• @[email protected]
    link
    fedilink
    English
    471 year ago

    Or, hear me out, maybe we don’t expose network management interfaces to untrusted networks? Sure, shit can still get breached by very deep intrusions, but at least you don’t show up on shodan!?

    • @tymOP
      link
      English
      221 year ago

      This is the way. It baffles me how often I have to have ‘the talk’ with IT people. Don’t be lazy, create a secure tunnel into the LAN!

      • @[email protected]
        link
        fedilink
        English
        51 year ago

        I’ve discovered interfaces left behind on lan vlans - and they’re all set up with separate mgmt network, so why make one on LAN for some quick test and leave it behind. With web, cli and api open….

    • @kinther
      link
      English
      9
      edit-2
      1 year ago

      At least have a source IP access list only allowing trusted IP ranges. Ideally it would only be reached from an internal IP range or bastion host, but not all companies have a security hat to wear.

      • P03 Locke
        link
        fedilink
        English
        71 year ago

        but not all companies have a security hat to wear.

        This is the barest of minimalistic security. It’s a router. You don’t allow external admin access to the router. Period. End of story.

        • @kinther
          link
          English
          41 year ago

          I dont disagree with you if a company has a competent employee configuring them.

          • P03 Locke
            link
            fedilink
            English
            11 year ago

            It shouldn’t even be allowed by the router software.

    • @[email protected]
      link
      fedilink
      English
      51 year ago

      Indeed, from a tenable article:

      Cisco does recommend disabling the HTTP Server feature on any Cisco IOS XE systems that are internet-facing. The advisory provides steps on how to disable the feature as well as steps on how to determine if the HTTP Server feature is enabled. Additionally, the Cisco security advisory outlines an additional command to run after disabling the HTTP Server feature, to ensure that the feature is not re-enabled after a system reload.

      So yeah, maybe not widen your attack surface to the whole fucking internet in the first place.