Well, I guess it's inevitable, but Unifi is reporting the ARC port as being probed daily from all around the world; it might be innocent, idk. Hong Kong, Russia, Nicaragua. I know this is the reality of it, but still, other open ports I have are not getting this attention.
I don’t suppose changing the port well away from the default will have any effect, but all in all I just don’t trust it, so am switching it off for now. I realise this is foolish, but still not enough benefit for perceived risk, because until ARC I had no security detections on my system. YMMV.
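As an added illustration (not from this thread or from Roon Labs) of what "the ARC port is being probed" looks like when you actually tally the router's log: the snippet below parses a few constructed firewall-log lines (a made-up format, not UniFi's real one; the port number and addresses are also constructed), counts hits and distinct sources per destination port, and separates dropped probes from connections the router actually accepted and forwarded. The accepted count is the one that matters, because only those connections ever reach the service behind the port.

```python
import re
from collections import defaultdict

# Constructed sample log (not UniFi's format). 55000 stands in for the forwarded ARC port.
SAMPLE_LOG = """\
2024-05-01T02:11:04Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=55000
2024-05-01T02:11:09Z DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=55000
2024-05-01T02:12:41Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=55000
2024-05-01T03:00:12Z DROP SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP DPT=22
2024-05-01T04:15:30Z ACCEPT SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=55000
2024-05-01T05:01:00Z DROP SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=\S+ PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def summarize(log: str) -> dict:
    """Per destination port: total hits, distinct source addresses, and accepted connections."""
    per_port = defaultdict(lambda: {"hits": 0, "sources": set(), "accepted": 0})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        entry = per_port[int(m["dpt"])]
        entry["hits"] += 1
        entry["sources"].add(m["src"])
        if m["action"] == "ACCEPT":
            entry["accepted"] += 1
    return dict(per_port)


def flag_ports(summary: dict, min_sources: int = 2) -> list:
    """Ports contacted by at least `min_sources` distinct addresses: the ones drawing attention."""
    return sorted(port for port, s in summary.items() if len(s["sources"]) >= min_sources)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for port in flag_ports(summary):
        s = summary[port]
        print(f"port {port}: {s['hits']} hits from {len(s['sources'])} sources, {s['accepted']} accepted")
```

With a forwarded port, the ACCEPT lines are the connections that reached the service, so that is the column worth alerting on; the DROP lines are background scanning that every public address receives.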
Maybe there’s just a mixup in terminology. It will pass through the router via port forwarding to the Roon Core but - vulnerabilities aside with the actual roon service on that port - will presumably be rejected by that service if it’s not properly authenticated.
Yes, terminology is probably getting us here but, sorry for being a bit pedantic in my response…
With the way ARC works there is, basically, a web server which listens for incoming connections. When port forwarding is enabled, it is listening for a connection from anywhere (unless the user has done something to limit the inbound scope). This connection, called a TCP socket, will be established, which allows the “client” to fire requests or garbage at the ARC server.
Now, these rogue requests or garbage are how services get exploited. You don’t need to be authenticated to send “garbage”. And, if the ARC service is vulnerable, then it’s this garbage that gives way to access and an exploit.
Your normal “script kiddy” will be shut down pretty quickly, as the service won’t normally do anything before authentication, which is great. But it never means 100% that there isn’t an exploit waiting to be found.
My intention isn’t to scare people away from using ARC. I know Roon Labs spent a lot of time looking and testing this. I’m not expecting a vulnerability. If this became some rallying cry to turn off ARC I’d be very upset with myself.
But… some people like to know details so glad you found value in it and understood my intention for writing it.
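To make the point above concrete, here is an added example (my own illustration, not Roon's code or protocol) of the "pre-authentication surface" that any forwarded port exposes. A real socket pair stands in for the TCP connection: the client can send whatever bytes it likes, and everything the server does with those bytes before it has checked a credential is code that any host on the Internet can reach. The defensive shape is to keep that pre-auth path tiny, bounded in size, and fail-closed. The framing (`AUTH <token>`), the shared secret and the size limit are all constructed for the demo.

```python
import hmac
import socket

# Constructed shared secret for the demo; a real service derives this from its own login flow.
SECRET = "correct-horse-battery-staple"
# Hard cap on bytes the server will look at before the client has authenticated.
MAX_PREAUTH_BYTES = 256


def handle_preauth(data: bytes) -> tuple:
    """Minimal pre-authentication handler: returns (authenticated, reply).

    Every branch here is reachable by anyone who can complete a TCP handshake,
    so it does as little parsing as possible and rejects anything unexpected.
    """
    if len(data) > MAX_PREAUTH_BYTES:
        return False, b"ERR too long\n"
    if not data.endswith(b"\n"):
        return False, b"ERR bad framing\n"
    line = data[:-1]
    if not line.startswith(b"AUTH "):
        # Unauthenticated request or plain garbage: nothing else is parsed.
        return False, b"ERR auth required\n"
    try:
        token = line[5:].decode("ascii")
    except UnicodeDecodeError:
        return False, b"ERR bad token\n"
    # Constant-time comparison so timing does not leak how much of the token matched.
    if not hmac.compare_digest(token, SECRET):
        return False, b"ERR denied\n"
    return True, b"OK\n"


def exchange(client_bytes: bytes) -> bytes:
    """Push client bytes through a connected socket pair and return the server's reply."""
    server, client = socket.socketpair()
    try:
        client.sendall(client_bytes)
        client.shutdown(socket.SHUT_WR)
        data = b""
        # Stop reading as soon as the cap is exceeded; the rest is never buffered.
        while len(data) <= MAX_PREAUTH_BYTES:
            chunk = server.recv(1024)
            if not chunk:
                break
            data += chunk
        _, reply = handle_preauth(data)
        server.sendall(reply)
        server.shutdown(socket.SHUT_WR)
        return client.recv(1024)
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    for payload in (b"\x00\xff random garbage\n", b"AUTH wrong\n", b"A" * 2000,
                    b"AUTH correct-horse-battery-staple\n"):
        print(payload[:24], "->", exchange(payload))
```

The point is not the toy protocol but the shape: the connection is always accepted, so the only thing standing between a stranger's bytes and the rest of the program is the code in `handle_preauth`, which is why it is kept short and boring.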
Full disclosure: I don’t open the port. I have a VPN into my network which then gives me access to ARC. The VPN technology and software I use has millions of users. It’s the type of thing where, if a vulnerability was to be exploited, it’d make the news. This means the team behind preventing that is significantly well resourced.
Overly complicated, but in summary: my VPN termination is a virtual interface on a router that sits at the edge of my network. After authentication, the VPN allocates me an address within the network range of that interface. At that point, my device looks like any other connected device to that router. I can route / firewall traffic to any private area within the network as well as allow / deny access to any Internet egress on my network. I can modify these policies per login if needed. Again, overly complicated.
Here’s a much easier way:
Search Tailscale on the community. Lots of good success using this kind of VPN.
Let’s remember that this is a forum for music enthusiasts, not networking professionals.
Yes, a connection can be negotiated, as with any service, but ultimately it will be refused (rejected, fail…) if authentication is unsuccessful. And of course, any service behind an open port is open to network scans, exploits, brute force etc., but this is why some choose to trust others to handle these things…