Securing OpenWRT
Enabling HTTPS:
1. Install the required packages:
opkg update
opkg install luci-lib-px5g px5g-standalone libustream-openssl luci-ssl
opkg install luci
2. Restart the httpd server:
/etc/init.d/uhttpd restart
This will generate the certificate:
about to generate keys
Generating RSA private key, 2048 bit long modulus
Generating selfsigned certificate with subject 'C=ZZ;ST=Somewhere;L=Unknown;CN=OpenWrt;' and validity 2016-09-19 19:52:32-2018-09-19 21:59:32
keys generated
Optionally remove the key generator:
opkg remove px5g
3. Disable or rebind the router's plain-HTTP listener:
Disable:
uci delete uhttpd.main.listen_http ; uci commit
Or rebind all LAN connections and redirect HTTP to HTTPS:
uci set uhttpd.main.listen_http='192.168.70.1:80'
uci set uhttpd.main.listen_https='192.168.70.1:443'
uci set uhttpd.main.redirect_https='1'
uci commit
Restart httpd:
/etc/init.d/uhttpd restart
LuCI should now be reachable over HTTPS. Done!
Setting up the root password:
LuCI:
Navigate to LuCI --> System --> Administration --> Router Password
Enter the new password
Click Save & Apply
CLI:
passwd
Done!
SSH Access:
Do not offer SSH access from the Internet at all.
Create a non-privileged user:
Add user:
opkg update
opkg install shadow vim
useradd USERNAME
Change the user's password:
passwd USERNAME
Create the user's home directory:
mkdir -p /home/USERNAME
chown USERNAME: /home/USERNAME
vim /etc/passwd
Add entry:
USERNAME:x:1000:1000:USERNAME:/home/USERNAME:/bin/ash
Add the user to sudo:
Install sudo:
opkg install sudo
Modify the sudoers file so that sudo prompts for the root password:
visudo
or
vim /etc/sudoers
Uncomment the following lines:
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
Defaults targetpw # Ask for the password of the target user
ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
This method is more secure because you only need to protect the root password, not both the root password and every privileged (sudoer) user's password, to keep the whole system safe.
Add an SSH key for the new user:
mkdir -p /home/USERNAME/.ssh
touch /home/USERNAME/.ssh/authorized_keys
vim /home/USERNAME/.ssh/authorized_keys
Add the public key to the file.
Modify port & authentication:
Navigate to System --> Administration
Click on SSH Access
Change the Port
Disable Password authentication
Disable Allow root logins with password
Click Save & Apply
Done!
Disable IPV6:
uci set 'network.lan.ipv6=off'
uci set 'network.wan.ipv6=off'
uci set 'dhcp.lan.dhcpv6=disabled'
uci commit
/etc/init.d/odhcpd disable
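As an added check that is not part of the original page, the POSIX shell function below audits "uci show" output against the settings changed in the HTTPS, SSH and IPv6 steps above. It assumes the dropbear uci options PasswordAuth, RootPasswordAuth and Port (the uci equivalents of the LuCI SSH Access fields) and uses constructed sample configs, not output from a real device.

```shell
#!/bin/sh
# Added audit helper (not from the original page). On the router, feed it:
#   { uci show uhttpd; uci show dropbear; uci show network; uci show dhcp; } | audit_openwrt_hardening
# Prints one FAIL line per finding and returns the number of findings (0 = clean).
audit_openwrt_hardening() {
    cfg=$(cat)
    n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }
    has() { printf '%s\n' "$cfg" | grep -q -- "$1"; }
    dbr='^dropbear\.@dropbear\[0\]\.'

    # LuCI: HTTPS configured, plain HTTP either removed or redirected to HTTPS.
    has "^uhttpd\.main\.listen_https=" || fail "uhttpd: listen_https is not set"
    if has "^uhttpd\.main\.listen_http=" && ! has "^uhttpd\.main\.redirect_https='1'"; then
        fail "uhttpd: plain HTTP enabled without redirect_https=1"
    fi
    # SSH (dropbear): key-only auth, no root password login, non-default port.
    has "${dbr}PasswordAuth='off'"     || fail "dropbear: PasswordAuth is not off"
    has "${dbr}RootPasswordAuth='off'" || fail "dropbear: RootPasswordAuth is not off"
    if ! has "${dbr}Port=" || has "${dbr}Port='22'"; then
        fail "dropbear: still on default port 22"
    fi
    # IPv6 off on lan and wan, DHCPv6 disabled.
    has "^network\.lan\.ipv6='off'"     || fail "network: lan ipv6 is not off"
    has "^network\.wan\.ipv6='off'"     || fail "network: wan ipv6 is not off"
    has "^dhcp\.lan\.dhcpv6='disabled'" || fail "dhcp: lan dhcpv6 is not disabled"
    return "$n"
}

# Constructed sample inputs (not captured from a real device) to exercise the checks.
WEAK_CFG="uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].Port='22'
dhcp.lan.dhcpv6='server'"
HARDENED_CFG="uhttpd.main.listen_http='192.168.70.1:80'
uhttpd.main.listen_https='192.168.70.1:443'
uhttpd.main.redirect_https='1'
dropbear.@dropbear[0].PasswordAuth='off'
dropbear.@dropbear[0].RootPasswordAuth='off'
dropbear.@dropbear[0].Port='2222'
network.lan.ipv6='off'
network.wan.ipv6='off'
dhcp.lan.dhcpv6='disabled'"

printf '%s\n' "$WEAK_CFG" | audit_openwrt_hardening || echo "$? finding(s) in the weak config"
```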