While OpenWRT doesn't offer security releases, hiding the version in the banner is not very effective. If the attacker can detect it is OpenWRT and there is a known security issue for any major version, that is enough to try an attack.

robots.txt is effective, as Google is a common tool to look for targets. I guess brute-force scanners would not care to detect LuCI open to the web, as it is a rare target (if Google does not list them). If they care, again, they would just try the known attack.

Regards,

On Sun, 13 Sep 2015 17:05, Daniel Dickinson <open...@daniel.thecshore.com> wrote:

> I do think allowing to choose to disable the banner is a minor benefit,
> however, as I've said, there are much more effective means of preventing
> accidental exposure, and quite frankly if the user is *choosing* to
> open the web interface I think a warning and disabling the banner if
> the user foolishly insists on opening the interface despite the warning
> is more useful than disabling the banner by default.
>
> If you're going to argue it prevents against internal threats then I
> would argue that if your internal network is hostile enough that you
> need to worry about attacks on openwrt from your internal network AND
> you're not skilled enough to limit access to LuCI (or better, build an
> image without LuCI and just use SSH) to the specific trusted hosts
> (preferably by combination of MAC address and IP address) in the
> firewall, or (better) to use a 'management' VPN or VLAN that only
> trusted hosts can get on, then you're in a lot more trouble than
> eliminating the banner for LuCI will solve.
>
> Regards,
>
> Daniel
>
> On 2015-09-13 10:21 AM, MauritsVB wrote:
>> At the moment the OpenWRT www login screen provides *very* detailed
>> version information before anyone has even entered a password. It displays
>> not just “15.05” or “Chaos Calmer” but even the exact git version on the
>> banner.
>>
>> While it’s not advised to open this login screen to the world, fact is
>> that it does happen intentionally or accidentally. Just a Google search for
>> “Powered by LuCI Master (git-“ will provide many accessible OpenWRT login
>> screens, including exact version information.
>>
>> As soon as someone discovers a vulnerability in an OpenWRT version all an
>> attacker needs to do is perform a Google search to find many installations
>> with versions that are vulnerable (even if a patch is already available).
>>
>> In the interest of hardening the default OpenWRT install, can I suggest
>> that by default OpenWRT doesn’t disclose the version (not even 15.05 or
>> “Chaos Calmer”) on the login screen? For extra safety I would even suggest
>> to leave “OpenWRT” off the login screen, the only people who should use
>> this screen already know it’s running OpenWRT.
>>
>> Any thoughts?
>>
>> Maurits
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
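Daniel's suggestion of restricting LuCI to specific trusted hosts in the firewall, as an added example in OpenWrt /etc/config/firewall syntax (written for this page, not taken from the thread or from the OpenWrt project); the host's MAC and IP address are constructed placeholders.

```uci
# Added example: allow the router's own web interface (LuCI behind uhttpd on
# TCP 80/443) only from one trusted management host on the LAN, matched on
# both MAC and IP address, and reject every other LAN client.
# Rules without a 'dest' option apply to traffic addressed to the router
# itself (the zone's input chain), and fw3 evaluates rules in file order, so
# the ACCEPT must come before the REJECT. The 'wan' zone keeps its default
# input policy of REJECT, so LuCI stays unreachable from the internet.
# Caveat: src_mac only matches hosts on the same layer-2 segment as the
# router, which is why a dedicated management VLAN is the stronger option.
# MAC and IP below are constructed placeholders.

config rule
	option name 'Allow-LuCI-from-admin-host'
	option src 'lan'
	option proto 'tcp'
	option src_mac 'AA:BB:CC:DD:EE:FF'
	option src_ip '192.168.1.10'
	option dest_port '80 443'
	option target 'ACCEPT'

config rule
	option name 'Reject-LuCI-from-other-LAN-hosts'
	option src 'lan'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'REJECT'
```

Reload with `/etc/init.d/firewall reload`; because neither rule has a `dest`, they only affect connections to the router and leave forwarded LAN traffic untouched.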