Secure REST API endpoints of genieacs-nbi

ravishekhar · September 29, 2020, 9:21am

Is there a way to secure the REST API of geneiacs-nbi server. I’m able to access the following endpoints without any security like basic-auth

/users
/config
/files
/objects

As per the security guys in my org, this is a vulnerability in the Information disclosure category.

akcoder · September 29, 2020, 4:33pm

You can put a reverse proxy in front of the NBI like nginx or apache.

perotta · October 6, 2020, 10:10pm

Yes, it’s for sure a huge security hole if you let the API wide open, but you don’t need an authentication system on the GenieACS NBI service in order to secure it.

You can use a proxy as akcoder suggested but you can also simply use firewall. The purpose of the API is integrate GenieACS to other services of your company, so make sure that only the IP address of those services have access to it.

ravishekhar · October 12, 2020, 4:42am

Yes, for now I’ve restricted NBI access using IP Tables.

The argument put forth by security team of my org is that even in private network, information should not be disclosed.

akcoder · October 12, 2020, 8:30pm

Agreed. This is why we are doing auth, SSL and firewalls even on our private CPE management network. The number one rule of security is trust no one, especially not equipment that has a connection to the internet.

perotta · October 13, 2020, 1:02pm

akcoder your setup is very cool. Security is never too much

On my company, we chose not to have authentication because we use NBI on a very simple way. Instead, 7557 input is closed for everyone, so no one excepts the own machine has full access to it. Then, I wrote a little daemon on the same machine that pulls “tasks” from our private API.

What is cool about our implementation, is that even if someone hacks a priveleged server, like our private API, they won’t have full control over all CPE devices because they can only fire specific tasks and query for specific parameters. And that’s a big part of it.

Not only GenieACS does not have authentication, but doesn’t have any kind of ACL. So this is a very primitive way for us to limit not only WHO can make changes on CPEs but also WHAT KIND of changes they are alllowed to do.

Always be paranoid when it comes to security.

markabrahams · April 4, 2022, 1:47pm

I prefer services that implement their own security, or at least give you an option to do so, over outsourcing their security to some other place.

As such, I’ve created this PR:

github.com/genieacs/genieacs

Add HTTP request header authentication to NBI

genieacs:master ← markabrahams:nbi-authentication

opened 01:38PM - 04 Apr 22 UTC

markabrahams

+17 -0

This PR provides an HTTP-header-based NBI authentication solution for the securi…ty issue raised in this forum post: https://forum.genieacs.com/t/secure-rest-api-endpoints-of-genieacs-nbi/1093 The solution adds an optional configuration parameter "NBI_AUTHENTICATION_KEY", which - when present - is required to be present in an "x-api-key" HTTP header of any incoming request. When the "NBI_AUTHENTICATION_KEY" configuration parameter is absent, the current behaviour stands i.e. no authentication is required.

to add HTTP header authentication to the GenieACS NBI.

Topic		Replies	Views
GenieACS security hardening best practices	6	1050	October 14, 2020
Does any component of this software provide a CLI interface?	1	193	May 10, 2023
CPE to ACS authentication	16	1805	August 29, 2023
CPE fails to authenticate to GenieACS v1.2 behind NGINX	4	1670	July 3, 2020
HTTP/. 401 Unauthorized when using Digest Authentication	5	4170	June 21, 2023

Secure REST API endpoints of genieacs-nbi

Related Topics