# tivoweb password



## Comjunkie (Oct 22, 2002)

ok ok so i know i've been very stupid/ lucky to have tivoweb running without a password for two years without problems....but now someone seems to know the ip address and is using tivoweb to remotely access the tivo..very worrying when the tivo tries to change channel when you're watching...now i see in the recording history that several/many of my recordings have "been cancelled by someone in your household"

so i have added a username and password to the tivoweb.cfg file but when i access tivoweb from the LAN i get straight on without entering a username or password

my questions are
1. in the config file should there be a space after the = sign
2. should the username and password be in "" quotes

ps i have rebooted tivoweb and the tivo


please help


cheers


----------



## Pete77 (Aug 1, 2006)

The Username and Password should not be in quotes in the tivoweb.cfg file. And it should be:-

UserName = username

and

Password = password

i.e. note the use of Caps and the spaces.

To further throw your hacker off the trail you might also want to change to:-

Port = 443.

You can in fact still access TivoWeb using a normal HTTP browser if you Port forward port 443 on your router to the internal IP address of your Tivo but very few hackers seem to bother hacking on Port 443.

You might also want to configure Ljay's module for logging external attempts to access your Tivo across the web in your httpd log:-

See www.ljay.org.uk/tivoweb/tivo_httpd.html


----------
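The format rules from the post above (exact key capitalisation, a space each side of `=`, no quotes) written as a small checker. This is an added example, not part of the thread or of TivoWeb; it assumes one `Key = value` setting per line, and the function name and both sample files are constructed for illustration.

```python
import re

# Key spellings as given in the post above; only these three are checked.
EXPECTED_KEYS = ("UserName", "Password", "Port")
LINE_RE = re.compile(r"^([A-Za-z]+)(\s*)=(\s*)(.*)$")

def lint_tivoweb_cfg(text):
    """Return a list of (line_number, message); line 0 means file-level."""
    canon = {k.lower(): k for k in EXPECTED_KEYS}
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1).lower() not in canon:
            continue  # blank, comment, or a setting outside this check
        written, pre, post, val = m.groups()
        key = canon[written.lower()]
        if written != key:
            findings.append((n, f"key '{written}' should be written '{key}'"))
        if pre != " " or post != " ":
            findings.append((n, f"{key}: expected one space each side of '='"))
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            findings.append((n, f"{key}: value should not be in quotes"))
            val = val[1:-1]
        seen[key] = val
    # Credentials that are absent or blank are reported at file level.
    for key in ("UserName", "Password"):
        if not seen.get(key):
            findings.append((0, f"{key} is missing or empty"))
    port = seen.get("Port")
    if port is not None and not (port.isdecimal() and 1 <= int(port) <= 65535):
        findings.append((0, f"Port '{port}' is not a number in 1-65535"))
    return findings

# Constructed samples, not taken from a real TiVo. The trailing '.' on the
# Port line mimics copying the sentence punctuation along with the setting.
BAD_CFG = 'username="admin"\nPassword = "example-pass"\nPort = 443.\n'
GOOD_CFG = "UserName = admin\nPassword = example-pass\nPort = 443\n"

if __name__ == "__main__":
    for line_no, message in lint_tivoweb_cfg(BAD_CFG):
        print(f"line {line_no}: {message}")
```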



## Comjunkie (Oct 22, 2002)

ok so i got the password prompt to work..it rejects bad passwords but when the right password is entered i just get a blank screen now...the tivo is secure but no tivoweb


----------



## dbradbu3 (Dec 29, 2006)

Not such a stupid post.
It serves as a reminder, and I hadn't password protected my Tivoweb either.
Now have, so thanks for the learning experience.


----------



## Pete77 (Aug 1, 2006)

Comjunkie said:


> ok so i got the password prompt to work..it rejects bad passwords but when the right password is entered i just get a blank screen now...the tivo is secure but no tivoweb


Have you tried rebooting the Tivo using the menus and System Reset? If you just changed the tivoweb.cfg file and did not reboot this is probably why you now have an issue.


----------



## AWT (Aug 25, 2005)

Personally, I'd set the port up high (40,000 ish) - there aren't so many _standard_ ports up there and most portscan(er)s don't tend to waste their time in the high numbers.

A better way is to get a decent firewall/router where you can set a port forwarding rule to forward external traffic to the TiVo *and* set it to only allow connections to the TiVo port from your work address (or wherever you want to access it from). Unfortunately, there are more home routers that don't do that than those that do.


----------



## TCM2007 (Dec 25, 2006)

Are you sure someone was connecting to your TiVo? Seems broadly unlikely someone would log in just to mess with your recordings!

Do you have anything else non default in the config file?


----------



## Comjunkie (Oct 22, 2002)

pretty sure someone was messing...one day we watched as the ouija board was selected and backdoor codes were enabled.!!!...pretty weird...soon as I unplugged the tivo from the network it stopped being messed with

cheers


----------



## Pete77 (Aug 1, 2006)

AWT said:


> Personally, I'd set the port up high (40,000 ish) - there aren't so many _standard_ ports up there and most portscan(er)s don't tend to waste their time in the high numbers.
> 
> A better way is to get a decent firewall/router where you can set a port forwarding rule to forward external traffic to the TiVo *and* set it to only allow connections to the TiVo port from your work address (or wherever you want to access it from). Unfortunately, there are more home routers that don't do that than those that do.


The snag with that somewhat ultra high security approach is you then can't get access to your Tivo on the move from web cafes, friends or relatives houses etc.

I have been using Tivoweb with just username and password and port forwarding enabled on Port 443 for 19 months now with no issues. I check the httpd log periodically (the one that ljay's add on utility adds log functionality for) and there is only an attempt to access my Tivo by an IP address on the web once every few days and it's always a different one. They only ever try a couple of times at most on the one day and that IP address does not recur. That suggests comparatively little to worry about.


----------



## ColinYounger (Aug 9, 2006)

Pete77 said:


> you then can't get access to your Tivo on the move


Eh? I have my TiVo on a high port number and I can get through to it fine via http://mytivo:numberofport.



> That suggests comparatively little to worry about.


I think that's a risky comment to make. But you carry on with your happy little world and I'll protect my TiVo.


----------



## Pete77 (Aug 1, 2006)

ColinYounger said:


> Eh? I have my TiVo on a high port number and I can get through to it fine via http://mytivo:numberofport.
> 
> I think that's a risky comment to make. But you carry on with your happy little world and I'll protect my TiVo.


Many web cafes and offices are locked down to only using port 80, port 443 and a few other standard ports for outbound access and not any old port number under the sun.

Since none of us who use just username and password for protection yet seem to have had our Tivos hacked from the web I think you may be overstating the likely risk.


----------



## ColinYounger (Aug 9, 2006)

Pete - Re: overstating and no hacks yet.

That's probably due to the service providers recently switching to NATing so that you have another level of security above your own router. 

In other words, the major suppliers (NTL, BT) have stopped the wild, wild web from just scanning through IP addresses on their network. You'll only get that sort of attack now from someone inside that network - and their traffic monitoring spots it quickly and terminates the contract of the offending person (portscanning is against most SAs).

I recently tried an experiment with a honeypot machine (no patches, firewall or router - like what a novice user would connect up) on the real internet.

Within 30 seconds it was discovered.
Within 2 minutes there were trojans and spyware appearing.
12 minutes from connection the machine rebooted and could not be recovered.

THAT's why I would rather be paranoid.


----------



## Pete77 (Aug 1, 2006)

My broadband ISPs have been Freedom2Surf, Lixxus, NewNet and Entanet who may not be using any of the lock down features against port scanning you suggest.

Surely adding username and password adds a lot of protection unless you are unlucky, using port 443 instead of port 80 further reduces the risk and then the fact that if this is penetrated it's a limited features Linux box rather frustrates the vast majority of hacking programs. And it's only the http Tivo interface that is available on the web and not the raw file system that can only be accessed through FTP or Telnet.

Obviously someone could delete all your recordings if they were so minded though but Tivoweb Unerase ought to be able to get them back again.


----------



## ColinYounger (Aug 9, 2006)

I'll point you to the OP's description of what was happening to him as for what can happen.

But the point here, Pete is that you were saying it's not worth changing the port number because you can't get through to the TiVo. My reply was that you CAN, and your statement was misleading.

BTW, I can get to my TiVo from my friend's house as well. <smug>


----------



## Pete77 (Aug 1, 2006)

ColinYounger said:


> But the point here, Pete is that you were saying it's not worth changing the port number because you can't get through to the TiVo.


I actually said it is extremely worthwhile changing the Port number to Port 443 instead of the default Port 80 as most of the worm and other internet scanning activity then disappears.

Unusual port numbers will be blocked in many offices and web cafes if not at your friend's house.


----------



## worm (Feb 10, 2005)

I read Pete's original comment as indicating that you couldn't access your TiVo from friends, webcafes etc. if you restrict external access to certain IPs.



AWT said:


> A better way is to get a decent firewall/router where you can set a port forwarding rule to forward external traffic to the TiVo *and* set it to only allow connections to the TiVo port from your work address (or wherever you want to access it from).





Pete77 said:


> The snag with that somewhat ultra high security approach is you then can't get access to your Tivo on the move from web cafes, friends or relatives houses etc.


This is perfectly correct. Although you could allow web access to your router's config which you could then change to allow access from an alternative site when you are there - but life's too short for all that faff isn't it? And somehow allowing web access to a router config seems to open up a whole host of security issues


----------



## Pete77 (Aug 1, 2006)

worm said:


> This is perfectly correct. Although you could allow web access to your router's config which you could then change to allow access from an alternative site when you are there - but life's too short for all that faff isn't it? And somehow allowing web access to a router config seems to open up a whole host of security issues


I have external configuration access to my ADSL modem router but the unusual port it is allowed through would probably be blocked by many web cafes.

Also could you necessarily find the IP address of the web cafe or other connection you were connecting from.


----------



## ColinYounger (Aug 9, 2006)

Just for fun, I went to my local web cafe and tried to get access to my TiVo. I had to negotiate with the owner to allow me to only try one web address for 1 minute 'to check something works'. Luckily, they had Costa coffee there as well so the guy agreed for a pound and a coffee (and as long as he could watch).

It worked.

You owe me a pound and a cup of coffee, Pete.


----------



## Pete77 (Aug 1, 2006)

ColinYounger said:


> You owe me a pound and a cup of coffee, Pete.


Depends on the web cafe.

Some will allow you to access any port on a specific IP address or URL and some won't. Therefore you cannot guarantee access to your Tivo on some small Greek island that only has one web cafe.


----------



## ColinYounger (Aug 9, 2006)

OK - all I'm hearing now is 'blah blah blah'.

What we're all agreeing on is that port number changes are Good and having username and password is good.

All the rest is 'blah blah blah' and polluting the thread.


----------



## Pete77 (Aug 1, 2006)

ColinYounger said:


> OK - all I'm hearing now is 'blah blah blah'.
> 
> *What we're all agreeing on* is that port number changes are Good and having username and password is good.


I totally disagree with your own simplistic attempt to suggest that your own point of view on an issue and what suits you personally must become everyone's point of view.

If you use a non standard port number you won't be able to gain access to Tivoweb from any possible computer you might use and obviously if you limit the IP addresses that can access your ADSL modem router that the Tivo is linked to then you will only be able to gain access on those particular computers.

Always using a username and password is of course extremely sensible and it would be very unwise to grant external web access to your Tivo and not do so.


----------



## cwaring (Feb 12, 2002)

Anyone else tried this? https://gotomydvr.com/ Seems to work okay, if a little slower than direct access.


----------



## Pete77 (Aug 1, 2006)

cwaring said:


> Anyone else tried this? https://gotomydvr.com/ Seems to work okay, if a little slower than direct access.


Seemed to be a Beta.

No explanation on how it works if you don't first register your details?


----------



## cwaring (Feb 12, 2002)

Pete77 said:


> Seemed to be a Beta.


It is. So what? It works 

I think it's someone (or group of someones) from over on the US forum that's doing it.

Here's a bit from the page you can't see without registering:



> Welcome to the DVRupgrade remote access site, unofficially known as gotomydvr. If you have a networked TiVo from DVRupgrade with TiVoWeb or TiVoWebPlus installed, and our special client, you can register and access your TiVo remotely from anywhere in the world using our exclusive technology. Once the client is installed and started on your TiVo you only need to ensure your TiVo is registered with our service to use the gotomydvr technology.


----------



## Pete77 (Aug 1, 2006)

Sounds interesting.

So with the client on the Tivo it is able to achieve some form of secure Tivo access via their website that stops those people randomly polling IP addresses from potentially gaining Tivoweb access?

Don't suppose you can also get FTP or Telnet access to the Tivo this way though?


----------



## cwaring (Feb 12, 2002)

Nope.

Actually, something odd has just happened. Before, I mentioned that you get access to your Tivo in a little window in the middle of the screen.

Well, since I logged-in, every time I go back to the site I get straight into my Tivo. I can't get back to the main page. Wonder if it's a bug?


----------



## Pete77 (Aug 1, 2006)

cwaring said:


> Nope.
> 
> Actually, something odd has just happened. Before, I mentioned that you get access to your Tivo in a little window in the middle of the screen.
> 
> Well, since I logged-in, every time I go back to the site I get straight into my Tivo. I can't get back to the main page. Wonder if it's a bug?


I expect that it logs you out after a certain number of minutes of activity. Still doesn't sound that safe though.

I think I will give it a miss for the time being and stick to Username, Password and the httpd log in conjunction with the IP address being stored at www.dyndns.org


----------



## cwaring (Feb 12, 2002)

Pete77 said:


> Still doesn't sound that safe though.


Seems just as safe as any other method to me.


----------



## Pete77 (Aug 1, 2006)

cwaring said:


> Seems just as safe as any other method to me.


Just with it being a beta and leaving you logged in without needing a username and password again is what I meant.


----------



## cwaring (Feb 12, 2002)

Okay. Fair point. I don't worry so much as there's only me that knows the user/pass (it's not easy to guess) and I never go anywhere anyway


----------

