TheTorProject / lepidopter

lepidopter: raspberry pi image for conducting OONI network measurements
https://ooni.torproject.org/
GNU General Public License v3.0
47 stars 20 forks

Restrict management interfaces to LAN #89

Open darkk opened 8 years ago

darkk commented 8 years ago

lepidopter may be exposed to the Internet; it has SSH enabled with a weak default password and an authless ooniprobe web interface.

I can imagine several (unlikely, but imaginable) cases for the exposure:

I can suggest a couple of ways to restrict the management interfaces:

  1. on a network-change event triggered by dhclient/systemd/whatever, parse the output of ip -o addr and allow source IPs from the known subnets
  2. on a network-change event, parse ip neigh and deny source MACs of the various routers
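A worked version of option 1 above, added here as an example and not code from the lepidopter project: it takes `ip -o addr` output, derives the directly attached IPv4 subnets, and emits an nftables ruleset that admits the management ports only from those subnets. The port numbers (22 for sshd, 8842 for the ooniprobe web UI), the use of nft, and the hook location are assumptions made for the example; the sample `ip -o addr` lines are constructed so the script can be exercised without a network.

```shell
#!/bin/sh
# Added example (not lepidopter's own code): restrict SSH and the ooniprobe
# web interface to the subnets the Pi is directly attached to, recomputed
# from `ip -o addr` on every address change.
#
# Assumptions, not taken from the issue: sshd on 22, ooniprobe web UI on
# 8842, nft installed, script invoked with "apply" from a dhclient exit hook
# (/etc/dhcp/dhclient-exit-hooks.d/) or an equivalent networkd dispatcher.
SSH_PORT=22
OONI_WEB_PORT=8842

# Constructed sample of `ip -o addr` output (loopback, a DHCP lease on eth0,
# a static address on wlan0, plus IPv6 lines that must be ignored).
SAMPLE_IP_O_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.37/24 brd 192.168.1.255 scope global dynamic eth0\       valid_lft 86321sec preferred_lft 86321sec
2: eth0    inet6 fe80::ba27:ebff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
3: wlan0    inet 10.0.7.200/16 brd 10.0.255.255 scope global wlan0\       valid_lft forever preferred_lft forever'

# lan_subnets: read `ip -o addr` lines on stdin and print one "network/prefix"
# per IPv4 address with global scope. Loopback (scope host) and link-local
# addresses are skipped. The network address is computed with plain
# arithmetic so only POSIX awk is required (no gawk bit operators, no ipcalc).
lan_subnets() {
    awk '
    $3 == "inet" && /scope global/ {
        split($4, a, "/"); plen = a[2] + 0
        split(a[1], o, ".")
        ip = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        host = 2 ^ (32 - plen)            # number of host addresses
        net = int(ip / host) * host       # clear the host bits
        printf "%d.%d.%d.%d/%d\n",
            int(net / 16777216) % 256, int(net / 65536) % 256,
            int(net / 256) % 256, net % 256, plen
    }' | sort -u
}

# mgmt_ruleset: read subnets (one per line) on stdin and print an nftables
# ruleset that drops traffic to the management ports unless its source is in
# one of them. The leading "table"/"delete table" pair makes the reload
# atomic and idempotent. If no subnet is known, the set is left empty and
# the management ports are reachable only over loopback.
mgmt_ruleset() {
    _elements=$(awk '{ s = s (NR > 1 ? ", " : "") $0 } END { print s }')
    printf 'table inet mgmt\ndelete table inet mgmt\n'
    printf 'table inet mgmt {\n'
    printf '  set lan {\n    type ipv4_addr\n    flags interval\n'
    if [ -n "$_elements" ]; then
        printf '    elements = { %s }\n' "$_elements"
    fi
    printf '  }\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    printf '    iifname "lo" accept\n'
    printf '    tcp dport { %s, %s } ip saddr @lan accept\n' "$SSH_PORT" "$OONI_WEB_PORT"
    printf '    tcp dport { %s, %s } drop\n' "$SSH_PORT" "$OONI_WEB_PORT"
    printf '  }\n}\n'
}

# Hook entry point: only touches the kernel when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    ip -o addr | lan_subnets | mgmt_ruleset | nft -f -
fi
```

Two caveats worth keeping in mind with this approach. First, it admits whatever subnet the interface is on: if the Pi is handed a public address directly, the whole neighbouring public prefix is allowed, so the rule reduces exposure rather than guaranteeing LAN-only access. Second, the script only filters IPv4; an IPv6 address with global scope would need the same treatment in a separate set.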