<p dir="ltr">While openwrt doesn't offer security release, hiding version in banner is not very effective. If the attacker can detect it is OpenWRT and if there is a known security issue for any major version, it is enough to try an attack.</p>
<p dir="ltr">Robot.txt is effective as Google is a common tool to look for targets. I guess brute force scanners would not care to detect luci open to web as it is a rare target (if Google does not list them). If they care, again, they would just try the known attack.</p>
<p dir="ltr">Regards,</p>
<br><div class="gmail_quote"><div dir="ltr">Em dom, 13 de set de 2015 17:05, Daniel Dickinson <<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I do think allowing to choose to disable the banner is a minor benefit,<br>
however, as I've said, there are much more effective means of preventing<br>
accidential exposure, and quite frankly if the user is *choosing* to<br>
open the web interface I think an warning and disabling the banner if<br>
the user foolishly insists on opening the interface despite the warning<br>
is more useful thank disabling the banner by default.<br>
<br>
If you're going to argue it prevents against internal threats than I<br>
would argue that if your internal network is hostile enough that you<br>
need to worry about attacks on openwrt from your internal network AND<br>
you're not skilled enough to limit access to LuCI (or better, build an<br>
image without LuCI and just use SSH) to the specific trusted hosts<br>
(preferably by combination of MAC address and IP address) in the<br>
firewall, or (better) to use a 'management' VPN or VLAN that only<br>
trusted hosts can get on, then you're in a lot more trouble than<br>
eliminating the banner for LuCI will solve.<br>
<br>
Regards,<br>
<br>
Daniel<br>
<br>
On 2015-09-13 10:21 AM, MauritsVB wrote:<br>
> At the moment the OpenWRT www login screen provides *very* detailed version information before anyone has even entered a password. It displays not just “15.05” or “Chaos Calmer” but even the exact git version on the banner.<br>
><br>
> While it’s not advised to open this login screen to the world, fact is that it does happen intentionally or accidentally. Just a Google search for “Powered by LuCI Master (git-“ will provide many accessible OpenWRT login screens, including exact version information.<br>
><br>
> As soon as someone discovers a vulnerability in a OpenWRT version all an attacker needs to do is perform a Google search to find many installations with versions that are vulnerable (even if a patch is already available).<br>
><br>
> In the interest of hardening the default OpenWRT install, can I suggest that by default OpenWRT doesn’t disclose the version (not even 15.05 or “Chaos Calmer”) on the login screen? For extra safety I would even suggest to leave “OpenWRT” off the login screen, the only people who should use this screen already know it’s running OpenWRT.<br>
><br>
> Any thoughts?<br>
><br>
> Maurits<br>
> _______________________________________________<br>
> openwrt-devel mailing list<br>
> <a href="mailto:openwrt-devel@lists.openwrt.org" target="_blank">openwrt-devel@lists.openwrt.org</a><br>
> <a href="https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel" rel="noreferrer" target="_blank">https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel</a><br>
><br>
_______________________________________________<br>
openwrt-devel mailing list<br>
<a href="mailto:openwrt-devel@lists.openwrt.org" target="_blank">openwrt-devel@lists.openwrt.org</a><br>
<a href="https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel" rel="noreferrer" target="_blank">https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel</a><br>
</blockquote></div>