Difference between revisions of "Outside Access"

From LinuxMCE
Jump to: navigation, search
(Removed old PLUTO info and update to reflect current availability of options in LinuxMCE)
m (Enabling Remote Assistance: small typo)
 
(26 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 +
{{Versioninfo}}
 +
{| align="right"
 +
  | __TOC__
 +
  |}
 
[[Category:Security]]
 
[[Category:Security]]
 
[[Category:Admin Website]]
 
[[Category:Admin Website]]
  
 
[[Image:OutsideAccess.jpg|thumb|200px|Outside Access Admin Page]]
 
[[Image:OutsideAccess.jpg|thumb|200px|Outside Access Admin Page]]
If both of these boxes are unchecked, then it will not be possible for anyone to access any part of your system from outside the home unless you manually make changes to the firewall in the Advanced section.
+
In the [[LinuxMCE Admin Website]]-->Wizard-->Security-->Outside Access section, one (or both) of the following boxes must be checked to allow users to access your system from outside the LinuxMCE LAN or outside the home:
  
Check the first box if you want to be able to access the LinuxMCE Admin website from outside your home.  Once checked, you will be able to go to any internet browser anywhere and go to the URL <nowiki>http://youripaddress/pluto-admin</nowiki> to reach the site.
+
*''Allow outside access to the website''
 +
:This allows access from any web browser through port 80, the default used by all browsers.
 +
*''Allow outside access to the website on port (-port#-)''
 +
:You can select a private port to use. Any external firewalls must be set to forward this port to your Core.
  
==2 Potential Problems==
+
These two options are disabled by default at installation, for security reasons.
===Knowing your IP Address===
+
The first is that to access your home system you need to know the ip address that globally identifies your computer, and put it in the "youripaddress" on the URL.  But most residential DSL and cable internet services do not provide their customers with a static ip address--it changes all the time.  To fix this problem, a domain name should be assigned to the core. This can be done by going to [http://dyndns.org/ dyndns.org] and creating an account and domain name for this machine. The username and password you created at dyndns.org can be entered into the web admin, so that if it changes, the core will automatically contact DynDNS to update its information appropriately.  
+
  
This can be changed from '''Advanced > Network > Dynamic DNS Settings'''
+
==Accessing the Admin page from the Internet==
 +
Once checked, you will be able to access the Admin Website from any browser of the Internet using the the URL:
  
 +
:*''<nowiki>http://youripaddress/pluto-admin</nowiki>''
 +
 +
::*where youripaddress is either the actual IP address of your home (in the format  ''223.244.16.155'') or is the domain name assigned to your home (such as ''www.myrobothouse.org'').
 +
 +
::*where youripaddress is in the format ''223.244.16.155:3080'' if you have specified to use port 3080, as detailed above.
 +
 +
==Accessing the Web Orbiter from the Internet==
 +
 +
Similarly, You will be able to access the Web Orbiter from any browser of the Internet using the the URL:
 +
 +
:*''<nowiki>http://youripaddress/pluto-admin/weborbiter.php or http://youripaddress/lmce-admin/weborbiter.php</nowiki>''
 +
 +
==Potential Problems==
 +
===Dynamic IP Addresses===
 +
You must know the IP address for your home. Most residential DSL and cable internet service providers do not provide their customers with a static IP address and the IP address frequently changes -- a dynamic IP address.  A free service called [http://dyndns.org/ dyndns.org] allows you to register a domain name for your home. DynDNS keeps a constantly updated database that links the registered domain name with an IP address. A background utility on your Core sends information to DynDNS whenever the IP address changes, which is updated in the DynDNS database.
 +
 +
The username and password you create at dyndns.org can be entered into the [[LinuxMCE Admin Website]]-->Advanced-->Network-->Dynamic DNS Settings.
 +
 +
Whenever your IP address then changes dynamically, the Core will then report the updated IP address to DynDNS, which will continue to link your domain name with the new IP address.
 +
 
[[Image:dyndns_settings.png]]
 
[[Image:dyndns_settings.png]]
  
===Secure Connection===
+
If, for example, you registered a domain name called ''robothouse.dyndns.org'' at DynDNS.org, you could access your Admin website by the URL:
The second problem is that if you check that box the connection will not be secure and it would be possible for someone to "listen" to your communication and intercept your password, thereby being able to control your house. To solve this you can obtain your own SSL secure certificate from a company like Verisign.  This is what banks and online merchants use to encrypt confidential financial transactions.  With a secure certificate you would access your web site with an "https://" instead--the s means secure.  Everything would be secure and encrypted using the same method you use to access online banking and other secure sites. However setting up your own secure certificate can be costly and complicated.
+
 
 +
:*''<nowiki>http://robothouse.dyndns.org/pluto-admin</nowiki>''
 +
 
 +
===Connection Security===
 +
Connections to LinuxMCE from the Internet are not intrinsically secure, since data is sent as plain text. It would be possible for someone to "listen" to your communication and intercept your password and thereby be able to control your house.
 +
 
 +
To solve this you can obtain your own SSL secure certificate from a company like Verisign.  (This is what banks and online merchants use to encrypt confidential financial transactions.) With a secure certificate you could access your web site with an "https://" instead of "http://".  Everything would be secure and encrypted. However setting up your own secure certificate can be costly and complicated.
 +
 
 +
===Choosing the port===
 +
 
 +
You may find that your ISP blocks incoming connections on port 80. (Port 80 is the port internet browsers use to connect to a web server.)
 +
 
