Access to foris via internet

Hi, all!

Yesterday I was shocked when I got access to my router’s foris and luci interface via the internet. Since I couldn’t find anything helpful here in the forum, I started seeking a solution to my obvious security problem:

  1. Log in to your router via ssh: ssh root@router.lan
  2. Stop lighttpd: /etc/init.d/lighttpd stop
  3. Open lighttpd’s config file: vi /etc/lighttpd/lighttpd.conf
  4. Bind lighttpd to internal interface only: server.bind = "192.168.1.1"
  5. Start lighttpd again: /etc/init.d/lighttpd start

Hope that helps someone who’s concerned like me.

Neuni

A more consistent way (with the rest of config) would seem to do this in the firewall. That’s how e.g. DNS queries from outside are blocked ATM, too.

I personally do use foris or luci over the internet, occasionally. Note that the luci password also works for ssh as the root user…

From a security point of view it is better not to offer a service than to block an offered one. Therefore I suggest binding lighttpd to the LAN interface by default. If someone prefers to have the configuration interface available to everybody via the internet, it’s his / her own decision, indeed.

It would be “safer”, but LAN may not be a single address, so it’s not that easy. See discussion on https://gitlab.labs.nic.cz/turris/turris-os-packages/issues/20

EDIT: though whether you want the http server by default in guest lan, VPN, etc…

I know that my approach won’t satisfy everybody’s needs. But in fact, it is possible to bind lighttpd to more than one IP address. Perhaps it is possible to find a sensible, secure standard solution as well as a possibility to change those settings without the need of using ssh.
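As an added example, not part of this thread, two POSIX shell checks that relate to the procedure posted above and to the point about binding versus blocking: one lists the TCP listeners offered on every interface (the condition the firewall alone then has to cover), the other reads the address lighttpd is bound to from a lighttpd.conf. The netstat output and config fragments are constructed sample data, and the listener function assumes the `netstat -ltn` column layout.

```shell
#!/bin/sh
# Added example (not from the thread): two POSIX shell checks for the situation
# discussed above. The sample data below is constructed, not taken from a router.
#
# 1) wildcard_listeners: read `netstat -ltn` style lines on stdin and print the
#    port of every TCP listener bound to a wildcard address (0.0.0.0, :: etc.).
#    Such a service is offered on every interface, WAN included, and only the
#    firewall's WAN "reject" rule keeps it unreachable from outside.
wildcard_listeners() {
    while read -r proto _ _ laddr _ state; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac   # skip header lines
        [ "$state" = "LISTEN" ] || continue
        addr=${laddr%:*}        # text before the last ':' is the address
        port=${laddr##*:}       # text after it is the port
        case "$addr" in
            0.0.0.0|::|'*'|'[::]') echo "$port" ;;
        esac
    done
}

# 2) lighttpd_bind: print the address lighttpd binds to, read from a
#    lighttpd.conf on stdin. An absent server.bind means "all addresses",
#    which is why the fix posted above (server.bind = "192.168.1.1") makes the
#    service unavailable on the WAN side instead of merely blocked there.
lighttpd_bind() {
    bind=$(sed -n 's/^[[:space:]]*server\.bind[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | tail -n 1)
    printf '%s\n' "${bind:-0.0.0.0}"
}

# Constructed sample output in the layout of BusyBox `netstat -ltn`.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN'

# Constructed lighttpd.conf fragments: default (no bind) and the LAN-only fix.
CONF_DEFAULT='server.document-root = "/www"
server.port = 80'
CONF_LAN_ONLY='server.document-root = "/www"
server.port = 80
server.bind = "192.168.1.1"'

echo "Ports offered on all interfaces (firewall is the only protection):"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners | sort -u
echo "lighttpd bind, default config:  $(printf '%s\n' "$CONF_DEFAULT" | lighttpd_bind)"
echo "lighttpd bind, LAN-only config: $(printf '%s\n' "$CONF_LAN_ONLY" | lighttpd_bind)"
```

On the router itself the first function would be fed by `netstat -ltn` and the second by `cat /etc/lighttpd/lighttpd.conf`; port 53 bound to the LAN address in the sample is the pattern the thread argues lighttpd should follow.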

Is it generally possible to access it from the Internet, or generally only from the LAN? Apart from individual port forwards to the home network, I have changed nothing in the firewall section. The redirects go with fixed IPs directly to devices in the LAN, not to the Omnia itself. As far as I know, the basic idea is that one has access only from the LAN, and from outside only with intentional changes. When I call my public IP from the outside, nothing happens, which is how it should be. That you could easily access it confuses me a bit …

I was confused too. When I accidentally clicked on the link of my domain in the management interface of my DDNS provider, I expected the well-known error message. But the login screen of my router appeared.

Silly question: the host you tried to access your router from was located on the WAN side of the Omnia? So you are not testing from inside the Omnia’s LAN whether you can reach the management interface by using its external IP address, correct?

Best Regards


The question is not silly: In fact I tried to reach the external IP from inside the LAN, but afaik there are no firewall rules for the external interface which differ between internal and external access. Therefore the result should be the same regardless of whether it is an access from LAN or WAN.

I’m using DDNS and tried to reach foris over http from outside and it’s not working - which is great, so I assume you made changes that made it possible in the first place. And I have a public IP (on a UPC modem with the Turris behind it as DMZ, because bridge mode was causing problems for UPC STB IPTV services - a UPC problem, but the only solution was to disable bridge mode)

Sounds reasonable. But I didn’t change the standard config of lighttpd or the firewall, except port forwarding for port 80 - which couldn’t work since that port was already occupied.

Oh, I think this is called hairpin routing or NAT loopback, and LEDE does that as well; I am not sure whether this actually has an explicit firewall rule, even though it does seem to be implemented via iptables.
I think the really important test for your claim of WAN-side access to foris is to actually attempt to access it from a host that is physically located on the WAN side. I tried with my Omnia and failed for both foris/luci and ssh, YMMV.

Best Regards

Access to foris or any other service from the LAN side with the WAN IP works because the packets enter from the LAN interface and match the LAN rules where access is allowed. Real routing does not happen as the destination IP is a local IP.

I think the default is to block all inbound WAN connections. So if it is really accessible from the outside, you’d have to explicitly allow it.

THANK YOU @neuni!

I also spilled my coffee when I discovered that I could access the router from the internet by default.

I do not find this default configuration to be in line with the generally high level of security in the Turris project. I am at Foris version 100.5

So did you test this from outside your LAN? Using the external IP address from inside the LAN is not the same situation as using the outside IP address from the WAN side. The former is benign, the latter a safety issue, please let us know which situation you see.

Hi @moeller0

I did not test from the outside, only from the LAN.

The situation was the following: I rebooted the router from the Foris interface. When the interface reloaded after the router was back, the IP address in the URL bar showed my public IP address (212.237.xxx.xxx) and the Foris interface.

I logged out of Foris and logged in to Foris again with the same password as I use on 192.168.1.1.
At that point I got a bit concerned, and found the post by @neuni .

Checking the firewall rules from the LuCI interface, it shows the following:

I expect this to mean that it rejects incoming connections from the WAN.

You may be right, that the connection is still coming from the LAN side, even though the URL shows the public IP, and that it is not actually accessible from the WAN. I’ll test with a VPN as soon as possible.

Thank you for following up.
