Like most Linux-based servers in the world, all SnapTV headend servers run the OpenSSH secure shell server. This allows engineers with a correct username and password to access the server remotely. OpenSSH listens for incoming connections on TCP port 22.
However, since most SnapTV headend servers are not connected directly to the internet with a public IP address, TCP port 22 is only available from machines on the local network (other servers, laptops, STBs).
Since version 2.21, all headend servers include a "remote access" service that tries to overcome this problem, as described below. The purpose of this service is to allow SnapTV support engineers to easily provide remote assistance and solve problems with the server. The only requirement is that the server has normal internet access.
The remote access system uses standard WebSocket technology to forward connections from a central server (help.snap.tv) to port 22 on the headend server.
The headend server connects to help.snap.tv on port 80, and sets up a persistent WebSocket. This connection stays open as long as the server is online. Should the server go offline, the connection is lost, and it will try to reconnect periodically.
When a headend is connected, the central service at help.snap.tv allocates a random TCP port, and listens for connections locally. Only people with login accounts on help.snap.tv can connect to this port. Connections on this port are forwarded, through a WebSocket, to port 22 on the headend server, and normal OpenSSH authentication occurs.
- The service does not expose the server to anyone on the internet; only SnapTV engineers have access to help.snap.tv
- Having access to help.snap.tv and the forwarded port does not give access to the headend server; you still need a username and password to be able to log in
- We have not implemented a custom, insecure remote access protocol; it's basically just network routing to the encrypted and secure SSH service
If, for some reason, someone wants to prevent SnapTV support engineers from providing efficient remote assistance, there are a few options:
- Change the login password, and don't tell us
- Don't connect the server to the internet
- Prevent outgoing connections to help.snap.tv
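
To check from the headend whether the outbound tunnel to help.snap.tv on port 80 is up, retrying, or absent (for example after blocking it), the socket table can be filtered for the relay's address. This is an added example, not SnapTV's own tooling; the function names and the sample addresses (203.0.113.7 standing in for the relay) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ss -tan` output on stdin and reports TCP connections
# from this host to the relay: ESTAB = tunnel up, SYN-SENT = reconnect attempt.
# Usage: find_relay_conns PORT RELAY_IP [RELAY_IP...]
# Exit status: 0 if at least one matching connection, 1 if none.
find_relay_conns() {
    port="$1"; shift
    awk -v port="$port" -v ips="$*" '
        BEGIN { n = split(ips, a, " "); for (k = 1; k <= n; k++) want[a[k]] = 1 }
        $1 == "ESTAB" || $1 == "SYN-SENT" {
            peer = $5
            pos = match(peer, /:[0-9]+$/)      # last colon, also right for [v6]:port
            if (!pos) next
            addr = substr(peer, 1, pos - 1)
            pport = substr(peer, pos + 1)
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)
            if (pport == port && (addr in want)) {
                print $1, $4, "->", peer
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of `ss -tan` output (not captured from a real headend).
sample_ss_output() {
    cat <<'EOF'
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN   0      128    0.0.0.0:22           0.0.0.0:*
ESTAB    0      0      192.168.1.10:22      192.168.1.50:51234
ESTAB    0      0      192.168.1.10:48712   203.0.113.7:80
ESTAB    0      0      192.168.1.10:40022   198.51.100.9:80
SYN-SENT 0      1      192.168.1.10:48800   203.0.113.7:80
EOF
}

# Demo on the constructed data. On a live headend the equivalent would be:
#   ss -tan | find_relay_conns 80 $(getent ahostsv4 help.snap.tv | awk '{print $1}' | sort -u)
sample_ss_output | find_relay_conns 80 203.0.113.7
```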