binaryedge / ratemyip-openframework

An Open framework to rate the exposure of ip addresses with services exposed to the internet

no HTTPS != vulnerability + general impression #1

Open nickpsecurity opened 7 years ago

nickpsecurity commented 7 years ago

I'm at a relative's house right now. I decided to run it to see what happens. They got a few laptops and streaming box behind a Linksys router that I set up for them a while back. The report shows the setup was good except for three, open ports: 80 (lighttpd), 515 (printer), and 9100 (jetdirect). Plus, not using encryption on HTTP server. Interesting scan since they don't have a printer! I'm guessing the Linksys uses lighttpd for its web server with its default configuration allowing common, printer ports. Unlisted in admin UI, too! I have firewalls on endpoints but I'm double checking they're blocking whatever those ports are. Best to be extra careful. So, thanks for reminder.

Now, to the issue I found where I'm assuming that's the server you're detecting on 80. Router's web server is set up to block all remote or wireless connections. You have to be physically plugged into the network. Then, you have to authenticate to access it. I confirmed this by trying to access the server at 80 via computer outside the network. Gets "connection reset" every time. Also, Firefox on LAN wouldn't even connect to router over HTTPS, citing some risk of Linksys's configuration of HTTPS. I wasn't gonna risk that adding to whatever problem I'm debugging later over a phone or network. Other rule is they or I disconnect internal devices before administration. So, internal network only, wired, no other devices, and stronger credentials is the overall setup. Given that, HTTPS provides no meaningful increase in security with a lack of it remotely causing no extra risk.

There is a risk left that's more severe that gets less attention: a vulnerability in lighttpd that can be triggered by it accepting a remote packet or stream of them. Router would need to be updated with any security fixes for that server to reduce risk. This kind of vulnerability exists in all consumer routers with web servers or other listening services. You seem to assess this with version detection compared to CVE database. It's not as prominently described or displayed as encryption. Among most important advice for securing consumer routers is a strong, initial configuration plus upgrading/patching the box to fix security issues. You should probably mention router updates or something in that section or a follow-up link on what measures to take.

Note: Also, thanks to this tool, I discovered their $50-60 Linksys router has SPI firewall but no port blocking. What!? I was going to blackhole the ports with its port forwarding but the destinations are forced to use 192.168.1.x on a DHCP network using same range for trusted devices. (Shakes head.) Maybe I should upgrade them... after some careful research... if router manufacturers are making design decisions that dumb. So, that's twice your service was useful. :)
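The reachability check described in the comment above, as an added example that is not part of the original comment or of the ratemyip code: it classifies how each reported port answers from the current vantage point, separating "connection reset" from a refused or silently dropped connection. The function name `probe`, its parameters and the command-line usage are assumptions made for this sketch.

```python
import socket
import sys

# Ports named in the report above: HTTP, LPD and JetDirect.
REPORTED_PORTS = (80, 515, 9100)

def probe(host, port, timeout=3.0, send_http=None):
    """Classify how a TCP port on your own device answers from this vantage point.

    Returns (state, server_header); state is "open", "reset" (handshake
    completed, then the peer reset), "refused" or "filtered" (no answer).
    """
    if send_http is None:
        # Only speak HTTP to port 80: a raw print port would print the request.
        send_http = port == 80
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", None
    except socket.timeout:
        return "filtered", None
    with sock:
        try:
            if send_http:
                sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            reply = sock.recv(4096)
        except (ConnectionResetError, BrokenPipeError):
            return "reset", None
        except socket.timeout:
            return "open", None  # accepted the connection but stayed silent
    # Report the Server header if the service identified itself.
    for line in reply.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return "open", line.split(b":", 1)[1].strip().decode("latin-1")
    return "open", None

if __name__ == "__main__":
    # Assumed usage: pass the address of a device you administer, once from the
    # LAN side and once from outside, and compare the two results.
    target = sys.argv[1]
    for p in REPORTED_PORTS:
        print(p, *probe(target, p))
```

A port that reads "open" from the LAN but "reset" or "filtered" from outside matches the setup the comment describes; the Server header, when present, is the value to check against the vendor's firmware and security advisories.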

balgan commented 6 years ago

Hi @nickpsecurity Thank you so much for your comments, we're happy this tool helped you out and we hope it will help many more.

It's important that people understand what they're exposing to the internet in a simple and clean way.

If you ever have more feedback for us, please do let us know and we will try and improve the tool further!

Best regards, Tiago