Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision | ||
| docs:guide-user:security:lede_security [2018/03/30 20:12] – [I am expert, show me some extra hardening...] Escaped <= so that it's not an arrow etskinner | docs:guide-user:security:openwrt_security [2023/04/27 13:38] – Lua is a proper noun, not an acronym. icecream | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ======Hardening of your LEDE device====== | + | ====== |
| - | Good news, LEDE has reasonable security by default.\\ | + | Good news, OpenWrt |
| - | If you are inexperienced in hardening and firewall and web security, there is no need to worry, LEDE is " | + | |
| - | **...with one important single exception: | + | If you are inexperienced in hardening and firewall and web security, there is no need to worry, OpenWrt |
| - | You need to set a password on your LEDE " | + | |
| - | This page also contains some general information about security of LEDE and what you should do in general, to keep your router in a properly secured state. | + | **...with one important single exception: |
| - | =====Setting | + | You need to set a password on your OpenWrt |
| - | To initially set (or later on change) | + | The root account is the default OpenWrt |
| - | * Enter the new password in the " | + | The next chapter will show you how to do this. |
| - | * Click " | + | |
| - | + | ||
| - | Alternatively, | + | |
| - | =====I am expert, show me some extra " | + | This page also contains |
| - | * If you have >=8MB Flash ROM and share your homenetwork with other people, it is good practice | + | |
| - | - '' | + | |
| - | - '' | + | |
| - | - you can now access the web admin GUI by using https:// | + | |
| - | * if you don't ever use your LuCi web admin GUI at all, you can even disable LuCi (the web admin GUI): | + | |
| - | - disable LuCi autostart: | + | |
| - | - stop the LuCi service: ''/ | + | |
| - | * if you have disabled your web GUI and and want to reenable it: | + | |
| - | - enable LuCi autostartion: | + | |
| - | - start the LuCi service: ''/ | + | |
| - | | + | ===== Setting the root password ===== |
| - | =====My | + | Set the root password using web interface. |
| + | - Navigate to **LuCI -> System -> Administration -> Router Password**. | ||
| + | - Enter the new password in the **Router Password** section. | ||
| + | - Click **Save & Apply** a the bottom of the page. | ||
| + | |||
| + | You can also set the root password using command-line interface. | ||
| + | |||
| + | <code bash> | ||
| + | passwd | ||
| + | </ | ||
| + | |||
| + | ===== Securing TTY and serial console ===== | ||
| + | Enable password prompt for TTY and serial console. | ||
| + | |||
| + | <code bash> | ||
| + | uci set system.@system[0].ttylogin=" | ||
| + | uci commit system | ||
| + | / | ||
| + | </ | ||
| + | |||
| + | Authentication for OpenWrt TTY and serial console is disabled by default. | ||
| + | Using TTY and serial console requires physical access to the device. | ||
| + | You can reduce the attack surface by enabling authentication. | ||
| + | |||
| + | Note that hardware attacks on serial console pins are also possible. | ||
| + | However, it requires physical access, time and skills. | ||
| + | |||
| + | ===== Disabling Linux single user mode ===== | ||
| + | Single user mode is available through GRUB and allows to boot without password. | ||
| + | An attacker is then able to change root password and reboot. | ||
| + | A solution would be to lock-down OpenWrt booloader process, to make sure that booting in Linux single user mode is impossible. | ||
| + | This has to be discussed and this is not yet documented. | ||
| + | |||
| + | ===== I am expert, show me some extra hardening... ===== | ||
| + | If you have 8MB flash or more and share your home network with other people, it is good practice to [[docs: | ||
| + | |||
| + | If you don't ever use your LuCI web interface at all, you can [[docs: | ||
| + | |||
| + | ===== My OpenWrt | ||
| ...and that is a very bad idea. | ...and that is a very bad idea. | ||
| - | Treat your admin root account with some sane respect. | + | Treat your root account with some sane respect. |
| - | Do what every major company does with the "root" | + | Do what every major company does with the root accounts of their Linux servers: |
| - | * Stay away from admin access (SSH and web GUI), when you don't need it | + | * Stay away from admin access (SSH and web interface), when you don't need it |
| * Close/Log off your root admin sessions once your are done administrating (not 8h later) | * Close/Log off your root admin sessions once your are done administrating (not 8h later) | ||
| * Only connect as root, when really in the need for administration | * Only connect as root, when really in the need for administration | ||
| * Don't share your root password with others | * Don't share your root password with others | ||
| - | * Don't share your root password with others, even if they promise some hot Katy Perry pictures in return | + | * Don't share your root password with others, even if they promise some hot skateboarding penguins |
| - | + | ===== I don't need to set a root password, when I am the only user. Right?.... ===== | |
| - | =====I don't need to set a 'root' | + | |
| Congratulations that you do not have to share precious bandwidth with others, but you still need to set a root password. | Congratulations that you do not have to share precious bandwidth with others, but you still need to set a root password. | ||
| - | Because any web site you call from a browser in your home network (e.g. those that promise hot Katy Perry pictures) could easily use so called | + | Any web site you call from a browser in your home network (e.g. those that promise hot skateboarding penguins |
| - | So just go and set a password on your "root" | + | If no root password is set, such malicious sites could manipulate your OpenWrt device in a way that you won't like. |
| + | So just go and set a password on your root account now. | ||
| - | =====Let' | + | ===== Let's just open this one single port for incoming traffic, what could possibly go wrong?... ===== |
| Handle firewall rules with care: | Handle firewall rules with care: | ||
