API security question

Is it secure? It could possibly be used for abuse. How do I disable it?

A person here told me to create a new one:

What is an API? You have a System that may talk to other systems. Therefore you have an API...

So the security is as secure as possible. No company would say "here, you have a half-secure API, because we are not able to do it better".

I am pretty sure the GL.iNet App is using the API for fast and data-efficient communication. If I had absolutely no idea about IT, I would be happy to have the App.

I could abuse the API from my LAN side, but not from the Internet. This is the most important security barrier.
If you'd like to block the API from the LAN side, I suggest adding another VLAN, similar to the guest network, and letting the devices play there with a dedicated deny on the API functions. So the API is still available for management in the main WLAN... But maybe the API requests are already blocked in the default guest network. I don't need this, so I haven't tested it.

And if you argue that you could DDoS the API, I am out. In that case you could also ping the router to death.

You can disable it by disabling the web GUI - in that case there is no way to configure the router but SSH.
So if you want to go this extra step for security, no problem.

The API itself uses the login from your web GUI; so it's as secure as your normal login.


What app? Is the API used to make the App work?

Can I rate limit such connections via firewall?

Blocked for additional security:

Ok, so no worries

Pretty sure the API is used for the app to work.

If you are that concerned about security and DDoS you should harden your device by using more strict firewall rules and disabling the web GUI.

Go by SSH instead, which is pretty safe.

I have the feeling you just heard there is an API, but don't know what this exactly is ... So what are we talking about? What is your concern?

Since version 4, the GL.iNet API is authenticated via JSON-RPC, which should be considered secure.
I don't believe we should go into the challenge token request, encrypted auth request, and hash login to get a SID... Good luck with hacking this procedure.
But to be fair, publish this on the internet and it won't take long until someone opens up your box. It is not that secure.

But as Admin already added, you'll need the API of the router as well to use the web frontend. It is an interface for systems to communicate with each other. Kill it and you kill the communication.

Good luck. If it were this simple, why are company websites still going down via DDoS?


Maybe script something to ban a MAC if a lot of connections are made?

What do you mean? I use it to operate with payments. It must be as secure as possible. What to block?

I don't care much about convenience for client devices, as it's security or convenience. SSH is already blocked by disabling dropbear n

Block Web GUI and go full SSH only. Disable password usage and allow login only by public key.

@admon is it possible to make GUI work with keys?

Also I asked my ISP to put me under CGNAT. I read somewhere that this will give more security.

Can you review my firewall rules?

Here:


# Rules apply in the order listed. A rule with only 'src' (no 'dest') matches
# traffic addressed to the router itself; src '*' means any zone.

# Per-source connection limit ('connlimit' is not an fw3 rule option; fw3 only
# honours it through 'option extra' with the iptables connlimit match)
config rule
    option name 'AntiDOS'
    option src '*'
    option proto 'all'
    option dest_ip '*'
    option connlimit '10'
    option target 'DROP'

# Drop runt TCP/UDP packets ('length' is not an fw3 rule option either)
config rule
    option proto 'tcp'
    option length '0:39'
    option target 'DROP'

config rule
    option proto 'udp'
    option length '0:39'
    option target 'DROP'

# Accept up to 100 packets/s; packets over the limit do not match this rule
# and fall through to the rules below
config rule
    option name 'Rate-Limit'
    option src '*'
    option proto 'all'
    option dest_ip '*'
    option limit '100/s'
    option target 'ACCEPT'

# Drop all ICMP and IGMP to the router (this also breaks ping from the LAN)
config rule
    option proto 'icmp'
    option target 'DROP'

config rule
    option proto 'igmp'
    option target 'DROP'

# Drop packets arriving with a low TTL ('ttl' is not an fw3 rule option)
config rule
    option name 'TTL-Limit'
    option src '*'
    option proto 'all'
    option dest_ip '*'
    option ttl 'lt 5'
    option target 'DROP'

# Drop traffic to the router whose destination is outside the LAN subnet
config rule
    option name 'no-spoof'
    option src '*'
    option proto 'all'
    option dest_ip '!192.168.4.1/24'
    option target 'DROP'

# Drop null-flag and all-flag TCP packets ('tcp_flags' is not an fw3 rule
# option; iptables --tcp-flags takes one mask/comparison pair per rule)
config rule
    option name 'Invalid-TCP-Flags'
    option src '*'
    option proto 'tcp'
    option tcp_flags 'ALL NONE,ALL ALL'
    option target 'DROP'

# Drop zero-length UDP packets ('length' again not an fw3 rule option)
config rule
    option name 'Invalid-UDP-Packets'
    option src '*'
    option proto 'udp'
    option length '0'
    option target 'DROP'

