I just installed RP-1.0.1 on my RPi 2B. I didn’t enable SSH, but it is running, and the default username and password is root/rasplex. The root user is of course a superuser.
Not only are you not prompted to change the root password, you are prevented from doing so by the absence of passwd.
I can’t see why this isn’t horribly insecure. Am I missing something?
You should be able to disable SSH if you want to, look in the System Settings menu.
Guys this is serious. How can I escalate this?
SSH is enabled by default, as Knightorc states you can turn it off after initial boot through System Settings. Can’t really see that this is ‘serious’. If you like you can raise an issue as described in the ‘sticky’ at the top of the forum, as you have missed this I’ll provide the link https://forums.plex.tv/discussion/89379/readme-getting-help-and-reporting-issues-with-rasplex#latest
Regards
It took me less than 5 minutes to find RasPlex installs on the web. I really shouldn’t have to spell this out.
Spell what out ?
We’ve already told you that you CAN disable SSH.
It’s a simple option in the RasPlex submenu:
System Settings > Services
So just disable SSH then, if you hate it that much.
As for finding RasPlex devices with SSH acces on the Internet, that can only happen if those RasPlex devices are connected directly to an ISP without any intervening NAT-capable router, or if someone has defined port-forwards for ‘everything’ (which is basically the same thing). Either way is obviously an improper usage. Like all home computers the RPi should be connected to a normally secure LAN.
Best regards: dlanor
I would prefer a way to change the default password myself without a custom compile. Just because I prefer a more secure setup if possible and I manage some remote PI’s on networks I cannot control.
But I don’t feel like the SSH password is a serious issue. But I would be more worried if I was using a college campus network or some sort of group network that had parties on it I couldn’t necessarily trust. Such as a frat house or large roommate situation.
I lived in a nerd party house once and one of the roommates friends thought it was fun to try and break into my systems. I just put a firewall between the house LAN and my computers. Problem solved.
@dlanor said:
Spell what out ?
We’ve already told you that you CAN disable SSH.
With respect, that’s not the point. The point is that it’s insecure by default.
Sure, it’s not supposed to accessible from the internet, but the fact is that people are going to are already misconfiguring their networks and are exposing themselves to compromise. It took me less than a minute on shodan to find exposed RasPlex installs.
Other distros recognize that not everyone is an expert; that not everyone realizes the consequences of their actions and people can make mistakes, and therefore adhere to the principal of “secure by default”. I.e. You have to go out of your way to make things insecure.
Put another way, how would you feel if your phone, your laptop, or your TV provided root access to anyone else on your home network?
Anyway, I’ve said my piece. I’ll leave it at that.
@as2003 said:
Put another way, how would you feel if your phone, your laptop, or your TV provided root access to anyone else on your home network?
I would feel OK with that on my home network, I have sufficient security in place to prevent access to anyone outside my home network.
Regards
PS my phone, laptop and TV all have password access so would be little use to anyone else.
Base security theory applied, @as2003 , you are correct. I think the better question though, is why has the Rasplex or Openelec team gone out to their way to make it difficult to change the root password? Removing the basic control of security of the unit is what doesn’t make sense to me. Why prevent the root password change capability at all?
The RasPlex team has done nothing of the sort.
It’s just a feature of how the OpenELEC system was made, which the RasPlex team has not modified (as yet).
Also, unless I’ve misread the documentation, there is a way to provide fully secure SSH access using digital keys rather than passwords, with passworded access being fully disabled. You just need to modify some system scripts and add those keys yourself. But personally I’ll never bother with that, as I’d never dream of connecting my RPi directly to Internet, without a NAT capable router between them.
Best regards: dlanor
But why was Openelec made that way? Obviously it was done for a reason. I’d just like to know what the reasoning was to remove the ability to change the Root password. But I suppose that’s a question for the openelec forums.
This thread has the answer. It was a design choice having to do with the limits imposed by squashfs.
http://openelec.tv/forum/90-miscellaneous/64348-changing-root-passwd
@dlanor
Thanks for pointing out the custom certificate options. In addition, you’re right about disabling SSH being the best option available for those concerned or in situations requiring more security on the PI itself.
I have some family remote to my server who are not computer savy other than connecting a computer to a wifi network. They may think it’s a good idea to put it on a public Wifi network. These PI’s have VPN connections back into my home network so it’s more concerning for me that I mitigate the risk of their PI’s being compromised and posing risk to me.
@benjaminwolf:
Those remote RPi units are of course a problem, as you don’t have direct control over where and how they are connected or configured. (Though you probably did at some time, having set up their VPN access…)
That last part confuses me a bit, as I don’t understand why you’d need or want those RPi units to connect through VPN at all. The main thing that differs with regard to Plex access is that units on the same LAN may get PMS access without security checks, which is yet another security lapse, so I doubt that you’d want to do that. Why don’t you just let them reach your PMS the normal way instead (mediated by Plex login) ?
That would eliminate any risk of a compromised RPi being able to access your LAN.
Best regards: dlanor
@dlanor
It’s really just remote administration. I can have them enable SSH and view their log files, drop a theme in, or adjust a Keyboard.xml file. I usually test a new Rasplex version then upgrade the remote clients by dropping it into the appropriate folder. Or in a recent experience, turn their CEC back on when I swapped hardware out and forgot to change the settings before driving 200 miles home. ( thanks @NedtheNerd 
)
Most of my users I share my server with are either very old or very disabled. Two of my users are completely bodily disabled due to a genetic disease which causes them to barely be able to use a simple remote.
With users like this, it’s just easier to administrate when I can access the PIs where ever the are.
From a security standpoint, though, leaving the server port open on the internet does open you up for possible attacks. Running the OpenVPN client with SSH and Samba disabled is a more secure system. Provided you trust the PI’s are physically safe enough.
I understand the situation of you and your plex users and agree that a VPN solution is the best way to enable you to handle their RPi configuration and maintenance.
So as I see it, this makes the installation and use of custom certificates the only fully secure option (once you also disable the SSH password usage as well as SMB). But another method that could be almost equally secure would be to ensure that all of those users have proper NAT-enabled router connections to the Internet, thus blocking hacker access to the SSH servers at either end.
Personally I would recommend doing both.
(Install certificates at once, and ensure NAT connection whenever you visit any of them again.)
Best regards: dlanor
