+1 for Etienne Patch OpenWrt to add robots.txt
On Sun, Sep 13, 2015 at 12:45 PM, Daniel Dickinson <open...@daniel.thecshore.com> wrote:

> My point, especially if you read this post fully, and the following, is
> that not displaying the banner is minimally useful, and that other measures
> to achieve the same goal (protect users when they make mistakes) are far more
> useful/meaningful than eliminating the banner.
>
> Regards,
>
> Daniel
>
> On 2015-09-13 11:34 AM, MauritsVB wrote:
>
>> I see where you’re coming from but I disagree that one should always rely
>> on the user to know exactly what to do and what not to do. A bit of basic
>> prevention doesn’t hurt.
>>
>> Wouldn’t you agree that if you follow that line you might as well argue
>> that OpenWRT should not come with default-deny rules in the firewall? After
>> all, anyone who is savvy enough to install OpenWRT should then also know
>> that by default it has no firewall rules.
>>
>> There is a reason that not displaying too much information in banners is
>> good security practice. It slows down the reconnaissance phase of an attack
>> (using “banner grabbing” tools) and can persuade many attackers to even
>> skip a specific target. Even for complex server software and hardware that
>> requires far more expert operators than OpenWRT it is still best practice
>> not to give too much away about the specific version. It’s why companies
>> such as Cisco and Juniper advise not to disclose version information in
>> banners.
>>
>> Of course, by not displaying by default but making it a configurable
>> option, any admin who requires it for support purposes could still enable it.
>>
>> As for your idea about warning users that their LuCI is reachable via
>> WAN, I agree, that definitely makes sense. However, I see that as a
>> separate issue from displaying security-sensitive information on the login
>> page.
>>
>> Maurits
>>
>>> On 13 Sep 2015, at 15:28, Daniel Dickinson <open...@daniel.thecshore.com> wrote:
>>>
>>> Quite frankly, if someone has unintentionally exposed LuCI to the internet I
>>> think they've got a lot bigger problem than exposed version information,
>>> and that not putting the version information at best delays only very
>>> slightly a would-be attacker.
>>>
>>> And for properly configured installs, the version information is
>>> extremely useful for doing support and such like.
>>>
>>> Not that it likely means much, but my vote is against such a weak bandaid to
>>> what is fundamentally an issue a user creates for themselves that is much
>>> larger than the details of what's on the screen.
>>>
>>> What would be a more relevant solution is for LuCI to have a banner that
>>> indicates that LuCI is visible on the WAN, thus alerting the user to a
>>> misconfiguration, if it is that.
>>>
>>> Regards,
>>>
>>> Daniel
>>>
>>> On 2015-09-13 10:21 AM, MauritsVB wrote:
>>>
>>>> At the moment the OpenWRT www login screen provides *very* detailed
>>>> version information before anyone has even entered a password. It displays
>>>> not just “15.05” or “Chaos Calmer” but even the exact git version on the
>>>> banner.
>>>>
>>>> While it’s not advised to open this login screen to the world, fact is
>>>> that it does happen, intentionally or accidentally. Just a Google search for
>>>> “Powered by LuCI Master (git-“ will provide many accessible OpenWRT login
>>>> screens, including exact version information.
>>>>
>>>> As soon as someone discovers a vulnerability in an OpenWRT version, all
>>>> an attacker needs to do is perform a Google search to find many
>>>> installations with versions that are vulnerable (even if a patch is already
>>>> available).
>>>>
>>>> In the interest of hardening the default OpenWRT install, can I suggest
>>>> that by default OpenWRT doesn’t disclose the version (not even 15.05 or
>>>> “Chaos Calmer”) on the login screen? For extra safety I would even suggest
>>>> leaving “OpenWRT” off the login screen; the only people who should use
>>>> this screen already know it’s running OpenWRT.
>>>>
>>>> Any thoughts?
>>>>
>>>> Maurits
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
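The "banner grabbing" that Maurits describes above can be turned into a quick audit of your own routers. The script below is an added example written for this thread; it is not LuCI or OpenWrt code and nothing like it is proposed in the messages. It extracts the visible text of a login page, looks for the three pieces of data a scanner would harvest (the exact git revision, the release name and number, and the product name), and ranks what it finds. The two HTML samples are constructed to resemble a 15.05-era LuCI footer and a stripped-down page; the git revision string, the function names and the 192.0.2.1 address in the usage comment are all hypothetical.

```python
"""Audit a LuCI login page for the version disclosure discussed in the thread.

Added example, not LuCI/OpenWrt project code. The sample pages below are
constructed; the git revision in SAMPLE_LEAKY is made up.
"""
import re
import sys
import urllib.request
from html.parser import HTMLParser

# Constructed sample resembling a default 15.05-era LuCI login page.
SAMPLE_LEAKY = """<html><head><title>OpenWrt - LuCI</title></head>
<body><form method="post"><h2>Authorization Required</h2>
<p>Please enter your username and password.</p>
<input name="username"><input type="password" name="password"></form>
<footer>Powered by <a href="https://github.com/openwrt/luci">LuCI</a> Master
(git-15.248.30277-3836b45) / OpenWrt Chaos Calmer 15.05</footer></body></html>"""

# Constructed sample of a hardened page: no product, release or git data at all.
SAMPLE_HARDENED = """<html><head><title>Router</title></head>
<body><form method="post"><h2>Authorization Required</h2>
<p>Please enter your username and password.</p>
<input name="username"><input type="password" name="password"></form>
</body></html>"""

GIT_RE = re.compile(r"\(git-[0-9A-Za-z.\-]+\)")
# Matches "OpenWrt Chaos Calmer 15.05", "OpenWrt 15.05.1", "OpenWrt 15.05-rc3", ...
RELEASE_RE = re.compile(r"OpenWrt\s+(?:[A-Z][a-z]+\s+)*\d+\.\d+(?:\.\d+)?(?:-rc\d+)?")
PRODUCT_RE = re.compile(r"\b(OpenWrt|LuCI)\b", re.IGNORECASE)


class _TextExtractor(HTMLParser):
    """Collect the visible text of a page, skipping <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    """Return the page's visible text with whitespace collapsed."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.parts).split())


def banner_findings(html):
    """Return the version data a banner grabber can read off the login page."""
    text = visible_text(html)
    findings = {}
    m = GIT_RE.search(text)
    if m:
        findings["git_revision"] = m.group(0)
    m = RELEASE_RE.search(text)
    if m:
        findings["release"] = m.group(0)
    products = sorted({p.group(1).lower() for p in PRODUCT_RE.finditer(text)})
    if products:
        findings["product"] = products
    return findings


def risk_level(findings):
    """Rank the disclosure: exact git revision > release > product name > nothing."""
    if "git_revision" in findings:
        return "high"    # page maps to one exact build
    if "release" in findings:
        return "medium"  # page maps to a release and its published advisories
    if "product" in findings:
        return "low"     # page only confirms the target runs OpenWrt/LuCI
    return "none"


def leaks_version(html):
    return risk_level(banner_findings(html)) != "none"


def fetch_login_page(url, timeout=5):
    """Fetch a live login page; only used from the command line, never in tests."""
    req = urllib.request.Request(url, headers={"User-Agent": "luci-banner-audit"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


if __name__ == "__main__":
    # Usage: python luci_banner_audit.py http://192.0.2.1/cgi-bin/luci ...
    # With no arguments the two constructed samples are audited instead.
    pages = {u: fetch_login_page(u) for u in sys.argv[1:]} or {
        "sample-leaky": SAMPLE_LEAKY, "sample-hardened": SAMPLE_HARDENED}
    for name, html in pages.items():
        found = banner_findings(html)
        print(f"{name}: risk={risk_level(found)} findings={found}")
```

Run it against the WAN-side address of a router to see what an unauthenticated visitor learns before the first login attempt; a "high" result is exactly the search-engine-findable footer the thread is about. The fetch helper uses urllib's default TLS verification, so a LuCI instance on https with a self-signed certificate has to be audited over plain http or with the certificate trusted.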