2016-11-19 - Re: [GRASE-Hotspot] Hotspot users can access /grase/radmin
Header Data
From: Michael Raynor <mx***1@gmail.com>
Message Hash: c528a39ca50fd01f16b972b8ff177848be20b39e7d6d382bf697295fd0a1de0e
Message ID: <79503552-3168-4c89-a96c-fefda4df0b9f@grasehotspot.org>
Reply To: <CAESLx0JRBa2a9bGizbZjF_j1YA+YSfGt-EkfPgkyXsNpvO0J_g@mail.gmail.com>
UTC Datetime: 2016-11-19 14:44:55 UTC
Raw Date: Sat, 19 Nov 2016 13:44:55 -0800
Raw message
Thanks Tim, I will see what I can do.
Cheers,
Michael
On Sunday, 20 November 2016 07:16:41 UTC+11, timwhite88 wrote:
>
> Hi Michael
>
> This is a very intentional design decision. There are plenty of places
> that the Grase Hotspot is installed as the router. There is no access from
> the WAN side, only the LAN side, for both administration and users.
>
> By default, there is even a link to the admin interface in the footer of
> the UAM login screen.
>
> The default ports that are open on the LAN side are in the config file.
> HS_TCP_PORTS="80 443 22 2812 53 3990 3128"
>
> Looking at that list, you'll see web ports, ssh, dns, coova-chilli and
> squid. 2812 would have been dansguardian from when I used to install that
> too. There are firewall rules in ipup.sh as well that block access to
> squid, except where it's been transparently proxied (access is needed in
> HS_TCP_PORTS for that to work still).
>
> Securing the WAN/LAN access is an exercise for the system admin, because
> unfortunately there is no standard installation. In some installs, the
> Hotspot WAN is really the internet. In other installations, the Hotspot WAN
> is really the normal LAN which is where your management happens to be from.
>
> In future versions, the UAM and Radmin will probably be in the same
> symfony application. So setting a good Admin password will be mandatory
> (currently we don't force you to change the password).
>
> For now, you'll probably want to use either iptables, or apache access
> rules. Try blocking access from localhost, as the reason the WAN ip is
> probably working, is that it's going through the squid proxy.
>
> Regards
>
> Tim
>
> On Sat, Nov 19, 2016 at 10:29 PM, Michael Raynor <mx***.@gmail.com
> <javascript:>> wrote:
>
>> Hi Guys,
>>
>> I just realised when testing that hotspot users are able to access the
>> /grase/radmin folder from both the LAN IP and the WAN/Management IP on the
>> Grase server.
>>
>> I tried to add code to
>> /etc/apache2/conf-available/grase-conf-apache2.conf but it doesn't seem to
>> cover access when using the WAN/Management IP from hotspot users (it does
>> block from the LAN IP):
>>
>> <Directory "/usr/share/grase/www/radmin/">
>> Deny from 10.50.0.0/16
>> </Directory>
>>
>> Hotspot users obviously need access to the /grase/uam/ folder and the
>> other common resources, but even showing the /grase/radmin is an
>> unnecessary security risk.
>>
>> I know credentials should be secure, but was just wondering if there was
>> a tried and tested way to block access outright.
>>
>> This also makes me wonder what else is open for hotspot users (ssh, mysql
>> probing etc).
>>
>> Any thoughts?
>>
>> Thanks,
>>
>> Michael
>>
>> --
>> This mailing list is for the Grase Hotspot Project
>> http://grasehotspot.org
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "Grase Hotspot" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to gr***.@grasehotspot.org <javascript:>.
>> To post to this group, send email to gr***.@grasehotspot.org
>> <javascript:>.
>> Visit this group at
>> https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
>> To view this discussion on the web visit
>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/f0b94c28-d3ba-4772-9d08-8be5d8e9b8e8%40grasehotspot.org
>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/f0b94c28-d3ba-4772-9d08-8be5d8e9b8e8%40grasehotspot.org?utm_medium=email&utm_source=footer>
>> .
>>
>
>
Thread
-
Return to November 2016
- Return to “Michael Raynor <mx***1@gmail.com>”
-
Return to “Timothy White <ti***8@gmail.com>”
- 2016-11-19 (Sat, 19 Nov 2016 04:29:51 -0800) - Hotspot users can access /grase/radmin - Michael Raynor <mx***1@gmail.com>
- 2016-11-19 (Sun, 20 Nov 2016 06:16:39 +1000) - Re: [GRASE-Hotspot] Hotspot users can access /grase/radmin - Timothy White <ti***8@gmail.com>
- 2016-11-19 (Sat, 19 Nov 2016 13:44:55 -0800) - Re: [GRASE-Hotspot] Hotspot users can access /grase/radmin - Michael Raynor <mx***1@gmail.com>
- 2016-11-20 (Sat, 19 Nov 2016 23:59:04 -0800) - Re: [GRASE-Hotspot] Hotspot users can access /grase/radmin - Michael Raynor <mx***1@gmail.com>
- 2016-11-19 (Sun, 20 Nov 2016 06:16:39 +1000) - Re: [GRASE-Hotspot] Hotspot users can access /grase/radmin - Timothy White <ti***8@gmail.com>