Secure REST API endpoints of genieacs-nbi

Is there a way to secure the REST API of the genieacs-nbi server? I’m able to access the following endpoints without any security such as basic auth:

  • /users
  • /config
  • /files
  • /objects

As per the security guys in my org, this is a vulnerability in the Information disclosure category.

You can put a reverse proxy in front of the NBI like nginx or apache.

Yes, it’s for sure a huge security hole if you let the API wide open, but you don’t need an authentication system on the GenieACS NBI service in order to secure it.

You can use a proxy as akcoder suggested, but you can also simply use a firewall. The purpose of the API is to integrate GenieACS with other services of your company, so make sure that only the IP addresses of those services have access to it.
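The two suggestions above (a reverse proxy and an IP allowlist) can be combined in one nginx server block in front of the NBI. This is an added example, not configuration from anyone in the thread or from the GenieACS project; it assumes the NBI itself listens only on loopback port 7557 (in GenieACS 1.2 that is GENIEACS_NBI_INTERFACE=127.0.0.1), and the hostname, addresses, certificate and htpasswd paths are placeholders.

```nginx
# Added example: nginx reverse proxy in front of the GenieACS NBI.
# Assumes the NBI binds to 127.0.0.1:7557 so nginx is the only way in.
server {
    listen 443 ssl;
    server_name acs-nbi.example.internal;        # placeholder hostname

    ssl_certificate     /etc/nginx/tls/nbi.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/nbi.key;

    # Layer 1: network allowlist. Only the integration servers that need
    # the API may reach it; everyone else gets 403 before auth is checked.
    allow 10.20.30.5;   # placeholder: provisioning server
    allow 10.20.30.6;   # placeholder: billing integration
    deny  all;

    # Layer 2: credentials. Both layers must pass (nginx default: satisfy all).
    auth_basic           "GenieACS NBI";
    auth_basic_user_file /etc/nginx/nbi.htpasswd;  # created with htpasswd(1)

    location / {
        proxy_pass       http://127.0.0.1:7557;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

With this in place the /users, /config, /files and /objects endpoints from the original question are reachable only over TLS, from the listed addresses, and with a valid username and password.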

Yes, for now I’ve restricted NBI access using IP Tables.

The argument put forth by security team of my org is that even in private network, information should not be disclosed.

Agreed. This is why we are doing auth, SSL and firewalls even on our private CPE management network. The number one rule of security is trust no one, especially not equipment that has a connection to the internet.

akcoder, your setup is very cool. Security is never too much.

At my company, we chose not to have authentication because we use the NBI in a very simple way. Instead, port 7557 is closed to everyone, so no one except the machine itself has full access to it. Then, I wrote a little daemon on the same machine that pulls “tasks” from our private API.

What is cool about our implementation is that even if someone hacks a privileged server, like our private API, they won’t have full control over all CPE devices because they can only fire specific tasks and query for specific parameters. And that’s a big part of it.

Not only does GenieACS not have authentication, it doesn’t have any kind of ACL either. So this is a very primitive way for us to limit not only WHO can make changes on CPEs but also WHAT KIND of changes they are allowed to make.

Always be paranoid when it comes to security.

I prefer services that implement their own security, or at least give you an option to do so, over outsourcing their security to some other place.

As such, I’ve created this PR:

to add HTTP header authentication to the GenieACS NBI.