[OpenWrt-Devel] OpenWRT www version banner a security risk

Florian Fainelli florian at openwrt.org
Sun Sep 13 23:39:21 EDT 2015

On Sep 13, 2015 2:00 PM, "Etienne Champetier" <champetier.etienne at gmail.com>
> Hi Daniel,
> On 13 Sept. 2015 22:04, "Daniel Dickinson" <openwrt at daniel.thecshore.com>
> wrote:
> >
> > I do think allowing to choose to disable the banner is a minor benefit,
> > however, as I've said, there are much more effective means of preventing
> > accidental exposure, and quite frankly if the user is *choosing* to open
> > the web interface I think a warning and disabling the banner if the user
> > foolishly insists on opening the interface despite the warning is more
> > useful than disabling the banner by default.
> >
> > If you're going to argue it prevents against internal threats then I
> > would argue that if your internal network is hostile enough that you need
> > to worry about attacks on openwrt from your internal network AND you're not
> > skilled enough to limit access to LuCI (or better, build an image without
> > LuCI and just use SSH) to the specific trusted hosts (preferably by
> > combination of MAC address and IP address) in the firewall, or (better) to
> > use a 'management' VPN or VLAN that only trusted hosts can get on, then
> > you're in a lot more trouble than eliminating the banner for LuCI will
> >
> >
> > Regards,
> >
> > Daniel
> >
> > On 2015-09-13 10:21 AM, MauritsVB wrote:
> >>
> >> At the moment the OpenWRT www login screen provides *very* detailed
> >> version information before anyone has even entered a password. It displays
> >> not just “15.05” or “Chaos Calmer” but even the exact git version on the
> >>
> >> While it’s not advised to open this login screen to the world, fact is
> >> that it does happen intentionally or accidentally. Just a Google search for
> >> “Powered by LuCI Master (git-“ will provide many accessible OpenWRT login
> >> screens, including exact version information.
> >>
> >> As soon as someone discovers a vulnerability in an OpenWRT version all
> >> an attacker needs to do is perform a Google search to find many
> >> installations with versions that are vulnerable (even if a patch is already
> >>
> >> In the interest of hardening the default OpenWRT install, can I
> >> suggest that by default OpenWRT doesn’t disclose the version (not even
> >> 15.05 or “Chaos Calmer”) on the login screen? For extra safety I would even
> >> suggest to leave “OpenWRT” off the login screen, the only people who should
> >> use this screen already know it’s running OpenWRT.
> >>
> >> Any thoughts?
> >>
> >> Maurits
> >>
> For me listening only on lan will break all my setups (15+):
> - On most of my openwrt there is no lan, it's management, or
>   'name-of-the-site' ...
> - on some of them I can access from multiple interfaces (VPNs + ...)
> You can't prevent people from shooting themselves in the foot (maybe port
> opening was on purpose),
> but you can:
> - Put a huge warning in luci when you set firewall default to 'ACCEPT'
> - add robots.txt (I think the router will still end up on shodan)
> - add a big warning if robots.txt is accessed (reliable way to know that
>   you're open on the internet)
> Also you are talking about luci but what about dropbear (ssh)? There is
> no anti brute force, and maybe there is a banner (on my phone, can't check)

For that you could setup different things ranging from using iptables'
mlimit match per protocol all the way to having something like fail2ban
(written in python though) which can do more complex

All of that is more of a security policy that you deploy rather than want
it by default, even though it may seem very sensible for a default use case.

The bottom line is that if you are exposed to the wild internet, just brace
yourself, it is only a matter of time before your host gets scanned, brute
forced or even penetrated.
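An added example (mine, not from the thread) of the fail2ban-style detection Florian alludes to, run over dropbear failure lines as `logread` prints them on OpenWrt: a per-source sliding-window failure count, which is the logic a ban rule or alert would hang off. The sample log lines are constructed, and the exact dropbear message wording is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Timestamp and process tag as `logread` prints them, e.g.
# "Sun Sep 13 22:04:01 2015 authpriv.warn dropbear[1894]: Bad password ..."
LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
                  r"\S+ dropbear\[\d+\]: (?P<msg>.*)$")
# Dropbear's two password-failure messages (wording assumed from memory).
FAIL = re.compile(r"^(?:Bad password attempt for '[^']*'"
                  r"|Login attempt for nonexistent user) from (?P<ip>[\d.]+):\d+$")

def parse_failure(line):
    """(timestamp, source_ip) for a dropbear auth failure line, else None."""
    m = LINE.match(line)
    f = m and FAIL.match(m.group("msg"))
    if not f:
        return None
    return datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), f.group("ip")

def offenders(lines, max_failures=3, window_seconds=600):
    """Sources with more than max_failures failures inside a sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = []                  # in the order a jail would have banned them
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old ones
            q.popleft()
        if len(q) > max_failures and ip not in flagged:
            flagged.append(ip)
    return flagged

def _line(hms, pid, msg):  # builds one constructed logread-style line
    return f"Sun Sep 13 {hms} 2015 authpriv.warn dropbear[{pid}]: {msg}"

# Constructed sample log: one source hammering root, one single failure,
# plus unrelated dropbear and hostapd lines that must be ignored.
SAMPLE_LOG = [
    _line("22:04:01", 1894, "Bad password attempt for 'root' from 198.51.100.7:50122"),
    _line("22:04:03", 1894, "Bad password attempt for 'root' from 198.51.100.7:50122"),
    _line("22:04:09", 1901, "Login attempt for nonexistent user from 198.51.100.7:50140"),
    _line("22:04:10", 1905, "Bad password attempt for 'admin' from 203.0.113.9:41000"),
    _line("22:05:30", 1910, "Bad password attempt for 'root' from 198.51.100.7:50188"),
    _line("22:05:45", 1912, "Child connection from 203.0.113.9:41010"),
    "Sun Sep 13 22:08:00 2015 daemon.notice hostapd: wlan0: STA associated",
]
```

On a router this would be fed by `logread -f`; the flagged addresses are what you would then hand to an iptables rule or a LuCI warning.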