 +
Try changing the port from 80 to something else, like 3080. You would need to access your web site like this:
 +
 
 +
:*''<nowiki>http://youripaddress:3080/pluto-admin</nowiki>''
  
If you do check the box to allow outside access, you may find that even if you know your ip address you still cannot access your server because your ISP blocked incoming connections on port 80.  Port 80 is what internet browsers use to connect to a web server.  You can try changing the port from 80 to something else, like 3080.  If you do, then you will need to access your web site like this: <nowiki>http://youripaddress:3080/pluto-admin</nowiki>.  If that still doesn't work, you may need to talk to your ISP.
+
===Enabling Remote Assistance===
  
The '''Allow outside access''' is mainly used when you want tech support to be able to help you configure or troubleshoot.  There is no 'back door' to LinuxMCE, and LinuxMCE staff have no way to connect to your system unless you check this box.
+
The "Remote Assistance" feature can be used to allow developers access to your core.
  
'''This Feature is still an Option but LinuxMCE does not offer Tech Support'''
+
There is no 'back door' to LinuxMCE. No remote access is allowed if this feature remains disabled.
  
If you request tech support and you want to allow LinuxMCE to access your system, check the box and then type in a password. You will then give the support rep the password, and with that password, the support rep will be able to login to your system, inspect the logs, look at your configuration, and run diagnostics.  As soon as you uncheck the box or change the password the connection your Core will immediately drop the connection and the support rep will not have access anymore. When you enable remote access, the connection the support rep uses to access your system is secure and encrypted using a protocol called SSH.
+
To allow remote access, click on "enable" and wait for your support code to appear (in red). A remote user would need to know both of them to login.  As soon as you disable this option again the Core will immediately drop the connection.  Remote assistance connections are encrypted using SSH and therefore are secure. On every enable the support code changes, so a developer knowing your old code can't login again without having the latest generated code.

Latest revision as of 23:22, 25 May 2012

Version Status Date Updated Updated By
710 Unknown N/A N/A
810 Unknown N/A N/A
1004 Unknown N/A N/A
1204 Unknown N/A N/A
1404 Unknown N/A N/A
Usage Information
Outside Access Admin Page

In the LinuxMCE Admin Website-->Wizard-->Security-->Outside Access section, one (or both) of the following boxes must be checked to allow users to access your system from outside the LinuxMCE LAN or outside the home:

  • Allow outside access to the website
This allows access from any web browser through port 80, the default used by all browsers.
  • Allow outside access to the website on port (-port#-)
You can select a private port to use. Any external firewalls must be set to forward this port to your Core.

These two options are disabled by default at installation, for security reasons.

Accessing the Admin page from the Internet

Once checked, you will be able to access the Admin Website from any browser of the Internet using the the URL:

  • http://youripaddress/pluto-admin
  • where youripaddress is either the actual IP address of your home (in the format 223.244.16.155) or is the domain name assigned to your home (such as www.myrobothouse.org).
  • where youripaddress is in the format 223.244.16.155:3080 if you have specified to use port 3080, as detailed above.

Accessing the Web Orbiter from the Internet

Similarly, You will be able to access the Web Orbiter from any browser of the Internet using the the URL:

  • http://youripaddress/pluto-admin/weborbiter.php or http://youripaddress/lmce-admin/weborbiter.php

Potential Problems

Dynamic IP Addresses

You must know the IP address for your home. Most residential DSL and cable internet service providers do not provide their customers with a static IP address and the IP address frequently changes -- a dynamic IP address. A free service called dyndns.org allows you to register a domain name for your home. DynDNS keeps a constantly updated database that links the registered domain name with an IP address. A background utility on your Core sends information to DynDNS whenever the IP address changes, which is updated in the DynDNS database.

The username and password you create at dyndns.org can be entered into the LinuxMCE Admin Website-->Advanced-->Network-->Dynamic DNS Settings.

Whenever your IP address then changes dynamically, the Core will then report the updated IP address to DynDNS, which will continue to link your domain name with the new IP address.

Dyndns settings.png

If, for example, you registered a domain name called robothouse.dyndns.org at DynDNS.org, you could access your Admin website by the URL:

  • http://robothouse.dyndns.org/pluto-admin

Connection Security

Connections to LinuxMCE from the Internet are not intrinsically secure, since data is sent as plain text. It would be possible for someone to "listen" to your communication and intercept your password and thereby be able to control your house.

To solve this you can obtain your own SSL secure certificate from a company like Verisign. (This is what banks and online merchants use to encrypt confidential financial transactions.) With a secure certificate you could access your web site with an "https://" instead of "http://". Everything would be secure and encrypted. However setting up your own secure certificate can be costly and complicated.

Choosing the port

You may find that your ISP blocks incoming connections on port 80. (Port 80 is the port internet browsers use to connect to a web server.)

Try changing the port from 80 to something else, like 3080. You would need to access your web site like this:

  • http://youripaddress:3080/pluto-admin

Enabling Remote Assistance

The "Remote Assistance" feature can be used to allow developers access to your core.

There is no 'back door' to LinuxMCE. No remote access is allowed if this feature remains disabled.

To allow remote access, click on "enable" and wait for your support code to appear (in red). A remote user would need to know both of them to login. As soon as you disable this option again the Core will immediately drop the connection. Remote assistance connections are encrypted using SSH and therefore are secure. On every enable the support code changes, so a developer knowing your old code can't login again without having the latest generated code.