WAN access to YAMon3 monitor usage pages

WiFi_Cowboy
DD-WRT Novice


Joined: 16 Mar 2015
Posts: 34

Posted: Sat Jun 17, 2017 10:22    Post subject: WAN access to YAMon3 monitor usage pages
Hello,
I searched the forum on this and did not come up with anything so I am now asking my questions here.

I have a Netgear WNDR4500 and I am running a DDNS service on it so I can remote manage and make changes to it. I am deployed with US Forces overseas. My family are not very IT savvy. So when needed I can get into my home router and see what's up, if things are healthy and what the WAN usages look like, etc. I was just home recently for some R&R and I decided to install YAMon3 as it seemed like a good tool to have as long as it didn't drag my router's CPU down. I was very impressed with it while I was home, on the LAN side of my network.

I have my backdoor WAN connection pretty secure and locked down so as to keep anyone from finding it and trying to gain access to my system. When I got back to my base I noticed that I could reach the YAMon3 usage pages by using my DDNS URL with my port numbers and then the /user/index.html. I have since un-installed YAMon from the router since I did not like that you could reach this without even a username and password for credentials. It just seems like a security risk.

So is there a way to block getting to the YAMon3 usage web-pages from the WAN port? I have no issues with the family getting to it from the LAN WLAN side and if I could not get to it from the WAN at all that would be okay with me. I know that the user traffic I want to monitor is mostly routed thru the WAN, not sure if this is a conflict with the YAMon or not. You can't have one without the other.

I have since ordered a new Netgear WRT1200AC that I want to configure to replace my WNDR4500. It should have the CPU power to handle YAMon, SAMBA, DLNA, etc... I hope. But as I said, not wanting to try YAMon again if it is always going to be reachable from the WAN port's public IP.

Thanks,
Dan A.



Router Model: Netgear WNDR4500
Firmware Version: DD-WRT v24-sp2 (03/02/15) giga - build 26424M
Kernel Version: Linux 3.10.70 #6827 Mon Mar 2 07:04:04 CET 2015 mips
al_c
DD-WRT Guru


Joined: 13 Apr 2013
Posts: 2134
Location: Ottawa Canada

Posted: Sun Jun 18, 2017 14:45    Post subject: Re: WAN access to YAMon3 monitor usage pages
Dan - unless I'm mistaken, the issue you raise is not specific to YAMon - i.e., any content written to /tmp/www would be similarly exposed. YAMon simply uses the internal web server and does *not* make any configuration changes.

YAMon can optionally mirror its data files to an external FTP folder... if that helps you see the data while you're overseas.

Al
WiFi_Cowboy
DD-WRT Novice


Joined: 16 Mar 2015
Posts: 34

Posted: Mon Jun 19, 2017 8:05    Post subject: Re: WAN access to YAMon3 monitor usage pages
Thanks Al,
That is some good information, both the FTP option and how content is treated in the /tmp/www folder. What I can't remember, but I think I did, was log into the normal DD-WRT webpages with my backdoor and usual credentials. So if that is true, then the YAMon pages were directly accessible.

What I will try with my new WRT1200AC when it arrives and after configuring it, is to see if I can get directly to the YAMon pages first before logging into the DD-WRT page. If it asks for my normal user/psswd then that would satisfy my issues with access security. I guess the question is this: is /tmp/www only used for YAMon pages, or is that global for any webpages served from the router?

I think another option could be to turn off remote web access in the DD-WRT Admin section, and just reach it through a VPN connection. That might be another way to make sure I am the only one reaching back to my router for both the DD-WRT and YAMon pages.

I will try and update this thread once I am able to see how it behaves.

Dan A.
al_c
DD-WRT Guru


Joined: 13 Apr 2013
Posts: 2134
Location: Ottawa Canada

Posted: Fri Jun 23, 2017 16:13    Post subject: Re: WAN access to YAMon3 monitor usage pages
/tmp/user is used for any pages you want to add to the router... not just YAMon.

If you want to lock things down, you could look at replacing the stock dd-wrt web server with something like lighttpd... there are likely others out there as well.

Al
WiFi_Cowboy
DD-WRT Novice


Joined: 16 Mar 2015
Posts: 34

Posted: Sun Jul 02, 2017 7:40
Al,

Thanks for the suggestion on lighttpd. The r31924 build I loaded has a section that allows you to activate lighttpd webserver from within dd-wrt, tells you where to place your content and then you can turn on or off WAN access and define port numbers as needed.

I'm going to check this out over the holiday weekend and see how it works and behaves. I am guessing that I am only needing the index.html file or do I need to move all the files in /tmp/www to the new folder that lighttpd will use. (can't remember the folder name off the top of my head.)
I remember you posting something on folder structure on your YAMon website, so I might re-reference that if needed.

Once I remove index.html file from the /tmp/www folder, that should stop general access to it from the WAN and also LAN ports using the stock dd-wrt webserver, right?

- Thanks again
al_c
DD-WRT Guru


Joined: 13 Apr 2013
Posts: 2134
Location: Ottawa Canada

Posted: Sun Jul 02, 2017 13:10
You will have to alter the value of `_wwwPath` in your config.file... point it to the root of your lighttpd web directory. In theory the setup/startup scripts should create all of the symlinks properly but you might have to tweak things a bit by hand as I haven't had the time/hardware to test that configuration.

Visitors to your router will likely still have access to the /tmp/www/ directory but there will be nothing for them to see.

Let me know how it goes.

Al
WiFi_Cowboy
DD-WRT Novice


Joined: 16 Mar 2015
Posts: 34

Posted: Sun Jul 02, 2017 17:46
Well that was easy. Below is an image attachment of the web-server tab in DD-WRT for my router model and image build. As you can see, it has a feature for turning on/off WAN access. You can also adjust the port numbers if the standard port numbers are not for you.

The lighttpd web-server uses /jffs/www/ for its root home folder. So I just recreated all the symlinks as they are in the /tmp/www directory, copied the hard files and directories. Afterwards I renamed /tmp/www/ to /tmp/www-orig/ and then made a new blank /tmp/www/ just in case. Didn't want to break something, wasn't sure if that needs to be there.

As you can see from my directory listing I played with re-naming the index.html to another name. That was before I moved it to the lighttpd server.

The only thing that I missed was that single change in the yamon config.file you mentioned (Al) to point the _wwwPath to /jffs/www. And now that is done and everything looks to be running just fine.

I can now access the dd-wrt services tab remotely, turn on WAN access for the web-server as needed, check my network stats and then turn off WAN access to keep others out of my system. I hope to find a way to make lighttpd only work or respond to https but if I can't that is not a big deal. I got exactly what I needed, YAMon and control over the WAN port for it.

Thanks Al.



[Attachment: Capture-5.JPG. Description: structure re-created in /jffs/www/ directory.]
[Attachment: Capture-6.JPG. Description: lighttpd web-server tab]
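
Added example, not part of the thread and not YAMon or DD-WRT code: a shell sketch of the move described in the post above and in al_c's reply (recreate the symlinks, copy the real files, then point `_wwwPath` at the lighttpd root). The `_wwwPath='...'` line format, the `_otherSetting` key and the temp-directory layout in `demo` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not YAMon or DD-WRT code): move a web root to a new
# directory and repoint _wwwPath. Assumed config line: _wwwPath='/tmp/www/'

# mirror_webroot SRC DST: recreate symlinks as symlinks, copy real files/dirs.
mirror_webroot() {
    src=${1%/}; dst=${2%/}
    [ -d "$src" ] || { echo "no such source: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    for entry in "$src"/* "$src"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        if [ -L "$entry" ]; then
            # keep the original target so the link still reaches live data
            ln -sfn "$(readlink "$entry")" "$dst/${entry##*/}" || return 1
        else
            cp -RP "$entry" "$dst/" || return 1
        fi
    done
}

# set_www_path CONFIG NEWROOT: rewrite the _wwwPath line, keeping CONFIG.bak.
set_www_path() {
    cfg=$1; new=${2%/}/
    # refuse characters that would break the sed replacement or the quoting
    case $new in *\|*|*\&*|*\'*|*\\*) echo "unsafe path: $new" >&2; return 1;; esac
    grep -q '^_wwwPath=' "$cfg" || { echo "_wwwPath not in $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak" || return 1
    sed "s|^_wwwPath=.*|_wwwPath='$new'|" "$cfg.bak" > "$cfg"
}

# demo: constructed stand-ins for /tmp/www, /jffs/www and config.file.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/tmp/www/css" "$t/data" "$t/jffs"
    echo '<html>usage</html>' > "$t/tmp/www/index.html"
    echo 'body{}' > "$t/tmp/www/css/main.css"
    ln -s "$t/data" "$t/tmp/www/data"          # data dir reached via symlink
    printf '%s\n' "_otherSetting='1'" "_wwwPath='/tmp/www/'" > "$t/config.file"
    mirror_webroot "$t/tmp/www" "$t/jffs/www" || return 1
    set_www_path "$t/config.file" /jffs/www || return 1
    echo "$t"                                   # caller inspects, then removes
}

# Real use: sh this-script /tmp/www /jffs/www /path/to/config.file
if [ "$#" -eq 3 ]; then
    mirror_webroot "$1" "$2" && set_www_path "$3" "$2"
fi
```

Symlink targets are copied verbatim, so any relative targets need checking after the move.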


WiFi_Cowboy
DD-WRT Novice


Joined: 16 Mar 2015
Posts: 34

Posted: Sun Jul 02, 2017 17:52
Oh, by the way.... if you get a chance to pick up a Linksys WRT1200ACv2 or one of its brothers in the same product line, I recommend it. Not very expensive, can find Linksys factory refurbs on ebay, open source firmware ready and approved by Linksys.... and horsepower to spare.