I agree that adding a robots.txt with User-agent: * Disallow: / would be worth it, considering it’s a small effort and minimal space penalty.
It doesn’t stop Banner Grabbing tools but it does stop casual indexing by benign search tools. Of course, removing the version banner or adding a robots.txt doesn’t stop a determined attacker specifically targeting a known machine. What it does do is prevent these systems ending up in a detailed database of vulnerable systems. It should not be considered a replacement (or “job done”) for other security measures, just an extra line of protection.

Maurits

> On 13 Sep 2015, at 21:49, Daniel Dickinson <open...@daniel.thecshore.com> wrote:
>
> On 2015-09-13 4:41 PM, Luiz Angelo Daros de Luca wrote:
>> While openwrt doesn't offer security releases, hiding the version in the banner
>> is not very effective. If the attacker can detect it is OpenWRT and if
>> there is a known security issue for any major version, it is enough to
>> try an attack.
>>
>> robots.txt is effective as Google is a common tool to look for targets. I
>
> Do you have any references / statistics / facts to justify this claim?
>
>> guess brute force scanners would not care to detect luci open to the web as
>> it is a rare target (if Google does not list them). If they care, again,
>
> Erm, if luci is a rare target, then who is going to bother with searching for
> vulnerable banners?
>
> Furthermore, the far better way to avoid this exposure is to prevent exposing
> the web interface unintentionally in the first place.
>
> I'm not convinced robots.txt prevents a significant number of attacks, although
> given the small size of robots.txt I don't think it would hurt to include it
> anyway.
>
> I'm merely pointing out that the robots.txt is really not a very effective
> solution to the stated reason for wanting it (protecting the user from accidental
> exposure, or from choosing to expose without realizing the risks of doing so).
>
> I think solving the real problem is more important than relying on a bandaid
> and saying 'job done'.
>
> (Which is how I view Etienne's robots.txt email).
>
> Regards,
>
> Daniel
>
>> they would just try the known attack.
>>
>> Regards,
>>
>>
>> On Sun, 13 Sep 2015 17:05, Daniel Dickinson
>> <open...@daniel.thecshore.com> wrote:
>>
>> I do think allowing to choose to disable the banner is a minor benefit,
>> however, as I've said, there are much more effective means of preventing
>> accidental exposure, and quite frankly if the user is *choosing* to
>> open the web interface I think a warning and disabling the banner if
>> the user foolishly insists on opening the interface despite the warning
>> is more useful than disabling the banner by default.
>>
>> If you're going to argue it protects against internal threats then I
>> would argue that if your internal network is hostile enough that you
>> need to worry about attacks on openwrt from your internal network AND
>> you're not skilled enough to limit access to LuCI (or better, build an
>> image without LuCI and just use SSH) to the specific trusted hosts
>> (preferably by combination of MAC address and IP address) in the
>> firewall, or (better) to use a 'management' VPN or VLAN that only
>> trusted hosts can get on, then you're in a lot more trouble than
>> eliminating the banner for LuCI will solve.
>>
>> Regards,
>>
>> Daniel
>>
>> On 2015-09-13 10:21 AM, MauritsVB wrote:
>> > At the moment the OpenWRT www login screen provides *very*
>> > detailed version information before anyone has even entered a
>> > password. It displays not just “15.05” or “Chaos Calmer” but even
>> > the exact git version on the banner.
>> >
>> > While it’s not advised to open this login screen to the world,
>> > fact is that it does happen intentionally or accidentally. Just a
>> > Google search for “Powered by LuCI Master (git-“ will provide many
>> > accessible OpenWRT login screens, including exact version information.
>> >
>> > As soon as someone discovers a vulnerability in an OpenWRT version
>> > all an attacker needs to do is perform a Google search to find many
>> > installations with versions that are vulnerable (even if a patch is
>> > already available).
>> >
>> > In the interest of hardening the default OpenWRT install, can I
>> > suggest that by default OpenWRT doesn’t disclose the version (not
>> > even 15.05 or “Chaos Calmer”) on the login screen? For extra safety
>> > I would even suggest to leave “OpenWRT” off the login screen, the
>> > only people who should use this screen already know it’s running
>> > OpenWRT.
>> >
>> > Any thoughts?
>> >
>> > Maurits
>> > _______________________________________________
>> > openwrt-devel mailing list
>> > openwrt-devel@lists.openwrt.org
>> > https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
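As an added example (not code from the thread, nor from OpenWrt or LuCI), a small POSIX shell audit for the two settings Daniel's argument actually turns on: whether uhttpd is bound to every address and whether a firewall rule accepts tcp/80 or tcp/443 from the wan zone. The sample configs are constructed; it assumes one dest_port per rule and rule names without spaces.

```shell
# Added audit helper, not code from the thread or from OpenWrt/LuCI itself.
# Reads OpenWrt UCI config text on stdin and reports what would put the web
# interface within reach of the WAN side. Constructed samples follow below.

# uhttpd: print each listen address bound to all interfaces (0.0.0.0 or [::]).
wildcard_listeners() {
    tr -d "'\"" | awk '
        /^[ \t]*list[ \t]+listen_https?[ \t]/ && $3 ~ /^(0\.0\.0\.0|\[::\]):/ { print $3 }'
}

# firewall: print "<name> <proto>/<port>" for rules that accept web ports from wan.
wan_web_rules() {
    tr -d "'\"" | awk '
        function flush() {
            if (sec == "rule" && src == "wan" && target == "ACCEPT" && port ~ /^(80|443)$/)
                print name " " proto "/" port
            sec = name = src = proto = target = port = ""
        }
        $1 == "config" { flush(); sec = $2 }
        $1 == "option" && $2 == "name"      { name = $3 }
        $1 == "option" && $2 == "src"       { src = $3 }
        $1 == "option" && $2 == "proto"     { proto = $3 }
        $1 == "option" && $2 == "target"    { target = $3 }
        $1 == "option" && $2 == "dest_port" { port = $3 }
        END { flush() }'
}

# Constructed samples: default-style uhttpd binds, plus one hand-added WAN rule.
sample_uhttpd() { cat <<'EOF'
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
EOF
}
sample_firewall() { cat <<'EOF'
config rule
	option name 'Allow-LuCI-WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
EOF
}

sample_uhttpd | wildcard_listeners   # prints 0.0.0.0:80, [::]:80, 0.0.0.0:443
sample_firewall | wan_web_rules      # prints Allow-LuCI-WAN tcp/80
```

A uhttpd bound only to the LAN address (for example `list listen_http '192.168.1.1:80'`) produces no output from the first check, which is the configuration Daniel describes as solving the real problem.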