
Restrict management interfaces to LAN

Open darkk opened this issue 9 years ago • 0 comments

lepidopter may be exposed to the Internet; it has ssh enabled with a weak default password and an authless ooniprobe web interface.

I can imagine several (unlikely, but imaginable) cases for the exposure:

  • User's ISP & router are IPv6-capable, providing a routable IPv6 address to lepidopter
  • User sets up port-forwarding carelessly to view the nice ooni-probe wui from a 3G smartphone
  • User is an ISP and lepidopter is given a routable IPv4 address
  • Some unpredictable port-forwarding madness triggered by a combination of systemd, Bonjour/avahi and UPnP

I can suggest a couple of ways to restrict management interfaces:

  1. on a network-change event triggered by dhclient/systemd/whatever, parse the output of ip -o addr and allow source IPs from known subnets
  2. on a network-change event, parse ip neigh and deny source MACs of various routers

darkk avatar Oct 27 '16 18:10 darkk
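The first suggestion above, worked through as an added example (not lepidopter's or ooniprobe's own code): a hook script that turns the subnets found in `ip -o addr` output into iptables/ip6tables rules admitting sshd and the web UI only from on-link networks. It assumes the web UI listens on WUI_PORT (8842 is an assumed default), that the hook runs as root from a network-change event such as a dhclient exit hook, and that iptables/ip6tables are installed; the `ip -o addr` sample is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: derive "LAN only" firewall rules for sshd (22) and the ooniprobe
# web UI (WUI_PORT, assumed default 8842) from `ip -o addr` output.
WUI_PORT="${WUI_PORT:-8842}"

# Constructed `ip -o addr` sample (private/documentation ranges, not real hosts)
# so the script can be exercised without touching the live network.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global eth0\       valid_lft 86399sec preferred_lft 86399sec
2: eth0    inet6 2001:db8:abcd:12::1a/64 scope global dynamic \       valid_lft 86399sec preferred_lft 14399sec
2: eth0    inet6 fe80::1234:5678:9abc:def0/64 scope link \       valid_lft forever preferred_lft forever'

# lan_subnets: stdin = `ip -o addr` output; stdout = "<ip4|ip6> <addr/prefix>"
# for every non-loopback address. iptables masks host bits, so the interface
# address with its prefix length denotes the whole on-link subnet.
lan_subnets() {
    awk '($3 == "inet" || $3 == "inet6") && $4 != "" {
            scope = "";
            for (i = 5; i < NF; i++) if ($i == "scope") scope = $(i + 1);
            if (scope == "host") next;          # skip 127.0.0.1/8 and ::1/128
            fam = ($3 == "inet") ? "ip4" : "ip6";
            print fam, $4
        }'
}

# lan_rules: print (do not execute) iptables/ip6tables commands that accept the
# management ports from the discovered subnets and drop them from anywhere else.
lan_rules() {
    lan_subnets | while read -r fam net; do
        if [ "$fam" = "ip4" ]; then tool=iptables; else tool=ip6tables; fi
        for port in 22 "$WUI_PORT"; do
            echo "$tool -A INPUT -p tcp --dport $port -s $net -j ACCEPT"
        done
    done
    # Default-deny for both families after the per-subnet accepts.
    for tool in iptables ip6tables; do
        for port in 22 "$WUI_PORT"; do
            echo "$tool -A INPUT -p tcp --dport $port -j DROP"
        done
    done
}

# Dry run on the constructed sample. A real hook would instead run
# `ip -o addr | lan_rules | sh` after flushing the rules it installed last time.
printf '%s\n' "$SAMPLE_IP_ADDR" | lan_rules
```

Because the rules are regenerated on every address change, a new IPv6 prefix from the ISP is picked up automatically while anything off-link still hits the DROP rules.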