Transmission too many logic attempts error


Post by riotshield » Sat Sep 16, 2023 8:32 am

Recently I started getting the below error when trying to connect to transmission locally

403: Forbidden
Too many unsuccessful login attempts. Please restart transmission-daemon.

I have not tried to log in prior to this error. Should I be worried that someone is trying to log in to my server, or could it be some bug?
riotshield
Donator VIP
Posts: 21
Joined: Sun Apr 19, 2020 5:59 am

Re: Transmission too many logic attempts error

Post by Jocko » Sat Sep 16, 2023 12:23 pm

Hi

Did you use a remote app (for example from your laptop)? Those apps use the RPC channel to get information to follow activity. There is a protection mechanism on this channel against brute-force attacks.

So check whether your credentials are set correctly in this app.
Jocko
Site Admin - expert
 
Posts: 11367
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: Transmission too many logic attempts error

Post by Cubytus » Tue Feb 06, 2024 2:52 pm

I get the same error from time to time. Not sure if I kept a Transmission tab open somewhere on one of my browsers, or if these really are login attempts from the Internet.

In my case, the Transmission data port and control ports are visible from the Internet, mainly to download a file at home when I'm not.

I realize this may not follow security best practices.

What is the recommended way to access Transmission's control panel from the Internet without adding a heavy security layer such as OpenVPN? The LaCie Cloudbox isn't very powerful to begin with and already struggles with just Transmission and NFS.
Cubytus
Donator VIP
Posts: 172
Joined: Fri Apr 10, 2015 1:45 am

Re: Transmission too many logic attempts error

Post by Jocko » Wed Feb 07, 2024 4:25 pm

Hi

Yes, there are other ways...

You have to
- Enable the https protocol on the web server (so set a custom certificate, ...)
- Enable the option "proxy gateway". With this option, you can get access to the web interface via the https port:
From the WAN, you make a secure request between the WAN and the NAS because the request is encrypted (SSL); the NAS decrypts it and then relays it on your LAN (here your NAS itself) to the transmission server. So your credentials and your actions with transmission are not readable on the WAN! (nor in other locations if you are behind a proxy, i.e. a workplace)
- Open the https port on your router (and not 9091)

Of course, as opening the https port means you can also manage the NAS via its fvdw-sl web interface from the WAN, you have to change its default credentials (admin-nas/admin) as they are well-known...

The URL to load the transmission web interface is:
https://your-public-ip/transmissioncli or https://your-DDNS/transmissioncli

More details here: https://plugout.net/fvdw-sl/.help/system_datetime_hlp.htm?v=17.0a#mozTocId594629
Jocko
Site Admin - expert
 
Posts: 11367
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France
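
Related to the advice above to keep port 9091 closed on the router: an added example (not from the thread or from the fvdw-sl firmware) that audits a Transmission settings.json for RPC settings that leave the control channel open beyond the LAN. The two sample configurations are constructed, and treating a missing key as the weaker value is an assumption of this example.

```python
import ipaddress
import json

LAN_NETS = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: no password, whitelist matches every IPv4 address.
EXPOSED = json.loads("""{"rpc-enabled": true, "rpc-port": 9091,
  "rpc-authentication-required": false,
  "rpc-whitelist-enabled": true, "rpc-whitelist": "127.0.0.1,*.*.*.*"}""")

# Constructed sample: password required, loopback plus one LAN range only.
RESTRICTED = json.loads("""{"rpc-enabled": true, "rpc-port": 9091,
  "rpc-authentication-required": true,
  "rpc-whitelist-enabled": true, "rpc-whitelist": "127.0.0.1,192.168.1.*"}""")

def lan_only(pattern):
    """True if an rpc-whitelist entry ('*' per IPv4 octet) can only match LAN or loopback hosts."""
    if pattern == "::1":
        return True
    octets = pattern.split(".")
    if len(octets) != 4 or not all(o == "*" or o.isdigit() for o in octets):
        return False  # unknown form: report it rather than guess
    try:
        low = ipaddress.ip_address(".".join("0" if o == "*" else o for o in octets))
        high = ipaddress.ip_address(".".join("255" if o == "*" else o for o in octets))
    except ValueError:
        return False
    # Every address the pattern can match lies between low and high.
    return any(low in net and high in net for net in LAN_NETS)

def audit_rpc(settings):
    """Return findings for a parsed settings.json; a missing key counts as the weaker value."""
    if not settings.get("rpc-enabled", True):
        return []
    findings = []
    if not settings.get("rpc-authentication-required", False):
        findings.append("no-auth: RPC accepts requests without a password")
    if not settings.get("rpc-whitelist-enabled", False):
        findings.append("whitelist-off: any source address may reach RPC")
    else:
        entries = [p.strip() for p in settings.get("rpc-whitelist", "").split(",")]
        wide = [p for p in entries if p and not lan_only(p)]
        if wide:
            findings.append("whitelist-wide: " + ",".join(wide))
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("restricted", RESTRICTED)):
        print(name, audit_rpc(cfg) or "no findings")
```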

Re: Transmission too many logic attempts error

Post by Cubytus » Wed Feb 07, 2024 11:42 pm

Thanks for the tip.

So I cut port 9091 from the router's firewall, leaving data port open, and opened the https port (non-standard of course!).

In total, the router lets in traffic for:
- FTP server
- Transmission data
- HTTPS port (non-standard)

On my mobile phone, I can get Transmission's admin interface from the WAN over HTTPS, which I don't need and may be a security risk as it sits behind a single password.
I get the same interface through plain HTTP (I wish it could redirect non-LAN connections to HTTPS automatically…)

So far three issues remaining:
I can get Transmission's Web interface from the WAN, but it doesn't accept my user/password pair (the ones dedicated to Transmission, just in case anyone was wondering). When accessed from the WAN, Transmission reports an error 401 "Unauthorized user". For the sake of this test, these are the default ones.

The other one: as the HTTPS certificate is a self-signed one, examining the content reveals the LAN-side IP, hostname, which may be a problem.
Emitter name is fvdw, which I understand is by design, but nevertheless should be editable, especially for those who don't have many fvdw-powered NASes.

The third one, perhaps more serious: there should be an option to completely disable fvdw's firmware general admin interface from WAN access, and only leave services the user explicitly wishes to access. It's a bit nonsensical for a user to see "you need to enable service X, otherwise you won't get service Y", even if it makes sense from a computer point of view.
Cubytus
Donator VIP
Posts: 172
Joined: Fri Apr 10, 2015 1:45 am

