Remove link to Server Manager from welcome page

Is it possible to remove the link to the server manager from the welcome page in Apache?

Just like any other CentOS, you just need to create an index file:

touch /var/www/html/index.html

If you want to remove the server manager link:

cp /usr/share/httpd/noindex/nethserver_index.html /var/www/html/index.html

Then customize the page as you wish :wink:

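An added check for the situation described in the answer above (example code, not from the thread or from the NethServer project): it audits an Apache document root for a missing index.html, which means the default welcome page with its server-manager link is served, or for a custom index.html that still links to port 980. The document root is passed as an argument; /var/www/html from the post is only the expected value.

```shell
# Audit an Apache document root for a landing page that exposes the
# server manager (port 980). Returns 0 when the page looks clean and
# 1 when either condition below is found.
# Usage: check_landing_page /var/www/html
check_landing_page() {
  docroot="$1"
  index="$docroot/index.html"
  status=0

  # Condition 1: no index.html at all. On NethServer this means the
  # stock welcome page, including the server-manager link, is served.
  if [ ! -f "$index" ]; then
    echo "no index.html in $docroot: default welcome page is served"
    return 1
  fi

  # Condition 2: a custom index.html that still carries an href pointing
  # at port 980. The quoting handles both "..." and '...' attribute values.
  if grep -nEi 'href=["'"'"'][^"'"'"']*:980' "$index"; then
    echo "$index still links to the server manager (port 980)"
    status=1
  fi

  return $status
}
```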

I know that I could. Root privileges and search engines can solve the issues even for a n00b like me.
But as a security-prone setting, maybe it should be removed from the originating template.

A welcome page promoting NethServer is nice. But a fastpath to admin access seems a bad idea to me…

If others have the same feelings, I have nothing against merging a PR which does the job! :slight_smile:


@saitobenkei and @rolf, it seems that my little hint should not hurt.
Do you know other users who could agree?

@giacomo what do you mean with “PR”?

PR means “Pull Request”: About pull requests - GitHub Docs

Where the hell is my donkey hat…

TY @giacomo


Even though it is security by obscurity, I do tend to agree with @pike.
I don’t see any need to point any scriptkiddy to the weblogin page and start hammering the admin interface.
On the other hand, fail2ban will kick in as soon as anyone tries more than 3 times with false credentials. But still, I rather wouldn’t have the link freely available from the landing webpage.

IMHO these things are quite different, therefore both leading to better security.

Fail2Ban reduces footprint for bruteforce attack (saving resources in case of repeated failed accesses) and DDOS.
Removing the httpd-admin referral won’t give an automated page scan the chance to know there’s an admin interface. It will need some AI or HI to read the documentation and try to access it.

Hi there, but:

  • Who exposes the default landing page to the outside world? 80, 443 and 980 should always be blocked on the WAN NIC. Better if the Apache daemon listens only on LAN/DMZ interfaces by default;

WAN and public Apache on the same NS hosting other services is really one of the biggest bad ideas ever, in my opinion.

  • and a quick search of the NS docs reveals to anyone the default webadmin listening port and the URL of the admin login page;

So removing the admin link does not improve security in any way. Just a cosmetic thing.

regards

paolo

Most people run a web server on their Neth boxes. I’d expect a good number of us use them as public-facing web servers.

I totally agree with you, Dan, but removing the admin link doesn’t improve security in any way, so it’s better to close port 980 on the WAN NIC by default, for example.

Sadly I think many out there use web access for remote administration… and this is the real issue, not the admin link…

What do you think @giacomo ?


Sure it does. Marginally, but it is an improvement. Security through obscurity isn’t a good strategy as your sole method, but by the same token, the less information you can give an attacker the better.

That it is, but they are orthogonal issues, and that doesn’t address the possibility of malicious internal users. That also makes it impossible for remote users to change their passwords, since the only way to do that is through the server manager.

IMO, this is a very low-value change. The security benefit is minimal, but not non-existent. Meanwhile, the cost is almost zero. Seems net-beneficial to me, so PR here:


Trying to recap: two users would like to remove a feature (clicking on the server-manager link).
We have to be careful when removing a feature; we may have users relying on it that didn’t voice their opinion.
But, in this case, I think that @danb35’s pull request can be merged. The feature is believed to have low impact and the user is presented with an easy way to find a workaround.

We may also create a poll, explaining the reasoning behind the request, inviting people to vote and waiting a few more days. But, honestly, this change is small; is this all worth it? :slight_smile:

I totally agree, I always discourage opening port 980 on the public Internet… BUT it’s so convenient! :star_struck:

The real problem is that you need public access when NethServer is installed on a VPS.
So I back your idea to close port 980, but only in some scenarios. @davide_marini suggested a brilliant solution: let the user choose wisely during the first setup wizard.

And @edoardo_spadoni already did a mock-up:

I agree with you and @filippo_carletti and I’m willing to merge the PR.
It shouldn’t have any impact, and if it does, of course we can blame Dan! :stuck_out_tongue:

What do you think? Could this be a solution with a good balance between security and simplicity?

…unless you set up a dummy interface and use VPN for access to the server manager. Pity the dummy interface capability isn’t in the GUI, though. Password changes for remote users are another reason someone might expose 980 to the public Internet.

Sure, and I’ll tell the affected users to RTFM!

PR has been merged.
I will make sure the new code will be available in the ISO for NS 7.5 beta.

Now I have discovered this link, it is easy; how can I get it back? :slight_smile: