Add brute force protection to LuCi!

@yuxin.zou and @alzhao please, consider implementing something to prevent brute force attacks on LuCi from WAN (and preferably from LAN too)!

Anyone can use https://******.glddns.com/cgi-bin/luci to access luci without any additional protection!

SSH is not protected either! Anyone can try to brute force SSH using ******.glddns.com. It is an extreme vulnerability.

There is no rate limit or something like that.

It is not recommended to expose your device on WAN.
Luci is a 3rd party tool. So only the luci devs may include something like that.

Please try not to tag staff members individually, they will read all posts anyway.

1 Like

Then why is this feature present? If it is present, there should be at least some security features for it. Or a BIG RED BANNER with text like:

EXPOSING ROUTER TO WAN CAN CAUSE HACKS, BRICKS AND EVEN IRRECOVERABLE DAMAGE. IT IS HARDLY RECOMMENDED NOT TO USE IT

In any other case, it would be better to implement primitive rate limits: 2 attempts and then the IP is banned.

Because the user can choose if he wants to do it. The GL interface has some protection; LuCi is 3rd party and OpenWrt doesn't want to create more protection here.

Exposing a device to WAN is always dangerous. I agree there should be a warning.

Hmm, I have not explored this feature too much.

But when you allow GLDDNS, does it automatically expose all open ports to WAN?

If that is the case, that is no good at all. DDNS should only give an A record for your router's public IP, but not also forward ports; you are supposed to do that yourself.

No, it does not.
GLDDNS is just a simple DDNS service. It does not change the firewall in any way.

3 Likes

This is a very handy feature if you are using the router behind another router and want to access it from your transfer network, without manually changing FW rules and placing bigger holes than needed.

Just because you don't need it does not imply it is useless. I use these switches regularly in a lab environment or when I provide guest networks over a second router behind my main router at a remote site (yes, I am traveling with more than one router).

We are talking about WAN, which does not automatically mean Internet.

I really would hate it if I can't remember the given password directly (it changes every setup, because security) and the system locks me out.

1 Like

WAN interfaces can still be used internally. I use a router like that where I manage it via WAN (https and ssh), but it is connected to my internal network. There are valid uses, but as stated, exposing it to the internet is a pretty bad idea.

Then I think we should just come with a warning and an additional toggle that will block more than 3 login attempts in LuCi. Whoever needs it will enable this.

You can use fail2ban to do this already, you just have to install the extra package and configure it.
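As an added illustration of the lockout logic this thread keeps coming back to (a fixed number of failed attempts within a window, then the source address is ignored for a while, which is essentially what fail2ban automates from a log file), here is a small Python model. It is not code from the forum, GL.iNet, LuCi, OpenWrt or fail2ban. It assumes a simplified log format with an epoch timestamp as the first field; the dropbear-style "Bad password attempt" / "Password auth succeeded" lines below are constructed sample input, and the thresholds (3 failures, 10-minute window, 1-hour ban) are assumptions taken from the numbers proposed in the thread.

```python
import re
from collections import defaultdict, deque

# Assumed policy values, following the "3 attempts then ban" proposal in the thread.
MAX_FAILURES = 3
WINDOW_SECONDS = 600     # failures are counted within a 10-minute sliding window
BAN_SECONDS = 3600       # a banned address is ignored for one hour


class LoginLockout:
    """Per-source-IP failure counter with a sliding window and a temporary ban."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, ban=BAN_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.ban = ban
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._banned_until = {}               # ip -> timestamp at which the ban expires

    def is_banned(self, ip, now):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[ip]        # ban has expired; the counter starts fresh
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login. Returns True if the address is banned afterwards."""
        if self.is_banned(ip, now):
            return True
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._banned_until[ip] = now + self.ban
            q.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login resets the failure counter for that address."""
        self._failures.pop(ip, None)


# Constructed log lines: "<epoch> <dropbear-style message>". Addresses are documentation ranges.
LOG_LINES = [
    "1700000000 dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:51234",
    "1700000010 dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:51235",
    "1700000020 dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:51236",
    "1700000030 dropbear[1234]: Bad password attempt for 'root' from 198.51.100.7:40001",
    "1700000040 dropbear[1234]: Bad password attempt for 'root' from 198.51.100.7:40002",
    "1700000050 dropbear[1234]: Password auth succeeded for 'root' from 198.51.100.7:40003",
    "1700000060 dropbear[1234]: Bad password attempt for 'root' from 203.0.113.9:50000",
    "1700000100 dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:51237",
    "1700001000 dropbear[1234]: Bad password attempt for 'root' from 203.0.113.9:50001",
    "1700003700 dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:51238",
]

FAIL_RE = re.compile(r"^(\d+) .*Bad password attempt for '[^']+' from ([\d.]+):\d+")
OK_RE = re.compile(r"^(\d+) .*Password auth succeeded for '[^']+' from ([\d.]+):\d+")


def scan_log(lines, policy=None):
    """Replay log lines through the policy.

    Returns (bans, blocked): the list of (ip, timestamp) pairs at which a new ban
    started, and the number of attempts that arrived while the source was already banned.
    """
    policy = policy or LoginLockout()
    bans = []
    blocked = 0
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            ts, ip = int(m.group(1)), m.group(2)
            if policy.is_banned(ip, ts):
                blocked += 1          # would be dropped at the firewall, not even authenticated
                continue
            if policy.record_failure(ip, ts):
                bans.append((ip, ts))
            continue
        m = OK_RE.search(line)
        if m:
            policy.record_success(m.group(2))
    return bans, blocked


if __name__ == "__main__":
    bans, blocked = scan_log(LOG_LINES)
    for ip, ts in bans:
        print(f"ban {ip} at {ts} for {BAN_SECONDS}s")
    print(f"{blocked} attempt(s) arrived from already-banned addresses")
```

Three things the replay shows that a bare "3 strikes" rule does not: a successful login clears the counter (198.51.100.7 is never banned), two failures far apart fall outside the window (203.0.113.9 is never banned), and an address whose ban has expired starts from zero rather than being re-banned on its first new failure. Whether the ban is enforced by a firewall rule, by fail2ban, or by the web server, the same questions (window, threshold, expiry, reset on success) have to be answered, and a too-aggressive setting produces exactly the self-lockout the later posts worry about.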

Is it a solution that we disable LuCi access even if you enabled WAN access?

I think you should leave it the way it is

1 Like

If it will work from LAN, then it is OK.

No.

As I wrote in some other posts this feature is required when your WAN isn't the internet but an upper network.

I would say everything should stay as it is. Maybe including a bigger warning while activating WAN exposure of the routers interface.

5 Likes

A correct way to go.

2 Likes