Hiya there,
New to the usenet scene and just have a quick question.
I just recently started using sabnzbd (http not ssl'd) and did the port forwarding (on non standard ports) to allow for remote access outside of my network.
I have a non standard (unused elsewhere) username and password for the sabnzbd/sonarr interface.
Obviously I'm using ssl for both indexer and my usenet provider, just not within the sabnzbd/sonarr client. I'm really only using it for nzb360 on my phone, so I'm really only accessing it through the api key.
I'm just curious how secure this setup is at this moment. I know there are ways to secure it with apache and reverse proxy but I'm just curious if any of this is necessary.
Is there any history of someone exploiting the software to gain access to an individual's machine?
Are there any other things I should be aware of and I should do to prevent people from doing any damage to my computer?
Accessing Sabnzbd Remotely Question
Re: Accessing Sabnzbd Remotely Question
Weak passwords are the main threat.
We are not aware of weaknesses of the API itself.
Note that I mean this literally: "we are not aware".
Personally I access it only over a VPN connection.
With release 1.0.0 you can close the API a bit further.
Config->General->Internet access : set to "API (no config)".
Re: Accessing Sabnzbd Remotely Question
shypike wrote:
> Weak passwords are the main threat.
> We are not aware of weaknesses of the API itself.
> Note that I mean this literally: "we are not aware".
> Personally I access it only over a VPN connection.
> With release 1.0.0 you can close the API a bit further.
> Config->General->Internet access : set to "API (no config)".

Ahh, I see.
Well that's reassuring to know. I would do a VPN, but I find I access sabnzbd (nzb360) through my phone a lot, and I usually also chromecast with my phone, so it's just a slight hassle having to turn it on and off all the time.
If I'm only accessing the client through api from my phone, I don't need to worry about someone sniffing for my username/password, right?
Thank you so much for the quick reply.
Re: Accessing Sabnzbd Remotely Question
Utilities usually use the API key and not your username/password.
As long as you do it over an HTTPS connection, it's not snoopable.
However, there's a bit of a catch.
Since SABnzbd cannot have a valid HTTPS certificate (unless you buy one yourself),
most utilities will just accept invalid certificates.
This leaves you open to potential man-in-the-middle attacks.
That's mostly a worry when using public WiFi spots.
What an attacker gains by stealing your API key is very small,
especially if you set security to API-without-config access.
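
Added example (not part of the original post and not SABnzbd's or any client's own code): instead of accepting any invalid certificate, a client talking to a self-signed server can pin that certificate's SHA-256 fingerprint and refuse everything else. The function names and the sample bytes are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in bytes for a DER certificate, used only for offline checks.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_fingerprint(text):
    """Accept 'AA:BB:...' or 'aabb...' and return 64 lowercase hex digits."""
    cleaned = text.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def cert_matches_pin(der_cert, pinned_fingerprint):
    """True only if the certificate hashes to the pinned value (constant-time compare)."""
    return hmac.compare_digest(fingerprint(der_cert), normalize_fingerprint(pinned_fingerprint))


def open_pinned(host, port, pinned_fingerprint, timeout=10):
    """Open a TLS socket to a self-signed server, refusing any certificate but the pinned one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CA validation cannot succeed for a self-signed certificate, so it is
    # replaced (not merely switched off) by the fingerprint check below.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if not der or not cert_matches_pin(der, pinned_fingerprint):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls  # only now is it safe to send the API key over this socket
```

The pinned value has to be recorded once over a path you trust, such as the home LAN, and must be updated whenever the server's certificate is regenerated.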
Re: Accessing Sabnzbd Remotely Question
shypike wrote:
> Utilities usually use the API key and not your username/password.
> As long as you do it over an HTTPS connection, it's not snoopable.
> However, there's a bit of a catch.
> Since SABnzbd cannot have a valid HTTPS certificate (unless you buy one yourself),
> most utilities will just accept invalid certificates.
> This leaves you open to potential man-in-the-middle attacks.
> That's mostly a worry when using public WiFi spots.
> What an attacker gains by stealing your API key is very small,
> especially if you set security to API-without-config access.

Ahh I see.
Well, I went ahead and set up the HTTPS option that sabnzbd offers. Obviously when I access it from my machine I get the unverified crossed out https on my browser.
So just to reiterate and conclude my original question. Generally speaking, with the default SSL provided by sab and only accessing within a non public network, my information and sab server should be pretty safe, correct? I shouldn't need to worry about someone trying to access my machine without my permission?
I am using port 9090, which I don't know if I should choose another one or not.
Re: Accessing Sabnzbd Remotely Question
Zifnab13 wrote:
> Generally speaking, with the default SSL provided by sab and only accessing within a non public network, my information and sab server should be pretty safe correct? I shouldn't need to worry about someone trying to access my machine without my permission?

The safety comes from your home router which will not allow incoming requests.
If all SABnzbd UI traffic is in-house and you have no intruders, it's perfectly safe.

