<div dir="ltr">My vote is for generally _not doing anything_. Defaults are safe, as pointed out here a few times... We cannot start to babysit users from themselves... We can guide, we can help and so on, but it's still the end user's responsibility when opening port(s) to WAN, or securing access in a big LAN/VPN/VLAN/etc. environment; we can't start pampering them...<div><br></div><div> Sami Olmari</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 14, 2015 at 6:30 PM, Joshua Judson Rosen <span dir="ltr"><<a href="mailto:jrosen@harvestai.com" target="_blank">jrosen@harvestai.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 2015-09-13 10:21, MauritsVB wrote:<br>
> At the moment the OpenWRT www login screen provides *very* detailed version information before anyone has even entered a password. It displays not just “15.05” or “Chaos Calmer” but even the exact git version on the banner.<br>
><br>
> While it’s not advised to open this login screen to the world, the fact is that it does happen, intentionally or accidentally. Just a Google search for “Powered by LuCI Master (git-“ will provide many accessible OpenWRT login screens, including exact version information.<br>
><br>
> As soon as someone discovers a vulnerability in an OpenWRT version, all an attacker needs to do is perform a Google search to find many installations with versions that are vulnerable (even if a patch is already available).<br>
><br>
> In the interest of hardening the default OpenWRT install, can I suggest that by default OpenWRT doesn’t disclose the version (not even 15.05 or “Chaos Calmer”) on the login screen? For extra safety I would even suggest to leave “OpenWRT” off the login screen, the only people who should use this screen already know it’s running OpenWRT.<br>
><br>
> Any thoughts?<br>
<br>
</span>I think you'd also need to change a number of services to stop<br>
reporting detailed information in their protocol.<br>
<br>
For example: have you noticed that the ETag and Last-Modified<br>
values that uhttpd returns for a given path are identical<br>
across all installations of a given version of OpenWrt?<br>
It doesn't really matter if there's an OpenWrt version-number<br>
in the *content* fetched over HTTP--the client has already<br>
got that information before they even get the content.<br>
<br>
Another example: the version-info exchanged at the start<br>
of the SSH protocol.<br>
<br>
It's like deciding that you want to send an anonymous letter<br>
and so avoid signing your name on that letter, but still putting<br>
your name and return address on the outside of the envelope.<br>
<span class="im HOEnZb"><br>
--<br>
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."<br>
</span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
openwrt-devel mailing list<br>
<a href="mailto:openwrt-devel@lists.openwrt.org">openwrt-devel@lists.openwrt.org</a><br>
<a href="https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel" rel="noreferrer" target="_blank">https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel</a><br>
</div></div></blockquote></div><br></div>
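<div>Added example, not part of the thread above or of the OpenWrt/LuCI code: a small probe that collects the pre-authentication identifiers Joshua's message points at (the <code>Server</code>, <code>ETag</code> and <code>Last-Modified</code> headers of a static file, and the SSH identification string) and reduces them to a build fingerprint. The embedded HTTP response and SSH banner are constructed for the demonstration and are not real uhttpd or Dropbear output; the default static-asset path in <code>probe_live()</code> is an assumption, and any file shipped in the firmware image will do.</div>

```python
"""
Added example (not from the openwrt-devel thread): collect the fields a web
front-end and an SSH server reveal before any login, and turn them into a
build fingerprint. The sample response and banner below are constructed
for illustration; they are not captured from a real device.
"""
import hashlib
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample of a raw HTTP response for a static file. The Server,
# ETag and Last-Modified values are illustrative, not real OpenWrt values.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: uhttpd/example\r\n"
    b"ETag: \"55e1c7a3-1f2\"\r\n"
    b"Last-Modified: Sat, 29 Aug 2015 14:17:23 GMT\r\n"
    b"Content-Type: text/css\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed SSH identification string (RFC 4253 section 4.2 format).
SAMPLE_SSH_BANNER = b"SSH-2.0-dropbear_example\r\n"

# Headers whose value depends on the build rather than on the device.
HEADERS_OF_INTEREST = ("server", "etag", "last-modified", "x-powered-by")


def parse_http_headers(raw: bytes) -> Dict[str, str]:
    """Return the identifying headers of a raw HTTP response, lower-cased.
    For a static file shipped in the image, ETag and Last-Modified are
    fixed at build time, so they identify the build on every device."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the status line
    found: Dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in HEADERS_OF_INTEREST:
            found[name.strip().lower()] = value.strip()
    return found


def parse_ssh_banner(banner: bytes) -> Optional[str]:
    """Return the softwareversion field of an SSH-2.0 identification
    string, or None when the bytes are not such a banner."""
    m = re.match(rb"SSH-2\.0-([^\s\r\n]+)", banner)
    return m.group(1).decode("ascii", "replace") if m else None


def leaked_fields(http: Dict[str, str], ssh: Optional[str]) -> List[str]:
    """List the identifying fields present, in a stable order, so an
    administrator can see what a scanner would learn before any login."""
    leaks = [k for k in HEADERS_OF_INTEREST if k in http]
    if ssh:
        leaks.append("ssh-version")
    return leaks


def build_fingerprint(http: Dict[str, str], ssh: Optional[str]) -> str:
    """Collapse the leaked fields into one short digest. Two hosts with the
    same digest are almost certainly running the same build."""
    parts = [f"{k}={http[k]}" for k in sorted(http)]
    if ssh:
        parts.append(f"ssh={ssh}")
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]


def probe_live(host: str, http_port: int = 80, ssh_port: int = 22,
               path: str = "/luci-static/resources/cbi.js",
               timeout: float = 3.0) -> Tuple[Dict[str, str], Optional[str]]:
    """Query a host you are authorised to test. The default path is an
    assumption about where a static LuCI asset lives; any file that is
    part of the firmware image gives a build-specific ETag."""
    request = f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    raw = b""
    with socket.create_connection((host, http_port), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    with socket.create_connection((host, ssh_port), timeout=timeout) as s:
        banner = s.recv(256)  # the server speaks first in SSH
    return parse_http_headers(raw), parse_ssh_banner(banner)


if __name__ == "__main__":
    http = parse_http_headers(SAMPLE_HTTP_RESPONSE)
    ssh = parse_ssh_banner(SAMPLE_SSH_BANNER)
    print("leaked before login:", leaked_fields(http, ssh))
    print("build fingerprint:  ", build_fingerprint(http, ssh))
```

<div>Run without arguments it works on the constructed samples only; point <code>probe_live()</code> at one of your own routers to see what it reports before the LuCI page body is even delivered. Removing the version from the login banner changes nothing in this output, which is the point of the envelope analogy above.</div>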