DietPi ARC security hardening?

Just moving from ROCK to a DietPi Roon installation. ARC is configured to provide remote access from outside, via port forwarding.

Are there any security hardening steps I should take on DietPi? I assume the usual steps of closing ports etc are unnecessary because the outside can only reach the ARC/Roon port. But what if some sort of attack on that port succeeds - should I do any additional hardening to be sure an attacker can’t progress elsewhere in my network?

DietPi is no different in this respect to ROCK.

Both open the ARC port (and other ports that are only used on the local network).

By default, with no port forwarding setup, your router will not open the Roon ARC port and so no attacks on that port can occur from outside of your network.

If you do have port forwarding setup, then the router opens the ARC port and forwards all TCP connection attempts on that ARC port to the Roon Server. Thus the Roon Server is the only device that is vulnerable to attacks on the Roon ARC port.

However, an open port on a device (your Roon Server in this case) does not necessarily make that device vulnerable. When an attempt is made to connect to the Roon Server on the ARC port, there will be some sort of authorisation/validation of the connection and if that is not correct, the connection to the rogue actor will be closed.

Agree with all that … except: if a vulnerability turns up in the Roon Server application (e.g. a buffer overflow) then this could in theory allow an attacker to gain control of the RoonPi box.

I’ve not seen any evidence that Roon have an independent certification programme, bounty programme etc to stress-test their implementation on various platforms. What if there is an undiscovered vulnerability? Anything else I should do within DietPi to reduce the risk of such a vulnerability doing something nasty?

The only way to totally secure a computer is to put it in a secure room with no windows, no doors and no network connection - but such a system does not tend to be of much use.

Having said that, not entirely in jest, Roon Server on DietPi does not, in my opinion, need any additional security for home users. Of course there is a risk. There is with any software that offers network services to other computers, especially when those computers are outside of your own network. The chances of a rogue agent mounting an attack on the Roon ARC port (which it cannot know in advance) in such a way that Roon Server accepts it as a genuine connection are vanishingly small.

However, if you really are concerned about this, you could abandon the use of Port Forwarding and disable it on your router and use Tailscale instead. Tailscale can be installed on DietPi using dietpi-software and instructions for using it with Roon can be found at:

Using Tailscale will establish a VPN between your mobile devices running ARC and your Roon Server.

Right, an open port can only be attacked if the application that is listening on it and handles incoming requests has a related security vulnerability (or is intentionally harmful, of course). If no application is listening on/handling requests on a port, requests are just dropped, hence no attack is possible.

Usually, a NAT with only those ports forwarded to those devices where you know and trust the applications which handle/use them is fine. But it can still make sense to run a firewall like iptables or ufw (an iptables wrapper CLI which some find easier to use), to protect against attacks from within your local network, or if malicious software accidentally installed on this or other systems in the LAN installs malware which listens on additional ports and/or configures the NAT via UPnP to forward them (which is my reason to always disable all UPnP features in every router ASAP).

Coincidentally, the topic of security in DietPi just came up on our GitHub, where I explained that DietPi is essentially Debian, on x86_64 systems including the kernel, which means that core system components are maintained by experienced maintainers and a security team, who backport patches for any upcoming/known vulnerability ASAP: HyperV security problem · Issue #7308 · MichaIng/DietPi · GitHub
On most SBCs, recent/regularly updated kernel builds based on mainline Linux can also generally be seen as secure, and we update them when being made aware of a vulnerability, but there are some which use not that well maintained vendor kernel sources, especially new Rockchip SoC based SBCs. However, also here, when serious vulnerabilities come up in the media, either the vendors, or Armbian, or we will react with a patch, when we can.

The Roon Server is of course no Debian package, hence keep it updated once its internal updater notifies about it.

2 Likes
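An added example (not from the thread, and not DietPi's or Roon's own code) of the two checks the post above suggests: auditing which processes are listening on non-loopback TCP ports against an allowlist, so that an unexpected listener (the "malware which listens on additional ports" case) shows up, and generating ufw rules that expose only the ARC port to the WAN while keeping the other ports LAN-only. The `ss -Htlnp` sample output, the process names, the port numbers (55000 stands in for the ARC port and 9100 for a LAN-only Roon port; the thread gives no real values) and the 192.168.1.0/24 LAN range are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Audits listening TCP sockets against an
# allowlist and emits ufw rules. On a real DietPi box you would call:
#   audit_listeners "$(ss -Htlnp)" "$ALLOWED_PORTS"

# Constructed sample in the format of `ss -Htlnp` (no header, TCP, listening,
# numeric, with owning process). Port 55000 is a placeholder for the ARC port.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 4096 0.0.0.0:55000 0.0.0.0:* users:(("RoonServer",pid=901,fd=12))
LISTEN 0 4096 0.0.0.0:9100 0.0.0.0:* users:(("RoonAppliance",pid=902,fd=7))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=433,fd=6))
LISTEN 0 50 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=1337,fd=3))'

# Ports we expect on this box: SSH, the ARC port, one LAN-only Roon port.
ALLOWED_PORTS="22 55000 9100"

# Print "<port> <process>" for every listener bound to a non-loopback address
# whose port is not in the allowlist. Loopback-only listeners are skipped
# because nothing on the LAN or WAN can reach them.
audit_listeners() {
    ss_output=$1
    allowed=$2
    printf '%s\n' "$ss_output" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -f                     # no globbing while splitting "0.0.0.0:*"
        set -- $line
        set +f
        local_addr=$4              # e.g. 0.0.0.0:22 or [::]:22
        port=${local_addr##*:}
        host=${local_addr%:*}
        case "$host" in
            127.*|'[::1]') continue ;;
        esac
        case "$line" in
            *users:*) proc=${line#*'users:(("'}; proc=${proc%%'"'*} ;;
            *)        proc=unknown ;;
        esac
        found=0
        for p in $allowed; do
            if [ "$p" = "$port" ]; then found=1; fi
        done
        [ "$found" -eq 1 ] || printf '%s %s\n' "$port" "$proc"
    done
}

# Emit ufw commands: default deny inbound, the ARC port open to anyone (the
# router forwards it), every other listed port reachable from the LAN only.
# Usage: ufw_rules <arc_port> <lan_cidr> <lan_only_port>...
ufw_rules() {
    arc_port=$1
    lan_cidr=$2
    shift 2
    printf '%s\n' "ufw default deny incoming" "ufw default allow outgoing"
    printf '%s\n' "ufw allow in proto tcp to any port $arc_port comment 'Roon ARC (port-forwarded)'"
    for p in "$@"; do
        printf '%s\n' "ufw allow in proto tcp from $lan_cidr to any port $p"
    done
    printf '%s\n' "ufw enable"
}

# Stand-alone demo on the constructed sample: reports the unexpected "nc"
# listener on port 4444, then shows the rules that would be applied.
audit_listeners "$SAMPLE_SS" "$ALLOWED_PORTS"
ufw_rules 55000 192.168.1.0/24 22 9100
```

The audit is a detection step, not a fix: an unexpected listener should be investigated (which package or process owns it) before any rule is applied. The generated rules are printed rather than executed so they can be reviewed first; SSH is deliberately left LAN-only so a forwarded ARC port stays the only WAN-reachable service.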

I use Tailscale for ARC, PlexAmp and any other remote access I need. Runs well on Dietpi and makes life simple.

Then use a VPN like Tailscale. Or just don't use ARC. If UPnP is off on your router, then no port forwarding will be set up, or you could just put a 0 in the port number, or both.

2 Likes

The only downside to that, on android at least, is that you have to disable any other VPN before using Tailscale.
I use Nordvpn on my phone permanently and it needs switching off to use Tailscale unless there’s a way round it I’m unaware of.

No idea. I don’t use a VPN other than to connect home or for work, but both Tailscale and my work VPN operate at the same time on my MacBook Pro.

1 Like

I don’t know how it would work with NordVPN, but I have used WireGuard with a split tunnel such that only Roon ARC used the WireGuard tunnel. I believe Tailscale can be configured the same way.

I would hope that doing that would result in ARC using Tailscale and every other application using the NordVPN - which is basically what you would want.

However, not being a NordVPN user, I have not tested such a configuration so I can’t say that it would work.

2 Likes

Doesn’t look like mobile devices can run two at same time.

If it’s privacy, then I am sure Tailscale offers protection: you can use its DNS or add one you trust, and using exit nodes you can mask your IP. For accessing content outside of your geo-restriction, not sure it will help here. I guess what you need Nord for will make the decision to use one or the other.

1 Like

Yeah, on Android, if I’m not mistaken, at least the NordVPN and WireGuard apps, and surely then also Tailscale, use the system’s VPN functionality, which most likely can only be used by one app at a time.

1 Like

Tailscale uses Wireguard, so probably the same functionality.

1 Like

Yes, it’s for privacy. I chose to not connect to the internet other than through a VPN; there were some exceptions, Roon being one of them, Qobuz another, and that was through split tunneling.
Next time I try Tailscale I’ll have to play around a bit more with it. Thanks.