one device to their high speed internet connection. It uses a technology called NAT (Network Address Translation) to do this. It makes all traffic to the internet appear to come from the wireless router (the 1 public IP address you have is associated with it) and then the router handles sending replies back to the proper machine on your internal network.

 

Now lets say a connection comes from the internet to your router via your public IP address. It has no idea where to send it (keep in mind all of your email, web, etc are initiated from a machine inside the network, not from the internet) so by default it just drops it. Let's say you have a web server inside your network that you want to be able to connect to from the internet. You configure your router to pass traffic on port 80 and 443 to the private IP address inside your network. If you do not set that up, commonly called port forwarding, then the router doesn't know where to send the inbound traffic and it drops.

 

This means that a random device behind your router/firewall is not directly accessible from the internet, the router wouldn't know which device the connection is intended for.

 

Some devices will actually interact with your router to set up port forwarding, a slingbox for instance does this very well, but it's something that you need to initiate, usually from the device management interface.

 

That was a pretty generic description but hopefully it helps someone understand the topic a little better. If you are a highly technical person and in the mood to argue we can take it elsewhere, this was meant as a high level description to those who don't understand NAT.

Posted

tazal:

 

By NO means was I looking for an argument! I appreciate your insight on the subject. Some I knew, some I didn't. I wishI had a better "in depth" feel for the router and forwarding. I'm learning as I go. The basics I get, but when stuff happens I have to dig deeper. For instance, I can access items on my "private" side with a cell phone IF the device does not have a port assigned. If the port exists, it can be seen on a 3G network but not on the Edge network? If I assign the same item a private address on Edge without the port, it works. Now that one is way over my head. Also I learned in setting up my ISY99 that an HTTPS site (ISY99) does not require a port in the address, just simply my URL through DYNDNS, why is that? And further, if you had more than one HTTPS item on the Private network, how would the router, route? Is it possible to take security to the next level, on say a camera that has an HTTP address and bring it to HTTPS? Oh and I always figured that it was a 1 in 60000+ shot of someone guessing the port assigned to an item, but in therory, couldn't one after they have your DYNDNS address simply keep trying port #'s until they hit? This is the reason I hate to make any of my cameras public domain as then the DYNDNS address is known. I struggle with this and whether I'm doing it right.

 

Any insight you have on security will be appreciated by me, and I hope others as well.

 

Thanks,

 

aLf

Posted

An address prefixed by HTTP:// implies port 80 unless otherwise specified. HTTPS:// implies port 443. If you have 2 devices on your LAN you want to access via HTTPS, you would either need:

 

- 2 public IP addresses and a router that supports it

- assign the devices unique ports

 

If you have a device that's accessible from one network but not another (3G vs Edge), I would assume either one of the networks is blocking your traffic for some reason or you are experiencing some sort of latency/timeout issue on one of the networks.

 

By defining a custom port for your webcams, you're adding a bit of security because a hacker might not be looking for an open port 551 (for example), but if they see an open port 80 they'll know it's some sort of web server.

 

Regarding hacking techniques, I'm sure I'm not up on the latest and greatest but there are port scanners that will automatically scan ranges of IP addresses and try EVERY port, listing the open ones. Much easier than manually guessing IPs and port #s.

 

That being said, does a hacker care about the webcam pointing in your backyard or even at your child's crib? Probably not, but you never know.

Posted

Why can't this work in a way similar to other HA products out there (i.e. homeseer) where if it is a local IP address, it will allow automatic login, and if the source is off the local subnet, you need to enter credentials. Obviously this would be a user selectable setting, but it is certainly easy to program (look at incoming HTTP header), and it would probably fix it for almost all people asking for this.

Using it in its current form is a problem in my house...\

 

 

 

W

Posted

MikeB answered several of your questions the same way I would, it's very common for phone carriers to allow different types of traffic with different kinds of data plans and certainly with different types of data connections (edge vs 3G). For instance, T-Mobile has at least 2 or 3 different access points (phone proxies) that they give you access to depending on your data plan and each provides different connectivity; one may be just for web traffic(ports 80 and 443) and one may be full IP traffic (all ports) to allow things like VPNs to work. The later would allow non-standard ports for things like webcams.

 

I also agree that using a non-standard port is only going to help if a hacker is doing broad sweeps of many IPs, and maybe not even then. If they were looking at *your* IP for vulnerabilities they will easily can all ports.

 

I use a wildcarded dyndns entry to point *.my.domain at my public IP address. I have my router forward ports 80 and 443 to a linux box running apache where I serve up some web pages. In my apache configuration I have virtual sites listed and redirected to various internal IP addresses according to the HTTP header. It gets a little complicated to understand the first time but it allows me to do things like have my isy and my webcam both run on port 80 and then get to them from the internet via isy.my.domain and webcam.my.domain. Probably more hassle than you are looking for but possible and it allows me to only use port 80 and 443 so even a trimmed down phone connection works.

 

In the last example my isy and webcam would think the traffic is coming from the internal network, my apache server specifically. It's like have two sets of translations, one NAT based on the firewall/router and another HTTP based in apache.

Posted

Bravo, tazal and MikeB, on the well formed responses regarding IP addressing, routing, and the internet connectivity methods! I wouldn't have taken so much time. Thank you!

 

FTR, pretty much ALL attacks start with scans: ping sweep, protocol / port sweep, then trigger follow-ups based on the responses. Oh... and like the ping sweep, low-hanging fruit first - so standard ports after ping sweep, non-standard ports last. Some advanced security devices can block on sweep, pretty much fixing the problems from all but the MOST determined attackers. Since these sweeps are entirely automated, everything gets hit eventually. It's not chance; it's continuous.

 

The reward of the break is the key to what to break into: if you have boring content, you're not a likely candidate. If you have boring content with moderate security, again, not a likely candidate. So cameras that are like everyone else's are not a great candidate for much effort if they have a decent password. No password and they'll get on some list pretty quick. Effort to reward thing.

 

ISY seems like it could end up a decent security target if someone stumbles on it in a scan: messing with someone's lights is an attractively fun thing to do; if you have cameras and I can WATCH the lights and YOU getting pissed off about it, there's no measure to how much effort that'd be worth to break in.

 

 

 

Again, I'm pleased to see MikeB and tazal representing the IP network envrionment accurately. tazal, nice set up.

 

We've been connecting businesses and ISPs to the internet since 1992 or something like that; I/we designed and built products for securing and protecting networks; I'm currently in non-technical role in security and communication services. I run two links into my house: a /29 on SDSL for VoIP and inbound; and cable for cheap and fast data and browsing. I run business class firewalls (whatever model / brand our resident experts are using of late) and load balance / fail-over all traffic to the 'net and VPNs to our offices.

 

 

 

smileyw, I agree. Set addresses for no security would be a decent option. But since control doesn't require it and one can build their own web interface with any amount of control desired - and only the admin requires login - it doesn't seem a big deal.

Guest
This topic is now closed to further replies.

  • Recently Browsing

    • No registered users viewing this page.
  • Forum Statistics

    • Total Topics
      37.1k
    • Total Posts
      371.5k
×
×
  • Create New...