New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict management interfaces to LAN #89

Open

darkk opened this issue Oct 27, 2016 · 0 comments

Labels

Member

darkk commented Oct 27, 2016 •

edited

Loading

lepidopter may be exposed to Internet, it has ssh enabled with weak default password and authless ooniprobe web interface.

I can imagine several (unlikely, but imaginable) cases for the exposure:

User's ISP & router are IPv6-capable providing routable IPv6 address to lepidopter
User setting up port-forwarding carelessly to view nice ooni-probe wui from a 3G smartphone
User is ISP and lepidopter is given routable IPv4 address
Some unpredictable port-forwarding madness triggered by combination of systemd, Bonjour/avahi and uPNP

I can suggest couple of ways to restrict management interfaces:

on network-change event triggered by dhclient/systemd/whatever parse output of ip -o addr and allow source IPs from known subnets
on network-change event parse ip neight and deny source MACs of various routers

The text was updated successfully, but these errors were encountered:

darkk added the enhancement label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment