I'm using my NethServer as router for my home network. Out of interest I installed the NTOP plugin. My NethServer is reachable from my RED interface (so from the internet). I realized that the NTOP web interface is even reachable from the internet, and that without any further authorization.
So if anyone knows my NTOP domain, he's able to see my whole traffic.
Is this a misconfiguration on my part, or is the problem known?
You're able to click on "show" behind any listed client. After that NethServer redirects to the ntop website and shows the specific information about that client. But just have a look at the link:
I can't block that redirect in my firewall. And if I'm entering exactly this URL on another PC connected to the internet, it has full access to the ntop interface.
I have looked at my configuration at work, where NS acts as firewall/router, and I have disabled access to NTOP and to the NS admin page (httpd-admin service). Maybe there is a problem with your config…
Are you actually having ntop traffic on red, or is your firewall reflecting the external side back to you on the LAN, making it seem to you that you can connect from the internet?
I had the same issue once with a different service, grabbed a phone, switched to mobile data and got blocked.
Yes, if I'm disabling my NS admin page for the red interface I have no problems, but I don't want to disable it because I want to reach my NS admin page from the internet.
My NS Version is: NethServer release 7.4.1708 (Final)
Yep, I'm having ntop traffic on red, but the problem is still there when I'm disabling the red interface in the ntop settings.
By default, the ntopng port (3000) is open only from green interfaces.
The hash you see in the URL is used by the proxy pass, and can be considered safe since it is random.
Exactly the same as when you share your pics or files using Google and Dropbox secret URLs.
If you feel uncomfortable with it, you can enable the authentication or create a custom template (/etc/e-smith/templates/etc/httpd/admin-conf.d/ntopng.conf/10base) and limit access to certain IPs.
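As an added illustration of the last suggestion (limiting access to certain IPs), here is the kind of Apache 2.4 fragment such a custom template could render. This is not the template shipped by NethServer or the ntopng module; it assumes the httpd-admin proxy exposes ntopng under a random path, written here as the placeholder /NTOPNG-PROXY-PATH, and that 192.168.1.0/24 is your green subnet.

```apache
# Added example, not the NethServer ntopng.conf template itself.
# "/NTOPNG-PROXY-PATH" is a placeholder for the random proxy-pass path
# on your own system; the ProxyPass directives from the real template
# stay as they are, this only adds an authorization check in front.
<Location "/NTOPNG-PROXY-PATH">
    # Apache 2.4 authorization. With several Require lines in one
    # container, any matching line grants access (RequireAny default).
    # Only the local host and the green LAN may reach the proxied ntopng
    # interface; every other client, including anyone who learned the
    # random path, receives 403 instead of the traffic view.
    Require ip 127.0.0.1 ::1
    Require ip 192.168.1.0/24
</Location>
```

In NethServer's e-smith layout, local changes are normally kept as a fragment under /etc/e-smith/templates-custom/ mirroring the path named above, so they survive package updates; after expanding the template and reloading httpd-admin, repeat the earlier check from a phone on mobile data and confirm the proxied path now answers 403 rather than the ntopng pages.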