Jump to content


Photo

OpenWebif [E2OpenPlugins]


  • Please log in to reply
1459 replies to this topic

Re: OpenWebif [E2OpenPlugins] #1201 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 26 May 2014 - 10:28

I've added an option to disallow logins as user "root".

This makes it impossible for an attacker to abuse the Webif for probing the root password.
Attempts to login as root are intentionally no answered with any meaningful error message but just "401 - Authentication required", just as if you entered wrong credentials.

In order to use this feature, you first have to telnet/ssh to your box and enter (for example):
adduser admin -h /dev/null -H -s /bin/false -G root
plus a password for this new user (twice).

This will create a new user
- named "admin"
- with /dev/null as his home dir (Does not exist)
- with /bin/false as shell (can not login to shell ...)
- being a member of the group "root" (Doesn't mean anything without the ability to get to a shell)
and the password as chosen by you ... (Preferably NOT the same as that for user "root").

Group "users" or any other existing group should work as well.

After creating one (or multiple) users != "root", you can use their credentials for login and disable root logins.
1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: OpenWebif [E2OpenPlugins] #1202 AxManDream

  • Member
  • 6 posts

0
Neutral

Posted 5 June 2014 - 15:19

Hi SpaceRat,

 

that's quite cool, I was looking for something like that :-)

Just one question (as I'm quite new in that field): How do I disable root logins after creating one or more users the way you described? Is "root" then disabled just for WebIf or also for ssh-login?



Re: OpenWebif [E2OpenPlugins] #1203 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 5 June 2014 - 16:56

that's quite cool, I was looking for something like that :-)
Just one question (as I'm quite new in that field): How do I disable root logins after creating one or more users the way you described?

It's a plain setting inside the OpenWebif options (Go to plugins -> OpenWebif using your remote control).
Alternatively, you can simply set
config.OpenWebif.no_root_access=true
inside /etc/enigma2/settings

Is "root" then disabled just for WebIf or also for ssh-login?

Just for the webif.

It's just enough to prevent the root password from being probed or being sniffed:
If for example ssh is opened to the outside using password logins, it's still quite annoying to probe the root password on ssh (Three attempts, delay, then disconnect), however it was easy on the webif (Unlimited attemps, no delay).
So an attacker could have used the webif for comfortable probing of the root pwd and then use it with ssh.
If you disable "root" logins on the webif, probing the root pwd there can not succeed while root can still login to ssh.

Note that OpenPLi's built-in streaming and transcoded streaming (On Vu+) still allow probing however.
1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: OpenWebif [E2OpenPlugins] #1204 AxManDream

  • Member
  • 6 posts

0
Neutral

Posted 5 June 2014 - 17:31

that's quite cool, I was looking for something like that :-)
Just one question (as I'm quite new in that field): How do I disable root logins after creating one or more users the way you described?

It's a plain setting inside the OpenWebif options (Go to plugins -> OpenWebif using your remote control).
Alternatively, you can simply set
config.OpenWebif.no_root_access=true
inside /etc/enigma2/settings

>Is "root" then disabled just for WebIf or also for ssh-login?

Just for the webif.

It's just enough to prevent the root password from being probed or being sniffed:
If for example ssh is opened to the outside using password logins, it's still quite annoying to probe the root password on ssh (Three attempts, delay, then disconnect), however it was easy on the webif (Unlimited attemps, no delay).
So an attacker could have used the webif for comfortable probing of the root pwd and then use it with ssh.
If you disable "root" logins on the webif, probing the root pwd there can not succeed while root can still login to ssh.

Note that OpenPLi's built-in streaming and transcoded streaming (On Vu+) still allow probing however.

 

 

Perfect, thank you! :-)



Re: OpenWebif [E2OpenPlugins] #1205 h.udo

  • Member
  • 2 posts

0
Neutral

Posted 29 July 2014 - 14:09

Hi folks!

 

A question to the developers of OpenWebif:

 

Is there any way to get the HDD capacity and free space in bytes? Any modifier i can use in web/about or web/deviceinfo?

 

I'm developing a frontend for a known media center software and I need it in bytes instead of GB or MB.

 

That way I can avoid doing the math (freeSpace * 1024* 1024 * etc) to get bytes and lose some accuracy.

 

Thanks for the great work you guys done!

 

h.udo



Re: OpenWebif [E2OpenPlugins] #1206 Robertooo

  • Senior Member
  • 287 posts

0
Neutral

Posted 4 August 2014 - 11:01

Hi,

 

Have somebody any idea why openwebif doesn't work on my PC with Win 7? The channels don't visible in the list but with Win XP they work perfectly.

