lepidopter may be exposed to Internet, it has ssh enabled with weak default password and authless ooniprobe web interface.
I can imagine several (unlikely, but imaginable) cases for the exposure:
- User's ISP & router are IPv6-capable providing routable IPv6 address to lepidopter
- User setting up port-forwarding carelessly to view nice ooni-probe wui from a 3G smartphone
- User is ISP and lepidopter is given routable IPv4 address
- Some unpredictable port-forwarding madness triggered by combination of systemd, Bonjour/avahi and uPNP
I can suggest couple of ways to restrict management interfaces:
- on
network-change event triggered by dhclient/systemd/whatever parse output of ip -o addr and allow source IPs from known subnets
- on
network-change event parse ip neight and deny source MACs of various routers
lepidopter may be exposed to Internet, it has ssh enabled with weak default password and authless ooniprobe web interface.
I can imagine several (unlikely, but imaginable) cases for the exposure:
I can suggest couple of ways to restrict management interfaces:
network-changeevent triggered by dhclient/systemd/whatever parse output ofip -o addrand allow source IPs from known subnetsnetwork-changeevent parseip neightand deny source MACs of various routers