View Full Version : Tivoweb REMOTE access via Internet



davehazle
09-11-2002, 09:17 PM
I am sure that this would be something that almost EVERY member of this forum would enjoy. I, unfortunately, lack the technical knowledge to do so, but possess the ambition to keep at it.
OK, what I'm looking to do is obvious in thought, but it seems to be a bit more difficult to achieve.
I want to be able to access my Tivoweb via the internet. The resources I have are as follows.

D-Tivo with Turbonet installed on a Linksys Cable/DSL Router
On-line DSL with a DYNAMIC IP address
LAPTOP that can stay on ALL THE TIME connected to network
Website provided by ISP not yet used.


I would like to be able to visit my website and click on a link that takes me to a password screen. Input said password and have tivoweb pop up. If this is not possible with my configuration, is there another solution? What I want to avoid is PAYING for a dynamic DNS service if I don't have to. I have been trying to do this for a while now, but to no avail. From the information I get in this post, I intend on making a DETAILED HOW-TO for the masses. I would like to ask one of the moderators to make this thread sticky until a how-to can be compiled if it is possible.


David

Mjolinor
09-12-2002, 05:15 AM
I think this

http://www.no-ip.com/

is your starting point

davehazle
09-13-2002, 12:48 PM
I have reviewed that site and found that it was useful in part. I am currently using my web site and building a page. I want my page to have a link to tivoweb (http://My.Dynamic.Ip.:port) and have that port forward to my tivo. Not sure how I am going to do this, but I will keep you all posted.

Ellipse
09-13-2002, 05:05 PM
I can do it, but I do not have the security as tight as I want it...

jmrobins
09-14-2002, 09:42 AM
What you'll need (at least this is what I would do):

A webserver running locally at your house - I recommend apache, and if you are comfortable enough with *nix systems, FreeBSD.
You'll also want to have a program/script that will post your current IP Address to a file, on a remote webserver, every time it changes.



On your tivo, run tivoweb.
On your local webserver (if it is apache) put in the following configuration:
# --- Begin Apache Configuration ------
ProxyPass /tivo/ http://192.168.1.200/
ProxyPassReverse /tivo/ http://192.168.1.200/
<Location /tivo/>
    AllowOverride None
    AuthType Basic
    AuthName tivo
    AuthUserFile /usr/local/etc/apache/tivopasswd
    require valid-user
</Location>
# ----- End Apache Configuration -----

What this is doing is causing your local webserver to relay requests between itself and your tivo (you may need to change your IP Address above to be your Tivo's Address)

The "<Location /tivo/>" part is specifying that authentication is required and telling the webserver that the file with the username/password pairs is located at: /usr/local/etc/apache/tivopasswd. If you are doing this on a unix system (and likely there is a matching command for Apache on Windows), use the htpasswd command to create/modify/add users to that file. If you need help with doing that, apache's website apache.org is really decent.

Now on your linksys, you will need to map inbound port 80 (TCP) to your internal webserver's IP Address, and now you should have access to your tivo from the outside world, a place to go and get your current IP Address, and password protection via a proxy-server (The "proxy-server" could likely be a windows-based proxy server other than an apache webserver. I just used this method because I like having some extra flexibility and I just happened to have a freebsd workstation here).



Just an idea!

davehazle
09-17-2002, 05:44 PM
I want to build a password script into clicking on an image file, meaning click on the image and you are prompted for a username and password. I will then need a program to update the address that the link redirects you to via FTP (this could run on the tivo OR on a local machine on my network). It would need to be updated with the current IP address of my linksys router (dynamic DSL) which would, in turn, forward to http://192.168.1.105 on my local network. Is there a way to do this without setting up my tivo as the DMZ HOST????? Can I use the port forwarding feature of my router? If so, what would be the appropriate configuration for the forwarding? I am HORRIBLE at html, hence the slow progress of this thread. I am not too worried about the security aspect of the system at this time, I am merely trying to get on my feet with this first.

milhouse
09-18-2002, 03:45 PM
I have a linksys router, and just set it up to forward port 80 to my tivo. From my office I just pointed my browser to my router IP address and I got Tivo web. It was too easy...

Milhouse.

FredThompson
09-18-2002, 08:33 PM
Originally posted by davehazle
.It would need to be updated with the current IP address of my linksys router (dynamic DSL) which would, in turn, forward to http://192.168.1.105 on my local network. Is there a way to do this without setting up my tivo as the DMZ HOST????? Can I use the port forwarding feature of my router? If so, what would be the appropriate configuration for the forwarding?.

For the dynamic IP address issue:

If you use a free redirector (I use dns2go.com) and run the client on a machine on your network, you'll have a URL that will be properly addressed from anywhere on the net. For example, suppose you've gone to dns2go.com, registered and you're running the Windoze client (it's really just an enhanced ping routine with some handshaking) and you've established the name "davestivo." From anywhere on the net, as long as the redirector client is running, http://www.davestivo.dns2go.com will get directed to your system.

For the direction on your side of the broadband connection:

The advanced setup screen of the Linksys router allows you to state explicitly where to route "calls" by port number. You'll see a little note on the right of the screen that lists common ports (21 for FTP, etc.)

Now, the idea of serving HTML and running conditional branching (Java?) on your TiVo is a little bit more complicated, to say the least.

You may be able to find a decent webserver at http://www.webattack.com that will allow you to forward to another port in some way. That does require you to run more stuff on your computers but it also keeps the TiVo far more clean. A decent server would certainly allow you to run whatever scripts you wanted to do authentication of the "user." I've been looking at KF Web Server for a while (http://www.keyfocus.net/kfws) It's free and looks quite powerful.

(I assume you could do all this on your TiVo if you wanted. DNS2GO has a Linux keep-alive client, maybe some of the other services do also.)

Dunno, I haven't tried this yet but it is something very interesting. The ability to securely log into the TiVo from any web terminal sure would make it a lot more friendly.

davehazle
09-19-2002, 10:17 AM
I have it working, but as others have said.... Security IS an issue. As it stands, anyone with the right IP address, a bit of motivation, and a dash of common sense can get into the tivo and cause some major havoc..


Dave

FredThompson
09-19-2002, 04:17 PM
True, but the risk will be severely diminished if you use a hardware firewall of some sort with DHCP (Linksys, for example) because it will be a lot harder for a raw scan to identify your system. Nobody said you have to publicly broadcast the URL.

All you're really talking about is the equivalent of a door lock. Given the box runs Linux, it shouldn't be that tough to add something to do a query/authenticate step.

Actually, I was thinking about Samba and what would be required to make the box look like a Windows drive. That would be cool, a modified Samba and drivers such that extraction would look like copying a file from another computer on the LAN.

Uh...that's starting to drift topics.

I know some super Linux zealots. If you can describe to me what you visualize, maybe they can identify some very simple routines to do query/authenticate. That's just a first step. You'd need help from somebody who knows the box to add them to the FTP/HTTP routines. Or just add it to TivoWeb...

Still, there are quite a few free URL redirectors with Linux clients. Hmm...can probably run one of those with an authentication routine and the box could be standalone.

My comments about using another computer on the LAN as a "gate" were because that would be a LOT easier. You know, it runs the redirector client and authentication routine. After authentication it echoes your commands to a different port on which the TiVo is listening. You'd need some way to signal that box to re-install the authentication routine and stop mirroring. Maybe an added command. Dunno.

Even so, if all you do is create a redirector account and run the client software on your TiVo, combined with a hardware firewall/router, you'll have a lot of protection from attacks which don't involve human engineering.

That might be the quickest route to having a good measure of security. There are certainly enough people around these forums who can make the client work on a TiVo. If they can add a password option to TivoWeb, then life is pretty good. Would still need to do something about FTP access. Hmm...wonder if TivoWeb could be modified to handle that as well...

T_RJ
09-19-2002, 04:35 PM
TivoWeb already has a password option.
Can't remember exactly how. The instructions are in one of the read me files that came with TivoWeb.

FredThompson
09-19-2002, 04:45 PM
So what's the deal about security that has people worried?

Is it FTP access or do they not know about TivoWeb password support (gotta look into that.)

davehazle
09-19-2002, 07:09 PM
I, for one, never knew about TivoWeb password support. So my fear was that someone would stumble (hack) onto my tivoweb page and simply cause chaos by deleting shows, canceling season passes, etc. I will also have to look into this password protection on the TivoWeb console. FTP access would be the only other concern I suppose.

FredThompson
09-19-2002, 08:11 PM
Yeah, I hadn't seen that, either. That would sure solve part of the problem.

TivoDvlpr
09-20-2002, 12:54 AM
If you edit the tivoweb.cfg file, you can add username= and password= lines and it will authenticate. This should be combined with blocking all ports except port 80, otherwise your telnet and ftp would be vulnerable.

I use windows internet connection sharing to accomplish this.

Everything you need is in the tivoweb readme file.

tivoKlr
10-01-2002, 03:37 PM
So, I have apache running, and i can pass through to the tivoweb via the /tivo/ proxy stuff, but when i'm in the tivoweb page, the page looks funny, no colors or bg or stuff, and when i click on any of the links it looks to my apache server for the pages rather than the tivo...

I'm so close here, any help would be most appreciated.

p.s. i'm an apache *****, so slightly explicit information/instructions would be great.

tivoKlr
10-02-2002, 12:10 AM
this is the error message i see when i try to connect via the proxy

Proxy Error
The proxy server could not handle the request GET_/tivo/ui/.

Reason: Host not found

when i go to mydomain.com/tivo/ it displays the tivoweb indexpage, minus the stylesheet, but the links are all wrong. they are pointing to mydomain.com/ui or mydomain.com/whatever, when they should be pointing to 192.168.1.200/ui...

just a little more info

Nitz
10-10-2002, 12:12 AM
I would port forward something like yourtivo.dns2go.com:6980 to my internal tivo ip at port 80. Some other port than 0 to 1000 is really a good idea.

FredThompson
10-10-2002, 12:55 AM
DNS2Go just went pay at $20/year. dyndns is still free.

ibx100
11-03-2002, 09:51 PM
Originally posted by davehazle
I have reviewed that site and found that it was useful in part. I am currently using my web site and building a page. I want my page to have a link to tivoweb (http://My.Dynamic.Ip.:port) and have that port forward to my tivo. Not sure how I am going to do this, but I will keep you all posted.

Have you seen this unmaintained mini HOWTO
giving a few ideas on creating on-the-hoof
HTML containing your current IP address which
is then uploaded to your homepage and redirects
any hits to your dynamic IP? (Hack #12)..

http://www.ibiblio.org/pub/Linux/docs/HOWTO/unmaintained/mini/Dynamic-IP-Hacks

Regards :)
ibx100

Torg
11-05-2002, 01:02 PM
What jmrobins posted was correct. Well, partially.



On your tivo, run tivoweb.
On your local webserver (if it is apache) put in the following configuration:
# --- Begin Apache Configuration ------
ProxyPass /tivo/ http://192.168.1.200/
ProxyPassReverse /tivo/ http://192.168.1.200/
<Location /tivo/>
    AllowOverride None
    AuthType Basic
    AuthName tivo
    AuthUserFile /usr/local/etc/apache/tivopasswd
    require valid-user
</Location>
# ----- End Apache Configuration -----


What this will do is tell Apache when it does a
GET /tivo/ to actually fetch its contents from http://192.168.1.200/. It does not do anything with the contents however. This will lead to all the links from the tivo being referenced as if it were on the Apache server.

To fix this you need something that can modify content on the fly. Apache can't do this itself so you need to add a caching proxy server. If this sounds terribly difficult, it is.

What you can do instead is make a VirtualHost from the Apache server. Since you only have one name for your box simply Vhost it off a different port.
Now every GET request will map correctly to your tivo. (NOTE you MUST use a webbrowser with HTTP2.0, HTTP1.0 will not work).

If you need information on how to set up a VirtualServer it is in the documentation for TivoWeb.
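
An added illustration of the behaviour tivoKlr and Torg describe (not code from any poster; port 8081 and the function names are hypothetical): the proxy rewrites redirect headers but not links inside the HTML, so a root-relative link falls outside the /tivo/ prefix, while a virtual host that proxies / catches every path. It assumes TivoWeb emits root-relative links such as /ui/, as the reported symptoms suggest.

```python
from urllib.parse import urljoin, urlsplit

BACKEND = "http://192.168.1.200"   # TiVo address from the posted config
PUBLIC = "http://mydomain.com"     # placeholder name used in the thread


def proxied_target(url, prefix, backend=BACKEND):
    """Model 'ProxyPass <prefix> <backend>/': map a request URL to the backend.

    Returns None when the path is outside the prefix, i.e. Apache answers it
    from its own document root instead of relaying it to the TiVo.
    """
    path = urlsplit(url).path
    if not path.startswith(prefix):
        return None
    return backend + "/" + path[len(prefix):]


def reverse_location(location, prefix, public=PUBLIC, backend=BACKEND):
    """Model 'ProxyPassReverse': rewrite a backend redirect for the client.

    Only response headers such as Location get this treatment; the HTML body
    passes through untouched, which is why links in the page still break.
    """
    if location.startswith(backend + "/"):
        return public + prefix + location[len(backend) + 1:]
    return location


def follow_link(page_url, href, prefix):
    """Resolve href as a browser would, then see where the proxy sends it."""
    absolute = urljoin(page_url, href)
    return absolute, proxied_target(absolute, prefix)


if __name__ == "__main__":
    page = PUBLIC + "/tivo/"
    # Root-relative link in the TiVo's HTML: escapes the /tivo/ prefix.
    print(follow_link(page, "/ui/", "/tivo/"))
    # A relative link would have worked, but the proxy cannot make it so.
    print(follow_link(page, "ui/", "/tivo/"))
    # Redirect headers, by contrast, are rewritten.
    print(reverse_location(BACKEND + "/ui/", "/tivo/"))
    # Dedicated virtual host on another port, proxying "/": every path maps.
    print(follow_link(PUBLIC + ":8081/", "/ui/", "/"))
```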

lonaman
02-26-2003, 04:55 AM
http://tivohelp.swiki.net/29

This website gives great information on how to access your TiVo away from home. There is a very easy method that creates an encrypted connection using the Orenosp SSL/HTTP Proxy Server. You will have to use a dynamic DNS server such as www.no-ip.com. I have attached Orenosp v0.3.6. All the information you need is contained on the website and in txt files.

jhigh
02-27-2003, 09:41 PM
Has anyone tried running dynamic dns on a tivo? What driver and service did you use? I have a PIX501 at home, so I can create a real vpn session. The only PCs that stay up all the time are the Tivos. They would make perfect dynamic dns clients.

mgs1000
03-04-2003, 12:03 AM
This is what I do, it's not pretty, but gets the job done.

I have a MacOSX box at home that I have SSH telnet access to. I ssh to the Mac to get in through my router, and then I use Lynx to access Tivoweb on my Tivo. Obviously, I don't get to see any graphics, but I don't need to. It works just fine to remotely schedule shows or check the other stuff.

I also run a webserver on my Mac, and I average about 700 hits/day, 99% of which is from the code red/nimda virus attacks. I really wouldn't want to open my tivo to that. Even if the virus doesn't work on my tivo, I am worried that all those requests will slow my tivo down when I am using it, and possibly cause some instability in tivoweb.

Stephen
03-04-2003, 05:07 PM
Simpler Solution


Install remotely anywheres on your computer via some port that work allows out. (Ex port 80) this program allows https communication so it is secure. Then it is just like sitting at your computer. No having to mess with apache and web settings. And all you need is a web browser to access your tivoweb

SR712
03-15-2003, 12:22 AM
I am trying to also gain access to my TiVo from the outside. I have tried to forward port 80 to the TiVo IP, but my cable system blocks that port. So, I tried to change the TiVoWeb port to something else, like 8080, in the tivoweb.cfg file, but it never seems to change from port 80. I am running TiVoWeb ver 1.9.3. with mfsstreamweb. Any help would be appreciated.

SR712
03-15-2003, 02:18 PM
Never mind. I found the line in httpd-tt.tcl where that is determined.

Martlet
03-15-2003, 03:18 PM
Originally posted by mgs1000
I have a MacOSX box at home that I have SSH telnet access to. I ssh to the Mac to get in through my router, and then I use Lynx to access Tivoweb on my Tivo. Obviously, I don't get to see any graphics, but I don't need to. It works just fine to remotely schedule shows or check the other stuff.


There's a nicer way on OS X, on your remote machine:

ssh -N -L 8080:<tivo's IP address>:80 <username>@<home Mac IP address> &


Then just HTTP://<tivo's IP address>:8080/

I'm not sure what it's called, but there's a OS X GUI app that does this for you... so you can click to enable/disable it.

My brother found this one out, and uses it when he's not on the local wireless net. The GUI toggle app is nice for a laptop.

vu2vu
12-12-2003, 06:12 AM
I found a pretty cool php script today. You need a webserver with php support in order to get this working. If you are running this script on a server that is not on your lan remember to set your firewall to only accept incoming connections on port 80 from the server you are hosting the script on. Unless you do this, this script will provide you no protection at all. If you're lazy like me and don't want to input the address every time you connect just bookmark the entire link with the hashed url. On my webserver I have a password protection enabled on the directory and an index.html that redirects me to the hashed url. Just a reminder to those who have forgotten: if your tivoweb is password protected you want to input this into the url box of gurl.php http://user:pass@yourtivo.com

AVD
12-18-2003, 11:53 PM
Originally posted by SR712
I am trying to also gain access to my TiVo from the outside. I have tried to forward port 80 to the TiVo IP, but my cable system blocks that port. So, I tried to change the TiVoWeb port to something else, like 8080, in the tivoweb.cfg file, but it never seems to change from port 80. I am running TiVoWeb ver 1.9.3. with mfsstreamweb. Any help would be appreciated.


if 80 is blocked then 8080 is probably also blocked. I use 8881.

using dyndns.org (my linksys has dyndns support builtin and its free) i forward port 8881 to the static tivo address on my home lan.

i go on my PC from work and type the URL http://xxx.ath.cx:8881/
(but it's something other than xxx)

works like a charm. Hopefully the SPI firewall will stop a dedicated portscan on my lan before it reaches 8881.

TechFarmer
12-19-2003, 06:28 AM
Originally posted by AVD
Hopefully the SPI firewall will stop a dedicated portscan on my lan before it reaches 8881.

SPI will not necessarily stop a port scan. Anti-intrusion is what detects a port scan and blocks all ports, whether they are open or not. Here (http://www.snapgear.com/glossary.html) is a glossary of features that explains the difference between the two. SPI can generally log and detect scans, but it will not necessarily block or hide open ports that are supposed to function.

Anyone who opens their firewall port 80 and points it to their Tivo is asking for trouble. My firewall logs show all types of scans. Your best bet is an encrypted, password protected proxy between Tivo and the internet. The tivohelp.com article mentioned earlier is excellent:

http://tivohelp.swiki.net/29

Foos
01-12-2004, 06:04 PM
I haven't been able to get SSL working on my server (that's a tricky beast), but what I've got should provide pretty good protection, especially since I'm running more than one website at this IP. You have to know the server name to even get to the authentication screen.

Scrubbed for security, of course



<VirtualHost *:80>
    ServerAdmin adminaddress@yourserver.tld
    # could use yourid.dyndns.org or similar
    ServerName tivo.yourserver.tld
    ErrorLog logs/tivo-error_log
    CustomLog logs/tivo-access_log common
    ProxyPass / http://192.168.xxx.yyy/
    ProxyPassReverse / http://192.168.xxx.yyy/

    <Location />
        AllowOverride None
        AuthType Basic
        AuthName "DirecTiVo"
        AuthUserFile "/path/to/Apache/passwd/tivo"
        Require valid-user
    </Location>
</VirtualHost>

TechFarmer
01-14-2004, 04:27 AM
I haven't been able to get SSL working on my server (that's a tricky beast), but what I've got should provide pretty good protection, especially since I'm running more than one website at this IP. You have to know the server name to even get to the authentication screen.

Scrubbed for security, of course

Yeah, that should be pretty secure by requiring both the proper host header and the correct username / password. Someone would have to go through a lot of trouble to get around that.

David Bought
01-14-2004, 03:48 PM
Yeah, that should be pretty secure by requiring both the proper host header and the correct username / password. Someone would have to go through a lot of trouble to get around that.

Wrong, all they would need to do is sniff the wire somewhere between you and the gateway. Any network admin along the path could do this in seconds.

Mod_ssl is easy to set up. You're safe with a self signed certificate if you verify it properly on the remote end or manually add it to the browser. See if tdlp.org or apache.org has a howto.
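
An added illustration of the exchange above (not code from any poster; the request, username and password are constructed): on plain HTTP both things the virtual host relies on, the Host header and the Basic credentials, cross the wire readable, because Basic auth only base64-encodes the username and password. The function name is hypothetical.

```python
import base64

# Constructed sample: the bytes a browser sends to a name-based virtual host
# protected by HTTP Basic auth when the connection is plain HTTP (no SSL).
CAPTURED_REQUEST = (
    b"GET /ui/ HTTP/1.1\r\n"
    b"Host: tivo.yourserver.tld\r\n"
    b"Authorization: Basic "
    + base64.b64encode(b"tivouser:example-password")
    + b"\r\n\r\n"
)


def cleartext_exposure(raw):
    """Return what any on-path observer of this request can read.

    Basic auth is an encoding, not encryption: base64 decoding needs no key.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    exposed = {"host": headers.get("host"), "username": None, "password": None}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        decoded = base64.b64decode(token).decode("utf-8")
        exposed["username"], _, exposed["password"] = decoded.partition(":")
    return exposed


if __name__ == "__main__":
    print(cleartext_exposure(CAPTURED_REQUEST))
```

The same request sent inside an SSL session (mod_ssl, or an SSH tunnel as described elsewhere in the thread) exposes none of these fields to an observer on the path.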

Sleeper
01-16-2004, 12:57 AM
Mod_ssl is easy to set up. You're safe with a self signed certificate if you verify it properly on the remote end or manually add it to the browser. See if tdlp.org or apache.org has a howto.

Rather than having a secure web server proxy, you could set up the secure web server/proxy on your tivo. Has anyone attempted this?

TechFarmer
01-16-2004, 10:52 AM
Any network admin along the path could do this in seconds.

I agree completely. The likelihood of someone in the chain filtering through a huge number of packets just to find the password for a tivoweb server is highly unlikely but it is definitely possible.


Mod_ssl is easy to set up.

Unless you're using Windows. You have to recompile Apache to include SSL because the default binaries do not include that module. Once you get past that, it is relatively straightforward.

For someone using Windows, the orenosp reverse proxy server is the easiest option because it is relatively easy to configure and it has a semi-automated process to create self-signed SSL certificates.

lonaman
02-03-2004, 01:53 AM
I use Smoothwall (open source freeware software at smoothwall dot org) on an old Pentium 200 (cheap option for a firewall). Then you can connect to the Smoothwall over SSH with a program like PuTTY with it configured to forward a specified port (xxx) to your Tivo. Then point your browser to localhost:xxx and you have a secure ssh connection to your Tivo. Works for me.

tungsten2k
02-05-2004, 07:14 AM
i just vnc over ssl to my windows box and fire a browser at http://tivo :D

paulc123
02-20-2004, 07:58 PM
I thought I would share what I do since I find it very simple, secure, and effective.

If there is any box at all that you can ssh into from the Internet into your home net, this will work. For me, it's my firewall, which is a linux box allowing inbound ssh.

putty will support this on windows all day long, and every winblows system has a copy of putty, right? Just look under tunnelling. You want to map a local port (80?) to the tivo IP, port 80.

From an *nix box on the net: ssh mysite.com -L 80:internal.tivo.ip.address:80

Bam-o! http://localhost is now your tivo. -L says to map the local port 80 over the ssh tunnel to your remote host, and then to the ip and port listed. Everything is encrypted over the ssh tunnel, so it's secure. The local webserver will disappear when you terminate the ssh session. :cool:

PS- if you're running an apache webserver, proxying tivo.mysite.com to the tivo is easy. how to make it authenticate first is where I got stuck. PM me if you know a trick. thx. the proxy lines that work:
# tivo.mysite.com ?
<VirtualHost *>
    ProxyPass / http://192.168.yoursubnet.yourtivo/
    ProxyPassReverse / http://192.168.yoursubnet.yourtivo/
</VirtualHost>

jakerome
02-29-2004, 09:33 PM
Has anyone tried running dynamic dns on a tivo? What driver and service did you use? I have a PIX501 at home, so I can create a real vpn session. The only PCs that stay up all the time are the Tivos. They would make perfect dynamic dns clients.

I just want to raise this question again, seeing as it's been about a year. I'm in the same boat-- the TiVo is the only computer I have which is on all day, especially when I'm out of town. Now that I've set up password access for TiVoWebPlus, and it's on port 8000 from the outside, this is really the next step. Has anyone tried compiling the Linux DynDNS.org clients for TiVo? Do they work? I'll volunteer to test them on my S1 DTiVo if someone posts a compiled version.

cojonesdetoro
03-02-2004, 05:34 PM
Do they work? I'll volunteer to test them on my S1 DTiVo if someone posts a compiled version.

dyndns.org supports dynamic IP updates via a web browser. You can probably get wget or http_get to work. If not you might be able to write a simple tcl script to do it.

The problem is that there is no encryption. Anyone along the way can sniff your dyndns password and subvert your domain. It's unlikely but definitely possible.

I personally go the "SSH with loopback port forwarding" route with SecureCRT for windows and a Linux bastion host. I'm also thinking of implementing some sort of 'port knocking' (google it, it's a cool technique)

EDIT: BTW, All I do is ssh to my Linux box and the following three URLs access my Tivos

http://127.0.0.1:81
http://127.0.0.1:82
http://127.0.0.1:83

jakerome
03-10-2004, 05:38 PM
Well, I found one client at ez-ipupdate, written in C. I don't have access to a compiler, but maybe someone can volunteer to build this for the Series 1 DTiVoes.

http://ez-ipupdate.com/

I found a couple others that were perl-based and python-based, but I don't think either are installed in TiVo Linux. Is that correct?

TechFarmer
03-10-2004, 11:08 PM
You can probably get wget or http_get to work.

Is there a version of wget for series 1 tivos? I could only find a binary for an S2.

lgkahn
03-13-2004, 03:49 AM
I have password security on tivoweb plus so far so good.. and have a firewall blocking access to the tivo but would like to open it up so I can get at it from the road.. without having to vpn in first.. but I need to be able to lock down telnet and ftp first... anyone know how to force them to use username and passwords...
thanks

cojonesdetoro
03-15-2004, 03:21 PM
Is there a version of wget for series 1 tivos? I could only find a binary for an S2.

I have wget for SA1. I think I got it from the oztivo site but am not sure. If anyone needs it, send me a PM. If anyone knows of an 'official' place to download it, that would be better.

jakerome
03-15-2004, 03:27 PM
I have password security on tivoweb plus so far so good.. and have a firewall blocking access to the tivo but would like to open it up so I can get at it from the road.. without having to vpn in first.. but I need to be able to lock down telnet and ftp first... anyone know how to force them to use username and passwords...
thanks

Well, I have the same situation. On my router, I just opened up one port (port 8888) and redirected it to my tivo at port 80; this way, only the TiVo Web Plus port is open.

so the link on the outside looks like: http://tivo.dnsaddress.com:8888/, which points to http://192.168.0.100:80 on my LAN. Telnet points to my desktop CPU, and I have all other ports turned off.

SI 800-830-6080
03-16-2004, 04:56 PM
Well, I found one client at ez-ipupdate, written in C. I don't have access to a compiler,

Try: http://gcc.gnu.org/

It is 100% Free, you will like it.

cojonesdetoro
03-16-2004, 06:04 PM
rc3105 recently posted a message suggesting the use of zipslack for a quick-n-dirty Tivo development system without the need to reformat your PC HDD. It was actually a great suggestion. Go search rc3105's posts with the keyword 'zipslack'.

BubbleLamp
03-16-2004, 06:18 PM
Try: http://gcc.gnu.org/

It is 100% Free, you will like it.
Gee, now how is it possible that a newbie like yourself is posting in the EXPERT section. What would DB think of that? (Oh wait, you are DB.) In that case, shouldn't you be banned??

SI 800-830-6080
03-16-2004, 06:22 PM
Gee, now how is it possible that a newbie like yourself is posting in the EXPERT section. What would DB think of that? (Oh wait, you are DB.) In that case, shouldn't you be banned??

What's your problem man? This is my first day here and some of the people are so rude. I don't understand the animosity, did I do something wrong?

cojonesdetoro
03-16-2004, 06:26 PM
(Oh wait, you are DB.)

Ha! I'm glad I wasn't the only one who thought that. I guess a personality that obnoxious just sticks out like a sore thumb.

SI 800-830-6080
03-16-2004, 06:28 PM
Ha! I'm glad I wasn't the only one who thought that. I guess a personality that obnoxious just sticks out like a sore thumb.

The moderator staff can confirm that I do not have any other accounts on this board. You are confusing me with somebody else.

BubbleLamp
03-16-2004, 06:39 PM
The moderator staff can confirm that I do not have any other accounts on this board. You are confusing me with somebody else.
Why, because you have a different IP address? Please. Go blow smoke somewhere else DB.

SI 800-830-6080
03-16-2004, 06:52 PM
Why, because you have a different IP address? Please. Go blow smoke somewhere else DB.

If you want to accuse me of something, do it now and state your proof.

Right now you are acting like a bully for no good reason. Quit picking on the new users.

StanSimmons
03-16-2004, 08:13 PM
If you want to accuse me of something, do it now and state your proof.

Right now you are acting like a bully for no good reason. Quit picking on the new users.
Your style of posting ("Wrong,...") as well as your accusing people of service theft is VERY much like a guy who has been plaguing this board for a long time.

Do a search for David Bought if you want to see why your style is pissing people off. Just for the record, I think you are him too.

captain_video
03-17-2004, 09:11 AM
This guy is actually David Bought with a different user name. Hey DB, weren't you warned by Vadim about posting DTV phone numbers in these forums? No doubt you have spoofed someone else's identity like you did at a different website. You claim to do nothing wrong yet you continue to practice your lowlife underhanded tactics to undermine the integrity of this forum. Why don't you go back under the Tivo guy's desk and do what you do best. :D

TiVOBell
03-17-2004, 05:24 PM
Your style of posting ("Wrong,...") as well as your accusing people of service theft is VERY much like a guy who has been plaguing this board for a long time.

All that's missing is "BWAHAHAH" or some such nonsense.

It's him.

cojonesdetoro
03-17-2004, 08:01 PM
Getting back to the subject at hand...

Has anybody implemented a port-knocking technique? I think this technique coupled with encryption would create a rock-solid bastion for Tivo access. Right now I use the SSH forwarding method but am thinking of using a SSL-enabled Squid reverse proxy that only listens after I port-knock the proper sequence AND with PGP encrypted data in the kock-packet's payload (EDIT: :-/ Ahem... knock-packet, that is..). You can include something that changes like the current date and some other stuff signed/encrypted with your private PGP key. If/when I implement something I will post it here.


http://www.portknocking.org/
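
An added sketch of the authenticated knock payload proposed above (not the poster's code or any project's): it carries a timestamp so a recorded knock goes stale, and the gate rejects replays inside the validity window. HMAC-SHA256 with a shared secret stands in for the PGP signature the post mentions; the payload layout, the 30-second window and all names are assumptions.

```python
import hashlib
import hmac
import struct
import time

MAX_SKEW = 30          # seconds a knock stays valid (assumed value)
HEADER = "!QH"         # 8-byte timestamp, 2-byte port to open
HEADER_LEN = struct.calcsize(HEADER)
TAG_LEN = hashlib.sha256().digest_size


def make_knock(secret, client_ip, open_port, now=None):
    """Client side: build the payload for one knock packet."""
    ts = int(time.time() if now is None else now)
    body = struct.pack(HEADER, ts, open_port) + client_ip.encode("ascii")
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class KnockVerifier:
    """Gate side: decide whether a received payload may open a port."""

    def __init__(self, secret, max_skew=MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}             # tag -> timestamp, for replay rejection

    def verify(self, payload, source_ip, now=None):
        """Return the port to open for source_ip, or None if rejected."""
        now = int(time.time() if now is None else now)
        if len(payload) <= HEADER_LEN + TAG_LEN:
            return None
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]

        # Authenticate before parsing anything the sender controls.
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None

        ts, port = struct.unpack(HEADER, body[:HEADER_LEN])
        claimed_ip = body[HEADER_LEN:].decode("ascii", "replace")

        if abs(now - ts) > self.max_skew:
            return None            # stale or far-future knock
        if claimed_ip != source_ip:
            return None            # knock was made for another address
        # Behind NAT the client must put its public address in the payload.

        # Forget tags that the freshness check would reject anyway.
        self.seen = {t: s for t, s in self.seen.items()
                     if now - s <= self.max_skew}
        if tag in self.seen:
            return None            # replay inside the validity window
        self.seen[tag] = ts
        return port


if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # constructed sample value
    gate = KnockVerifier(secret)
    knock = make_knock(secret, "203.0.113.7", 443)
    print(gate.verify(knock, "203.0.113.7"))  # port to open
    print(gate.verify(knock, "203.0.113.7"))  # None: replayed
```

The knock only decides whether the listener becomes reachable; the session that follows still needs its own encryption and login, as the post says.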

cali
03-17-2004, 09:31 PM
I have a dsr704 hacked with 3.1b SW.
I had to hack the ax drivers for the adapter to work. For some reason I cannot access it from the outside.....even with port 80 forwarded. The router does not show this tivo as a 'client' but surprisingly you can ping it, and load tivoweb from the inside....but the outside is dead.......

Does anyone have any suggestions?
Why would the adapter not show up on the router?

lgkahn
03-17-2004, 10:01 PM
what adapter.. I have a dsr704 I used sleeper iso it is running 3.1.1b also and I have the linksys us.b 200m adapter and it is working fine with the ax driver and I didn't have to do anything special at all to it.. I did notice that if I change the connection from the switch to behind the wireless it sometimes was not seen outside the local subnet until I rebooted the tivo.. and all the switches.. switches keep a mac address table and I think the tivo may also and that is why you may need to reboot it and also power down and up your switches when moving stuff around.. .hopefully this helps..

Sleeper
03-18-2004, 12:14 AM
Getting back to the subject at hand...

Has anybody implemented a port-knocking technique? I think this technique coupled with encryption would create a rock-solid bastion for Tivo access

Cool idea. I was thinking about running the reverse proxy right on the Tivo but I don't like the idea of the Tivo being port scanned. This would solve that problem.

sanderton
03-18-2004, 06:07 AM
All getting a bit OTT isn't it? I run a SSL reverse proxy plus the TiVoWeb password and I thought I was being paranoid!

cali
03-18-2004, 07:49 AM
what adapter.. I have a dsr704 I used sleeper iso it is running 3.1.1b also and I have the linksys usb 200m adapter and it is working fine with the ax driver and I didn't have to do anything special at all to it.. I did notice that if I change the connection from the switch to behind the wireless it sometimes was not seen outside the local subnet until I rebooted the tivo.. and all the switches.. switches keep a mac address table and I think the tivo may also and that is why you may need to reboot it and also power down and up your switches when moving stuff around.. hopefully this helps..

It's an SMC2209 adapter....USB2.0. I had some hard times getting it to work but it does now, but only on the inside.
I know it's not my connections/permissions because right now I am at work and can access another tivo on the same router....but this one (usb adapter) shows up in the DHCP client list......

Is there a way to force the router to "see" the tivo?

AhoyMatey
03-18-2004, 09:37 AM
The way I access my Tivo over the web is to use Remote Desktop in WinXP (or Terminal Server in w2k server). I know it's a bit off topic, but that way I don't have to worry about the tivo being vulnerable on the web. Once I'm on the machine, I can access bash too if needed...

cojonesdetoro
03-18-2004, 12:21 PM
Tivo but I don't like the idea of the Tivo being port scanned.

Never let your Tivo listen for direct connections. It's trivial to bitch slap a Tivo to the ground using nmap.

cali
03-18-2004, 01:28 PM
The way I access my Tivo over the web is to use Remote Desktop in WinXP (or Terminal Server in w2k server). I know it's a bit off topic, but that way I don't have to worry about the tivo being vulnerable on the web. Once I'm on the machine, I can access bash too if needed...

See I got that taken care of...I block all outside access via router, unless it's from my PC at work.
Also I turn it off at the router when not in use. If I need to access the tivo...pull up the router and turn on the virtual server :)

Sleeper
03-18-2004, 11:38 PM
Never let your Tivo listen for direct connections. It's trivial to bitch slap a Tivo to the ground using nmap.

Yeah, I agree. I just hate the idea of routing traffic through a PC. Not that I haven't done it in the past. I guess the best solution is to use a PC on a card and a micro version of Linux like the Linux Router Project. Hang the thing on the wall and forget about it.

jonnytivo
03-24-2004, 08:23 PM
Sleeper,

Just want to say thank you for all of your work here. You made it very simple for me to take my HDVR2 and open it up for telnet, ftp, tytools, tivoweb, more space, etc.... Of course, I still needed a few pointers while tweaking things and this forum provided everything I needed. So, I'd like to give back.

This is the method I have been using for Secure Tivoweb Remote Access via Internet and from reading all the options out there, this makes the most sense to me *if you have a PC that's running all day behind your firewall/router*

I have SSH server software running on a PC on my LAN (which is behind a router using NAT). I have port forwarding enabled on the router to take a random port of my choosing and forward it to port 22 on my PC running the SSH server.

With that setup, I can use a program like putty-ssh on any computer anywhere on the internet to SSH into the PC on my LAN. In the putty connection settings, I tell it to forward port 80 requests from my current workstation to the IP address of my tivo on my LAN. Once the SSH connection is established, I open a web browser and type "localhost" and my tivoweb appears. This method can also be used to access the telnet and ftp functions of the tivo unit as well. (just change the port forward setting in the ssh client)

This works quite well and seems like a secure method to access the tivo without putting an extra load on it.

An added benefit of this method is that you not only are able to access your tivo in a secure manner, but you can access other servers on your LAN as well.
-JonnyTivo

noel-pilot
06-01-2004, 04:23 PM
I have read through this and numerous other posts on remote access of tivoweb and my netgear router is still defeating me!

I have signed up to the no-ip.com service which seems pretty good, now when I go to xxxxxxx.no-ip.org it brings up my router home page (after entering the password). I have set up the router's firewall settings to forward incoming attempts on numerous different ports to the tivo's ip address, however there is nowhere to specify what port to forward on. I have tried using incoming ports of 80, 243, 15000 and lots of others. However every time I enter xxxxxxxx.no-ip.org:port number the window brings up syntax error!

I understand the security issues of having an open port, I just want to be able to access the tivo remotely then I will look at other options of security etc etc.

Hope someone has some ideas, (the router is a DG834G wireless adsl modem/router/access point)
Thanks

cojonesdetoro
06-01-2004, 05:03 PM
type 'route' at the command prompt and see if there is a 'default' entry. If there is, make sure it has your router's 'inside' address. Use the route command to set it:

route add default gw {inside address of DSL router}

Stewie_G
04-28-2007, 11:37 AM
If you edit the tivoweb.cfg file, you can add a username= and password= lines and it will authenticate. This should be combined with blocking all ports except port 80, otherwise your telnet and ftp would be vulnerable.

I use windows internet connection sharing to accomplish this.

Everything you need is in the tivoweb readme file.


I agree, editing the tivoweb.cfg to require a username and password is the equivalent to locking the door. Like any other burglar, it's easier for a black hat to look for an unlocked door. :cool:

Unless of course they're reeeeeeeeeally bored. :eek: