oatflake Posted December 19, 2011

Hi! Just a security paranoia question: I noticed that the main /WEB/INDEX.HTM page is *not* HTTP authenticated. The subsequent pages it calls are, but the base level page, if exposed to the internet, exposes that this port hosts the ISY-99i. I would like to know if it's possible to configure the ISY-99i to make sure that even *this* main page (and ideally, even the redirect page in / that points to /WEB/INDEX.HTM) can be password protected to keep people who are snooping for these devices on the internet from attempting more attacks. We don't know of any security exploits now, but I worry that someone may use this information to figure out that I have this device and then narrow their attacking methods.
Michel Kohanim Posted December 19, 2011

Hello oatflake, There are very many files in /WEB that should not be password protected, otherwise the Admin Console (and UPnP) will not find ISY on the network. Perhaps we can make only INDEX.HTM password protected? With kind regards, Michel
oatflake Posted December 19, 2011 (Author)

> Hello oatflake, There are very many files in /WEB that should not be password protected, otherwise the Admin Console (and UPnP) will not find ISY on the network. Perhaps we can make only INDEX.HTM password protected? With kind regards, Michel

Aha, I see - I presume the reason the Admin Console can't handle this is because it doesn't do HTTP auth? One other option I was considering was placing my ISY-99i behind my own SSL proxy like Pound, and setting up my own HTTP authentication such as through haproxy - I actually tried this, but that explains why I couldn't get the Admin Console to work (the normal web pages worked fine). I actually do have a suitable workaround right now; I simply block all access through my firewall and connect to my ISY-99i using an ssh tunnel. It's not ideal because it means I can only access it through a computer that has ssh set up, and I really like using my Android phone web browser to check in on things. I guess for now protecting INDEX.HTM is probably the simplest thing. Does that require a firmware update, or is there a way I can tweak the settings myself?
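The reverse-proxy approach mentioned above, as an added illustration that is not from this thread or from Universal Devices: an haproxy front end that terminates TLS and demands HTTP Basic credentials only for the landing page (/ and /WEB/INDEX.HTM), while passing the other /WEB files through unauthenticated so that discovery still works. The listening port, certificate path, user name and the ISY address 192.168.1.50 are placeholders; the ISY's own authentication on the sub-pages remains in place behind the proxy.

```haproxy
# Constructed example: password-protect only the ISY landing page at the proxy.
# Replace the placeholder user/password (use a hashed "password" entry in production),
# the certificate bundle and the ISY address with your own values.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Credentials for the landing page. "insecure-password" is clear text in the config;
# "password" with a crypt(3)/SHA-512 hash is the safer choice on a real deployment.
userlist isy_landing
    user CHANGE_ME insecure-password CHANGE_ME_TOO

frontend isy_https
    # Terminate TLS here so credentials never cross the internet in the clear.
    bind :8443 ssl crt /etc/haproxy/isy-placeholder.pem
    # The landing page and the root redirect that points at it.
    acl landing path -i /web/index.htm
    acl landing path /
    # True only when the request carries valid Basic credentials from the userlist.
    acl authed http_auth(isy_landing)
    # Challenge unauthenticated requests for the landing page; everything else
    # (the generic /WEB files needed by discovery) is forwarded untouched.
    http-request auth realm "ISY" if landing !authed
    default_backend isy_device

backend isy_device
    # Plain HTTP to the ISY on the LAN; the ISY's own auth still applies to sub-pages.
    server isy 192.168.1.50:80
```

A port scanner probing /WEB/INDEX.HTM now receives a 401 challenge rather than the page itself; as noted later in the thread, the Admin Console's discovery may still not work through such a proxy, so test that separately.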
Michel Kohanim Posted December 20, 2011

Hello oatflake, No, Admin Console does HTTP auth. The problem is when you are searching for ISY, you may NOT already know the credentials (that's how all discovery protocols are designed) and thus a few of those files in /WEB should be generic. We'll see what we can do to password protect index. With kind regards, Michel