Remove link to Server Manager from welcome page


(Michael Kicks) #1

Is it possible to remove the link to the server manager from the welcome page in Apache?


(Giacomo Sanchietti) #2

Just like any other CentOS, you just need to create an index file:

touch /var/www/html/index.html

If you want to remove the server manager link:

cp /usr/share/httpd/noindex/nethserver_index.html /var/www/html/index.html

Then customize the page as you wish :wink:


(Michael Kicks) #3

I know that I could. Root privileges and search engines can solve the issues even for a n00b like me.
But as a security-prone setting, maybe it should be removed from the originating template.

A welcome page promoting NethServer is nice. But a fastpath to admin access seems a bad idea to me…


(Giacomo Sanchietti) #4

If others have the same feelings, I have nothing against merging a PR which does the job! :slight_smile:


(Michael Kicks) #5

@saitobenkei and @rolf, it seems that my little hint should not hurt.
Do you know other users who could agree?

@giacomo what do you mean with “PR”?


(Giacomo Sanchietti) #6

PR means “Pull Request”: https://help.github.com/articles/about-pull-requests/


(Michael Kicks) #7

Where the hell is my donkey hat…

TY @giacomo


(Rob Bosch) #8

Even though it is security by obscurity, I do tend to agree with @pike.
I don’t see any need to point any scriptkiddy to the weblogin page and start hammering the admin interface.
On the other hand, fail2ban will kick in as soon as anyone tries more than 3 times with false credentials. But still, I’d rather not have the link freely available from the landing webpage.


(Michael Kicks) #9

IMHO these things are quite different, therefore both leading to better security.

Fail2Ban reduces the footprint of brute-force attacks (saving resources in case of repeated failed accesses) and DDoS.
Removing the httpd-admin referral won’t give an automated page scan the chance to know there’s an admin interface. It will need some AI or HI to read the documentation and try to access it.


(Paolo Fornara) #10

Hi there, but:

  • Who exposes the default landing page to the outside world? 80, 443 and 980 should always be blocked on the WAN NIC. Better if the Apache daemon listens only on LAN/DMZ interfaces by default;

WAN and public Apache on the same NS hosting other services is really one of the biggest bad ideas ever in my opinion.

  • and a quick search of the NS docs reveals to anyone the default web admin listening port and the URL of the admin login page;

So removing the admin link does not improve security in any way. Just a cosmetic thing.

regards

paolo


(Dan) #11

Most people running a web server on their Neth boxes. I’d expect a good number of us use them as public-facing web servers.


(Paolo Fornara) #12

I totally agree with you Dan, but removing the admin link doesn’t improve security in any way, so it’s better to close port 980 on the WAN NIC by default, for example.

Sadly I think many out there use web access for remote administration… and this is the real issue, not the admin link…

What do you think @giacomo ?


(Dan) #13

Sure it does. Marginally, but it is an improvement. Security through obscurity isn’t a good strategy as your sole method, but by the same token, the less information you can give an attacker the better.

That it is, but they are orthogonal issues, and that doesn’t address the possibility of malicious internal users. That also makes it impossible for remote users to change their passwords, since the only way to do that is through the server manager.

IMO, this is a very low-value change. The security benefit is minimal, but not non-existent. Meanwhile, the cost is almost zero. Seems net-beneficial to me, so PR here:


(Filippo Carletti) #14

Trying to recap: two users would like to remove a feature (clicking on the server-manager link).
We have to be careful when removing a feature; we may have users relying on it that didn’t voice their opinion.
But, in this case, I think that @danb35’s pull request can be merged. The feature is believed to have low impact and the user is presented with an easy way to find a workaround.

We may also create a poll, explaining the reasoning behind the request, inviting people to vote and waiting a few more days. But, honestly, this change is small, is this all worth it? :slight_smile:


(Giacomo Sanchietti) #15

I totally agree, I always discourage opening the port 980 on the public Internet … BUT it’s so convenient! :star_struck:

The real problem is that you need public access when NethServer is installed on a VPS.
So I back your idea to close port 980, but only in some scenarios. @davide_marini suggested a brilliant solution: let the user choose wisely during the first setup wizard.

And @edoardo_spadoni already did a mock-up:

I agree with you and @filippo_carletti and I’m willing to merge the PR.
It shouldn’t have any impact, and if it does, of course we can blame Dan! :stuck_out_tongue:

What do you think? Could this be a solution with a good balance between security and simplicity?


(Dan) #16

…unless you set up a dummy interface and use VPN for access to the server manager. Pity the dummy interface capability isn’t in the GUI, though. Password changes for remote users are another reason someone might expose 980 to the public Internet.

Sure–and I’ll tell the affected users to RTFM!


(Giacomo Sanchietti) #17

PR has been merged.
I will make sure the new code will be available in the ISO for NS 7.5 beta.


(Stéphane de Labrusse) #18

Now that I have discovered this link, it is easy, how can I get it back :slight_smile: