OpenWebIf through HTTPS


19 replies to this topic

#1 filr0x

  • Member
  • 10 posts

0
Neutral

Posted 14 February 2020 - 12:19

Hi friends, I’ve seen that there is the possibility to set up HTTPS for remote OpenWebIf, to prevent intruders. I want to set this up, but what must I do after enabling HTTPS from the plugin? How can I create a certificate, etc.? Is there a tutorial? Thanks in advance.

Re: OpenWebIf through HTTPS #2 WanWizard

  • PLi® Core member
  • 68,528 posts

+1,736
Excellent

Posted 14 February 2020 - 12:21

I hate to disappoint you, but HTTPS does precisely zero to prevent intruders...


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Pro (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: OpenWebIf through HTTPS #3 filr0x

Posted 14 February 2020 - 12:32

Hi WanWizard and thanks for your reply. Is there a way to prevent or reduce the possibility of intrusions? Because I’ve seen that HTTP Auth is vulnerable. Thanks.

Re: OpenWebIf through HTTPS #4 WanWizard

Posted 14 February 2020 - 12:48

Use a VPN, most routers support them, most NAS devices too.

 

If really needed, you can install OpenVPN on the box itself, but it is a last-resort option, and requires commandline access to configure it.




Re: OpenWebIf through HTTPS #5 filr0x

Posted 16 February 2020 - 14:45

OK, thank you. Is there a guide to do it?

Must I make my home VPN? Or can I just install OpenVPN on my ZGemma and buy a VPN service (like NordVPN, for example)?

Edited by filr0x, 16 February 2020 - 14:48.


Re: OpenWebIf through HTTPS #6 WanWizard

Posted 16 February 2020 - 15:07

A VPN service is for connecting with a client in your home network to the outside world, and you need the other way, from a client on the internet securely to your home network.

 

Like I said:

  • if your broadband router supports any VPN functionality (but ideally not PPTP), use it
  • if you have a NAS or other device that supports OpenVPN, use it (with a port forward on your router)
  • install OpenVPN on your box as a last resort (with a port forward on your router)

And the reason for that is two-fold:

  • the box is not a security device, there is no privilege separation, everything runs as root
  • there is no documentation I know of, and no GUI to configure it, so it requires knowledge or a lot of Google work



Re: OpenWebIf through HTTPS #7 filr0x

Posted 16 February 2020 - 16:09

So there is no way to expose OpenWebIf in secure mode by only using the box..?

Re: OpenWebIf through HTTPS #8 WanWizard

Posted 16 February 2020 - 16:29

No.

 

Like I said, the box is not a security device, there isn't even a proper webserver running on the box, the webif is a python process listening to port 80 requests...

 

The alternative may be to use an SSH tunnel in combination with a public key instead of a password, but that requires knowledge as well.

 

There is an old guide about this (http://www.milosoftw...p?body=dropbear) in Dutch, maybe Google Translate may help here. It describes accessing the WebIf via the SSH tunnel.




Re: OpenWebIf through HTTPS #9 jort38

  • Senior Member
  • 644 posts

+8
Neutral

Posted 16 February 2020 - 17:00

No.
 
Like I said, the box is not a security device, there isn't even a proper webserver running on the box, the webif is a python process listening to port 80 requests...
 
The alternative may be to use an SSH tunnel in combination with a public key instead of a password, but that requires knowledge as well.
 
There is an old guide about this (http://www.milosoftw...p?body=dropbear) in Dutch, maybe Google Translate may help here. It describes accessing the WebIf via the SSH tunnel.

You can set that page easily to English (top right). No translation needed.

Vu+ Ultimo 4K (4 TB HD, DVBS FSB, DVBC FBC & OpenPli 9),

Xtrend ET10000 (1 DVBS works via ethernet & OpenPli 9),

Xtrend ET10000 (DVBT2 & OpenPli 9, located in Thailand). Only latest stable releases.

Xtrend ET10000 (works via ethernet & OpenPli 9) and

Xtrend ET8000 (1 TB HD, 1 DVBT2 & works via ethernet & OpenPli 9)


Re: OpenWebIf through HTTPS #10 MiLo

  • PLi® Core member
  • 14,045 posts

+298
Excellent

Posted 16 February 2020 - 19:20

The SSH method is safe and much easier than VPN. It encrypts everything, which can be taxing for low-end (i.e. old) boxes if you want to tunnel live video through it. Also works on most mobile phones and things like that.

 

(Don't be tempted to think that you can just open the web-interface without SSH or VPN and "it won't happen to me". It will happen to you and some enterprising criminal is likely to inject ransomware on everything on your home network.)


Real musicians never die - they just decompose

Re: OpenWebIf through HTTPS #11 filr0x

Posted 29 February 2020 - 00:26

OK, I’ve tested using SSH and it works fine. Now I have another question for you: I would like to change the SSH default port from 22 to a port such as 12345, in order to avoid opening port 22 on the router and to prevent port scans on port 22. Is it possible to change the SSH default port?

Re: OpenWebIf through HTTPS #12 WanWizard

Posted 29 February 2020 - 00:56

Yes. But pointless, it will be found almost as quickly. Security by obscurity never works.

 

Dropbear supports sshd style passwordless public key access, and disabling password logins, which might be a safer route.




Re: OpenWebIf through HTTPS #13 filr0x

Posted 29 February 2020 - 00:59

And if I use a strong password instead of a public key, is this bypassable?

For example: ti[dh-1)18]]75.

?

Edited by filr0x, 29 February 2020 - 01:04.


Re: OpenWebIf through HTTPS #14 MiLo

Posted 29 February 2020 - 13:25

OK, I’ve tested using SSH and it works fine. Now I have another question for you: I would like to change the SSH default port from 22 to a port such as 12345, in order to avoid opening port 22 on the router and to prevent port scans on port 22. Is it possible to change the SSH default port?

 

Just instruct your router to forward external port 12345 to internal port 22, no need to change the port on the box itself.



Re: OpenWebIf through HTTPS #15 MiLo

Posted 29 February 2020 - 13:28

And if I use a strong password instead of a public key, is this bypassable?

For example: ti[dh-1)18]]75.

Even a "strong" password is way less secure than using keypairs. And a keypair is much more convenient since you don't have to type it. The nice thing about keypairs is that even if someone is able to intercept and decrypt all your network traffic, he'll still be unable to reproduce your credentials.


Real musicians never die - they just decompose
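
The setup recommended in the replies above (an SSH tunnel to the WebIf on port 80, reached through a router forward of external port 12345 to port 22, with Dropbear key login and password logins disabled), sketched as an added example that is not part of any forum post. The host name, key file name, local port 8080 and the way Dropbear's arguments are handed to the check are assumptions; the key in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example: key-only Dropbear check plus the tunnel command for the WebIf.
# Host name, local port, key file and argument strings below are assumptions.

# Print the client-side command: local port -> box port 80, carried inside SSH.
# -N: no remote shell, -L: local forward, -i: private key, -p: port the router forwards.
tunnel_cmd() {  # usage: tunnel_cmd HOST EXT_PORT LOCAL_PORT KEYFILE
    printf 'ssh -N -i %s -p %s -L %s:127.0.0.1:80 root@%s\n' "$4" "$2" "$3" "$1"
}

# Audit the server side. $1 = Dropbear's command-line arguments, $2 = authorized_keys.
# Prints one line per finding; returns 0 only when nothing is found.
audit_dropbear() {
    args=$1 keys=$2 bad=0
    # Dropbear's -s switch disables password logins.
    case " $args " in
        *" -s "*) ;;
        *) echo "password logins still enabled (no -s)"; bad=1 ;;
    esac
    if [ ! -s "$keys" ]; then
        echo "no public key installed in $keys"; bad=1
    else
        # At least one line must look like a public key.
        grep -Eq '(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9]+) [A-Za-z0-9+/=]+' "$keys" ||
            { echo "no usable key line in $keys"; bad=1; }
        # A key file writable by group or others can have keys added to it.
        [ -z "$(find "$keys" -prune \( -perm -020 -o -perm -002 \))" ] ||
            { echo "$keys is group/world writable"; bad=1; }
    fi
    return $bad
}

# Demo on a constructed key file (the key body is a placeholder, not a real key).
demo() {
    d=$(mktemp -d) && k=$d/authorized_keys
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDER00 laptop' >"$k"
    chmod 600 "$k"
    tunnel_cmd home.example.net 12345 8080 '~/.ssh/box_ed25519'
    audit_dropbear "-p 22" "$k" || echo "=> not key-only yet"
    audit_dropbear "-s -p 22" "$k" && echo "=> key-only login enforced"
    rm -rf "$d"
}
demo
```

With the tunnel running, the WebIf is opened at http://127.0.0.1:8080 on the client, and only the SSH port is forwarded on the router.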

Re: OpenWebIf through HTTPS #16 filr0x

Posted 29 February 2020 - 14:40

Ok thank you very much.

Now I would also like to test the VPN method, but I don’t have any PC in the same LAN in which the box is placed; I only have a router and the box. My question is: is it possible to install OpenVPN as a server directly on the box, so I can use a PC from outside as a client and connect to the box through the VPN server installed on the box, without connecting to another server first?

Re: OpenWebIf through HTTPS #17 WanWizard

Posted 29 February 2020 - 14:46

Yes.

 

As long as you know how to configure it, and with the usual disclaimer that the box is not a security device, it doesn't even provide the normal linux OS security as everything runs as root.




Re: OpenWebIf through HTTPS #18 filr0x

Posted 29 February 2020 - 15:04

OK, do you know of any guide for doing this?

For you, which method gives more security? An SSH tunnel, or an OpenVPN server installed on the box as I said?

Re: OpenWebIf through HTTPS #19 WanWizard

Posted 29 February 2020 - 15:05

If you are limited to the box, I would go for SSH + keys. Just for the simplicity.

 

I have a firewall with OpenVPN support, so I use that myself.




Re: OpenWebIf through HTTPS #20 littlesat

  • PLi® Core member
  • 56,244 posts

+691
Excellent

Posted 29 February 2020 - 15:22

For OpenVPN you first need to acquire a key/license set, then put it properly on your box and make an OpenVPN config.

WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W


