Server and HTPC webconsole

joz

Portal Pro
March 17, 2008
1,353
306
Home Country
Netherlands Netherlands
Hi all,

I really like how MP is more and more moving towards an online based system.
There are a lot of plugins using online content, I got a lot of 'em running and can't go without any of them anymore (My Trailers, Showtimes etc).
The pulling of content is great but I'd like a bit more serving:) As I use my HTPC as a combination of server and client (web and mp, running 24/7) it's an ideal situation for me.
Since I run PHP on my HTPC and came across a great thread here explaining how to access the sqlite databases through PHP, I already have the environment to expose more to the web.

As some of you might have seen/noticed I already played with this whole idea a bit creating a readout for moving pictures database and tv series db. However there's no limit to what can be exposed! Parsing of xml is not that hard either through PHP so editing all kinds of settings within MP is easy. Possibilities are endless.

Please post your ideas about all this; exposing mp content to the web.
If you're as enthusiastic as me and want to help out, PM me. I can already give you some pointers and tips to go about it PHP-wise.
I know some people might disagree on this tactic as the install of it all will never be user friendly, however I'm not targeting that audience. As I see it now it would be either PHP or DotNet based.
 

joz

some of my progress

------EDIT-----

This is the functionality so far;
- Dashboard stating current system temps and hard disk usage per partition
- Control uTorrent through webui, with auto login
- Control emule through webui, with auto login
- For The Record
- My MP DB readout which is a work in progress
- Remote desktop interface
- An xml tidy tool to upload a xml and get it back tidied
- Log readouts for apache and MP. Apache logs have statistics too (unique visits, % compressed content and more)

What I still want to add;
- Restarting apache
- Editing apache's httpd.conf through webinterface. Has to be done through IIS webserver for some obvious reasons (filelocks while apache is running)
- Editing PHP.ini through webinterface
- ForTheRecord auto login
- PHPMyadmin auto login, if possible. Think not though because of cookie problem.
- Remote desktop auto fill in server location etc
- Some more nice statistics on the dashboard such as total movies of mp etc.
- Streaming music of MP music collection
- WakeUp on WAN for my desktop
- Probably some I forgot.
 

Attachments

  • home.jpg (121.3 KB)
  • fortherecord.jpg (210.2 KB)
  • utorrent.jpg (145.1 KB)
  • emule.jpg (246.6 KB)
  • my_mp_readout.jpg (196.5 KB)
  • remotedesktop.jpg (139 KB)
  • tidy_xml.jpg (96.9 KB)

joz

little progress update;

First mp web config bit is ready and fully tested, works like a charm. I tested it with enabling and disabling plugins. More to come on this part.
Also added the WOL script and extended it with an AJAX ping call to determine when the PC has become responsive.
 

Paranoid Delusion

Moderation Manager
  • Premium Supporter
  • June 13, 2005
    13,062
    2,978
    Cheshire
    Home Country
    United Kingdom United Kingdom
    Joz

    Just want to wish you luck with this, I'm sure once you demonstrate what it can fully do, then more people will take interest :)

    You know what they are like around here, they love alpha's\beta's :)
     

    joz

    yeah it is, I know, so that part should be taken seriously.

    But people tend to say such things before even considering what they are securing. It's just my htpc. It's not homeland security or something. I have an image lying around, run daily backups, so hack away I say. I'm back up and running in no time.
    I know that's no solution though. For now it's protected behind basic authentication but will move to a PHP/MySQL based login with md5 encryption or SHA1.

    Besides that, programming the scripts right, especially the ones doing shell_exec's will be important. That's the part of it now that kinda exposes the whole underlying machine to the net. The rest of what runs on it really doesn't.

    I was thinking about detection of hack attacks, through analyzing apache logs btw. Say every 15 minutes check if there's an IP trying to bruteforce the login. If so then deny access to all shell_exec till the admin comes along and turns it back on.

    The apache module Mod Deny could also be something that could work. Besides that, if you are really paranoid you can flip the black list idea of mod deny and create a white list. Just allow access from a couple of predefined IPs.

    p.s.
    I already subdued a hack attack a couple of days ago. Just some random guy trying to brute force it. Bruteforcing logins, even basic authentication ones, takes time (this guy was going at it for 2 days till I stopped him dead in his tracks). A script could pick that up before something serious is going on (the bruteforce succeeds ;))

    ---EDIT----

    SpudR you made me think (arg, the pain :)), another idea;
    Allow logins only every 5 to 10 minutes. That will make brute forcing unbearably slow.

    I would like to know more of your opinions about security. What can be done to keep the threats to a minimum?
    I will continue down this path even if it's proven to be too insecure to release to the public.
    A release will be hard anyways as I have set this up on Apache and PHP, so that will be a minimum requirement.
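
The log check proposed in the post above (look back 15 minutes for an IP hammering the login, then switch off the shell_exec scripts), as an added example that is not part of the original thread. It assumes Apache's common/combined log format; the threshold of 20, the `/console/` path and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache common/combined log line: client IP, [timestamp], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def failed_logins(lines, now, window=timedelta(minutes=15)):
    """Count HTTP 401 responses per client IP inside the look-back window."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the check
        ip, stamp, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if status == "401" and timedelta(0) <= now - when <= window:
            counts[ip] += 1
    return counts

def offenders(lines, now, threshold=20):
    """IPs at or above the threshold (assumed value). Basic auth answers the
    first request of every session with a 401, so keep it well above 1."""
    return sorted(ip for ip, n in failed_logins(lines, now).items() if n >= threshold)

def shell_allowed(lines, now, threshold=20):
    """Kill switch: False while any offender is active. The web scripts would
    consult this flag before running any shell command."""
    return not offenders(lines, now, threshold)

# Constructed sample log (documentation-range IPs), not real traffic.
def _line(ip, hhmmss, status):
    return f'{ip} - - [12/Mar/2009:{hhmmss} +0100] "GET /console/ HTTP/1.1" {status} 401'

NOW = datetime(2009, 3, 12, 10, 15, 0, tzinfo=timezone(timedelta(hours=1)))
SAMPLE = (
    [_line("203.0.113.7", f"10:{5 + i // 6:02d}:{i % 6 * 10:02d}", 401) for i in range(25)]
    + [_line("192.0.2.10", "10:12:00", 401), _line("192.0.2.10", "10:12:05", 200)]
    + [_line("198.51.100.4", f"08:30:{i:02d}", 401) for i in range(30)]  # outside window
    + ["not an access log line"]
)
```

Run from a scheduled task, `shell_allowed` only reports the state; re-enabling stays a manual admin action, as the post suggests.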
     

    SpudR

    Retired Team Member
  • Premium Supporter
  • July 27, 2007
    2,657
    718
    Yorkshire, UK
    Home Country
    England England
    I'm doing the white list thing for my remote access - I also have .htpasswd files on all web folders open to the public, but there is nothing sensitive in them.
    You can go mad with security, but it soon gets in the way!
    The best solution is DON'T expose yourself unnecessarily - only open the stuff you NEED to the public domain and set up a strong gatekeeper for the rest :)

    If possible - try the M$ solution - 3 attempts, then increasing times between failed attempts (start with 30 seconds and increase with every failed attempt. reset the counter after 10 minutes of inactivity). This will stall any brute force attempts, whilst still allowing you to have some typos...
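
The throttling rule from the post above (3 attempts, then a 30-second delay that grows with every failure, counter reset after 10 minutes of inactivity), as an added example that is not part of the original thread. The post does not say how the delay grows; doubling is an assumption here, as are the class and method names and the choice of key (for example username plus client IP).

```python
from dataclasses import dataclass

FREE_ATTEMPTS = 3       # failures allowed before any delay applies
BASE_DELAY = 30         # seconds; first delay after the free attempts
RESET_AFTER = 10 * 60   # seconds of inactivity after which the counter resets

@dataclass
class _State:
    failures: int = 0
    last_failure: float = 0.0

class LoginThrottle:
    """In-memory throttle; a real login script would persist this per key."""

    def __init__(self):
        self._state = {}

    def _current(self, key, now):
        st = self._state.get(key)
        if st and now - st.last_failure >= RESET_AFTER:
            del self._state[key]   # inactivity window passed: forget failures
            st = None
        return st

    def wait_seconds(self, key, now):
        """Seconds the caller must still wait before a login is evaluated."""
        st = self._current(key, now)
        if st is None or st.failures < FREE_ATTEMPTS:
            return 0
        # Assumed growth: double per extra failure, capped at the reset window.
        delay = min(BASE_DELAY * 2 ** (st.failures - FREE_ATTEMPTS), RESET_AFTER)
        return max(0, st.last_failure + delay - now)

    def record_failure(self, key, now):
        st = self._current(key, now) or self._state.setdefault(key, _State())
        st.failures += 1
        st.last_failure = now

    def record_success(self, key):
        self._state.pop(key, None)   # a good login clears the history
```

Call `wait_seconds` before checking the password and refuse the attempt outright while it is non-zero, so guesses made during the delay are never evaluated.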
     

    jsimmons

    Portal Pro
    December 6, 2008
    126
    2
    Home Country
    United States of America United States of America
    I would really reconsider exposing your system to access from outside your LAN, especially if you're going to allow remote modification of your MP settings.

    There's no such thing as a secure web site. Period. Running a web server is not a trivial task, nor should it be shrugged off by claiming "it's just my htpc". If it's on your LAN, it *exposes* your entire LAN to exploits.
     

    joz

    I've heard that one before, but how?

    How is my LAN at risk? I do not see it.
    Yes, shell access is one part that's an obvious risk to LAN. But I can just set permissions not allowing anything other than what I want to be able to run. PHP even is limited in what it's able to do thru shell because of security risks. Besides that I believe it's possible on windows to allow certain actions (or disallow) of the shell for specific users.

    How can say some hacker, who's hacking phpmyadmin or my server console get past the confinement of that script? As long as the script has no exploits all is fine.
    I'd like an example if you could provide one, jsimmons. I really don't see any risk at all to my LAN, as long as I'm real careful handling shell access.

    What's so hazardous about editing MediaPortal.xml thru the web? As long as the script only touches that file, all is fine, right? Well, MediaPortal.xml could get screwed over seriously of course, backups are key :) I could also extend that script to write to MediaPortal.xml but always create a backup of the original.
     

    pilehave

    Community Skin Designer
  • Premium Supporter
  • April 2, 2008
    2,566
    521
    Hornslet
    Home Country
    Denmark Denmark
    Putting a web-server online from your LAN isn't really a high-security-risk, I don't see how anyone would inject code that is anything but your script-language + SQL/MySQL-queries. Now, while PHP in theory can be used to do file-uploads and downloads (FTP-functions built-in) then you'll still need a running FTP-server with proper rights. Not even a buffer-overflow will expose anything else but your web-application.

    I think it's a bit paranoid, sorry. The risk of being hacked from your personal storage media like portable harddrives or USB-drives is much bigger. If I REALLY wanted access to something, a planted root-kit in a mail or a USB-device is so much easier.
     
