2016-11-19 - Re: [GRASE-Hotspot] Hotspot users can access /grase/radmin

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: f6c6d420a2087624e7083180ec40f0ad7ff423cefe48d21ddadcb6446640066d
Message ID: <CAESLx0JRBa2a9bGizbZjF_j1YA+YSfGt-EkfPgkyXsNpvO0J_g@mail.gmail.com>
Reply To: <f0b94c28-d3ba-4772-9d08-8be5d8e9b8e8@grasehotspot.org>
UTC Datetime: 2016-11-19 13:16:39 UTC
Raw Date: Sun, 20 Nov 2016 06:16:39 +1000

Raw message

Hi Michael

This is a very intentional design decision. There are plenty of places that
the Grase Hotspot is installed as the router. There is no access from the
WAN side, only the LAN side, for both administration and users.

By default, there is even a link to the admin interface in the footer of
the UAM login screen.

The default ports that are open on the LAN side are in the config file.
HS_TCP_PORTS="80 443 22 2812 53 3990 3128"

Looking at that list, you'll see web ports, ssh, dns, coova-chilli and
squid. 2812 would have been dansguardian from when I used to install that
too. There are firewall rules in ipup.sh as well that block access to
squid, except where it's been transparently proxied (access is needed in
HS_TCP_PORTS for that to work still).

Securing the WAN/LAN access is an exercise for the system admin, because
unfortunately there is no standard installation. In some installs, the
Hotspot WAN is really the internet. In other installations, the Hotspot WAN
is really the normal LAN which is where your management happens to be from.

In future versions, the UAM and Radmin will probably be in the same symfony
application. So setting a good Admin password will be mandatory (currently
we don't force you to change the password).

For now, you'll probably want to use either iptables, or apache access
rules. Try blocking access from localhost, as the reason the WAN ip is
probably working, is that it's going through the squid proxy.

Regards

Tim

On Sat, Nov 19, 2016 at 10:29 PM, Michael Raynor <mx***1@gmail.com> wrote:

> Hi Guys,
>
> I just realised when testing that hotspot users are able to access the
> /grase/radmin folder from both the LAN IP and the WAN/Management IP on the
> Grase server.
>
> I tried to add code to /etc/apache2/conf-available/grase-conf-apache2.conf
> but it doesn't seem to cover access when using the WAN/Management IP from
> hotspot users (it does block from the LAN IP):
>
>     <Directory "/usr/share/grase/www/radmin/">
>        Deny from 10.50.0.0/16
>     </Directory>
>
> Hotspot users obviously need access to the /grase/uam/ folder and the
> other common resources, but even showing the /grase/radmin is an
> unnecessary security risk.
>
> I know credentials should be secure, but was just wondering if there was a
> tried and tested way to block access outright.
>
> This also makes me wonder what else is open for hotspot users (ssh, mysql
> probing etc).
>
> Any thoughts?
>
> Thanks,
>
> Michael
>
> --
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> ---
> You received this message because you are subscribed to the Google Groups
> "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gr***e@grasehotspot.org.
> To post to this group, send email to gr***t@grasehotspot.org.
> Visit this group at https://groups.google.com/a/
> grasehotspot.org/group/grase-hotspot/.
> To view this discussion on the web visit https://groups.google.com/a/
> grasehotspot.org/d/msgid/grase-hotspot/f0b94c28-d3ba-
> 4772-9d08-8be5d8e9b8e8%40grasehotspot.org
> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/f0b94c28-d3ba-4772-9d08-8be5d8e9b8e8%40grasehotspot.org?utm_medium=email&utm_source=footer>
> .
>

Thread