Project

General

Profile

Feature #5796

Disable WEB UI from IP except allowed list

Added by saen acro about 5 years ago. Updated almost 5 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
User Interface
Target version:
-
Start date:
2019-12-20
Due date:
% Done:

0%

Estimated time:

Description

Option is needed to disable brute-force attacks.
Independent from user profile IP access.


Eventual workaround is different from standard :9981 just for administration.
Not shure with one is easy to implement.

History

#1

Updated by Flole Systems about 5 years ago

Fail2Ban would be the better way to prevent bruteforce attacks in my opinion.

#2

Updated by saen acro about 5 years ago

Example?

#3

Updated by Flole Systems about 5 years ago

Download Fail2Ban, install it, configure it, add a "authentication failed from x.x.x.x" log entry to tvheadend, done.

#4

Updated by saen acro about 5 years ago

Not secure for stolen credentials.

#5

Updated by Flole Systems about 5 years ago

You wrote that wanted to prevent bruteforce attacks though, you never mentioned that stolen credentials are a problem for you aswell. Iptables is your friend for that though.

#6

Updated by saen acro about 5 years ago

let's patch will be practical why need to allow possible doors to unwanted person.
In your scenario even you will ban yourself with wrong entered credentials.

about stolen credentials
its easy to download full playlist with credentials from single channel.

#7

Updated by Flole Systems about 5 years ago

So you just want to limit a user to a specific IP or IP Range? That's already possible if I remember correctly.

#8

Updated by saen acro about 5 years ago

Flole Systems wrote:

So you just want to limit a user to a specific IP or IP Range? That's already possible if I remember correctly.

No I want to disable ADMIN UI globaly aka access to "extjs.html" and allow allow acces to admin ip range ONLY
Problem is that HTTP admin UI and streamer are on same port :9981

When some one open
http:/tvh.ip:9981
not to receive credentials window, except when his ip is in allowed ip-s.

#9

Updated by Flole Systems about 5 years ago

So you can just limit all your admin/webui users to the list of allowed IPs. They will still see the window but it doesn't matter what they enter they won't get access.

#10

Updated by kodiaq kodiaq about 5 years ago

+1 - Anyone can access WEB UI on port 9981 than log in without being noticed by admin, because there is no information being logged in the tvh.log file.

Simply there is currently no "traceability" of who accessed the WEB UI on port 9981 and this opens door for various speculations...

#11

Updated by Flole Systems about 5 years ago

The feature already exists, so no need to +1....

#12

Updated by saen acro about 5 years ago

Flole Systems wrote:

The feature already exists, so no need to +1....

Explain where it exists?
pictures video etc.

on individual user can be disabled web ui but it must be reversed.
if TVH have public ip anyone can see login credentials form.

#13

Updated by Flole Systems about 5 years ago

You really need all information spoon fed.... It's literally the first result on Google if you would search for it.

Anyways: See https://docs.tvheadend.org/webui/config_access/

There is even an example to only allow admin access from LAN.

#14

Updated by saen acro about 5 years ago

Are you realy try to understand request I started?

In you suggesting i need to add 0.0.0.0/0,:0/0 to user "*" and bloch access?
it not work
User A can see from IP 10.11.12.13/32
but his ip is dinamical and next time can't access

next suggestion will be "IP Blocking Record's"
cool ic can enter ~8500 /22 records to ban China access

so many solution not to block few simple links

extjs.html
/playlist
/xmltv

user can be happy with

/stream

only
rest use :9982

#15

Updated by Flole Systems about 5 years ago

Please read the page again, including the examples, I am not going to spoon feed the solution to you, a little bit of effort on your side can be expected, especially if it's just reading a wiki page (or just scrolling down to the examples and reading those). I never suggested what you tried, you clearly didn't read the page. The functionality to limit a users access to a list of IPs or IP Ranges is already there, so there is nothing that needs to be implemented.

#16

Updated by kodiaq kodiaq about 5 years ago

@saen acro - Do you mean to have possibility to disable initial "credential prompt" sequence from WEB UI for anonymous IP? Do I get it right?

#17

Updated by Pablo R. almost 5 years ago

It is not related, but it would be interesting to separate the webui from the channel urls. In different ports, for security.

#18

Updated by saen acro almost 5 years ago

kodiaq kodiaq wrote:

@saen acro - Do you mean to have possibility to disable initial "credential prompt" sequence from WEB UI for anonymous IP? Do I get it right?

