[OpenWrt-Devel] OpenWRT www version banner a security risk

Daniel Dickinson openwrt at daniel.thecshore.com
Sun Sep 13 17:33:43 EDT 2015


On 2015-09-13 5:00 PM, Etienne Champetier wrote:
> Hi Daniel,
>
> For me listenning only on lan will break all my setups (15+):
> - On most of my openwrt there is no lan, it's management, or
> 'name-of-the-site' ...
> - on some of them i can access from multiple interface (VPNs + ...)

What I'm talking about is a change to the *default* /etc/config/uhttpd 
so that it by *default* on *new installations* listens on lan network 
and not all networks.

a) It would not prevent choosing to have multiple networks and to listen 
only on the management network (or whichever network or networks you 
choose).
b) It would not change existing installs

I would argue against trying migrate existing configurations since there 
is no good way of determining if the loose setup is intentional or not, 
although perhaps having luci option 'asked_migrate' and a luci banner 
that indicates your setup might benefit from migrating might be useful 
(so that existing uses that could benefit might find out about it).

The capability of listening on the ip address(es) of your choice already 
exists uhttpd, it is simply that currently the default is to listen on 
all networks.  Presumably if you can change the default network config, 
with this (existing) uci option added to the LuCI config you would also 
be savvy enough to make LuCI listen on the network(s) of your choice.

>
> You can't prevent people from shooting themselves in the foot (maybe
> port openning was on purpose),

You can, however, make it less likley and/or make reasonable efforts to 
help protect newbies (or half-asleep admins) from making 
easily-preventable mistakes.

> but you can:
> -Put a huge warning in luci when you set firewall default to 'ACCEPT'
> -add robots.txt (i think the router will still end up on shodan)
> -add a big warning if robots.txt is accessed (reliable way to know that
> you're open on the internet)
>
> Also you are talking about luci but what about dropbear (ssh)? There is
> no anti brute force, and maybe there is a banner (on my phone, can't check)

The same principal would apply to SSH - warn user if they open SSH to 
internet with password based logins enabled, make dropbear listen on on 
lan by default (in fact LuCI for dropbear already allows you to setup 
SSH only for the network(s) you want; it's just that the default is to 
allow on all).

>
> Please don't break my setups :)

There is no reason changing *default* UCI config should break an 
existing config or prevent the type of setup you want (access via some 
network but not others).

When I'm talking about default uci config I mean /etc/config/uhttpd (and 
/etc/config/dropbear) that are embedded in images should be changed (in 
the case of uhttpd this would require adding to LuCI the ability to 
change the uci config for networks to listen on since atm those uci 
options are not exposed in LuCI).

This would only result in a difference to users who

a) Flash for the first time
b) Do a factory reset
c) Sysupgrade without preserving config (effectively doing b as part of 
a firmware upgrade).

Regards,

Daniel
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list