# Securing OpenWRT

### Enabling HTTPS:

1. Install the required packages (`luci-ssl` already depends on `luci` and on a TLS-enabled `libustream`, so the second `opkg install luci` only confirms what the first line pulled in; on current releases the `-wolfssl` or `-mbedtls` variants of `px5g` and `libustream` can be used instead of the OpenSSL ones):

```bash
opkg update
opkg install luci-lib-px5g px5g-standalone libustream-openssl luci-ssl
opkg install luci
```

2\. Restart the `uhttpd` server (the web server that serves LuCI):

```shell
/etc/init.d/uhttpd restart
```

On first start with `luci-ssl` installed, `uhttpd` generates a private key and a self-signed certificate (`/etc/uhttpd.key` and `/etc/uhttpd.crt`):

```shell
about to generate keys
Generating RSA private key, 2048 bit long modulus
Generating selfsigned certificate with subject 'C=ZZ;ST=Somewhere;L=Unknown;CN=OpenWrt;' and validity 2016-09-19 19:52:32-2018-09-19 21:59:32
keys generated
```

* Optionally remove the key generator once the certificate exists (the package installed above is `px5g-standalone`, so that is the one to remove). Keep it if you want `uhttpd` to regenerate the pair on restart after you delete `/etc/uhttpd.crt` and `/etc/uhttpd.key`: the generated certificate is only valid for two years, as the dates in the output above show.

```shell
opkg remove px5g-standalone
```

3\. Disable the plain-`HTTP` listener, or rebind it so it only redirects to `HTTPS`:

* Disable (only the `HTTPS` listener remains):

```shell
uci delete uhttpd.main.listen_http ; uci commit uhttpd
```

* Or bind both listeners to the `LAN` address only and redirect `HTTP` to `HTTPS` (replace `192.168.70.1` with your router's LAN address; the stock config lists `0.0.0.0` and `[::]` for each listener, and `uci set` replaces that whole list with the single address):

```shell
uci set uhttpd.main.listen_http='192.168.70.1:80'
uci set uhttpd.main.listen_https='192.168.70.1:443'
uci set uhttpd.main.redirect_https='1'
uci commit uhttpd
```

* Restart `HTTPD`

```shell
/etc/init.d/uhttpd restart
```

LuCI should now answer over HTTPS. The certificate is self-signed, so the browser warns on first connection; compare the SHA-256 fingerprint it shows against one computed from a copy of `/etc/uhttpd.crt` before accepting it, and do not accept a different fingerprint later without knowing why it changed. Done!
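
As an added example (not code from this page or from the OpenWrt project): a small audit script that reads `uci show uhttpd` output and reports whether plain HTTP is still exposed after step 3. The two sample configurations embedded in it are constructed, in the format `uci show` prints, one matching the stock config and one matching the rebind above; `audit_uhttpd`, `SAMPLE_DEFAULT` and `SAMPLE_HARDENED` are this example's own names. On the router it audits the live config; elsewhere it runs against the samples.

```shell
#!/bin/sh
# Added example, not from the page or OpenWrt: audit uhttpd's listeners.
# Reads `uci show uhttpd` on stdin. Exit 0 = no plain-HTTP exposure
# (no HTTP listener, or HTTP only redirects and is bound to one address);
# 1 = HTTP served without redirect_https (or no HTTPS at all);
# 2 = redirect is on but HTTP is bound to a wildcard (0.0.0.0 / [::]).
audit_uhttpd() {
    local line http='' https='' redirect='0'
    while IFS= read -r line; do
        case "$line" in
            uhttpd.main.listen_http=*)    http=${line#*=} ;;
            uhttpd.main.listen_https=*)   https=${line#*=} ;;
            uhttpd.main.redirect_https=*) redirect=$(printf '%s' "${line#*=}" | tr -d "'") ;;
        esac
    done
    if [ -z "$https" ]; then
        echo "FAIL: no listen_https; luci-ssl/uhttpd TLS is not configured"
        return 1
    fi
    if [ -z "$http" ]; then
        echo "OK: no plain-HTTP listener; HTTPS on $https"
        return 0
    fi
    if [ "$redirect" != "1" ]; then
        echo "FAIL: plain HTTP served on $http without redirect_https=1"
        return 1
    fi
    case "$http" in
        *0.0.0.0:*|*'[::]:'*)
            echo "WARN: HTTP redirect on $http listens on every interface; bind it to the LAN address"
            return 2 ;;
    esac
    echo "OK: HTTP on $http only redirects to HTTPS on $https"
    return 0
}

# Constructed samples (not captured from a real router), in the format
# `uci show uhttpd` prints: the stock config, and the rebind from step 3.
SAMPLE_DEFAULT="uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
uhttpd.main.redirect_https='0'"
SAMPLE_HARDENED="uhttpd.main=uhttpd
uhttpd.main.listen_http='192.168.70.1:80'
uhttpd.main.listen_https='192.168.70.1:443'
uhttpd.main.redirect_https='1'"

if command -v uci >/dev/null 2>&1; then
    uci show uhttpd | audit_uhttpd          # on the router: check the live config
else
    printf '%s\n' "$SAMPLE_DEFAULT"  | audit_uhttpd || echo "  (exit status $?)"
    printf '%s\n' "$SAMPLE_HARDENED" | audit_uhttpd || echo "  (exit status $?)"
fi
```

The wildcard case is only a warning because OpenWrt's default firewall already drops unsolicited input on `wan`; it still means the redirector answers on every interface, which is one more listener than you need.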

***

### Setting up the root password:

On a fresh install `root` has no password, and both `LuCI` and `SSH` accept the empty one, so this is the first thing to do.

**LuCI**

1. Navigate to `LuCI` --> `System` --> `Administration` --> `Router Password`
2. Enter new password
3. Click `Save & Apply`

**CLI**

```shell
passwd
```

Done!

***

### SSH Access:

1. **Do not offer access from the Internet at all.** The default firewall already drops unsolicited input on `wan`; do not add a rule for the SSH port there, and bind Dropbear to the `lan` interface (the `Interface` field under `SSH Access`) so it does not even listen on the WAN side.
2. Create a non-privileged user:

* Add user (`useradd` comes from the `shadow` package; `vim` is only the editor used in the steps below):

```shell
opkg update
opkg install shadow vim
useradd USERNAME
```

* Change user `password`:

```bash
passwd USERNAME
```

* Create the user's `home` and make sure the `/etc/passwd` entry points at it:

```bash
mkdir -p /home/USERNAME
chown USERNAME: /home/USERNAME
vim /etc/passwd
```

`useradd` already created a line for the user; edit it so the home directory and login shell read as follows (`1000:1000` is the UID/GID `useradd` typically assigns to the first added user; keep whatever it chose):

```bash
USERNAME:x:1000:1000:USERNAME:/home/USERNAME:/bin/ash
```

* Add user to `sudo`:

Install sudo:

```bash
opkg install sudo
```

Modify the `sudoers` file so that `sudo` prompts for the `root` password instead of the caller's:

```bash
visudo
```

or

```bash
vim /etc/sudoers
```

Uncomment the following lines (they ship commented out in the default file):

```
## Uncomment to allow any user to run sudo if they know the password         
## of the user they are running the command as (root by default).            
Defaults targetpw  # Ask for the password of the target user                 
ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
```

If you edited the file with `vim`, run `visudo -c` afterwards: a syntax error in `sudoers` makes `sudo` refuse to run at all.

**With `targetpw`, escalation always requires the `root` password, so compromising the unprivileged user's password or key does not by itself give root; only the root password has to be protected.** The flip side is that every local account becomes a place from which the root password can be guessed, which is why root password login over SSH is disabled below and the root password must be strong.

* Add `SSH` Key to new `User`. Dropbear refuses the key file if it, `~/.ssh` or the home directory is group- or world-writable, so lock the permissions down and hand the files to the user:

```bash
mkdir -p /home/USERNAME/.ssh
touch /home/USERNAME/.ssh/authorized_keys
vim /home/USERNAME/.ssh/authorized_keys
chmod 700 /home/USERNAME/.ssh
chmod 600 /home/USERNAME/.ssh/authorized_keys
chown -R USERNAME: /home/USERNAME/.ssh
```

**Add the public key (one line, as found in the `.pub` file) to `authorized_keys`**

{% hint style="info" %}
Note: which key types work depends on the Dropbear version. Dropbear on `OpenWRT` releases before 21.02 has no `ed25519` support, so only `RSA` keys work there; 21.02 and later ship a Dropbear that accepts `ed25519` keys as well.
{% endhint %}

* Modify Port & Authentication

1. Navigate to `System` --> `Administration`
2. Click on `SSH Access`
3. Set `Interface` to `lan`
4. Change `Port` (this only cuts log noise from scanners; it is not a security control on its own)
5. Disable `Password authentication`
6. Disable `Allow root logins with password`
7. `Save & Apply`

Keep the current session open and confirm that a fresh key-based login as the new user works before closing it: with password authentication off, a bad key file locks you out of SSH.

Done!
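
The user-creation, key-installation and Dropbear steps above as one script, added here as an example and not taken from the page or from OpenWrt. It assumes Dropbear (OpenWrt's default SSH server), `useradd` from the `shadow` package and `uci`; `check_authorized_key`, `check_key_perms`, `install_key`, `harden_dropbear`, `NEW_USER` and the `DEMO_KEY` line are this example's own names, and the key blob is constructed filler, not a real key. The two checks encode what Dropbear actually enforces: the key type it accepts and the write bits on the key file and its parent directories. On the router (root, with `uci` present) it creates the account and installs the key; anywhere else it exercises the checks in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the page or OpenWrt): the SSH-user steps as a
# script, with the two checks Dropbear enforces on a key file.

# Accept one authorized_keys line only if its type is one Dropbear can use
# (ssh-rsa on any release; ssh-ed25519 only on OpenWrt 21.02 and later) and
# its blob is base64. Lines with a leading options field are not handled.
check_authorized_key() {
    set -- $1
    case "$1" in
        ssh-rsa|ssh-ed25519) ;;
        *) echo "reject: key type '$1' not usable with Dropbear"; return 1 ;;
    esac
    [ -n "$2" ] || { echo "reject: missing key blob"; return 1; }
    case "$2" in
        *[!A-Za-z0-9+/=]*) echo "reject: key blob is not base64"; return 1 ;;
    esac
    return 0
}

# Dropbear refuses the key file if ~, ~/.ssh or authorized_keys is group- or
# world-writable (octal 020 / 002 set). Return 0 when all three are safe.
check_key_perms() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "unsafe: $p is group- or world-writable"; return 1
        fi
    done
    return 0
}

# Write the key file with the permissions Dropbear expects; chown only when
# running as root (on the router you are). Usage: install_key USER HOME KEY
install_key() {
    check_authorized_key "$3" || return 1
    mkdir -p "$2/.ssh"
    printf '%s\n' "$3" > "$2/.ssh/authorized_keys"
    chmod go-w "$2"
    chmod 700 "$2/.ssh"
    chmod 600 "$2/.ssh/authorized_keys"
    if [ "$(id -u)" -eq 0 ]; then chown -R "$1:" "$2/.ssh"; fi
    return 0
}

# The LuCI "SSH Access" settings via uci: LAN only, non-default port, keys
# only, no root password login. Test a key login in a second session first;
# with PasswordAuth off, a bad key file locks you out.
harden_dropbear() {
    uci set dropbear.@dropbear[0].Interface='lan'
    uci set dropbear.@dropbear[0].Port="${1:-2222}"
    uci set dropbear.@dropbear[0].PasswordAuth='off'
    uci set dropbear.@dropbear[0].RootPasswordAuth='off'
    uci commit dropbear
    /etc/init.d/dropbear restart
}

# Constructed key line for the demo: the blob is filler, not a real key.
# On the router, replace it with your own public key.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExam admin@laptop'
NEW_USER=${NEW_USER:-admin}

if command -v uci >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # On the router: create the account, install the key, check it.
    useradd -d "/home/$NEW_USER" -s /bin/ash "$NEW_USER" || echo "useradd failed or user exists (needs the shadow package)"
    mkdir -p "/home/$NEW_USER" && chown "$NEW_USER:" "/home/$NEW_USER"
    install_key "$NEW_USER" "/home/$NEW_USER" "$DEMO_KEY" && check_key_perms "/home/$NEW_USER"
    # harden_dropbear 2222   # run once a key login has been verified
else
    # Anywhere else: exercise the checks in a scratch directory.
    tmp=$(mktemp -d)
    install_key "$(id -un)" "$tmp" "$DEMO_KEY" && check_key_perms "$tmp" && echo "key file OK in $tmp"
    rm -rf "$tmp"
fi
```

`harden_dropbear` is deliberately left commented out in the router branch: run it by hand only after a second terminal has confirmed that the new user can log in with the key, because `PasswordAuth='off'` removes the fallback.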

***

### Disable IPv6:

If IPv6 is not needed, disabling it removes addresses and listeners you would otherwise have to secure. Besides switching it off on the interfaces and stopping `DHCPv6`, also stop router advertisements and drop the ULA prefix, otherwise clients keep configuring IPv6 addresses on the LAN:

```bash
uci set 'network.lan.ipv6=off'
uci set 'network.wan.ipv6=off'
uci set 'dhcp.lan.dhcpv6=disabled'
uci set 'dhcp.lan.ra=disabled'
uci -q delete network.globals.ula_prefix
uci commit
/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop
/etc/init.d/network restart
```

Afterwards `ip -6 addr show dev br-lan` (the LAN bridge on a default install) should list only the `fe80::` link-local address, and `ip -6 route` should show no default route.