| * Do not expose services on the WAN Internet port, if you do not understand the security implications. Automatic scanners of evil fources and script kids will find any open port on your WAN side sometimes within minutes and will then run extensive intrusion software suits on such open ports, probing a lot of attack vectors without any manual effort. The Internet is permanently being scanned for careless people. | * Do not expose services on the WAN Internet port, if you do not understand the security implications. Automatic scanners of evil fources and script kids will find any open port on your WAN side sometimes within minutes and will then run extensive intrusion software suits on such open ports, probing a lot of attack vectors without any manual effort. The Internet is permanently being scanned for careless people. | ||
| - | * if you want to access home services while being on the road, consider using openVPN | + | * if you want to access home services while being on the road, consider using a WireGuard VPN instead of opening service-related ports publically on the WAN side. |
| * Unfortunately a lot of online games have lots of " | * Unfortunately a lot of online games have lots of " | ||
| - | * Always use reasonable comments, when you add your own customized firewall rules (e.g. " | + | * Always use reasonable comments, when you add your own customized firewall rules (e.g. " |
| - | If you have already performed various firewall changes on your LEDE device and now lost overview of your custom rules, you can always reset all your LEDE settings back to the to the initial default (see trouble shooting section). | + | If you have already performed various firewall changes on your OpenWrt |
| - | =====So I've switched from insecure vendor firmware to LEDE. Finally, I am safe forever...===== | + | ===== So I've switched from insecure vendor firmware to OpenWrt. Finally, I am safe forever... ===== |
| Not so fast... | Not so fast... | ||
| - | Did you notice that even LEDE firmware gets updated from time to time? | + | Did you notice that even OpenWrt |
| - | As with your former vendor firmware, you should check regularly, whether | + | As with your former vendor firmware, you should check regularly, whether |
| + | There is even a configuration backup and restore feature, such that you do not have to start from scratch after each update. | ||
| - | =====I have custom packages installed...===== | + | ===== I have custom packages installed... ===== |
| - | As with the firmware you should also keep an eye on the custom packages you install. There are several hundreds of optional packages. Not all security problems of those packages get addressed by LEDE system upgrades, but instead require you to manually upgrade the packages as well. | + | As with the firmware you should also keep an eye on the custom packages you install. |
| + | There are several hundreds of optional packages. | ||
| + | Not all security problems of those packages get addressed by OpenWrt | ||
| - | If you are using custom packages, you should run a '' | + | If you are using custom packages, you should run a '' |
| - | You then install package upgrades manually by running '' | + | This shows your installed packages that have available updates. |
| + | You then install package upgrades manually by running '' | ||
| Note that not every listed package upgrade is due to security issues, it can also be a harmless bug fix or feature extension. | Note that not every listed package upgrade is due to security issues, it can also be a harmless bug fix or feature extension. | ||
| - | An update will continue to use your existing service configuration, | + | An update will continue to use your existing service configuration, |
| + | |||
| + | Note: OpenWrt uses a read-only root file system plus a differential extension partition for all package installs and upgrades. | ||
| + | When wanting to maximize usage of your precious flash space, it tends to be a better approach, to applying up-to-date OpenWrt firmware and then reinstall your packages instead of only upgrading packages, when expecting larger volumes of upgrades. | ||
| - | Note: LEDE uses a read-only root file system plus a differential extension partition for all package installs and upgrades. When wanting to maximize usage of your precious flash space, it tends to be a better approach, to applying up-to-date LEDE firmware and then reinstall your packages instead of only upgrading packages, when expecting larger volumes of upgrades. | + | {{page> |
| - | =====A word about high-value weak points on LEDE===== | + | ===== A word about high-value weak points on OpenWrt |
| - | LEDE devices have 2-4 common services running, which kind of mark high-value targets for malware (even when only available in your LAN-zone): Any harmless looking web site, you have visited in your browser, could use cross site request forgery tricks, abusing an unpached | + | OpenWrt |
| + | This could lead to malicious malware redirect attacks where [[https:// | ||
| These high-value services in particular are: | These high-value services in particular are: | ||
| - | * the webserver running | + | * The webserver running |
| - | * the dropbear SSH server for LEDE commandline | + | * The dropbear SSH server for OpenWrt command-line |
| * The SFTP deamon for GUI file explorer admin access (only if manually activated, it's not there by default) | * The SFTP deamon for GUI file explorer admin access (only if manually activated, it's not there by default) | ||
| * Samba SMB share to provide user network file shares (only if manually activated, it's not there by default) | * Samba SMB share to provide user network file shares (only if manually activated, it's not there by default) | ||
| - | It is up to your personal responsibility, | + | It is up to your personal responsibility, |
| - | * set a "root" | + | * Set a root password |
| - | * keep your LEDE firmware up to date | + | * Keep your OpenWrt |
| - | * when you have Samba and/or SFTP activated manually: check regularly, if there are package | + | * When you have Samba and/or SFTP activated manually: check regularly, if there are package |
| - | | ||