In my home network, the Clearnode hotspot is installed in the "UNTRUST" network segment along with devices like the Pi-Star hotspots, Roku(s) and Amazon devices to name a few.
The "UNTRUST" network can make outbound connections to the internet but nowhere else.
Set up this way, the Clearnode is not directly reachable from the internet, so any security vulnerability in it can generally only be exploited from a host that is already on the internal network; from the internet the device, sitting behind the firewall's NAT, should be "invisible". (The segment can still make outbound connections, so a compromised device could still phone home; the segmentation limits exposure rather than eliminating it.) The exception to this was a UDP port, 4059 by default, which according to the instructions does need to be opened up (port forwarded through the firewall) in order to allow internet traffic to pass between AllStarLink nodes. Whatever listens on that port is therefore the one thing on the device an outside attacker can reach directly, and since a port scan that only probes TCP will never show a UDP listener, confirming whether anything is listening there needs a UDP scan.
The initial vulnerability scan revealed that the following services and ports were open:
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
I didn't see port 4059 show up, so I may turn off port forwarding since the device seems to be running okay without it.
Assessment and Summary
- Server: Apache/2.4.18 (Unix) PHP/7.0.4
- The anti-clickjacking X-Frame-Options header is not present.
- The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS.
- The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
- OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
- PHP/7.0.4 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13 and 7.2.1 may also be the current release for each branch.
- Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
- Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names.
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
- OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
- OSVDB-3268: /icons/: Directory indexing found.
- OSVDB-3233: /icons/README: Apache default file found.
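Everything in the list above except the two version findings can be fixed in the Apache configuration. The fragment below is an added example, not the Clearnode firmware's own config; the /usr/share/apache2/icons path and the SAMEORIGIN framing policy are assumptions to adjust for the device.

```apache
# Server banner: "Apache/2.4.18 (Unix) PHP/7.0.4" becomes just "Apache".
ServerTokens Prod
ServerSignature Off

# OSVDB-877: refuse TRACE (requests are answered 405 Method Not Allowed).
TraceEnable Off

# OSVDB-637: stop /~username from revealing which accounts exist
# (403 for real users vs 404 for bogus ones).
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>

# Default for every directory: no listings, and no MultiViews so a
# request for /foo no longer matches /foo.php, /foo.html and so on.
<Directory />
    Options -Indexes -MultiViews
</Directory>

# OSVDB-3268 / OSVDB-3233: the default /icons/ alias and its README.
# Simplest is to remove the "Alias /icons/" line from the stock config;
# if autoindex icons are still wanted, keep the alias but deny the
# listing and the README (directory path is an assumption).
<Directory "/usr/share/apache2/icons">
    Options -Indexes
    <Files "README">
        Require all denied
    </Files>
</Directory>

# The three headers nikto reported as missing; mod_headers must be loaded.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>
```

Two caveats: `-MultiViews` can break an application that relies on content negotiation to map extension-less URLs to .php files, so test the web UI after the change; and X-XSS-Protection only quiets the scanner, since current browsers have dropped the XSS auditor it controls and a Content-Security-Policy is the real control. The outdated Apache 2.4.18 and PHP 7.0.4 are not fixable in config; only a firmware update from the vendor addresses those.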
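To confirm that the fixes took, here is a small re-check script, added here and not part of the original post or of the Clearnode project. The check functions take already-parsed response data, so they can be exercised offline with constructed values, and assess() wires them to http.client against a live host; the hotspot address, port 80 and the existing username you pass on the command line are assumptions you supply.

```python
"""Re-check the nikto findings above against the hotspot after hardening."""
import http.client
import sys

# The three response headers nikto reported as absent.
SECURITY_HEADERS = ("X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection")


def missing_security_headers(headers):
    """Return the names from SECURITY_HEADERS that are absent.

    `headers` maps header name -> value; matching is case-insensitive
    because servers and proxies vary the capitalisation."""
    present = {name.lower() for name in headers}
    return [h for h in SECURITY_HEADERS if h.lower() not in present]


def trace_enabled(allow_header, trace_status):
    """OSVDB-877: TRACE is still on if OPTIONS advertises it in Allow, or
    if a TRACE request is answered 200 (Apache with TraceEnable Off
    answers 405)."""
    methods = {m.strip().upper() for m in (allow_header or "").split(",")}
    return "TRACE" in methods or trace_status == 200


def userdir_enumerable(status_real_user, status_bogus_user):
    """OSVDB-637: accounts are enumerable when /~realuser and /~bogus get
    different status codes (403 vs 404 in the finding above)."""
    return status_real_user != status_bogus_user


def directory_listing(status, body):
    """OSVDB-3268: mod_autoindex titles its listings 'Index of /<dir>'."""
    return status == 200 and "Index of /" in body


def banner_leaks_versions(server_header):
    """'Apache/2.4.18 (Unix) PHP/7.0.4' leaks versions; with ServerTokens
    Prod the banner is just 'Apache' and contains no '/'."""
    return "/" in (server_header or "")


def fetch(host, port, method, path):
    """One HTTP request; returns (status, headers dict with lower-cased
    names, body text)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        headers = {name.lower(): value for name, value in resp.getheaders()}
        return resp.status, headers, body
    finally:
        conn.close()


def assess(host, known_user, port=80):
    """Run every check live. A True value (or a non-empty list for the
    headers) means the finding is still present."""
    _, root_headers, _ = fetch(host, port, "GET", "/")
    _, options_headers, _ = fetch(host, port, "OPTIONS", "/")
    trace_status, _, _ = fetch(host, port, "TRACE", "/")
    real_status, _, _ = fetch(host, port, "GET", "/~" + known_user)
    bogus_status, _, _ = fetch(host, port, "GET", "/~nosuchuser_zz")
    icons_status, _, icons_body = fetch(host, port, "GET", "/icons/")
    return {
        "missing_headers": missing_security_headers(root_headers),
        "trace_enabled": trace_enabled(options_headers.get("allow"), trace_status),
        "userdir_enumerable": userdir_enumerable(real_status, bogus_status),
        "icons_listing": directory_listing(icons_status, icons_body),
        "banner_leaks_versions": banner_leaks_versions(root_headers.get("server")),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: recheck.py <hotspot-ip> <existing-username>")
    for finding, result in assess(sys.argv[1], sys.argv[2]).items():
        print(f"{finding}: {result}")
```

Run it from a host on the internal network that can reach the hotspot's port 80, before and after editing the Apache config; the dictionary it returns should end up with an empty header list and every other entry False.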