2016-11-20 - Re: [GRASE-Hotspot] Hotspot users can access /grase/radmin

Header Data

From: Michael Raynor <mx***1@gmail.com>
Message Hash: 51414e713298dd229fa0e13b243e7b705d8b31b9639775d547d2505e096f5a1f
Message ID: <f0ddce37-167c-4842-80d2-476ee3f0d6c5@grasehotspot.org>
Reply To: <CAESLx0JRBa2a9bGizbZjF_j1YA+YSfGt-EkfPgkyXsNpvO0J_g@mail.gmail.com>
UTC Datetime: 2016-11-20 00:59:04 UTC
Raw Date: Sat, 19 Nov 2016 23:59:04 -0800

Raw message 

Hi Tim,

What is the best way to set up a SSL certificate for the /grase/radmin 
login page? It would be good to encrypt the login to prevent MITM sniffing 
etc.

I have a wildcard certificate, so we could set a different DNS record for 
accessing Grase from the WAN side and the LAN side and Apache should 
continue to work.

I know both /grase/radmin and /grase/uam are on the same virtual host, so 
it might need a bit more thought to get clients hitting the correct login 
page, and also the http://logout page (if that is served via the same 
virtual host).

Thanks for your help!

Michael

On Sunday, 20 November 2016 07:16:41 UTC+11, timwhite88 wrote:
>
> Hi Michael
>
> This is a very intentional design decision. There are plenty of places 
> that the Grase Hotspot is installed as the router. There is no access from 
> the WAN side, only the LAN side, for both administration and users.
>
> By default, there is even a link to the admin interface in the footer of 
> the UAM login screen.
>
> The default ports that are open on the LAN side are in the config file.
> HS_TCP_PORTS="80 443 22 2812 53 3990 3128"
>
> Looking at that list, you'll see web ports, ssh, dns, coova-chilli and 
> squid. 2812 would have been dansguardian from when I used to install that 
> too. There are firewall rules in ipup.sh as well that block access to 
> squid, except where it's been transparently proxied (access is needed in 
> HS_TCP_PORTS for that to work still).
>
> Securing the WAN/LAN access is an exercise for the system admin, because 
> unfortunately there is no standard installation. In some installs, the 
> Hotspot WAN is really the internet. In other installations, the Hotspot WAN 
> is really the normal LAN which is where your management happens to be from.
>
> In future versions, the UAM and Radmin will probably be in the same 
> symfony application. So setting a good Admin password will be mandatory 
> (currently we don't force you to change the password).
>
> For now, you'll probably want to use either iptables, or apache access 
> rules. Try blocking access from localhost, as the reason the WAN ip is 
> probably working, is that it's going through the squid proxy.
>
> Regards
>
> Tim
>
> On Sat, Nov 19, 2016 at 10:29 PM, Michael Raynor <mx***.@gmail.com 
> <javascript:>> wrote:
>
>> Hi Guys,
>>
>> I just realised when testing that hotspot users are able to access the 
>> /grase/radmin folder from both the LAN IP and the WAN/Management IP on the 
>> Grase server.
>>
>> I tried to add code to 
>> /etc/apache2/conf-available/grase-conf-apache2.conf but it doesn't seem to 
>> cover access when using the WAN/Management IP from hotspot users (it does 
>> block from the LAN IP):
>>
>>     <Directory "/usr/share/grase/www/radmin/">
>>        Deny from 10.50.0.0/16
>>     </Directory>
>>
>> Hotspot users obviously need access to the /grase/uam/ folder and the 
>> other common resources, but even showing the /grase/radmin is an 
>> unnecessary security risk.
>>
>> I know credentials should be secure, but was just wondering if there was 
>> a tried and tested way to block access outright.
>>
>> This also makes me wonder what else is open for hotspot users (ssh, mysql 
>> probing etc).
>>
>> Any thoughts?
>>
>> Thanks,
>>
>> Michael
>>
>> -- 
>> This mailing list is for the Grase Hotspot Project 
>> http://grasehotspot.org
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "Grase Hotspot" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to gr***.@grasehotspot.org <javascript:>.
>> To post to this group, send email to gr***.@grasehotspot.org 
>> <javascript:>.
>> Visit this group at 
>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/f0b94c28-d3ba-4772-9d08-8be5d8e9b8e8%40grasehotspot.org 
>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/f0b94c28-d3ba-4772-9d08-8be5d8e9b8e8%40grasehotspot.org?utm_medium=email&utm_source=footer>
>> .
>>
>
>

Thread