Q: Using Anubis on OpenWrt

I have a hypothetical question:

Let's say I want to open an OpenWRT router to access LuCI from WAN. Is there a way to implement Anubis on the device to protect it? Or even the devices with most memory/storage can't host Anubis?

Thanks in advance.

It's OT, but there is nothing particular about it... just an addition to a hosted webserver, so as long as you have all the packages you can do it.

It's a statically linked golang app (requires go v1.24.x). If you could get it built for your platform, installing it for OpenWrt would be moderately straightforward. Memory and/or storage requirements are a factor to consider.

Using it to front-end LuCI makes no sense - there's nothing there without a login.

This would be better suited to its own thread, but as thess noted, it's golang based, which is rather heavy and not available on all targets (FPU required, so e.g. none of the popular mips targets) - and I guess anubis would be heavier (with the caveats, luci won't display anything but the login mask, golang) than not doing that (fail2ban/ banip would be more relevant, first).

But all this aside, you should never-never-never expose luci to the open internet, under no circumstances at all, not even for 10s, ever. The internet is a hostile place, numerous bots are probing it constantly, and they will start brute forcing your password within minutes or less. That's before even considering if uhttpd would be hardened enough for the open net. If you need remote access, use a road-warrior style VPN on your router, this way only you (or those who you grant VPN access) can connect to it - and e.g. wireguard will remain completely stealth unless you have its correct keys.

[imagine a lot of exclamation marks, blinking text and your speakers screaming at you here]

Publishing any interactive resources on the web requires a lot of considerations these days, ranging from legal (DMCA, GDPR, Impressum, …) to technical, how good and swift is security support for your chosen framework/web application, how good are you at monitoring the instance for potential abuse, how quickly can you react, if^wwhen things go wrong - and how sensitive is the data, if it gets leaked (and what's the risk of your hardware being abused as jumphost). If access is only necessary for yourself, your close family and maybe a few friends, you can save yourself a lot of trouble by not publishing it on the open web, but by keeping within your network/your VPN (respectively a DMZ published only via your road-warrior style VPN). This goes for anything. luci, home-assistant, owncloud/nextcloud, jellyfish, immich, whatever. Security considerations are massively different between your own local resources not accessible to the public at large, or something you really want/need to publish globally, with dozens/hundreds/thousands/millions of semi-anonymous users (and static resources are always safer to deal with than dynamic ones).

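A way to check a router against the advice in the last reply, as an added example that is not part of the thread: it lists firewall rules that accept WAN traffic to the router's own web ports. It assumes the WAN zone is named `wan` and that uhttpd serves LuCI on ports 80/443; the helper name `find_wan_luci_rules` and the sample config are constructed, and only `config rule` sections are inspected (not redirects).

```shell
# Added example: list OpenWrt firewall rules that accept wan traffic to the
# router's own ports 80/443 (assumed here to be where uhttpd serves LuCI).
# Constructed sample in /etc/config/firewall syntax (not from the thread).
SAMPLE_FW="config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

config rule
	option name 'Remote-LuCI'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22 443'
	option target 'ACCEPT'

config rule
	option name 'Web-To-DMZ'
	option src 'wan'
	option dest 'dmz'
	option dest_port '80'
	option target 'ACCEPT'
"

# Hypothetical helper: reads a firewall config on stdin and prints the name
# of every input rule (no 'dest' zone) that opens TCP 80 or 443 from wan.
find_wan_luci_rules() {
    awk '
    function flush(   n, i, p, r, hit) {
        if (type == "rule" && o["src"] == "wan" && o["dest"] == "" &&
            o["target"] == "ACCEPT" && o["proto"] !~ /^(udp|icmp)$/) {
            n = split(o["dest_port"], p, " ")
            for (i = 1; i <= n; i++) {
                split(p[i], r, /[-:]/)   # single port or lo-hi range
                lo = r[1] + 0; hi = (r[2] == "" ? lo : r[2] + 0)
                if ((lo <= 80 && 80 <= hi) || (lo <= 443 && 443 <= hi)) hit = 1
            }
            if (hit) print o["name"]
        }
        split("", o)             # reset options for the next section
    }
    BEGIN { q = sprintf("%c", 39) }   # single-quote character
    $1 == "config" { flush(); type = $2 }
    $1 == "option" { v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
                     gsub("[" q "\"]", "", v); o[$2] = v }
    END { flush() }'
}

printf '%s' "$SAMPLE_FW" | find_wan_luci_rules   # prints: Remote-LuCI
```

On a router the same function can be fed the live file with `find_wan_luci_rules < /etc/config/firewall`; an empty result means no such rule was found, while the WireGuard UDP rule in the sample is deliberately not flagged.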