Best Practices: Opening the API Port to the Outside World
I have a working remote setup that I really like!
I am using SmartLink and have thus forwarded ports 4993 and 4994 on my router without any issues. As I now wanted to use the API access via TCP on port 4992, I also forwarded this port and gave my router a public DNS record. This way, I can use the WaveFlexIntegrator (https://github.com/tnxqso/wave-flex-integrator) without the need for a VPN. And that also works great!
I now only have a few security concerns...
Most of the time, the Flex is powered down and physically disconnected from the grid via a proper power switch, so not much concern here. However, the API port accepts TCP connections from anyone at any time once powered up. For example, a random port scanner might find it and connect to it. I don't know how the Flex is set up internally, but I feel like this could be an issue?
The SmartLink ports 4993 & 4994 are meant to be accessible from the outside world, thus I suspect there is some authentication, encryption, rate limiting, whatever, going on, but I don't know. I didn't find anything on whether it is okay to open port 4992 to the outside world.
Would anyone else see this as a concern? Is there any logging happening on the Flex so I could see connection attempts?
Maybe this sounds a bit paranoid, but regarding cyber-security, I try to be one step more paranoid than others would consider reasonable :D
Any thoughts on this?
Cheers,
Fabian DM7HB
Best Answer
I can only say that you should never forward port 4992 to the outside world. Ever.
Doing so exposes your radio on a non-secure port that allows the bad guys direct access to your radio. Not good.
That port is for internal, behind the firewall use by applications on the same LAN/Subnet.
4993 and 4994 are TLS secured ports.
If you have a requirement where you need access to 4992 for an application, then you should be running a VPN. I appreciate you have it locked down by source IP address, but most other users of FlexRadios may not have the skills to do that.
If you are reading this and have no idea what I typed, :) , then never ever do this. Very risky. This is what VPNs are for.
Yes, I am in old ****, dad mode. 73
Answers
I use my firewall-router (it's a Ubiquiti Dream Machine Pro, aka UDM-Pro).
When I forward ports 4992, 4993, and 4994, I generally only allow connections from my workplace. That is, I only ALLOW a small range of IP addresses.
So when I am truly "randomly" out and about, perhaps using hotel WiFi or my cell-phone hotspot, I then have to use an app on my phone to open up the firewall restrictions and let me in. I can complete this long before my Maestro has finished booting.
I will admit this is not the most user-friendly approach, but I am also concerned about security. This approach allows me to sleep comfortably at night 😀 I also do this for my Log4OM database server (so I can perform QSO logging from anywhere). There ARE bad guys everywhere…
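An added self-audit script, not FlexRadio's code and not from any poster in this thread, that checks from wherever you run it whether ports 4992, 4993 and 4994 accept connections and whether they actually complete a TLS handshake. Run it from outside the LAN (phone hotspot or a VPS) against your public hostname: it confirms Mike's point (4992 must report as closed) and, with a source-IP allow-list like Jim's, shows exactly what a non-allowed source gets. The hostname, the port labels and the fake plaintext listener used for offline testing are constructed assumptions.

```python
"""Self-audit for the three FlexRadio ports discussed in this thread (added example,
not FlexRadio code). It assumes only what the answers state: 4992 is the plaintext
SmartSDR API port and 4993/4994 are the TLS-secured SmartLink ports."""
import socket
import ssl
import sys
import threading

PORTS = {4992: "SmartSDR API (plaintext)", 4993: "SmartLink (TLS)", 4994: "SmartLink (TLS)"}


def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'closed', 'open-tls', 'open-not-tls' or 'open-silent' for host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered by the router, or unreachable
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the question is whether TLS is spoken at all,
    ctx.verify_mode = ssl.CERT_NONE  # not whether the certificate chains to a CA
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "open-tls"  # ClientHello was answered and the handshake completed
    except (ssl.SSLError, ConnectionError):
        return "open-not-tls"  # non-TLS bytes came back, or the peer hung up on TLS
    except socket.timeout:
        return "open-silent"  # connection accepted, but nothing answered the ClientHello
    finally:
        raw.close()


def audit(host: str, ports=PORTS) -> dict:
    """Classify every port; anything other than 'closed' on 4992 is the finding to fix."""
    return {port: classify_port(host, port) for port in ports}


def start_fake_plaintext_radio(banner: bytes = b"V1.4.0.0\n") -> int:
    """Constructed stand-in for a plaintext listener (offline testing only); returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():  # greet each client with a plaintext banner, then hang up
        while True:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":  # e.g. python audit_ports.py my-radio.example.net
    for port, state in audit(sys.argv[1]).items():
        print(f"{port:5d}  {PORTS[port]:<26}  {state}")
```

Run it twice, once from inside the LAN and once from a hotspot: the inside run should show 4992 as open-not-tls and the outside run should show it as closed, with only 4993/4994 reporting open-tls.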
I have to agree with Mike. For a very short time, about 5 hrs, I opened port 4992 on my router using an outside port 624992, and I immediately got several hits on the radio. This was when I was testing the MORCONI CW interface. Enough of that, so I built a ZeroTier gateway bridge with a Pi 4 and a BERYL travel router, and now I just use the BERYL to do all my remote networking.
I also closed the ports that SmartLink needed to have open, which is ridiculous: two open ports waiting for someone to figure out how to break in. Now I just use the BERYL router and ZeroTier when I'm away. It really works MUCH better than SmartLink does, and I can plug my MORCONI into the Ethernet port and my Maestro and laptop into the WiFi, using my tethered cellphone, a wired connection, or the unused band on the WiFi as the WAN on the BERYL travel router.
For MANY years I used SoftEther VPN, but for some reason my Apple phone will no longer work with it, so I had to find a new solution, and ZeroTier fits the bill nicely, though it took me a while to get it working. I tried it on a Pi 5 16 GB first, but that was a total failure for some reason; the Pi 4 works great. Hopefully the NEXT generation of FLEX software will get rid of SmartLink and put in a real VPN for Level 2 networking, for a real remote seamless workstation for those who don't want to build their own.
73 and hope those going to the Hamfest have a great trip.
Bret WX7Y
Hi Mike,
Thanks for your reply!
"I can only say that you should never forward port 4992 to the outside world. Ever."
"4993 and 4994 are TLS secured ports."
That perfectly answers my question, thank you very much! As I didn't find much documentation on port 4992, I already suspected it is not meant to be opened.
I've closed it and will continue to use the VPN.
Thanks!