Security changes - restricting uhttpd addresses

Peter Naulls peter at chocky.org
Tue Oct 25 10:51:56 PDT 2022


The default uhttpd configuration has this:

# HTTP listen addresses, multiple allowed
	list listen_http	0.0.0.0:80
	list listen_http	[::]:80

Now, I know there's lots of practical reasons for this to be the case,
and I know also that the firewall setup in OpenWrt is robust and
isn't going to allow WAN-side access.

Nevertheless, the security people are looking at this config
statically, and not seeing that it's bound to the LAN interface IP
only.

As an aside, they don't see the iptables tool in the system, and don't
understand that that's been deprecated (although I since did add it
for some unrelated legacy usage), and think there's no firewall at all.

For my use, I've changed the default binding to the LAN IP, and also
added another init.d script to check the current LAN address, and
update the uhttpd config if need be and then restart it (and add
a config hook to the network config). Obviously this isn't
very satisfactory; open to better suggestions here.

It might also be better if uhttpd could be configured to bind
to a specific interface rather than knowing its IP upfront, but
that might be impractical.
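A sketch of the address-tracking helper described above, as an added example that is not part of the original post. It assumes OpenWrt's uci, ubus and jsonfilter tools, a LAN interface named lan, and a uhttpd section named main; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): keep uhttpd's listen_http
# bound to the LAN IPv4 address instead of the 0.0.0.0 wildcard.
# Assumes OpenWrt's uci, ubus and jsonfilter, an interface named "lan"
# and the uhttpd config section "main"; function names are hypothetical.

# Build the listen_http value for a LAN address. Refuses empty, wildcard
# or malformed input so a failed address lookup can never re-open 0.0.0.0.
desired_listen() {
    lan_ip="$1"; port="${2:-80}"
    case "$lan_ip" in
        ''|0.0.0.0|*[!0-9.]*)
            echo "refusing to bind uhttpd to '$lan_ip'" >&2; return 1 ;;
    esac
    printf '%s:%s' "$lan_ip" "$port"
}

# True (exit 0) when the configured listeners differ from what we want,
# e.g. the stock "0.0.0.0:80 [::]:80" pair versus "192.168.1.1:80".
needs_update() {
    [ "$1" != "$2" ]
}

# Current LAN IPv4 address from netifd, via ubus.
lan_ipv4() {
    ubus call network.interface.lan status \
        | jsonfilter -e '@["ipv4-address"][0].address'
}

# Rewrite the uhttpd listen list and restart only when it actually changed.
apply() {
    ip="$(lan_ipv4)" || return 1
    wanted="$(desired_listen "$ip" 80)" || return 1
    current="$(uci -q get uhttpd.main.listen_http)"   # list -> space separated
    if needs_update "$current" "$wanted"; then
        uci -q delete uhttpd.main.listen_http
        uci add_list uhttpd.main.listen_http="$wanted"
        uci commit uhttpd
        /etc/init.d/uhttpd restart
    fi
}

# Installed under /etc/hotplug.d/iface/, netifd runs this on every interface
# event; only act when the LAN interface comes up, and only on a real device.
if [ "${ACTION:-}" = "ifup" ] && [ "${INTERFACE:-}" = "lan" ] \
   && command -v uci >/dev/null 2>&1; then
    apply
fi
```

Dropping the `[::]:80` entry means uhttpd no longer listens on IPv6 at all; keep a LAN-scoped IPv6 listener if the device needs one.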
