Good news, OpenWrt has reasonable security by default.
If you are inexperienced in hardening and firewall and web security, there is no need to worry, OpenWrt is “hardened” by default in a sufficient way, such that non-experienced muggles can use it right away, without being worried.
…with one important single exception:
You need to set a password on your OpenWrt “root” admin account. The “root” account is the default OpenWrt admin account on your device. The next chapter will show you how to do this.
This page also contains some general information about security of OpenWrt and what you should do in general, to keep your router in a properly secured state.
To initially set (or later on change) the “root” admin account password on the web admin GUI, goto
http://192.168.1.1 → Menu System/Adminstration
Alternatively, on the commandline use
passwd to set a password.
opkg install luci-ssl
…and that is a very bad idea.
Treat your admin root account with some sane respect.
Do what every major company does with the “root” accounts of their Linux servers:
Congratulations that you do not have to share precious bandwidth with others, but you still need to set a root password.
Because any web site you call from a browser in your home network (e.g. those that promise hot Katy Perry pictures) could easily use so called “cross site request forgery” to access admin GUI of your OpenWrt device, without you noticing it and then do evil things there. If no 'root' password is set, such malicious sites could manipulate your OpenWrt device in a way that you won't like.
So just go and set a password on your “root” account now.
Handle firewall rules with care:
If you have already performed various firewall changes on your OpenWrt device and now lost overview of your custom rules, you can always reset all your OpenWrt settings back to the to the initial default (see trouble shooting section).
Not so fast…
Did you notice that even OpenWrt firmware gets updated from time to time?
As with your former vendor firmware, you should check regularly, whether OpenWrt has released new firmware and apply these updates to your device. There is even a configuration backup and restore feature, such that you do not have to start from scratch after each update.
As with the firmware you should also keep an eye on the custom packages you install. There are several hundreds of optional packages. Not all security problems of those packages get addressed by OpenWrt system upgrades, but instead require you to manually upgrade the packages as well.
If you are using custom packages, you should run a
opkg update;opkg list-upgradable from time to time. This shows your installed packages that have available updates.
You then install package upgrades manually by running
opkg upgrade SOMEPACKAGENAME.
Note that not every listed package upgrade is due to security issues, it can also be a harmless bug fix or feature extension.
An update will continue to use your existing service configuration, but for critical OpenWrt environments, a manual config backup never hurts as safety precaution before upgrading packages…
Note: OpenWrt uses a read-only root file system plus a differential extension partition for all package installs and upgrades. When wanting to maximize usage of your precious flash space, it tends to be a better approach, to applying up-to-date OpenWrt firmware and then reinstall your packages instead of only upgrading packages, when expecting larger volumes of upgrades.
OpenWrt devices have 2-4 common services running, which kind of mark high-value targets for malware (even when only available in your LAN-zone): Any harmless looking web site, you have visited in your browser, could use cross site request forgery tricks, abusing an unpached security flaw in one of these services. This could lead to malicious malware redirect attacks where website redirects to a malware site and so on.
These high-value services in particular are:
It is up to your personal responsibility, to counter such weak points on your OpenWrt device(s):