 

Other things work OK with Win 7 too.



Re: OpenWebif [E2OpenPlugins] #1207 Kosh

  • Senior Member
  • 430 posts

+5
Neutral

Posted 4 August 2014 - 11:19

Try to use an alternative browser, not I.E.


ET10K user i.c.w. Samsung UE40B6000 LED HDTV. ET9K alas not functioning anymore.


Re: OpenWebif [E2OpenPlugins] #1208 WanWizard

  • PLi® Core member
  • 70,381 posts

+1,807
Excellent

Posted 4 August 2014 - 11:21

No problem here. I've seen reports that you may have to flush your cache or force a reload (using Ctrl-F5), due to changes in the ajax scripts.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: OpenWebif [E2OpenPlugins] #1209 Robertooo

  • Senior Member
  • 287 posts

0
Neutral

Posted 4 August 2014 - 11:47

I've tried it Chrome, not I.E.



Re: OpenWebif [E2OpenPlugins] #1210 Dr. Hannibal

  • Member
  • 6 posts

0
Neutral

Posted 5 August 2014 - 17:31

I have one problem with the webif. I flashed the newest openpli and i restored the settings, but now I have no access to the webif. I reveive a message: unauthoized!

can anybody help me out?



Re: OpenWebif [E2OpenPlugins] #1211 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 5 August 2014 - 17:54

I have one problem with the webif. I flashed the newest openpli and i restored the settings, but now I have no access to the webif. I reveive a message: unauthoized!
can anybody help me out?

Restoring the settings doesn't recover your Linux users or their passwords, afair.
So if you enabled "disallow root logins" in OpenWebif, your additionally created user for OWIF might be missing.
or
Your root user still has the OpenPli default password (none at all) as flashed and you are trying to use your previous root password (as set before flashing).
1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: OpenWebif [E2OpenPlugins] #1212 Dr. Hannibal

  • Member
  • 6 posts

0
Neutral

Posted 5 August 2014 - 18:11

I tried to change the password with a plugin from the feed, but still no access... what is the default name in the new webif? or how can I creat a user? or change the name?



Re: OpenWebif [E2OpenPlugins] #1213 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 5 August 2014 - 18:30

I tried to change the password with a plugin from the feed, but still no access... what is the default name in the new webif? or how can I creat a user? or change the name?

If you haven't had done this before the re-flash of your box, you shouldn't need to do it now.

However, for your information:
adduser admin -h /dev/null -s /bin/false -H
(you will be asked for the new user's password) would create the user "admin" which can be used to login into OWIF.
As this new user has no valid shell, unlike the user "root" he can't be abused for anything else but what can be done through the OWIF itself.

After successful creation and testing of such an additional user, you can disable root access to the openwebif inside its E2 configuration.
This will keep the OWIF from serving as a nice helper for probing the root password.


The password for user "root" (or any other user) can be changed after logging in to the box using telnet/ssh by entering
passwd
-> will change the password for the current user (= root)

or
passwd <user>
e.g.
passwd admin
will change the password for some other user (here: "admin").

Edited by SpaceRat, 5 August 2014 - 18:31.

1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: OpenWebif [E2OpenPlugins] #1214 Dr. Hannibal

  • Member
  • 6 posts

0
Neutral

Posted 5 August 2014 - 19:08

Thank you very much! Now it works again!



Re: OpenWebif [E2OpenPlugins] #1215 TheMystery

  • Senior Member
  • 395 posts

+2
Neutral

Posted 6 August 2014 - 16:03

I've added an option to disallow logins as user "root".

This makes it impossible for an attacker to abuse the Webif for probing the root password.
Attempts to login as root are intentionally no answered with any meaningful error message but just "401 - Authentication required", just as if you entered wrong credentials.

In order to use this feature, you first have to telnet/ssh to your box and enter (for example):

adduser admin -h /dev/null -H -s /bin/false -G root
plus a password for this new user (twice).

This will create a new user
- named "admin"
- with /dev/null as his home dir (Does not exist)
- with /bin/false as shell (can not login to shell ...)
- being a member of the group "root" (Doesn't mean anything without the ability to get to a shell)
and the password as chosen by you ... (Preferably NOT the same as that for user "root").

Group "users" or any other existing group should work as well.

After creating one (or multiple) users != "root", you can use their credentials for login and disable root logins.

 

I created a new user as descript, and i can login with the new user in the webinterface.

