Try services, network, inetd, configure, http, configure.
But remember that the root password is transmitted in clear form through the wire. Use the stunnel package for secure http.
On Jan 29, 2012 1:09 AM, "Joao Cardoso" <joao.fs...@gmail.com> wrote: Try services, network, inetd, configure, http, configure.
> > On Jan 28, 2012 7:52 PM, "Keon91" <kpsc...@gmail.com> wrote: > > Hi, > > I have forwarded the...
That's the browser's job. If it does not complain (apart from the self-signed
server certificate) when the url is 'https:/...', then all is alright. It
should display a lock icon or similar.
> How can I be sure that my root password isn't transported clear through
> the wire?
>
> On Jan 30, 4:45 pm, Keon91 <kpscha...@gmail.com> wrote:
> > Isn't it a good idea to make the stunnel a standard enabled service in
> > Alt-F and a part of the http under the service inetd?
Yes, if there wasn't only 8MB of flash memory available for the kernel and the
root filesystem. The DNS-325, e.g., has 128MB!
Regarding the login page: yes, it is possible to only display the status page
after a successful login, "security by obfuscation". But a "man in the middle"
attacker could get some server info from the http headers.
The auth screenshot you posted is typically used by the browser when the server
asks for http authentication (look at the swat login,
services->network->smb->configure->advanced page).
The "basic" http auth is not better than the current forms-based
authentication, and I'm not sure if the busybox http server fully supports
digest-based (md5) auth. If it does, and there are signs in the code that it
does, then Alt-F could use it -- passwords would not be transmitted in the
clear.
But again, a man in the middle attacker could forge the server header, asking
the browser to use "basic" authentication.
I'm not a security expert, and my Alt-F concerns regarding security only
covers the trivial casual user cases.
I think that "what a man can do other can undo" (apart from breaking an egg,
of course :-)
But you can file an issue report, asking for http digest-based auth, so I will
not forget to see if busybox http server fits the job.
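
The difference between "basic" and digest (MD5) http auth discussed in the message above, as an added example that is not part of the original thread and is not Alt-F or busybox code. It shows what each scheme puts on the wire and a client-side check that refuses a challenge weaker than the expected scheme; the credentials are the sample values from RFC 7617 and RFC 2617, and `accept_challenge` is a hypothetical policy helper.

```python
import base64
import hashlib


def basic_header(user, password):
    """Authorization value for Basic auth: base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def decode_basic(header):
    """Anyone who can read the header on the wire recovers the password."""
    _scheme, token = header.split(" ", 1)
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value: only a hash bound to the server nonce is sent."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def accept_challenge(www_authenticate, pinned_scheme="digest"):
    """Hypothetical client policy: answer only the scheme expected for this
    server, so a forged 'Basic' challenge is refused instead of obeyed."""
    scheme = www_authenticate.strip().split(None, 1)[0].lower()
    return scheme == pinned_scheme


if __name__ == "__main__":
    hdr = basic_header("Aladdin", "open sesame")          # RFC 7617 sample
    print(hdr, "->", decode_basic(hdr))
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                          "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))        # RFC 2617 sample
    # Constructed challenges: the second is what a forged header would look like.
    print(accept_challenge('Digest realm="nas", nonce="abc", qop="auth"'))
    print(accept_challenge('Basic realm="nas"'))
```

Digest auth keeps the password off the wire but does not protect the rest of the session, so the stunnel route mentioned earlier in the thread still applies.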