2016-11-19 - Hotspot users can access /grase/radmin
Header Data
From: Michael Raynor <mx***1@gmail.com>
Message Hash: 5438e64a2b9905a2786ead2c4fcb23b0afc49130e2168746c70409835b4a66a8
Message ID: <f0b94c28-d3ba-4772-9d08-8be5d8e9b8e8@grasehotspot.org>
Reply To: N/A
UTC Datetime: 2016-11-19 05:29:51 UTC
Raw Date: Sat, 19 Nov 2016 04:29:51 -0800
Raw message
Hi Guys,
I just realised when testing that hotspot users are able to access the
/grase/radmin folder from both the LAN IP and the WAN/Management IP on the
Grase server.
I tried to add code to /etc/apache2/conf-available/grase-conf-apache2.conf
but it doesn't seem to cover access when using the WAN/Management IP from
hotspot users (it does block from the LAN IP):
    <Directory "/usr/share/grase/www/radmin/">
        Deny from 10.50.0.0/16
    </Directory>
Hotspot users obviously need access to the /grase/uam/ folder and the other
common resources, but even showing the /grase/radmin is an unnecessary
security risk.
I know credentials should be secure, but was just wondering if there was a
tried and tested way to block access outright.
This also makes me wonder what else is open for hotspot users (ssh, mysql
probing etc).
Any thoughts?
Thanks,
Michael
Thread
- 2016-11-19 (Sat, 19 Nov 2016 04:29:51 -0800) - Hotspot users can access /grase/radmin - Michael Raynor <mx***1@gmail.com>
- 2016-11-19 (Sun, 20 Nov 2016 06:16:39 +1000) - Re: [GRASE-Hotspot] Hotspot users can access /grase/radmin - Timothy White <ti***8@gmail.com>
- 2016-11-19 (Sat, 19 Nov 2016 13:44:55 -0800) - Re: [GRASE-Hotspot] Hotspot users can access /grase/radmin - Michael Raynor <mx***1@gmail.com>
- 2016-11-20 (Sat, 19 Nov 2016 23:59:04 -0800) - Re: [GRASE-Hotspot] Hotspot users can access /grase/radmin - Michael Raynor <mx***1@gmail.com>