Hello, sorry if this is a silly question, tried googling but only found an endless number of How-to-setup-your-router pages....

So, the question has to do with the HTTP authentication used to log in and view/change settings on your router. I wrote a small application in Python to log in to my home router as the 'user' (not administrator) and return/display the DHCP table among other things from the returned HTML. I was also considering using the administrator username/passwd so that it could optionally change settings on the router. Now, I have read that the authentication process is not really encrypted; is this a security risk to have the program sending the username and password over the (wired) network? What if it was wireless and encrypted? Assuming the authentication is relatively safe, any way to safely store the password in a config file on my computer, or should I require it to be typed each time the program is started?

Thanks for any advice/tips etc :)
-John
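
An added example, not part of the original post or the poster's program, covering both questions above: it shows that an HTTP Basic `Authorization` header is only base64-encoded, so anyone who can see the request recovers the password, and it reads a stored password only from a file that other local users cannot access. It assumes the router uses HTTP Basic authentication (the post says only "http authentication") and a POSIX system; the credentials and the file name `router.pass` are constructed for illustration.

```python
import base64
import os
import stat
import tempfile


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value an HTTP Basic client sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(header: str) -> tuple[str, str]:
    """Recover user and password from a header seen on the wire.

    Base64 is an encoding, not encryption: no key is needed.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    # Split on the first colon only: the password itself may contain colons.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def load_password(path: str) -> str:
    """Read a stored password, refusing files group or others can access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/others; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\n")


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    header = basic_auth_header("user", "s3cret-example")
    print("sent over HTTP:", header)
    print("recovered by any observer:", decode_basic_auth(header))

    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "router.pass")  # hypothetical file name
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write("s3cret-example\n")
        os.chmod(cfg, 0o600)  # owner read/write only
        print("loaded from 0600 file:", load_password(cfg))
```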

All 8 Replies

If the script is sending this data over the internet, then yes it is unsafe. Sending the password data over the local LAN from a script is the same as you opening the web page and entering it. The person would have to be on your network and fully authenticated to see that data.

So if over the internet, unsafe. Over the local LAN, most likely safe.

Thanks for the info. I have no plans to use this over the internet, only over my LAN (wired), possibly wireless at some later time (encrypted). Cheers :)

Well, wired has to be physically spliced, and then yes, the traffic is unencrypted. The best of wireless preshared security can be broken depending on the key. But at that point the traffic is still currently encrypted. It would take quite a bit of work from that point to encrypt it. So depends on what your concerns are, I suppose.

Well, not sure what my concerns SHOULD be... It's just a lowly home network, I just wanted to be alerted if a computer joined the network, especially when the wireless is turned on. I couldn't really see how the authentication info would be intercepted over the four foot cable between router and computer but what do I know ;p
This was really just a can-I-do-this/make-work-project/academic-exercise with Python.

Thanks for the replies btw, it's much appreciated.
-John

It's not just the 4-foot cable - it's across your LAN, and if wireless is added to the mix, it's now in the air (unless you know for a fact that your key hasn't been compromised.)

Also, if you're sending login credentials to your router, they should be over HTTPS. Even if it's just a "can-I-do-this/make-work-project/academic-exercise with python" on a "lowly home network", get in the habit NOW of practicing good coding, using best practices, which includes keeping security in mind FROM THE VERY START.

Just a thought: another way to approach this problem could wind up being very simple: have your router send its logs to a syslog server (use Google), and have a script or another program (I prefer OSSEC-HIDS) send you an e-mail alert when a new DHCP lease is given out. Quick, secure (well, more secure than your original method, at least), and easy. Not to mention you'll learn a few new things in the process :)

The router would have to support an HTTPS login page. Some of them do, but some of them don't. Traffic isn't transmitted over the wireless unless it is destined for a wireless device or if it's broadcasted traffic.

Yeah, unfortunately this router (D-Link DI-624) does not support HTTPS for the interface (from what I can see). The syslog idea is interesting, but don't you need to log in to the router and click the send-email button to get it to send the log anyway? At least that is how it appears from my reading of the DI-624 manual... I can't actually try it because I also don't have an SMTP server/email address to provide it. I only use Hotmail. So, I think screen-scraping the interface is a necessary evil in this case?

You can send SMTP email to your Hotmail; the only issue is ISPs tend to block SMTP email. Just need to punch in the SMTP server for Hotmail. I forget what it is; you'll have to google it. If Hotmail doesn't work, try Gmail as well.
