Concerned about seeing my modem when typing in my public IP address

Hello guys. A few years ago I made this thread (Why do I see my router login page when I type in my external IP address on the address bar? - #7 by rj-45) because I was worried that anyone on my network (even clients on the guest wifi) could access the router page by simply typing the WAN IP address, making any attempt to block access to the router through iptables useless.

I changed to another ISP recently and to my surprise, it's even worse now because I can access the modem by typing my IP address.

Why I think this is dangerous:
A malicious script (often included in cracked apps/games etc.) could easily execute a command that accesses the public IP from the infected device and instantly tries to access the modem with the default user and pass (e.g. admin:admin) and change the configuration by setting up a DDNS, and now the attacker has complete control over your network.

A ghetto fix for this would be blocking access to any IP from your country (if you live in the US you are out of luck, since almost all the most relevant websites and even Chinese govt websites are hosted in the US) using banIP and relying on Cloudflare (or any DNS provider outside your country) for DNS queries.
If you live in the US you could block access to the IP addresses that the ISP gives you. For example, if your public IP always starts with 67.89.x.x you can block 67.89.0.0/16 to prevent this.
Is there any plan to implement a feature that allows us to block access to our own public IP address in the future?

Thanks in advance and thanks for all your hard work.

Does this happen from outside the network, or only from within?

This isn't inherently an OpenWrt problem, so I'm not sure how the development team here would be able to solve it. You should report this to your ISP or the manufacturer of the modem.

No, this wouldn't work the way you think it would... it's never that simple and you'd likely break other things.

I can't speak for the devs, but probably not, as many people actually want to be able to use their public IP as a way of reaching internal services that are port forwarded (even from within the LAN). And the problem is not universal or even common -- it is an issue with your modem, not your router.

That said, you can create a firewall rule that blocks connections from your LAN to your public IP address. If you have a dynamic IP, though, you may need to update this at some interval (you could make a script to do this if you were so inclined).

Only from within. Still extremely dangerous due to the things I said before. Clients on guest wifi should NEVER get access to the modem page under any circumstances imo.

True but I think OpenWRT should protect users against dumb ISPs and manufacturers out of the box.

Works for me. Been doing this for a month with no issues. I'm happy that clients on the guest wifi can't access the modem.

It's actually a quite popular concern that gets discussed here from time to time for example:

If you read the link I posted on my original post you can see that other users replied to me saying it's "normal Linux behaviour". So no, it's not something that only happens to me.
I guess it's one of those things that are backdoors disguised as features like UPnP and SSH.

Thanks for the reply.

I very much disagree with this statement. Access to the modem in general is something that most users want and/or need from time to time. In most cases, the modem doesn't respond to the public IP address, but rather a known address (in the case of most cable modems, it is 192.168.100.1). Modems that have user-configurable options should be secured by default, and if they use known or easy-to-guess credentials, that is a security failing on the part of the ISP and/or device manufacturer. It is not the responsibility of the router to protect upstream devices from users on the LAN (which is supposed to be trusted). OpenWrt does protect users from devices/threats that are upstream, but the other way around is open for good reasons.

In most cases, this is satisfied by the fact that OpenWrt provides a robust firewall to protect users' LANs. However, devices upstream are not the responsibility of the router.

Ok... that's fine if it works in your case. But to generalize and assume that it would work in other users' environments would be foolhardy. Such a broad strokes approach would be hard to implement (because it varies so greatly) and could really cause major issues for some users.

OpenWrt's firewall is flexible and easy to configure. The example you've provided is where someone is accessing their OpenWrt router via the WAN address... this is distinctly different than accessing the upstream modem that you're talking about. These are two very different situations.

Just FYI, I tested this with my WAN IP and got:

Forbidden
Rejected request from RFC1918 IP to public server address

This is due to uhttpd's rfc1918_filter option being enabled.

You can firewall your public IP from inside. Everything will still work. If the public IP changes you will need a script to detect the new IP and change the firewall rule.

Most cable modems won't let the customer interface do anything other than see status and reboot the modem. That could be the basis of a DoS attack (from inside) though.

Mine allows you to enable/disable the LEDs :rofl:

Have you actually gone outside and tried to connect to your modem from outside?

Or is this only a theoretical problem?

But generally a modem is the property of the ISP, so the modem itself isn't really secure hardware, I would say. That is why you have a router with a firewall on your side of the modem.

Generally this is called IIRC NAT reflection or hairpinning or hairpin NAT and is something most users actually desire...

What modem and what address? And why is that a security issue?

The security problem here is the potential use of "default user and pass"... don't do that then (OK, for a DOCSIS modem you have no control over this, but good luck for your internal malicious user installing a DDNS client on that DOCSIS modem without physical access to the modem and even then it is going to be hard).

What??? Hairpinning affects a single address, why block whole countries (leaving aside the hard problem of actually blocking by physical location)? Just change the blocked address whenever your IP address changes.

Or see how to disable hairpin routing

Not being a developer I do not know, but given how useful that feature generally is, I am not sure whether there is big demand for such a toggle.

The modem or the OpenWrt router? These are different entities with probably different solutions.

That is a bit harsh... hairpin routing is not a backdoor but a rather useful feature, assuming that is your issue in the first place. I still have not understood whether you are concerned about access to your OpenWrt's LuCI interface or about being able to access a modem your router is connected to. Again, knowing the make and model of the modem might be helpful for our discussion.

To be honest, I don't think it is OpenWrt related; also, from your description your exact network topology is not really clear.

internet --- ISP --- isp provided device --- openwrt --- guest + lan networks

Is this your setup? You connect the ISP device to the owrt WAN port, and you have internal guest and lan networks?

As your WAN IP address is a public address, it is by definition publicly available, so why do you think your guest clients should not be able to access it? Your internal network is defined by you; there is no such thing as a "guest" network on the public internet which would be handled differently by public parties. Your internal classification (guest, lan) is not visible on the internet; as the name suggests it is internal, and all your traffic, whether coming from guest or lan clients, is aggregated via the ISP device behind a single public IP (a.k.a. your WAN address). So I am not sure what you expect from OpenWrt in order to "block" access to "our own public IP" (*).

This makes little sense: as your public IP is public, pointing to the ISP device, and according to you it is vulnerable, why bother to break into your internal client and from there access the public address? It is already publicly available!

This is not true either: if a hacker breaks the ISP device then they have some control over the ISP network, which usually does not go unnoticed.

If your issue is that the ISP device is not secure enough because it is running with a well known default user/password, then you should raise it with your ISP, or log in with the well known user/pwd and change it (if this is allowed by your ISP; keep in mind the ISP device is owned by the provider). But if your ISP is running an insecure network, or you think they do, then it is time to change provider.

If your issue is, though, that your guest users may be able to access the OpenWrt device itself (e.g. access LuCI web pages) instead of just using it as a transparent router, then you should check your guest zone configuration and probably disallow the "input" direction.

(*) You can do it, but I don't see any benefit as any other party will still be able to access it, again due to the fact it is a public address. But anyway, if you want to exclude yourself then you can do the following:

  • if you have a fixed public address, create a firewall rule to drop any traffic from any zone to this address in the wan zone.
  • if you don't have a fixed public address, pick a DDNS service provider, use luci-app-ddns and you'll always know the current public address, and create the same rule as before, but from time to time you update the IP address via uci scripting. Or you can use ipset + dnsmasq-full and ipset rules.
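
The firewall-rule approach suggested in several replies above (drop LAN/guest traffic to your own public address, and re-apply it when a dynamic address changes), written out as an added example that is not from the thread or from the OpenWrt project. It assumes a hypothetical rule section name `block_own_public_ip`, that `PUBLIC_IP_CMD` is set to a command printing the current public address (e.g. a DDNS-style lookup), and that the modem, not the OpenWrt router, holds the public address, so the traffic is forwarded into the wan zone.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: the rule section
# 'block_own_public_ip' and PUBLIC_IP_CMD, a command printing the public IP.
RULE="firewall.block_own_public_ip"

# First dotted quad in arbitrary text (e.g. output of `ip -4 -o addr show
# dev wan` or of a DDNS-style "what is my IP" lookup). Empty if none found.
extract_ipv4() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Returns 0 only for a plausible public unicast address. Refuses RFC1918,
# loopback, link-local and CGNAT 100.64.0.0/10, so a double-NAT WAN address
# (which is what a modem in router mode hands out) never ends up in the rule.
is_public_ipv4() {
    case "$1" in
        ""|0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;
        *) return 0 ;;
    esac
}

# uci commands that (re)create the rule: any source zone ('*', so guest as
# well as lan) towards the wan zone with our own address as dest_ip is
# dropped. If the address sits on the router's own WAN port instead of the
# modem, omit the 'dest' line so the rule applies to input, not forward.
uci_commands_for() {
    cat <<EOF
uci -q delete $RULE
uci set $RULE=rule
uci set $RULE.name='Drop-LAN-to-own-public-IP'
uci set $RULE.src='*'
uci set $RULE.dest='wan'
uci set $RULE.dest_ip='$1'
uci set $RULE.proto='all'
uci set $RULE.target='DROP'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# Cron entry point: re-apply only when the public address actually changed.
update_rule() {
    addr=$(extract_ipv4 "$(sh -c "$PUBLIC_IP_CMD" 2>/dev/null)")
    is_public_ipv4 "$addr" || return 1
    [ "$(uci -q get "$RULE.dest_ip" 2>/dev/null)" = "$addr" ] && return 0
    uci_commands_for "$addr" | sh
}
if [ -n "$PUBLIC_IP_CMD" ]; then update_rule; fi
```

Run it from cron every few minutes on the router; it only touches the firewall when the detected address differs from the one already in the rule.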

That's what I do
Good catch