Security changes - restricting uhttpd addresses

Reuben Dowle reuben.dowle at 4rf.com
Tue Oct 25 14:25:04 PDT 2022


I have myself gone through the process of getting an openwrt based product through a security audit.

> I think everyone bothering to read this understands the theatre aspects of all
> this that I called out in my original post.  Whether things should actually be
> fixed (or "fixed") is certainly an open question, but if I can save someone
> some future grief, or at least have the discussion, then I might save myself or
> someone else some time.

The issue of HTTP listening on all interfaces also came up in my audit, but the auditors were happy with the explanation that the firewall prevented any access through the WAN interface. If the people auditing your system are only interested in security 'theatre', then that is really a poor quality/incompetent audit process.

> That said, I think that limiting the listening ports of uhttpd is a good idea. I
> hardly see any downside to it, apart from maybe adding some complexity.

I think adding complexity here is a pretty good argument against this.

Regards,
Reuben
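As an added illustration of the listener question discussed in this thread (example code, not from the original message or the OpenWrt project): a constructed `/etc/config/uhttpd` section in the stock layout, where `listen_http` / `listen_https` bind to `0.0.0.0` and `[::]` and only the firewall's WAN input policy keeps the WAN side out, placed beside the same section pinned to LAN addresses, with a small POSIX sh check that flags the wildcard listeners. The addresses `192.168.1.1` and `fd00::1` are assumed LAN addresses for the example.

```shell
#!/bin/sh
# Constructed sample mirroring the stock /etc/config/uhttpd layout (not
# copied from any device): uhttpd listens on every interface, so reachability
# from the WAN is decided by the firewall, not by the listener itself.
STOCK_UHTTPD=$(cat <<'EOF'
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option home '/www'
	option rfc1918_filter '1'
EOF
)

# Same section with the listeners pinned to the LAN side. 192.168.1.1 and
# fd00::1 are assumed LAN addresses for this example.
LAN_ONLY_UHTTPD=$(cat <<'EOF'
config uhttpd 'main'
	list listen_http '192.168.1.1:80'
	list listen_http '[fd00::1]:80'
	list listen_https '192.168.1.1:443'
	list listen_https '[fd00::1]:443'
	option home '/www'
	option rfc1918_filter '1'
EOF
)

# has_wildcard_listener CONFIG_TEXT
# Prints every listen_http/listen_https value bound to a wildcard address
# (0.0.0.0 or [::]), one per line. Returns 0 if at least one was found,
# 1 if every listener is pinned to a specific address.
has_wildcard_listener() {
	found=1
	# Pick the third field of "list listen_http '...'" lines, drop the quotes.
	for addr in $(printf '%s\n' "$1" \
			| awk '$1=="list" && $2 ~ /^listen_https?$/ {print $3}' \
			| tr -d "'"); do
		case "$addr" in
			0.0.0.0:*|"[::]:"*)
				printf '%s\n' "$addr"
				found=0
				;;
		esac
	done
	return $found
}

echo "stock config:"
has_wildcard_listener "$STOCK_UHTTPD" || echo "  (no wildcard listeners)"
echo "LAN-only config:"
has_wildcard_listener "$LAN_ONLY_UHTTPD" || echo "  (no wildcard listeners)"
```

On a real device the equivalent input is `uci show uhttpd.main`. The trade-off the thread raises shows up directly here: the pinned form stops relying on the firewall for the WAN side, but it now has to be kept in step with the LAN address (and repeated for every LAN interface or IPv6 prefix), which is the extra complexity being weighed against a listener that binds to everything.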



More information about the openwrt-devel mailing list