QuickBox / QB

QuickBox is much more than a ‘seedbox installer script’; it is a simplistic approach to achieving easy seedbox and services management from a beautifully designed dashboard, allowing users to interact with their seedbox and server on a professional-grade level.
https://quickbox.io
GNU General Public License v3.0
737 stars, 171 forks

Possible openly accessible SSDP server on servers running QB #127

Closed ghost closed 6 years ago

ghost commented 6 years ago

I just received this notice from my VPS provider Contabo.

https://pastebin.com/tN744eQD

I run Quickbox with Rutorrent, Sonarr, Radarr, Emby and Nextcloud. Nothing else. A quick scan revealed that I don't have any of these ports opened.

SSDP_scan.png

Using the suggested method of checking if a SSDP server is running: tcpdump -n -A host 173.249.**.***

Result:

    21:09:36.485254 IP 192.168.1.3.58002 > 173.249.**.***.1900: UDP, length 97
    E..}..@.@..............l.i..M-SEARCH * HTTP/1.1
    Host:239.255.255.250:1900
    ST:upnp:rootdevice
    Man:"ssdp:discover"
    MX:3

Is QB using any SSDP servers? How can we further investigate this? Thanks!

ghost commented 6 years ago

Verifying this again, it seems that Emby has a UPnP server:

    20:40:17.231088 IP 173.249.**.***.55717 > 185.70.107.18.23308: UDP, length 377
    E...hw..@."......Fk...[.....HTTP/1.1 200 OK
    EXT:
    DATE: Wed, 14 Mar 2018 19:40:17 GMT
    CACHE-CONTROL: max-age = 600
    ST: urn:schemas-upnp-org:device:MediaServer:1
    SERVER: Unix/4.12.14.41214 UPnP/1.0 RSSDP/1.0
    USN: uuid:944b4ade45fd42bcaaba9302bc427693::urn:schemas-upnp-org:device:MediaServer:1
    LOCATION: http://[IP]:8096/dlna/944b4ade45fd42bcaaba9302bc427693/description.xml

Accessing ip/8096/dlna/944b4ade45fd42bcaaba9302bc427693/description.xml displays the XML, even if DLNA is disabled. For now I just disabled Emby completely.
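An added example, not part of the original thread or the QuickBox code: a small parser that takes the UDP payload of a captured SSDP message and reports which device type answered, the port its LOCATION points at, and the reply-to-request size ratio. The sample payloads are constructed from the captures quoted above, with the redacted host replaced by the documentation address 203.0.113.10; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: the reply headers quoted in the thread, with the redacted
# host replaced by the documentation address 203.0.113.10 (an assumption).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\nEXT:\r\nDATE: Wed, 14 Mar 2018 19:40:17 GMT\r\n"
    b"CACHE-CONTROL: max-age = 600\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"SERVER: Unix/4.12.14.41214 UPnP/1.0 RSSDP/1.0\r\n"
    b"USN: uuid:944b4ade45fd42bcaaba9302bc427693::urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"LOCATION: http://203.0.113.10:8096/dlna/944b4ade45fd42bcaaba9302bc427693/description.xml\r\n\r\n"
)
# The M-SEARCH probe quoted in the first comment.
SAMPLE_PROBE = (b'M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\n'
                b'ST:upnp:rootdevice\r\nMan:"ssdp:discover"\r\nMX:3\r\n\r\n')


def parse_ssdp(payload: bytes) -> dict:
    """Split a UDP payload (IP/UDP header bytes already stripped) into the
    start line and a dict of upper-cased header names."""
    head = payload.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = [ln for ln in head.splitlines() if ln.strip()]
    if not lines or "HTTP/1.1" not in lines[0]:
        raise ValueError("not an SSDP message")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # values may contain ':' too
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"start": lines[0], "headers": headers}


def describe_responder(payload: bytes, request_len=None, reply_len=None) -> dict:
    """Summarise who answered and how much larger the reply is than the probe.
    request_len/reply_len are the UDP lengths tcpdump printed for each packet."""
    msg = parse_ssdp(payload)
    h = msg["headers"]
    ratio = None
    if request_len:
        ratio = round((reply_len or len(payload)) / request_len, 2)
    return {
        "is_reply": msg["start"].startswith("HTTP/1.1 200"),
        "device_type": h.get("ST"),
        "server": h.get("SERVER"),
        # Port of the description URL: the listener to look for on the host.
        "description_port": urlsplit(h.get("LOCATION", "")).port,
        "amplification": ratio,
    }


if __name__ == "__main__":
    print(describe_responder(SAMPLE_REPLY, request_len=97, reply_len=377))
```

On the server, matching `description_port` against the listeners shown by `ss -lntp` names the process behind the reply.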

JMSDOnline commented 6 years ago

I added a function to block the most specific targeted port at 1900. However, if upnp is in play by a media server, then we'll have to look closer at how to target the specific request port and block it... assuming it would have no ill effects on the media server itself.

According to this you can block any UPNP/DLNA settings and it should resolve. However, it was stated they would post an update to address this, but that was the end of it.

The basic port 1900 should be blocked by an opening function in the setup here: https://github.com/QuickBox/QB/blob/master/setup/quickbox-setup#L203-L208

If that isn't working, then I'll need to review other possible solutions. I am pretty sure CSF (if installed) would block this port as I have it blacklisted in the config by default. Again, I'll need to play with this one for further resolve... if possible on our end.


I guess this is being resolved: https://github.com/MediaBrowser/Emby/issues/3173