NTOP Plugin reachable from internet without authorization

prostream · 2017-12-13 17:59:00 UTC

Hi,

i´m using my nethserver as router for my home-network. Out of interest i installed the NTOP Plugin. My nethserver is reachable from my RED interface (so from the internet). I realized that the NTOP Webinterface is even reachable from the internet and that without any further authorization.

So if anyone knows my NTOP domain he´s able to see my whole traffic.

Is this a misconfiguration on my part, or is the problem known?

des · 2017-12-13 18:04:58 UTC

Hi,
Goto Gateway →Firewall rules
then search for ntopng → edit service
then look here

and uncheck the Internet (red) checkbox

this should work

prostream · 2017-12-13 18:23:00 UTC

yep that setting is active but when accessing “Bandwidth usage”:

You´re able to click on “show” behind any listed client. After that nethserver redirects to the ntop website and shows the specific informations about that client. But just have a look at the link:

I can´t block that redirect in my firewall. And if i´m entering exact this URL into another PC connected to the internet it has full access to the ntop interface.

des · 2017-12-13 18:42:16 UTC

Can you access NS admin interface from internet ?
Did you setup password for NTOP admin user?

prostream · 2017-12-13 18:51:45 UTC

yes as i said in my first posting
yes

des · 2017-12-13 18:55:46 UTC

sorry did not clearly understood it

i have looked at my configuration at work where NS acts as firewall/router and i have disabled access to NTOP and to NS Admin page (httpd-admin service) - maybe there is a problem at your config…

jjimenez · 2017-12-13 19:11:47 UTC

I can confirm this is not normal behaviour, my traffic to nettop is properly blocked at red interfaces.

des · 2017-12-13 19:14:37 UTC

Which version of NS do you use ?

planet_jeroen · 2017-12-13 19:19:56 UTC

Are you actually having ntop traffic on red or is your firewall reflecting the external side back to you on the lan, making it seem to you that you can connect from internet?

I had the same issue once with a different service, grabbed a phone, switched to mobile data and got blocked.

It’s a bit of a stretch, but easily overlooked.

prostream · 2017-12-13 19:58:37 UTC

yes if i´m disabling my NS Admin page for red interface i have no problems but i don´t wont to disable it cause i want to reach my NS admin page from the internet.

My NS Version is: NethServer release 7.4.1708 (Final)

Yep im having ntop traffic on red but the problem is still there when i´m disabling red interface in ntop settings.

des · 2017-12-13 20:04:15 UTC

I had also this problem, but I solved it like this:

disable access to admin page
setup OpenVPN Server on that router

and I am now able to access this server and anything in my lan - but you have to had a static IP address - which I assume you have.

giacomo · 2017-12-14 10:59:01 UTC

As default, ntopng port (3000) is open only from green interfaces.

The hash you see as URL is used from the proxy pass, and can be considered safe since it is random.
Exactly the same when you share your pics or file using Google and Dropbox secret URLs.

If you feel uncomfortable with it, you can enable the authentication or create a custom template (/etc/e-smith/templates/etc/httpd/admin-conf.d/ntopng.conf/10base) and limit access to certain IPs.

prostream · 2017-12-15 12:42:48 UTC

Ahh okay thanks for that!