MobileRead Forums > E-Book Software > Calibre
Old 05-17-2010, 03:59 AM   #16
chaley
Grand Sorcerer
 
Posts: 12,447
Karma: 8012886
Join Date: Jan 2010
Location: Notts, England
Device: Kobo Libra 2
Quote (Originally Posted by SensualPoet):
So far so good -- another computer BEHIND the firewall has access using the 192.168.x.x:8787 and correctly grabs the calibre index. But I still can't figure out how to make a computer on the OUTSIDE of the router see 99.230.x.x:8787 which is the address of the machine running Calibre (according to: http://www.whatismyip.com/).
Welcome to the wonderful world of Network Address Translation (NAT), IP (Internet Protocol) addressing, and DNS (Domain Name System) management.

The 192.168 IP address is in a private IP address space, which means that the router you are using is doing NAT. NAT translates IP addresses in requests from the private side of the router to the public address, changing some things (ports) in the process, and vice versa. One consequence of this is that a machine with a private IP address is not visible from outside unless a) it has opened a channel, or b) the router has been told to forward requests. You need to do the second.

Your router will have a setup screen/system, probably available through the internal web (probably 192.168.0.1). Somewhere in there you will find the ability to 'forward' ports from the outside to the inside. For example, on my Netgear DB834, it is done by setting up an incoming firewall rule. With some other routers, you can define a particular internal machine to get all packets. Check your router's documentation.

There are 3 gotchas to be aware of. The first is that you might be using DHCP on your router, meaning that internal addresses are dynamically allocated when an internal machine connects. This could break port forwarding, because the address of the machine being forwarded to could change. The easiest way to resolve this is to make an 'address reservation' for the machine in the router, so that it always gets the same address. Alternately, give the machine a fixed IP address that is not in the router's DHCP space.

The second is similar, but for your router. Your ISP might allocate IP addresses dynamically, meaning that your router's external IP address might change. This will make accessing your router (and thus your server) from the outside problematic, because you will not know the correct IP address. The easiest way to solve this problem is to use dynamic DNS, which allocates your router a name (e.g., foo.dyndns.net) and maintains the association between this name and the correct IP address. Your router will almost certainly have support for one or another of the dynamic DNS systems. Dyndns is common.

The third is security. Be aware that you are opening your computer to network attacks by bad guys anywhere in the world. Some of the bad guys are very smart, and if there is a security hole on your computer, they will find it. To protect yourself, only open the ports you really need open.
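A self-contained check that mirrors the NAT and port-forwarding points in the post above. It is an added example, not code from the thread or from calibre: it classifies the two kinds of address the original poster saw (private 192.168.x.x on the LAN, public 99.230.x.x as reported by whatismyip.com) and runs the local TCP connect test you would do before touching the router, so you know the content server is actually listening on the LAN address the forward will point at. The listener it starts is a stand-in for the content server, the addresses 192.168.1.10 and 99.230.1.1 are constructed, and the port is whatever the OS assigns.

```python
import ipaddress
import socket
import threading


def is_private(addr: str) -> bool:
    """True for addresses the public Internet never routes (RFC 1918, loopback, link-local)."""
    return ipaddress.ip_address(addr).is_private


def nat_in_play(lan_addr: str, wan_addr: str) -> bool:
    """The thread's situation: the host sees a private address while the outside world
    sees a public one, so the router is translating and must be told to forward."""
    return is_private(lan_addr) and not is_private(wan_addr)


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect test from the local machine. Run it against the LAN address
    (not only 127.0.0.1) to confirm the server is bound where the forward will point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_stub_server(bind_addr: str = "127.0.0.1"):
    """Stand-in for the content server (constructed for this example): listens on an
    OS-assigned port and closes each accepted connection. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket shut down: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_stub_server(srv: socket.socket) -> None:
    """shutdown() wakes the blocked accept() so the port is really released on close()."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def forwarding_checklist(lan_addr: str, wan_addr: str, port: int) -> list:
    """Findings to clear, in order, before opening the router."""
    findings = []
    if nat_in_play(lan_addr, wan_addr):
        findings.append(f"NAT: forward external TCP {port} to {lan_addr}:{port} "
                        f"and reserve {lan_addr} in the router's DHCP table")
    if not port_open(lan_addr, port):
        findings.append(f"nothing answers on {lan_addr}:{port}; is the server bound "
                        "to that address rather than only to loopback?")
    return findings


if __name__ == "__main__":
    srv, port = start_stub_server()
    # Constructed addresses standing in for the poster's 192.168.x.x and 99.230.x.x.
    # The stub only listens on loopback, so the second finding fires for the LAN address.
    for line in forwarding_checklist("192.168.1.10", "99.230.1.1", port):
        print(line)
    stop_stub_server(srv)
```

Only the first finding is about the router; the second catches the case where the server is bound to 127.0.0.1 and no amount of port forwarding will help, which is worth ruling out before changing firewall rules.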
Old 05-17-2010, 09:20 AM   #17
theducks
Well trained by Cats
 
Posts: 31,062
Karma: 60358908
Join Date: Aug 2009
Location: The Central Coast of California
Device: Kobo Libra2,Kobo Aura2v1, K4NT(Fixed: New Bat.), Galaxy Tab A
Charley, you need to do something about the label below your name

That was excellent advice.

I will add to your third point.
Be constantly aware of the status of your Anti-virus/anti-malware product when you have a port open to the outside.

One of the first things the bad guys do is block updates if they can't just kill it outright.
Old 05-17-2010, 09:51 AM   #18
Starson17
Wizard
 
Posts: 4,004
Karma: 177841
Join Date: Dec 2009
Device: WinMo: IPAQ; Android: HTC HD2, Archos 7o; Java:Gravity T
Quote (Originally Posted by theducks):
Be constantly aware of the status of your Anti-virus/anti-malware product when you have a port open to the outside.
Assume the following:
1) Only a single port open
2) The open port number is randomly selected
3) Calibre responds on that port
4) The bad guys are not specifically targeting the user - they don't know in advance about any of 1-3

To successfully attack, the bad guys would need to scan to find the open port, identify the responding software (IIRC, Calibre uses CherryPy) and exploit a vulnerability (possibly requiring them to crack the user/password).

Is there any way of estimating how likely any of that is? I occasionally see port scans in my logs, but never on the port I use for Calibre. Even if they did find my port, are there any known CherryPy vulnerabilities they could exploit?

I'm simply curious about relative risks. There are lots of good reasons to run AV software, so I do that as a matter of course. It's just that, on the surface, this particular risk seems relatively low.

Has anyone seen any studies where they watch to see what happens during a scan-the-ports type of attack? Do attackers then try to identify the responding software and match it to known vulnerabilities? Or are attacks like this uncommon? I know I'd probably go for the low hanging fruit and attack standard ports, standard software, default passwords, etc. before going after Calibre.
Old 05-17-2010, 10:43 AM   #19
chaley
Grand Sorcerer
 
Posts: 12,447
Karma: 8012886
Join Date: Jan 2010
Location: Notts, England
Device: Kobo Libra 2
Quote (Originally Posted by theducks):
Chaley, you need to do something about the label below your name
Probably, but that is the way I often feel these days.
Quote (Originally Posted by Starson17):
Assume the following: ...
4) The bad guys are not specifically targeting the user - they don't know in advance about any of 1-3
Targeting a user is infrequent. Targeting an application happens all the time.
Quote:
To successfully attack, the bad guys would need to ...
This process is called footprinting. There are malware tools generally available that try to identify the software that responds on a port. On the server I run for my family, I get 100's of probes per day.
Quote:
Is there any way of estimating how likely any of that is? ...
No, other than to say 'not likely'. The flip side is that a penetration needs to happen only once, then the tool sets are updated and the script kiddies go nuts with it.
Quote:
Has anyone seen any studies where they watch to see what happens during a scan-the-ports type of attack? ...
Yes. I have participated in some of them.

The vast majority of attackers are running automated tools found on the web. These can generally be ignored, because a) the attackers don't know what they are doing, and b) the vulnerabilities exploited are usually old. For example, my server is probed many times per day by common SSH dictionary attack daemons that appear to be clones of each other. One way to identify a clone: it probes with the username 'fluffy' (!), a daily occurrence.

Security by obscurity, which is what you are doing by picking a random port, can work rather well to hide known applications. It doesn't work against a determined attacker. The music and ebooks industry has learned this, because they depend upon obfuscation to keep their DRM encryption keys secret. We know how well that works.

As for port scans, my server has been fully scanned more than once. When I lived in Malaysia, my home router was fully scanned at least once per week, something that doesn't happen where I am now. Twice application-specific attacks on my server have succeeded, once because my son didn't keep some app up to date (and I didn't know he installed it), and once because of a zero-day attack.

The danger comes from bad guys who pay attention and know what they are doing. These combine port scans with footprinting, then do vulnerability probes based on what they find. Vulnerabilities are shared within this small community, as are maps of machines with open ports.

The above notwithstanding, it would be very surprising if some random port (not below 8999!) on a particular home machine is probed by a tool that is smart enough to identify the software behind it. However, I have been surprised before, so I believe that a bit of constructive paranoia is called for, but not so much that I don't use my computers for what they are good for.
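As a detection-side illustration of the automated dictionary-attack traffic described in the post above, here is an added example (my code, not chaley's tooling) that runs over a few constructed OpenSSH auth.log lines: it groups failed password attempts by source address, flags sources that cycle through many different usernames, and tags the 'fluffy' marker username the post mentions as a fingerprint of the cloned daemons. The log lines, addresses and the distinct-username threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's auth.log format; not taken from anyone's real server.
SAMPLE_LOG = """\
May 17 03:01:02 home sshd[2101]: Failed password for invalid user fluffy from 203.0.113.7 port 51022 ssh2
May 17 03:01:05 home sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
May 17 03:01:09 home sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
May 17 03:01:12 home sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
May 17 03:01:15 home sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
May 17 03:15:40 home sshd[2230]: Failed password for chaley from 192.168.0.23 port 40112 ssh2
May 17 03:15:44 home sshd[2231]: Accepted password for chaley from 192.168.0.23 port 40112 ssh2
May 17 03:20:01 home sshd[2300]: Failed password for invalid user fluffy from 198.51.100.9 port 33000 ssh2
"""

# "invalid user" appears only when the account does not exist; the username follows either way.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

# Usernames that identify a known family of cloned bots; 'fluffy' is the one from the post.
CLONE_MARKER_USERS = {"fluffy"}


def failed_logins(log_text: str) -> dict:
    """Map each source IP to the list of usernames it failed to log in as, in log order."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return attempts


def classify_sources(log_text: str, dictionary_threshold: int = 3) -> dict:
    """Per source: attempt count, distinct usernames, and tags.
    'dictionary'  - cycles through at least dictionary_threshold different accounts
    'clone-marker' - tried one of the marker usernames
    'single-user' - one account and no marker: most likely a real person mistyping"""
    report = {}
    for ip, users in failed_logins(log_text).items():
        distinct = set(users)
        tags = []
        if distinct & CLONE_MARKER_USERS:
            tags.append("clone-marker")
        if len(distinct) >= dictionary_threshold:
            tags.append("dictionary")
        if not tags:
            tags.append("single-user")
        report[ip] = {"attempts": len(users), "distinct_users": len(distinct), "tags": tags}
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {info['attempts']:3} attempts {info['distinct_users']:3} users {info['tags']}")
```

The distinction the post draws, between clones that can be ignored and attention-paying attackers, is not something a log parser can settle on its own, but separating "many usernames, few tries each" from "one account, repeated tries" is the first cut most fail2ban-style tooling makes, and the marker list is a cheap way to count the clones without giving them a second look.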
Old 05-17-2010, 12:01 PM   #20
Starson17
Wizard
 
Posts: 4,004
Karma: 177841
Join Date: Dec 2009
Device: WinMo: IPAQ; Android: HTC HD2, Archos 7o; Java:Gravity T
Quote (Originally Posted by chaley):
On the server I run for my family, I get 100's of probes per day.
I see a similar number when my ftp server is up on port 21, but I never seem to see probes on my Calibre port.

Quote:
Security by obscurity, which is what you are doing by picking a random port, can work rather well to hide known applications.
Exactly. It's not that obscurity is a strong defense, it's just that there are so many other tempting non-obscure targets, why waste time.

Quote:
As for port scans, my server has been fully scanned more than once.
Interesting. That's what I wondered about. I haven't seen any complete scans. Occasionally I've seen some ranges scanned. Any thoughts on whether the script-kiddie tools can identify CherryPy/Calibre?

Quote:
Twice application-specific attacks on my server have succeeded
Were they running on a known port for that particular application? That's where I feel most vulnerable - installing an app that needs to run on a particular known port. If someone later finds a vulnerability in that app, and knows the port, scanning addresses isn't hard.

Quote:
The above notwithstanding, it would be very surprising if some random port (not below 8999!) on a particular home machine is probed by a tool that is smart enough to identify the software behind it. However, I have been surprised before, so I believe that a bit of constructive paranoia is called for, but not so much that I don't use my computers for what they are good for.
That's my attitude. I want access to my books, so I'm going to run the content server and protect it with reasonable methods.
Old 05-17-2010, 12:05 PM   #21
kovidgoyal
creator of calibre
 
Posts: 45,359
Karma: 27182818
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
Dunno about Windows but on a unixy system run the server as a user with restricted permissions and read only access to your calibre library. That should help with making the server more secure.
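A way to verify the advice above on a unixy system, added here as an example rather than anything shipped with calibre: it builds a throwaway directory shaped like a calibre library (metadata.db plus an Author/Title folder), then applies the POSIX owner/group/other write check for a hypothetical service account that is neither the library's owner nor in its group, and lists every path that account could modify. An empty list is the state Kovid describes: the server can read and serve the books but cannot alter the library. The service uid and gid and the library contents are constructed.

```python
import os
import shutil
import stat
import tempfile


def can_write(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: set) -> bool:
    """POSIX discretionary-access check: could a process running as uid/gids write this object?
    Selects the owner, group or other bit the way the kernel does; root bypasses the bits."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_library(library_path: str, uid: int, gids: set) -> list:
    """Every directory or file under the library that the given account could modify."""
    writable = []
    for root, _dirs, files in os.walk(library_path):
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            if can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                writable.append(path)
    return sorted(writable)


def build_demo_library() -> str:
    """Constructed stand-in for a calibre library: metadata.db plus one book folder."""
    base = tempfile.mkdtemp(prefix="calibre-lib-")
    os.makedirs(os.path.join(base, "Author", "Title (1)"))
    for rel in ("metadata.db", os.path.join("Author", "Title (1)", "Title - Author.epub")):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("placeholder\n")
    return base


def set_tree_mode(library_path: str, dir_mode: int, file_mode: int) -> None:
    """Apply one mode to every directory and one to every file (0o555/0o444 = read-only)."""
    for root, _dirs, files in os.walk(library_path):
        os.chmod(root, dir_mode)
        for f in files:
            os.chmod(os.path.join(root, f), file_mode)


def demo() -> tuple:
    """Returns (paths writable with a sloppy metadata.db, paths writable after locking down),
    both relative to the library root."""
    lib = build_demo_library()
    st = os.stat(lib)
    # Hypothetical unprivileged service account: not the owner, shares no group with it.
    svc_uid, svc_gids = st.st_uid + 1, {st.st_gid + 1}
    try:
        set_tree_mode(lib, 0o755, 0o644)                   # make the starting point umask-independent
        os.chmod(os.path.join(lib, "metadata.db"), 0o666)  # common mistake: world-writable database
        sloppy = audit_library(lib, svc_uid, svc_gids)
        set_tree_mode(lib, 0o555, 0o444)                   # what "read only access" looks like
        locked = audit_library(lib, svc_uid, svc_gids)
    finally:
        set_tree_mode(lib, 0o755, 0o644)                   # so the temp tree can be removed
        shutil.rmtree(lib)
    return ([os.path.relpath(p, lib) for p in sloppy],
            [os.path.relpath(p, lib) for p in locked])


if __name__ == "__main__":
    before, after = demo()
    print("writable by the service account before lock-down:", before)
    print("writable by the service account after lock-down: ", after)
```

Because the uid is passed in rather than taken from the running process, the audit gives the same answer whether you run it as yourself or as root, and it can be pointed at a real library with the service account's actual uid and group list once that account exists.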