I disabled root logins within enigma2 and rebooted te box.

But i can stil login with my root account, what could be wrong?

Also if i enable stream authentication i can normaly stream without password.

 

I have already installed a clean image and configured everything again but with no result.


Edited by TheMystery, 6 August 2014 - 16:07.


Re: OpenWebif [E2OpenPlugins] #1216 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 6 August 2014 - 16:29

I disabled root logins within enigma2 and rebooted te box.
But i can stil login with my root account, what could be wrong?

Re-Check the settings:
If E2 crashes (even invisibly) during reboot (and it does that quite frequently) it might forget to save the settings.

If this is the case and you can't get your settings saved, perform the following steps from shell (telnet/ssh):

1. Enter "init 4" in order to quit E2
2. Open "/etc/enigma2/settings" inside an editor (e.g. mcedit from mc) or a lame excuse for an editor (vi)
3. Find the line saying "config.OpenWebif.no_root_access=" and change the value after the "=" to "true".
4. Save the file and reboot the box

Also if i enable stream authentication i can normaly stream without password.

Streaming and stream auth isn't handled by OpenWebif in OpenPli images, so there's nothing OpenWebif can do about it in this case.
1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: OpenWebif [E2OpenPlugins] #1217 TheMystery

  • Senior Member
  • 395 posts

+2
Neutral

Posted 6 August 2014 - 16:54

I disabled root logins within enigma2 and rebooted te box.
But i can stil login with my root account, what could be wrong?

Re-Check the settings:
If E2 crashes (even invisibly) during reboot (and it does that quite frequently) it might forget to save the settings.

If this is the case and you can't get your settings saved, perform the following steps from shell (telnet/ssh):

1. Enter "init 4" in order to quit E2
2. Open "/etc/enigma2/settings" inside an editor (e.g. mcedit from mc) or a lame excuse for an editor (vi)
3. Find the line saying "config.OpenWebif.no_root_access=" and change the value after the "=" to "true".
4. Save the file and reboot the box

>>Also if i enable stream authentication i can normaly stream without password.

Streaming and stream auth isn't handled by OpenWebif in OpenPli images, so there's nothing OpenWebif can do about it in this case.

 

 

This are the settings of openwebif in /etc/enigma2/settings:

config.OpenWebif.auth_for_streaming=true (not working)

config.OpenWebif.auth=true (works)

config.OpenWebif.no_root_access=true (not working)

 

So values are saved good


Edited by TheMystery, 6 August 2014 - 16:55.


Re: OpenWebif [E2OpenPlugins] #1218 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 6 August 2014 - 19:48

TheMystery, on 06 Aug 2014 - 17:52, said:
But i can stil login with my root account, what could be wrong?

Now I remember:
That setting is overridden for local connections using IPv4.
This was implemented in order to avoid hassle with legacy E2 Bouquet Editors and stuff like that which allow only one set of login/pass for all services (ftp/telnet/http) used by them.

So in order to test you would have to try a remote connection.
1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: OpenWebif [E2OpenPlugins] #1219 TheMystery

  • Senior Member
  • 395 posts

+2
Neutral

Posted 6 August 2014 - 20:10

TheMystery, on 06 Aug 2014 - 17:52, said:
But i can stil login with my root account, what could be wrong?

Now I remember:
That setting is overridden for local connections using IPv4.
This was implemented in order to avoid hassle with legacy E2 Bouquet Editors and stuff like that which allow only one set of login/pass for all services (ftp/telnet/http) used by them.

So in order to test you would have to try a remote connection.

 

Oke, i 'am gonna try it tommorow on my work.

 

Is it for streaming the same?


Edited by TheMystery, 6 August 2014 - 20:11.


Re: OpenWebif [E2OpenPlugins] #1220 TheMystery

  • Senior Member
  • 395 posts

+2
Neutral

Posted 7 August 2014 - 13:13

 

TheMystery, on 06 Aug 2014 - 17:52, said:
But i can stil login with my root account, what could be wrong?

Now I remember:
That setting is overridden for local connections using IPv4.
This was implemented in order to avoid hassle with legacy E2 Bouquet Editors and stuff like that which allow only one set of login/pass for all services (ftp/telnet/http) used by them.

So in order to test you would have to try a remote connection.

 

Oke, i 'am gonna try it tommorow on my work.

 

Is it for streaming the same?

 

From a remote connection it works indeed.

stream authentication not yet tested.




4 user(s) are reading this topic

0 members, 4 guests, 0 anonymous users