# Only one MAC may reach the web GUI (443) and SSH (22) from the LAN.
# The option is 'src_mac'; fw3/fw4 do not know 'mac', and an ignored MAC
# match would turn these into a DROP for every LAN host.
config rule
    option name 'maccheck'
    option src 'lan'
    option proto 'tcp'
    option dest_ip '192.168.4.1'
    option dest_port '443'
    option src_mac '!xxxxxxxxxxxx'
    option target 'DROP'

config rule
    option name 'sshcheck'
    option src 'lan'
    option proto 'tcp'
    option dest_port '22'
    option src_mac '!xxxxxxxxxxxxx'
    option target 'DROP'

# At most one NTP request per hour to the router
config rule
    option name 'anti-ntp-dos'
    option src '*'
    option proto 'udp'
    option dest_port '123'
    option limit '1/hour'
    option target 'ACCEPT'

# No plain HTTP to the router
config rule
    option name 'no80'
    option src '*'
    option proto 'all'
    option dest_port '80'
    option target 'DROP'

# DNS and mDNS to the router, rate limited
config rule
    option name 'nodos53'
    option src '*'
    option proto 'udp'
    option dest_port '53'
    option limit '60/minute'
    option target 'ACCEPT'

config rule
    option name 'nodos-alt5353'
    option src '*'
    option proto 'udp'
    option dest_port '5353'
    option limit '60/minute'
    option target 'ACCEPT'

# 'rate', 'connlimit', 'connlimit-mask' and 'connlimit-timeout' are not fw3
# rule options; without them this rule drops all LAN traffic to the router
config rule
    option name 'anti-dos-limit'
    option src 'lan'
    option proto 'all'
    option rate '1000/second'
    option target 'DROP'
    option connlimit '1'
    option connlimit-mask '24'
    option connlimit-timeout '0'

# Drop remaining LAN traffic to the router
config rule
    option name 'Block-crap'
    option src 'lan'
    option proto 'all'
    option target 'DROP'

# Guest zone: allow only TCP/443 to the router, drop the rest
config rule
    option name '443-allow'
    option src 'guest'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'

config rule
    option name 'mainguestr2'
    option src 'guest'
    option proto 'all'
    option target 'DROP'
No, you can't get the GUI under keys - at least not without changing the nginx configuration. Theoretically, it would be possible to get whatever security level you like - but it's not useful in my opinion.

We are talking about a home router - not about some professional device.

What about my rules?

Like this?:


server {
    ...
    # Every request is first checked by the /auth subrequest (nginx auth_request).
    auth_request /auth;
    error_page 401 = /login;

    location /auth {
        internal;
        proxy_pass http://localhost:8080/auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length 0;
        proxy_set_header X-Original-URI $request_uri;
    }

    location /login {
        internal;
        proxy_pass http://localhost:8080/login;
        proxy_pass_request_body off;
        proxy_set_header Content-Length 0;
        proxy_set_header X-Original-URI $request_uri;
    }
}

# Verification backend. nginx/OpenResty has no ngx.verify_signature API; this
# uses lua-resty-openssl (assumed installed). The key path is a placeholder.
server {
    listen 127.0.0.1:8080;
    location /auth {
        content_by_lua_block {
            local pkey = require("resty.openssl.pkey")
            local h = ngx.req.get_headers()
            -- The request body is not forwarded (proxy_pass_request_body off
            -- above), so the signature covers the original request URI instead.
            local sig, uri = h["X-Auth-Signature"], h["X-Original-URI"]
            if not sig or not uri then
                return ngx.exit(401)
            end
            local f = assert(io.open("/etc/nginx/client_pub.pem", "r"))  -- placeholder path
            local pem = f:read("*a")
            f:close()
            local pk = assert(pkey.new(pem))
            -- Signing only the URI is replayable; include a timestamp or nonce
            -- in the signed data for real use.
            if pk:verify(ngx.decode_base64(sig), uri, "sha256") then
                return ngx.exit(200)
            end
            return ngx.exit(401)
        }
    }
    location /login {
        return 401 "signature required";
    }
}

It is home, but also used for business…

I can't help you with this desire, I am sorry.

So test your configuration and check if it's safer. But please be aware that every firmware upgrade will reset those modifications (as long as you don't add them to /etc/sysupgrade.conf, which causes conflicts, depending on what you are doing).

Even with “keep settings”?

As long as you don't add them to /etc/sysupgrade.conf, yep.
All modifications of files (so mostly not changes made via uci) will be reset.

So ONLY those made from GUI will be kept?

A CGN would make most of your FW rules obsolete.
It will put another hop in the network path. So: your client, your router, the ISP router, the internet hops ... 3 left.
Do a tracert to a few regularly visited websites or services. I rarely saw traceroutes with 3 or fewer hops.

I would say some of your security ties will be counterproductive and make the router more vulnerable than it is in factory default.

Why? Can you share arguments? I want to block anything that I will not use. It is not just a "YouTube" router; it operates ICTV, a cash terminal, an alarm… It must be secure.

Not only but mostly yes.

@admon So is your recommendation to add it via the advanced GUI (LuCI)?

It depends on what you changed. Firewall rules will be saved even while upgrading.
Modifications on files will be lost.

To be completely honest: I would not currently use a GL.iNet router for very critical areas. At least not without switching to plain OpenWrt.