If you followed all previous chapters you will have a rock solid remote streaming solution ready by now. Congratulations!
Now let's talk a bit about security; then you will need to decide whether you want to go on.
The following steps and considerations are optional (but probably worth it).
Our current solution has two possible flaws:
- Your username and password are sent over the internet unencrypted. If someone can capture your wireless traffic (maybe you are using a public hotspot sometimes?), analyse it and extract the username/password (this can be done very easily with automated scripts), they are able to log in to your Squeezebox Server as well and change your settings or remote control your other Squeezeboxes.
Even worse: if you were lazy and used the same credentials as your Facebook or email account, well … I guess I don’t need to write on 😉
- Your Squeezebox Server is accessible from the internet to anyone. There is a tiny possibility that someone could hack into the Squeezebox software and take over your server.
Why might anyone want to hack your server, you might ask?
Definitely not for controlling your Squeezeboxes, I’d say – but there are many people out there who want to set up new servers to send spam or do other illegal stuff.
How can we protect against this?
There are two common techniques to create a much more secure channel. One is called ‘OpenVPN’ – some routers support it, and your mobile might be able to create a secure ‘tunnel’ through the internet to your router. Due to its complexity I won’t go into further details here; Google will be your friend.
Another possibility is to create an ‘SSH tunnel’. SSH is a technique for connecting to your server via an encrypted channel. If you are using a Linux-based NAS or server you might already have used it to log in to your server (if you have ever used the tool ‘PuTTY’ on Windows, you are on the right track … )
The good thing about SSH – it can also forward specified ports, which is perfect for our needs.
So from now on I expect you to have a server that you can already log in to with SSH.
- Update your port forwarding in your router. SSH uses TCP port 22. Any connection from the internet to this port should be forwarded to your Squeezebox-Server.
You can delete the port forwards for 9000 and 3483 on your router; we won’t need them anymore.
These were insecure, so let’s get rid of them.
Is SSH on port 22 more secure than Squeezebox-Server on ports 9000 and 3483, you might ask?
And the answer is: definitely – thousands of administrators around the world use SSH around the clock to remotely connect to their respective servers 🙂
- Download an app that can create an SSH tunnel with port forwarding.
Um, well. The only viable option on the market, ‘ConnectBot’, has a bug, so it sort of works with Squeezebox-Server but has its issues. This issue with ConnectBot seems to be resolved on Honeycomb, by the way, but on Android versions below that, tracks in a playlist do not advance when a song is finished.
- Even better might be SSH AutoTunnel; one user reported success with it in the comments section. It might suffer from the same problems as ConnectBot on pre-Honeycomb Android devices (though this has not been verified yet). I’d go with this app first!
Both ConnectBot and SSH AutoTunnel allow you to connect to your SSH server first. Check that you get a connection. Once it has been established in ConnectBot or SSH AutoTunnel, configure port forwards for ports 9000 and 3483 before trying SqueezePlayer (read below what to do in SqueezePlayer).
- Another option, ‘SSHTunnel (Beta)’, only allows a single port to be forwarded (and we need two). That’s why I wrote my own app, ‘SqueezeTunnel’, to take care of all the common Squeezebox SSH stuff. You can download it here. Attention: your Android device needs to be rooted for this tool to work (it comes with its own SSH client and wants to install it). Also, this app is a quick hack/port of SSHTunnel, and I don’t understand most of the SSH-related code from the original 🙂
As SqueezeTunnel is a fork of the ‘SSHTunnel’ project protected by the GPLv3 license, you can have a look at the source code of SqueezeTunnel here.
Here is what you need to configure in SqueezeTunnel once you have installed it.
- Host: your dyndns URL (see Part 1 for details), e.g. wow-my-server.dyndns.org
Via this URL SqueezeTunnel is able to find your router and create the tunnel.
- Port: 22 is the default port for SSH
- User/Password: your username/password to log in with SSH. This is NOT the username/password you entered in the Squeezebox-Server web interface. Rather, it is the username/password you need to enter when you connect to your server via SSH.
- Squeezebox-Server Port: typically 9000. But you can change it in case it’s different in your setup.
Now try to create the tunnel with the topmost item, ‘Enable/Disable SSH Tunnel’. You should get a new icon in the status bar, hopefully saying ‘connected’.
Now we need to configure SqueezePlayer to use the tunnel.
As the server address in the SqueezePlayer settings, just use ‘localhost’ instead of the DynDNS URL we used before.
Yes, this might sound strange – but the tunnel starts directly on your Android phone, so we don’t need to look elsewhere this time. SqueezeTunnel, which should still be running in the background, will then take care of the correct encrypted routing through the internet to your Squeezebox-Server.
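For comparison, here is the same tunnel opened from a laptop with the OpenSSH command-line client (an added example, not part of the original post or of SqueezeTunnel; the user name is a placeholder and the host is the example DynDNS name from above). Each port gets its own forward bound to the local loopback address, which is why the player is pointed at ‘localhost’.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the tunnel described in this chapter.
# SSH_USER is a placeholder (assumption); SSH_HOST is the example name from
# the post; the two forwarded ports are the ones the post names.

SSH_HOST="wow-my-server.dyndns.org"
SSH_USER="youruser"
SSH_PORT=22
FORWARD_PORTS="9000 3483"

# Accept only decimal TCP port numbers in the range 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the ssh arguments: one -L forward per port.
#   127.0.0.1:<port>  listener on this machine, loopback only, so other
#                     hosts on the same hotspot cannot use the tunnel
#   localhost:<port>  destination as seen from the SSH server, i.e. the
#                     Squeezebox-Server itself
# -N runs no remote command; ExitOnForwardFailure makes ssh exit instead
# of running with only some of the forwards in place.
tunnel_args() {
    args="-N -o ExitOnForwardFailure=yes -p $SSH_PORT"
    for p in $FORWARD_PORTS; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
        args="$args -L 127.0.0.1:$p:localhost:$p"
    done
    printf '%s %s@%s\n' "$args" "$SSH_USER" "$SSH_HOST"
}

# "sh tunnel.sh up" opens the tunnel; without arguments nothing is started.
if [ "${1:-}" = "up" ]; then
    # Word splitting of the argument string is intended here.
    # shellcheck disable=SC2046
    exec ssh $(tunnel_args)
fi
```

While the tunnel is running, any client on the laptop reaches the server at localhost:9000 and localhost:3483, and only port 22 needs to be forwarded on the router.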
By the way: you can now remove the username/password in the Squeezebox-Server settings. They won’t give us any more security; the username/password used to establish the SSH connection is much better and more secure.
I really hope this last chapter was not too complicated to understand and you could get great inspiration about making your remote streaming very secure.