Restrict Access?

[Laptop765]

Hey everyone, I'm in college and GBPVR saved my life because for the first few weeks I was going crazy without being able to record TV shows for future watching. Finally got a PVR-150 to record on desktop. Anyway, I have a question and hopefully there's a solution. The school doesn't want any servers just openly running on their network because of security reasons [not to mention bandwidth.] I was wondering if it were possible to restrict the GBPVR web interface to 2 MAC addresses [my laptop hardwire and my laptop WAN] and to disallow all other access so I'm not in violation of rules [they said I could limit by MAC address.] Another option would be authentication, but I don't know if the GBPVR interface is enough, maybe something equivilant to the apache .htaccess/.htpasswd scheme. Thanks in advance for any help.

[stefan]

Don't you have a router/firewall? That one could see to it that only your personal LAN has access.

[Laptop765]

I'm on my school's network. My GBPVR desktop is hard wired into the school's network and my laptop is chained through my desktop which has 2 NICs because I don't think they want us running 2 comps on the network. I'm not aware of any freeware firewall software which can accomplish this.

[stefan]

Ah, I see... No, I can't think of a way to accomplish this without a hardware router/firewall...

[Laptop765]

OK, thanks. Would you happen to know if Apache itself features this functionality (MAC restriction), because I read about the ApacheCLI thing and wouldn't mind setting that up.

[stefan]

I don't think so, but it would be fairly straight forward to only allow binds from one or two certain ip addresses, so if you have static ip addresses that you need to access the server from this should be possible.

[wtg]

If I understand correctly, you want your laptop and only your laptop to be able to access the web interface running on your desktop, regardless of whether it's connecting hardwired to the desktop or coming in remotely via your school WAN, right? From what it sounds like, you don't want gbpvr's web interface being visible on the WAN except to your laptop. It's theoretically possible, but will take some experimenting on your part.

You may be able to pull this off using ssh tunneling and a firewall. Basically you configure your firewall to block access to gbpvr's webserver from the school wan, but allow access from your local network (the nic you plug your laptop into) and the localhost (the server itself). Connecting hardwired is easy then, since the firewall allows the local network access. Connecting from the WAN, you set your firewall to open the secure shell port, and configure your ssh daemon to forward traffic to the local gbpvr port, after authentication. Since the forwarding is done by a local process, the firewall doesn't block it and your traffic to and from the server is encrypted.

Sounds easy, right? I've not configured ssh tunneling myself, but I know people do it. Here's a link to configuring it for VNC access, which probably isn't much different. http://www.shebeen.com/vnc_ssh/ There are a number of free ssh windows servers and clients that support ssh tunneling (I like the PuTTY client, myself), and you'll find other resources for how to configure ssh tunnelling if you simply google for it.

On Linux you could do this with a software firewall and a port knocker, but unfortunately I can't find an implementation of a knocker daemon that runs on Windows. Lots of Linux implementations, and some Windows port knocker clients, but no Windows servers that I can find.

If you do work something out, post back and let us know what you do.

Good luck,
Tim

[stefan]

That would probably work. However, that makes you open up an ssh server on the gbpvr machine, still possibly violating the school policy, if it is indeed "no servers allowed". But that would also make icq and other stuff illegal, I guess.

What you would do on the client would be this

ssh -L {portnumberyouwanttouse}:localhost:{portnumberofgbpvrwebserver}{usernameongbpvrserver}@{gbpvrserver}

Then, in your webclient you enter:
http://localhost:portnumberyouwanttouse/gbpvr/bla/bla (I don't remember the url to the gbpvr server, but hopefully you understand)

Now, for the problem on how to configure an ssh server on your windows machine, I don't know =) Maybe someone else (I only open tunnels from my windows client, I've never set up an ssh server)

[stefan]

Hm... the :p is supposed to be ': p' (but without the space and without the quotes)

[wtg]

That would probably work. However, that makes you open up an ssh server on the gbpvr machine, still possibly violating the school policy, if it is indeed "no servers allowed".

Of course Stefan is correct, but should be able to configure ssh's prompt when you connect to something that isn't revealing, so instead of an ssh banner and "user:" prompt, you might not echo anything, or just a few spaces. That way if the school used a port scanner to find open servers, it wouldn't find anything it recognized. You could also configure it to use a non-standard port, making it less likely for your school to find it. It's unlikely they scan all net connections for all possible ports because it takes way too long since there are 64k ports. Instead they probably just scan for known, standard ports. They probably wouldn't even find gbpvr's port since it's uncommon, but if they did it returns enough info to make it clear you've got a server up. You should be able to configure sshd to be real quiet until you're authenticated.