Security changes - restricting uhttpd addresses

Greg Oliver oliver.greg at gmail.com
Wed Oct 26 12:16:47 PDT 2022


On Wed, Oct 26, 2022 at 11:58 AM Etienne Champetier
<champetier.etienne at gmail.com> wrote:
>
> Le mar. 25 oct. 2022 à 17:47, Michael Richardson
> <mcr+ietf at sandelman.ca> a écrit :
> >
> >
> > Peter Naulls <peter at chocky.org> wrote:
> >     > Nevertheless, the security people are looking at this config
> >     > statically, and not seeing that it's bound to the LAN interface IP
> >     > only.
> >
> > I don't think they are really security people, but...
> >
> >     > For my use, I've changed the default binding to the LAN IP, and also
> >     > added another init.d script to check the current LAN address, and
> >     > update the uhttpd config if need be and then restart it (and add
> >     > a config hook to the network config). Obviously this isn't
> >     > very satisfactory, open to better suggestions here.
> >
> > So, it needs to bound to *all* the IPv6 "LAN" IPs.
> > That means:
> >   a) the ULA that is created.
> >   b) the LL-IPv6 that are always present
> >   c) the GUA IPv6 that is delegated
> >
> > And when we make guest LANs, we may also need to bind it to that, because
> > there are things that guests might need to know, such as seeing the status
> > page to see if the network is up.
> >
> >     > It might also be better if uhttpd could be configured to bind
> >     > to a specific interface rather than knowing its IP upfront, but
> >     > that might be impractical.
> >
> > It's totally impractical.

I also have to reiterate these "security audits", and this is in no
way related to OpenWRT, but the people who like to think they know
security.

o just because a package is installed does not mean it is listening
o go read some docs
o learn how to port scan yourself
o go read some docs
o learn how to write your own exploits
o go read some docs
o quit reading CVEs that are not related to your product(s)
o go read some docs
o join LKML and read what is being done
o go read some docs

Leave us alone - my company uses Linux exclusively - the threats are
handled way faster than any other platform (OpenWRT aside), so tell
your *security* people to hire someone that is not a straight out of
college noob running some 3rd party package collector and actually
learn how to examine a system for exploits.  Just because something is
installed absolutely does not mean it is vulnerable to attack.

This is becoming a headache trying to teach the recently graduated
kids with security degrees or certifications (that are easily handed
out nowadays) how to handle security.  Everyone wants to package
inspect versus network inspect.

Let me tell you something - if I have physical access, there is not a
damn thing you can do to stop me - so just worry about network access
like everyone is telling you.  If your company is not amenable to that
- I would find another job.  I have a rule of thumb - I do not work
for people dumber than me - you should try that rather than trying to
force dumber people to make you change.  Rules of the world
progressing (college class 101).

> Can't we bind to 0.0.0.0 and use SO_BINDTODEVICE to make sure it's
> really only responding on the right interface ?
> With complicated routing setup it changes a bit the behavior, but this
> might be the simplest option if we don't want to rely only on the
> firewall
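The approach Etienne floats above (bind the wildcard address, then pin the socket to one interface with SO_BINDTODEVICE so the address list on br-lan no longer matters), as an added example that is not part of the thread or of uhttpd's code; the interface name and port a caller passes are assumptions:

```c
/* Added example, not uhttpd's own code: a wildcard-bound TCP listener pinned
 * to one interface with SO_BINDTODEVICE (Linux-only). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listens on the wildcard address (0.0.0.0 or ::) of `family`, pinned to
 * `ifname` when non-NULL. Returns the listening fd, or -errno on failure. */
int open_listener(int family, const char *ifname, unsigned short port)
{
    struct sockaddr_storage ss;
    socklen_t salen = family == AF_INET6 ? sizeof(struct sockaddr_in6)
                                         : sizeof(struct sockaddr_in);
    int e;
    memset(&ss, 0, sizeof ss);          /* zeroed address == wildcard */
    ss.ss_family = family;
    if (family == AF_INET6)
        ((struct sockaddr_in6 *)&ss)->sin6_port = htons(port);
    else
        ((struct sockaddr_in *)&ss)->sin_port = htons(port);
    int fd = socket(family, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -errno;
    /* Pin by interface, not by address, so the ULA, link-local and delegated
     * GUA on the LAN can change without a restart. Needs CAP_NET_RAW before
     * Linux 5.7; with policy routing it complements the firewall, not replaces it. */
    if (ifname && setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
                             ifname, strlen(ifname) + 1) < 0)
        goto fail;
    if (bind(fd, (struct sockaddr *)&ss, salen) < 0 || listen(fd, 16) < 0)
        goto fail;
    return fd;
fail:
    e = errno; close(fd); return -e;
}

/* Check helper: 1 and `name` filled if pinned, 0 if not pinned, -errno on error. */
int bound_device(int fd, char name[IFNAMSIZ])
{
    socklen_t len = IFNAMSIZ;
    name[0] = '\0';
    if (getsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, name, &len) < 0)
        return errno == ENOPROTOOPT ? 0 : -errno;
    return name[0] != '\0';
}
```

On a router the call would be `open_listener(AF_INET6, "br-lan", 80)`; `bound_device()` reads the pin back, which is the check an auditor looking only at the config file cannot make.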
