Thursday, 26 November 2009

EN - IOS HTTP Server hacking prevention

OK, I need to post this since this is really scary to me.

A few days ago I stumbled upon a quite cool search engine (no, I will not post the URL). What was really interesting is that it did not search the content of the website; it was more interested in the server replies, like server version and HTTP status code.

Since Cisco routers and switches offer a web server for configuration, I searched for Cisco IOS servers. The result was scary (it gets worse a bit later): more than 67,000 routers and switches operating the HTTP server are publicly available. There may be reasons why routers should be available via HTTP from the Internet, but 67,000 routers? People, you are kidding me.
I checked some of them and most look like real routers/switches.

But while browsing the list I found a few routers responding with Cisco IOS Server AND an HTTP 200 code (most of the routers respond with 401 authorization required). I tried one of these and, great, I could log in and have a look at the configuration, passwords etc.

I decided to redefine my search and the result was: of those 67,000 routers, 1200 are not requiring authorization of any kind. Great.

A quick "show cdp neigh" showed that most of the ones I've checked are connected to other Cisco devices. I hope that these devices aren't configured that poorly.

To get out of this list, just bind an access list to your HTTP server:


! X.X.X.X = your management network
access-list 1 permit X.X.X.X
ip http access-class 1


or, even better, do a

no ip http server
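
To check a saved running-config for these settings, here is an added example (not part of the original post, and not Cisco's own tooling). It looks for "ip http server", "ip http secure-server" and "ip http access-class", and also reports when neither the enabled nor the "no" form is present, since the state then depends on the platform default. The function name and the sample configs are constructed for illustration.

```python
import re

# Constructed sample running-configs (not taken from any real device).
EXPOSED = "hostname edge-rtr\nip http server\nip http secure-server\n"
RESTRICTED = (
    "hostname core-sw\n"
    "access-list 1 permit 192.0.2.10\n"
    "ip http server\n"
    "ip http access-class 1\n"
    "no ip http secure-server\n"
)
DISABLED = "hostname lab-rtr\nno ip http server\nno ip http secure-server\n"


def audit_http(config):
    """Return a list of findings about the IOS HTTP/HTTPS server (hypothetical helper)."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []

    # ACL bound to the web server, if any (number or name).
    acl = None
    for line in lines:
        m = re.fullmatch(r"ip http access-class (\S+)", line)
        if m:
            acl = m.group(1)

    enabled = []
    for name, cmd in (("HTTP", "ip http server"), ("HTTPS", "ip http secure-server")):
        if cmd in lines:
            enabled.append(name)
        elif "no " + cmd not in lines:
            # Neither form present: the state depends on the platform default.
            findings.append(f"{name} server state not explicit; add 'no {cmd}'")

    if enabled and acl is None:
        findings.append("/".join(enabled) + " server enabled without 'ip http access-class'")
    elif enabled:
        # The bound ACL must actually be defined in this config.
        pattern = rf"(access-list {re.escape(acl)} |ip access-list standard {re.escape(acl)}$)"
        if not any(re.match(pattern, line) for line in lines):
            findings.append(f"access-class references undefined ACL {acl}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("restricted", RESTRICTED), ("disabled", DISABLED)):
        print(label, audit_http(cfg))
```
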


Hope some of those guys owning these routers fix them (fast).


Cheers
NWG

2 comments:

  1. And don't forget "no ip http secure-server".

  2. Well, that was one of the most scary things - nearly no router had "ip http secure-server enabled"

    Cheers NWG
