[OpenWrt-Devel] OpenWRT www version banner a security risk
Daniel Dickinson
openwrt at daniel.thecshore.com
Sun Sep 13 17:33:43 EDT 2015
On 2015-09-13 5:00 PM, Etienne Champetier wrote:
> Hi Daniel,
>
> For me listening only on lan will break all my setups (15+):
> - On most of my openwrt there is no lan, it's management, or
> 'name-of-the-site' ...
> - on some of them I can access from multiple interfaces (VPNs + ...)
What I'm talking about is a change to the *default* /etc/config/uhttpd
so that by *default*, on *new installations*, it listens on the lan network
and not on all networks.
a) It would not prevent choosing to have multiple networks and to listen
only on the management network (or whichever network or networks you
choose).
b) It would not change existing installs
I would argue against trying to migrate existing configurations since there
is no good way of determining if the loose setup is intentional or not,
although perhaps having a luci option 'asked_migrate' and a luci banner
that indicates your setup might benefit from migrating might be useful
(so that existing users that could benefit might find out about it).
The capability of listening on the IP address(es) of your choice already
exists in uhttpd; it is simply that currently the default is to listen on
all networks. Presumably, if you can change the default network config,
then with this (existing) uci option added to the LuCI config you would also
be savvy enough to make LuCI listen on the network(s) of your choice.
>
> You can't prevent people from shooting themselves in the foot (maybe
> port opening was on purpose),
You can, however, make it less likely and/or make reasonable efforts to
help protect newbies (or half-asleep admins) from making
easily-preventable mistakes.
> but you can:
> -Put a huge warning in luci when you set firewall default to 'ACCEPT'
> -add robots.txt (I think the router will still end up on shodan)
> -add a big warning if robots.txt is accessed (reliable way to know that
> you're open on the internet)
>
> Also you are talking about luci but what about dropbear (ssh)? There is
> no anti brute force, and maybe there is a banner (on my phone, can't check)
The same principle would apply to SSH - warn the user if they open SSH to
the internet with password-based logins enabled, make dropbear listen on
lan by default (in fact LuCI for dropbear already allows you to set up
SSH only for the network(s) you want; it's just that the default is to
allow on all).
>
> Please don't break my setups :)
There is no reason changing *default* UCI config should break an
existing config or prevent the type of setup you want (access via some
network but not others).
When I'm talking about the default uci config I mean that /etc/config/uhttpd
(and /etc/config/dropbear) as embedded in images should be changed (in
the case of uhttpd this would require adding to LuCI the ability to
change the uci config for networks to listen on, since atm those uci
options are not exposed in LuCI).
This would only result in a difference to users who
a) Flash for the first time
b) Do a factory reset
c) Sysupgrade without preserving config (effectively doing b as part of
a firmware upgrade).
Regards,
Daniel
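As an added illustration of the default discussed in this thread (not code from the thread or from the OpenWrt project), the following POSIX shell snippet audits a uhttpd UCI config for wildcard listen addresses, i.e. the "listen on all networks" default, and contrasts it with a lan-only config. The two config texts are constructed samples, and 192.168.1.1 is an assumed lan address; the file path /etc/config/uhttpd is only referenced in comments.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from OpenWrt itself.
# uhttpd binds to the literal addresses given in listen_http/listen_https,
# so "0.0.0.0" and "[::]" mean every interface, including the WAN.

# Constructed sample: the all-interfaces default shape of /etc/config/uhttpd.
DEFAULT_CFG='config uhttpd main
    list listen_http   0.0.0.0:80
    list listen_http   [::]:80
    list listen_https  0.0.0.0:443
    list listen_https  [::]:443'

# Constructed sample: a lan-only alternative (192.168.1.1 is an assumed
# lan address; adjust to the address of the interface you want to expose).
LAN_ONLY_CFG='config uhttpd main
    list listen_http   192.168.1.1:80
    list listen_https  192.168.1.1:443'

# wildcard_listens CONFIG_TEXT
# Prints every listen_http/listen_https entry bound to 0.0.0.0 or [::].
# Returns 0 if at least one wildcard bind was found, 1 otherwise.
wildcard_listens() {
    printf '%s\n' "$1" | awk '
        $1 == "list" && $2 ~ /^listen_https?$/ {
            # strip the trailing :port, keep only the address part
            addr = $3
            sub(/:[0-9]+$/, "", addr)
            if (addr == "0.0.0.0" || addr == "[::]") {
                print $2, $3
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# count_wildcard_listens CONFIG_TEXT
# Prints the number of wildcard binds, 0 when the config is already scoped.
count_wildcard_listens() {
    wildcard_listens "$1" | wc -l | tr -d ' '
}

# Usage on a live box would be: wildcard_listens "$(cat /etc/config/uhttpd)"
wildcard_listens "$DEFAULT_CFG"
```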
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel