I agree adding robots.txt would be useful, but I suspect that it lies between points 1 and 2 of my second email (that is, configuring uhttpd to listen on LAN by default is easiest, and frankly most useful from a 'bang-for-buck' point of view). It is probably easier than 2 because 2 (attempting to notify of a possible firewall misconfiguration) involves a certain amount of heuristics (i.e. is not exact) and would result in warnings that are annoying to people who do know what they are doing. It is probably not as useful for protecting the user as 2, nor as 1, but it does help with the problem of trivial search engine usage to find misconfigured systems, which is not a bad thing if the cost of such prevention is not too high.

Oh, and point 1 also has the advantage of zero increase in image size, whereas both 2 and robots.txt would add code and therefore increase image size.

Regards,

Daniel

On 2015-09-13 3:06 PM, L. D. Pinney wrote:
+1 for Etienne

Patch OpenWrt to add robots.txt

On Sun, Sep 13, 2015 at 12:45 PM, Daniel Dickinson
<open...@daniel.thecshore.com <mailto:open...@daniel.thecshore.com>> wrote:

    My point, especially if you read this post fully, and the following,
    is that not displaying the banner is minimally useful, and that
    other measures to achieve the same goal (protecting the user when they
    make mistakes) are far more useful/meaningful than eliminating the banner.

    Regards,

    Daniel


    On 2015-09-13 11:34 AM, MauritsVB wrote:

        I see where you’re coming from but I disagree that one should
        always rely on the user to know exactly what to do and what not
        to do. A bit of basic prevention doesn’t hurt.

        Wouldn’t you agree that if you follow that line you might as
        well argue that OpenWRT should not come with default-deny rules
        in the firewall? After all, anyone who is savvy enough to
        install OpenWRT should then also know that by default it has no
        firewall rules.

        There is a reason that not displaying too much information in
        banners is good security practice. It slows down the
        reconnaissance phase of an attack (using “banner grabbing”
        tools) and can persuade many attackers to even skip a specific
        target. Even for complex server software and hardware that
        requires far more expert operators than OpenWRT it is still best
        practice not to give too much away about the specific version.
        It’s why companies such as Cisco and Juniper advise not to
        disclose version information in banners.

        Of course, by not displaying by default but making it a
        configurable option, any admin who requires it for support
        purposes could still enable it.

        As for your idea about warning users that their LuCI is
        reachable via WAN, I agree, that definitely makes sense.
        However, I see that as a separate issue from displaying security
        sensitive information on the login page.

        Maurits

            On 13 Sep 2015, at 15:28, Daniel Dickinson
            <open...@daniel.thecshore.com
            <mailto:open...@daniel.thecshore.com>> wrote:

            Quite frankly, if someone has unintentionally exposed LuCI to
            the internet I think they've got a lot bigger problem than
            exposed version information, and that not putting the
            version information at best delays only very slightly a
            would-be attacker.

            And for properly configured installs, the version
            information is extremely useful for doing support and such like.

            Not that it likely means much, but my vote is against such a weak
            band-aid to what is fundamentally an issue a user creates for
            themselves that is much larger than the details of what's on
            the screen.

            What would be a more relevant solution is for LuCI to have a
            banner that indicates that LuCI is visible on the WAN,
            thus alerting the user to a misconfiguration, if it is that.

            Regards,

            Daniel

            On 2015-09-13 10:21 AM, MauritsVB wrote:

                At the moment the OpenWRT www login screen provides
                *very* detailed version information before anyone has
                even entered a password. It displays not just “15.05” or
                “Chaos Calmer” but even the exact git version on the banner.

                While it’s not advised to open this login screen to the
                world, fact is that it does happen intentionally or
                accidentally. Just a Google search for “Powered by LuCI
                Master (git-“ will provide many accessible OpenWRT login
                screens, including exact version information.

                As soon as someone discovers a vulnerability in an
                OpenWRT version, all an attacker needs to do is perform a
                Google search to find many installations with versions
                that are vulnerable (even if a patch is already available).

                In the interest of hardening the default OpenWRT
                install, can I suggest that by default OpenWRT doesn’t
                disclose the version (not even 15.05 or “Chaos Calmer”)
                on the login screen? For extra safety I would even
                suggest to leave “OpenWRT” off the login screen, the
                only people who should use this screen already know it’s
                running OpenWRT.

                Any thoughts?

                Maurits
                _______________________________________________
                openwrt-devel mailing list
                openwrt-devel@lists.openwrt.org
                <mailto:openwrt-devel@lists.openwrt.org>
                https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel







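The thread's point 1 (have uhttpd listen on the LAN side by default, so that a permissive firewall rule alone does not put the LuCI login page, with its version banner, in front of a search engine) can be checked mechanically. The following shell script is an added example, not OpenWrt or LuCI code: it scans UCI-style `/etc/config/uhttpd` text for `listen_http`/`listen_https` entries bound to the wildcard addresses `0.0.0.0` and `[::]`, and emits a rewrite pinned to the LAN address. The sample config and the LAN address `192.168.1.1` are constructed for the example; the IPv6 wildcard listener is dropped rather than rebound because no LAN IPv6 address is assumed.

```shell
#!/bin/sh
# Added example (not OpenWrt/LuCI code): find wildcard uhttpd binds, which are
# what make LuCI reachable from the WAN as soon as the firewall lets port 80/443
# through, and rewrite them to the LAN address only.
# Assumes the OpenWrt "list listen_http" / "list listen_https" UCI syntax.

# Constructed sample config: stock-style binds on every address.
SAMPLE_UHTTPD='config uhttpd main
    list listen_http    0.0.0.0:80
    list listen_http    [::]:80
    list listen_https   0.0.0.0:443
    list listen_https   [::]:443
    option home         /www
'

# wildcard_listens CONFIG_TEXT
# Prints "listen_http 0.0.0.0:80"-style lines for each bind to 0.0.0.0 or [::].
# Exit status 0 if at least one wildcard bind was found, 1 otherwise.
wildcard_listens() {
    printf '%s\n' "$1" | awk '
        $1 == "list" && ($2 == "listen_http" || $2 == "listen_https") {
            v = $3; gsub(/\047/, "", v)                  # strip optional quotes
            if (v ~ /^0\.0\.0\.0:/ || v ~ /^\[::\]:/) { print $2, v; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# lan_only_config CONFIG_TEXT LAN_ADDR
# Emits the config with IPv4 wildcard binds pinned to LAN_ADDR and IPv6
# wildcard binds dropped; every other line passes through unchanged.
lan_only_config() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        $1 == "list" && ($2 == "listen_http" || $2 == "listen_https") {
            v = $3; gsub(/\047/, "", v)
            port = v; sub(/.*:/, "", port)               # text after the last colon
            if (v ~ /^\[::\]:/) next                     # no LAN IPv6 address assumed
            if (v ~ /^0\.0\.0\.0:/) v = lan ":" port     # pin to the LAN address
            printf "    list %s    %s\n", $2, v
            next
        }
        { print }'
}

# Stand-alone run: report the wildcard binds, then show the LAN-only rewrite.
if wildcard_listens "$SAMPLE_UHTTPD"; then
    echo "--- uhttpd listens on all addresses; LAN-only rewrite:"
    lan_only_config "$SAMPLE_UHTTPD" 192.168.1.1
fi
```

On a live router the same change is made through `uci` (delete the `uhttpd.main.listen_http` / `listen_https` lists, `uci add_list` the LAN-bound entries, `uci commit uhttpd`, restart uhttpd) rather than by rewriting the file as text. Binding to the LAN address is a default-safe listener, not a substitute for the firewall's default-deny on WAN; keep both.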

