Security changes - restricting uhttpd addresses
Peter Naulls
peter at chocky.org
Tue Oct 25 14:34:37 PDT 2022
On 10/25/22 17:25, Reuben Dowle wrote:
> I have myself gone through the process of getting an openwrt based product
> through a security audit.
>
>
> The issue of HTTP listening on all interfaces also came up in my audit, but the
> auditors were happy with the explanation that the firewall prevented any access
> through the WAN interface. If the people auditing your system are only
> interested in security 'theatre', then that is really a poor quality/incompetent
> audit process.
Well, I agree. For clarity, years ago I had been through reviews with both
Microsoft and Intel, with some combination of Ubuntu/OpenWrt, so had some
expectation here. Those reviews turned up their share of nonsense, but things
have changed I guess.
My hands are tied, we gotta do the dance.
>> That said, I think that limiting the listening ports of uhttpd is a good idea. I
>> hardly see any downside to it, apart from maybe adding some complexity.
>
> I think adding complexity here is a pretty good argument against this.
Certainly. But failing an official fix, I'm left to a workaround of my own
devising, which is unlikely to be robust in the short term, but will have to do
- unless someone has other suggestions.
To be clear to everyone here - I appreciate the feedback, and likely agree with
everything that's been said - I've been doing this as long as you guys, so
I know the ins and outs, but I think the conversation is still worth having.
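For readers looking for the concrete setting under discussion, the following is an added illustration and not text or configuration from anyone in this thread. It shows the stock uhttpd listener configuration in /etc/config/uhttpd next to a version that binds only to the LAN address. The LAN address 192.168.1.1 and the ULA prefix fd00::1 are assumed placeholders; substitute the router's actual LAN addresses.

```uci
# Default (listens on every interface; WAN exposure is blocked only by the firewall)
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'

# Restricted (socket bound to the LAN addresses only; assumed example addresses)
config uhttpd 'main'
	list listen_http '192.168.1.1:80'
	list listen_http '[fd00::1]:80'
	list listen_https '192.168.1.1:443'
	list listen_https '[fd00::1]:443'
```

After `/etc/init.d/uhttpd restart`, `netstat -ln | grep -E ':(80|443) '` should show only the LAN addresses, not 0.0.0.0 or ::. The caveat that matches the "unlikely to be robust" remark above: the bind only succeeds if the LAN address is already configured when uhttpd starts, so a change to the LAN address or an interface that comes up late leaves the web server unreachable until uhttpd is restarted, which is why the firewall rule on WAN should stay in place rather than being replaced by this.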