Subsonic plugin security (safe to open to www?)

Status
Not open for further replies.

UK_Dave

Dabbler
Joined
Aug 24, 2015
Messages
20
Hello good folk,

I've been playing around with subsonic over the Xmas break and really quite like it. Currently I VPN to my network when I want to access things remotely and can also connect to subsonic this way.

How safe is the plugin with regards to online security should I wish to just port forward to my subsonic jail rather than VPN to it? This is useful for quickly accessing on devices I don't always use, for example a friend's phone, tablet, computer or device.

My media directories are read only to the jail and ssh is disabled so I'm wondering what the likely worst case thing a hacker could do if they compromised my administration account for it? If they trashed the subsonic jail it would be an inconvenience but I would accept that risk over the benefit of open access.

I tend to update my freenas box when it emails me to say updates are available.

I would be interested in people's thoughts on the best approach and are there things I could do to improve security if I did want to open it up?

Thanks, Dave
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
mine's open to the world, so I can use the DSub android app remotely. I'd rather have the convenience and accept the risks than not have easy access.

I think the worst they could do is find an exploit in subsonic/Java, and use that to read whatever data is accessible to your jail.
they could possibly use your jail to access the rest of your network, but it'd be no different than someone on your local network.
 

UK_Dave

Dabbler
Joined
Aug 24, 2015
Messages
20
Thanks for the reply, my thinking was along the same lines but yes if it were compromised they would be on my internal network which made me a little edgy.

I've only just started using freenas in the last few months, do plugin updates get pulled in with main system updates in case a vulnerability is discovered?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
no, plugins update separately on the plugins > installed tab, or through an in-app mechanism
 

Allan Wilmath

Explorer
Joined
Nov 26, 2015
Messages
99
I have not been able to update the Plex plug in. It seems plugins do not get updated from FreeNAS. I have seen enough issues posted about updates to plugins that I would not count on updates for plugins.

Unless you use a VirtualBox plug in, all of the plug ins operate as processes on your NAS along side other processes. A lot of work has gone in to making it as secure as is possible. But I can see my Plex process is running as root. I would not do it. There are so many layers to a web server that can be exploited, and they are being exploited all of the time. If you really want to then installing the VirtualBox plug in and then installing linux with web services would be better. Then the virtualization will keep things separate.

The ideal thing would be to virtualize your gateway as well and use something like pfsense and a virtual connection between the VMs. And then your web server could be exposed to the internet only on port 80, and pfSense could block all other ports in and out of your web server. A compromise would only be the web services. Thing is that if anyone gets in to your network, it is trivial for them to take over your router since they can easily brute force the password, if you have even changed the default. And then they can proxy ALL of your traffic. Makes man in the middle attacks easy and allows even encrypted web connections to be monitored remotely.

What you want to do will likely be much easier in the next version of FreeNAS in a more secure fashion, depending on how much Type 1 hypervisor features they incorporate in to version 10.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
have you tried updating your plex plugin from the plugins tab recently?

the plugin middleware layer runs as root, but most plugins (like plex) don't.
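
One way to check on the host which jailed processes actually run as root, the point the last two posts disagree on. This is an added example, not part of the thread; the sample `ps` output, including its PIDs, JIDs and command lines, is constructed.

```shell
#!/bin/sh
# Added example: list processes that run as root inside a jail (JID != 0).
# On a FreeBSD/FreeNAS host the real input would come from:
#   ps -axww -o user,jid,pid,command
# ('jid' is a FreeBSD ps(1) keyword; host processes report JID 0.)

root_in_jail() {
    # stdin:  ps output with the columns USER JID PID COMMAND...
    # stdout: one "jid pid command" line per root-owned jailed process
    awk 'NR > 1 && $1 == "root" && $2 != 0 {
             cmd = $4
             for (i = 5; i <= NF; i++) cmd = cmd " " $i
             print $2, $3, cmd
         }'
}

count_root_in_jail() {
    # stdin: same ps output; stdout: number of root-owned jailed processes
    root_in_jail | wc -l | tr -d ' '
}

# Constructed sample: every user, JID, PID and command line here is made up.
sample_ps() {
    cat <<'EOF'
USER      JID   PID COMMAND
root        0  1021 /usr/sbin/sshd
root        3  4410 /usr/local/bin/python plugin-control.py
subsonic    3  4502 /usr/local/bin/java -jar subsonic-booter.jar
plex        4  4711 /usr/local/share/plexmediaserver/Plex_Media_Server
root        4  4699 /usr/sbin/cron -s
EOF
}

# Prints the two root-owned jailed processes from the sample.
sample_ps | root_in_jail
```

A service that shows up here and is reachable through the port forward is the one to reconfigure to an unprivileged user, or to keep behind the VPN.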
 