Jump to content

Protect /WEB/INDEX.HTM ?

oatflake

By oatflake
in ISY994

Recommended Posts

oatflake New

oatflake

Posted
Posted

Hi! Just a secure paranoia question:

 

I noticed that the main /WEB/INDEX.HTM page is *not* http authenticated. The subsequent pages it calls is, but the base level page, if exposed to the internet, exposes that this port hosts the ISY-99i.

 

I would like to know if it's possible to configure the ISY-99i to make sure that even *this* main page (and ideally, even the redirect page in / that points to /WEB/INDEX.HTM) can be password protected to keep people who are snooping for these devices on the internet from attempting more attacks.

 

We don't know of any security exploits now, but I worry that someone may use this information to figure out that I have this device and then narrow their attacking methods.

Michel Kohanim Wise Elder

Michel Kohanim

Posted
Posted

Hello oatflake,

 

There are very many files in /WEB that should not be password protected otherwise the Admin Console (and UPnP) will not find ISY on the network.

 

Perhaps we can make only INDEX.HTM password protected?

 

With kind regards,

Michel

oatflake New

oatflake

Posted
  • Author
Posted
Hello oatflake,

 

There are very many files in /WEB that should not be password protected otherwise the Admin Console (and UPnP) will not find ISY on the network.

 

Perhaps we can make only INDEX.HTM password protected?

 

With kind regards,

Michel

 

Aha, I see - I presume the reason the Admin Console can't handle this is because it doesn't do http auth?

 

One other options I was considering was placing my ISY-99i behind my own SSL proxy like Pound, and setting up my own http authentication such as through haproxy - I actually tried this, but that explains why I couldn't get the Admin Console to work (the normal webpages worked fine).

 

I actually do have a suitable work-around right now; I simply block all access through my firewall and connect to my ISY-99i using an ssh tunnel. It's not ideal because it means I can only access it through a computer that has ssh setup, and I really like using my android phone web browser to check in on things.

 

I guess for now protecting INDEX.HTM is probably the simplest thing. Does that require a firmware update, or is there a way I can tweak the settings myself?

Michel Kohanim Wise Elder

Michel Kohanim

Posted
Posted

Hello oatflake,

 

No, Admin Console does HTTP auth. The problem is when you are searching for ISY, you may NOT already know the credentials (that's how all discovery protocols are designed) and thus a few of those files in /WEB should be generic.

 

We'll see what we can do to password protect index.

 

With kind regards,

Michel

Guest
This topic is now closed to further replies.
Go to topic listing
×
×
  • Create New...