Not in allowed list no access to admin part,
not as now check in user profile to disable UI

Pablo R. wrote:

It is not related, but it would be interesting to separate the webui from the channel urls. In different ports, for security.

This is a part of request, it will be best if is possible to set own port.

#19

Updated by Flole Systems almost 5 years ago

saen acro wrote:

Not in allowed list no access to admin part,
not as now check in user profile to disable UI

This feature already exists! Just read the wiki and configure it.... It might need configuration for each admin user but since this gives even more flexibility and security that's even better.

#20

Updated by saen acro almost 5 years ago

Flole Systems wrote:

saen acro wrote:

Not in allowed list no access to admin part,
not as now check in user profile to disable UI

This feature already exists! Just read the wiki and configure it.... It might need configuration for each admin user but since this gives even more flexibility and security that's even better.

This function work for user A user B can access.
Also to work credentials needed.

Wizard second step ;)

#21

Updated by Flole Systems almost 5 years ago

You need to define it for all users that have access to the Web UI of course. This allows giving each admin access from different ranges aswell, which is superior to your request.

#22

Updated by saen acro almost 5 years ago

ok am bad gui wit know ip:port of you service
frite script to curl 1000 times per second your service
what is your solution

A. firewall
not possible without strict L7 rule
B. firewall with addresses range
client will not see service if its out of allowed range (mobile operator roaming etc)
C. NGINX
not so simple, need powerful pc

D. run vpn concentrator and do it as you suggest.

#23

Updated by Flole Systems almost 5 years ago

So you are trying to mitigate a DOS attack here? In that case an IDS/IPS is the right choice. Or sign up for cloudflare and have them take care of it. Or configure fail2ban. Or super simple: A rate limit iptables rule. Think of your own solutions instead of having someone else spoon feed you.

Originally you wanted to limit access to the Webinterface to a specific IP or a range of IPs, which is already possible. You keep coming up with different scenarios which might cause problems, but those problems are completely out of scope of tvheadend, we can't implement a DOS protection and all that kind of stuff, that should not be part of tvheadend (just like Apache doesn't have it and just like nginx doesn't have it and just like openssh doesn't have it and so on).

#24

Updated by saen acro almost 5 years ago

Am writing slow to understand
Inversion of current function of access is enough
its blocked to all and allowed to accept list

Same as bsd and linux firewall by default
one allow all other block all by default inverted idea both do same at all.

#25

Updated by Flole Systems almost 5 years ago

Again, the feature to limit a users access to a specific IP is already there. Default is allow all but you can also specify a list of IPs and IP Ranges (or both). I already spoon fed you the exact doc page that describes exactly what you want to do as an example. What else should I do to help you?

#26

Updated by saen acro almost 5 years ago

I don want to limit specific user I wont to block all and then to allow specific user.

#28

Updated by Flole Systems almost 5 years ago

Unfortunately we can't help you as you refuse to read the docs and configure accordingly. The feature is already there.

And by the way: #2914 is not a Task as its considered invalid. #4345 is about adding profiles to make configuration easier (it does not mention any additional options), so completely unrelated. While that would make this simpler, what you want is still possible today. #4061 is explicitely for streaming and not for the admin interface.

Please stop trolling around here. And someone please mark this feature request invalid as it already exists and saen acro is just not willing to read and configure accordingly.

#29

Updated by saen acro almost 5 years ago

Actualy you flood without understand what is request for.

#30

Updated by Flole Systems almost 5 years ago

You want to prevent unauthorized access to the Webinterface for example with stolen credentials by limiting the IP addresses that are allowed to access it.

And that is already possible (and there are even more options available for other usecases). You just refuse to configure it. Which is why this feature request can be considered invalid.

#31

Updated by saen acro almost 5 years ago

Please test before suggest.

#32

Updated by Flole Systems almost 5 years ago

Please read the docs before opening a feature request. Or at least read them after someone points out that it already exists. Or at least read them after someone tried to spoon feed you the information.

Anyways, you are the one who wants this feature, I don't care anymore. I pointed out the solution, I even spoon fed it to you but you are refusing to configure it, so you can continue to wait for someone to implement this while it's already there.

And someone please mark this as invalid.

#33

Updated by saen acro almost 5 years ago

i read them multiple times but not satusfy my neads,
you dont want to understand question.

#34

Updated by Flole Systems almost 5 years ago

Ok, then wait for someone to implement this.

Also available in: Atom PDF