stefanhart asked

Feature Request VenusOS: one start script for one network service / websocket over TLS

Hello,

I've been playing for some hours on the command line of VenusOS 2.33. Because I also work as a penetration tester (ethical hacker) and there are some security issues, I have some thoughts about the current configuration. Unmodified operation in a professional management VLAN is therefore not possible.

#1: One should be able to disable services that are not necessary in some environments, e.g. llmnrd, simple-upnp, avahi, etc.

In a cleanly designed system it should be possible to do this with the update-rc.d command and remove the corresponding symlink in /etc/rc5.d/. But some services are started here via daemontools supervise.

My workaround for a clean design: I touched a down-file in /services/$SERVICE/ and wrote a simple script, e.g. /etc/init.d/llmnrd-supervised, which controls the service via the svc command. Then you are able to enable or disable this service by adding or deleting the symlink in rc5.d/.

#2: The transmission of the Remote Console password in clear text over port tcp/81, or no password at all, is not state of the art in 2019.

With the change to the lighttpd webserver it would be possible to pass the websocket traffic over tcp/443, and the initial login anyway. And with lighttpd you can have more sophisticated authentication, e.g. GSSAPI.

Then VenusOS and the connected stuff can be used to power a computer rack with green energy, and you will have a secure setup that is up to date in 2019.


--

Stefan H
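
The workaround described in #1, as an added example that is not part of the original post and not Victron's code: a SysV init wrapper that keeps a daemontools service marked `down` and starts or stops it only through `svc`. The function names and the `SERVICE`, `SERVICE_ROOT`, `SVC` and `SVSTAT` variables are assumptions; the `/services` path and the script name are taken from the post.

```shell
#!/bin/sh
# /etc/init.d/llmnrd-supervised (script name as given in the post)
# Added example: SysV wrapper around a daemontools-supervised service.
# Assumptions: service directories live under /services, as the post writes;
# SERVICE_ROOT, SVC and SVSTAT can be overridden, e.g. for testing.
SERVICE="${SERVICE:-llmnrd}"
SERVICE_ROOT="${SERVICE_ROOT:-/services}"
SVC="${SVC:-svc}"
SVSTAT="${SVSTAT:-svstat}"

# Create the "down" file so supervise does not start the daemon on its own;
# from then on only this script (via its rc5.d symlink) brings it up.
mark_down() {
    dir="$SERVICE_ROOT/$SERVICE"
    [ -d "$dir" ] || { echo "no service directory: $dir" >&2; return 1; }
    [ -e "$dir/down" ] || : > "$dir/down"
}

supervised_ctl() {
    dir="$SERVICE_ROOT/$SERVICE"
    case "$1" in
        start)   mark_down && "$SVC" -u "$dir" ;;   # svc -u: bring service up
        stop)    mark_down && "$SVC" -d "$dir" ;;   # svc -d: bring service down
        restart) mark_down && "$SVC" -d "$dir" && "$SVC" -u "$dir" ;;
        status)  "$SVSTAT" "$dir" ;;
        *)       echo "Usage: $0 {start|stop|restart|status}" >&2; return 2 ;;
    esac
}

# Dispatch only when called with an action, as init does (e.g. "start").
if [ $# -gt 0 ]; then
    supervised_ctl "$@"
fi
```

With the script in place, `update-rc.d llmnrd-supervised defaults` creates the runlevel symlinks and `update-rc.d -f llmnrd-supervised remove` deletes them, so the service stays off at boot.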



Venus OS

0 Answers
