WAN access to YAMon3 monitor usage pages

WiFi_Cowboy
DD-WRT Novice


Joined: 16 Mar 2015
Posts: 15

Posted: Sat Jun 17, 2017 10:22    Post subject: WAN access to YAMon3 monitor usage pages
Hello,
I searched the forum on this and did not come up with anything so I am now asking my questions here.

I have a Netgear WNDR4500 and I am running a DDNS service on it so I can remote manage and make changes to it. I am deployed with US Forces overseas. My family are not very IT savvy. So when needed I can get into my home router and see what's up, if things are healthy and what the WAN usages look like, etc. I was just home recently for some R&R and I decided to install YAMon3 as it seemed like a good tool to have as long as it didn't drag my router's CPU down. I was very impressed with it while I was home, on the LAN side of my network.

I have my backdoor WAN connection pretty secure and locked down so as to keep anyone from finding it and trying to gain access to my system. When I got back to my base I noticed that I could reach the YAMon3 usage pages by using my DDNS URL with my port numbers and then the /user/index.html. I have since uninstalled YAMon from the router since I did not like that you could reach this without even a username and password for credentials. It just seems like a security risk.

So is there a way to block getting to the YAMon3 usage web pages from the WAN port? I have no issues with the family getting to it from the LAN/WLAN side and if I could not get to it from the WAN at all that would be okay with me. I know that the user traffic I want to monitor is mostly routed through the WAN, not sure if this is a conflict with the YAMon or not. You can't have one without the other.

I have since ordered a new Netgear WRT1200AC that I want to configure to replace my WNDR4500. It should have the CPU power to handle YAMon, SAMBA, DLNA, etc... I hope. But as I said, not wanting to try YAMon again if it is always going to be reachable from the WAN port's public IP.

Thanks,
Dan A.



Router Model: Netgear WNDR4500
Firmware Version: DD-WRT v24-sp2 (03/02/15) giga - build 26424M
Kernel Version: Linux 3.10.70 #6827 Mon Mar 2 07:04:04 CET 2015 mips
al_c
DD-WRT Guru


Joined: 13 Apr 2013
Posts: 1525
Location: Ottawa Canada

Posted: Sun Jun 18, 2017 14:45    Post subject: Re: WAN access to YAMon3 monitor usage pages
Dan - unless I'm mistaken, the issue you raise is not specific to YAMon - i.e., any content written to /tmp/www would be similarly exposed. YAMon simply uses the internal web server and does *not* make any configuration changes.

YAMon can optionally mirror its data files to an external FTP folder... if that helps you see the data while you're overseas.

Al
WiFi_Cowboy
DD-WRT Novice


Joined: 16 Mar 2015
Posts: 15

Posted: Mon Jun 19, 2017 8:05    Post subject: Re: WAN access to YAMon3 monitor usage pages
Thanks Al,
That is some good information, both the FTP option and how content is treated in the /tmp/www folder. What I can't remember, but I think I did, was log into the normal DD-WRT webpages with my backdoor and usual credentials. So if that is true, then the YAMon pages were directly accessible.

What I will try with my new WRT1200AC when it arrives and after configuring it, is to see if I can get directly to the YAMon pages first before logging into the DD-WRT page. If it asks for my normal user/password then that would satisfy my issues with access security. I guess the question is this: is /tmp/www only used for YAMon pages or is that global for any webpages served from the router?

I think another option could be to turn off remote web access in the DD-WRT Admin section, and just reach it through a VPN connection. That might be another way to make sure I am the only one reaching back to my router for both the DD-WRT and YAMon pages.

I will try and update this thread once I am able to see how it behaves.

Dan A.
al_c
DD-WRT Guru


Joined: 13 Apr 2013
Posts: 1525
Location: Ottawa Canada

Posted: Fri Jun 23, 2017 16:13    Post subject: Re: WAN access to YAMon3 monitor usage pages
/tmp/user is used for any pages you want to add to the router... not just YAMon.

If you want to lock things down, you could look at replacing the stock dd-wrt web server with something like lighttpd... there are likely others out there as well.

Al
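
Added example (not part of the original thread, and not YAMon or DD-WRT code): a small check for the test Dan describes, requesting /user/index.html with no credentials and reporting whether the server hands the page over, asks for a login, or cannot be reached. The `FakeRouter` server is a constructed stand-in that mimics the behaviour reported in the thread (pages under /user/ served without a login, the admin root answering 401); the function name and result labels are made up for this illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Ignore proxy environment variables so the probe goes straight to the target.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def check_exposure(base_url, path="/user/index.html", timeout=5):
    """Send one GET with no credentials and classify the answer."""
    url = base_url.rstrip("/") + path
    try:
        with _opener.open(url, timeout=timeout) as resp:
            if resp.geturl() != url:
                return "redirected"  # e.g. bounced to a login page
            return "exposed" if resp.status == 200 else f"other:{resp.status}"
    except urllib.error.HTTPError as err:
        return "auth-required" if err.code in (401, 403) else f"other:{err.code}"
    except OSError:  # URLError, connection refused, timeout
        return "unreachable"

class FakeRouter(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: /user/ is open, everything else wants Basic auth."""
    def do_GET(self):
        if self.path.startswith("/user/"):
            body = b"<html>usage</html>"
            self.send_response(200)
        else:
            body = b""
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    result = {"usage": check_exposure(base), "admin": check_exposure(base, "/")}
    srv.shutdown()
    srv.server_close()
    # With the listener gone (as after closing the port to the WAN) nothing answers.
    result["after_block"] = check_exposure(base, timeout=2)
    return result

if __name__ == "__main__":
    print(demo())
```

Run from outside the LAN against your own DDNS name and port, "exposed" for the usage page alongside "auth-required" for the admin root is the situation described in the first post; "unreachable" is what to expect once remote web access is turned off.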