Differences
| docs:guide-user:security:openwrt_security [2021/03/29 12:19] – update, formatting, spelling vgaetera | docs:guide-user:security:openwrt_security [2022/11/06 13:10] – [I have custom packages installed...] mdvthu | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| Good news, OpenWrt has reasonable security by default. | Good news, OpenWrt has reasonable security by default. | ||
| - | If you are inexperienced in hardening and firewall and web security, there is no need to worry, OpenWrt is "hardened" | + | If you are inexperienced in hardening and firewall and web security, there is no need to worry, OpenWrt is hardened by default in a sufficient way, such that non-experienced muggles can use it right away, without being worried. |
| **...with one important single exception: | **...with one important single exception: | ||
| - | You need to set a password on your OpenWrt | + | You need to set a password on your OpenWrt root account. |
| - | The "root" | + | The root account is the default OpenWrt admin account on your device. |
| + | The next chapter will show you how to do this. | ||
| This page also contains some general information about security of OpenWrt and what you should do in general, to keep your router in a properly secured state. | This page also contains some general information about security of OpenWrt and what you should do in general, to keep your router in a properly secured state. | ||
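Review bot: the new opening sentence (the `+` line replacing the old "hardened" line) still reads as a contradiction with the `**...with one important single exception:**` line directly below it, because it promises users can start "right away, without being worried" and then immediately names something they must do. Suggest folding the exception into that sentence, e.g. "OpenWrt is hardened by default well enough for inexperienced users, with one exception: you must set a root password (see the next chapter)." Also replace "muggles" with "users"; it is slang a documentation reader may not recognise.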
| Line 45: | Line 46: | ||
| This has to be discussed and this is not yet documented. | This has to be discussed and this is not yet documented. | ||
| - | ===== I am expert, show me some extra "hardening"... ===== | + | ===== I am expert, show me some extra hardening... ===== |
| If you have 8MB flash or more and share your home network with other people, it is good practice to [[docs: | If you have 8MB flash or more and share your home network with other people, it is good practice to [[docs: | ||
| Line 55: | Line 56: | ||
| Treat your root account with some sane respect. | Treat your root account with some sane respect. | ||
| - | Do what every major company does with the "root" | + | Do what every major company does with the root accounts of their Linux servers: |
| * Stay away from admin access (SSH and web interface), when you don't need it | * Stay away from admin access (SSH and web interface), when you don't need it | ||
| * Close/Log off your root admin sessions once your are done administrating (not 8h later) | * Close/Log off your root admin sessions once your are done administrating (not 8h later) | ||
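Review bot: the unchanged context line "once your are done administrating" has a typo and should read "once you are done administering". The `+` line's "Do what every major company does with the root accounts of their Linux servers" is an unverifiable appeal to authority; "Treat it the way root is treated on any production Linux server:" introduces the same list without that claim.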
| Line 62: | Line 63: | ||
| * Don't share your root password with others, even if they promise some hot skateboarding penguins pictures in return | * Don't share your root password with others, even if they promise some hot skateboarding penguins pictures in return | ||
| - | ===== I don't need to set a 'root' | + | ===== I don't need to set a root password, when I am the only user. Right?.... ===== |
| Congratulations that you do not have to share precious bandwidth with others, but you still need to set a root password. | Congratulations that you do not have to share precious bandwidth with others, but you still need to set a root password. | ||
| - | Because any web site you call from a browser in your home network (e.g. those that promise hot skateboarding penguins pictures) could easily use so called | + | Any web site you call from a browser in your home network (e.g. those that promise hot skateboarding penguins pictures) could easily use so called |
| - | So just go and set a password on your "root" | + | If no root password is set, such malicious sites could manipulate your OpenWrt device in a way that you won't like. |
| + | So just go and set a password on your root account now. | ||
| ===== Let's just open this one single port for incoming traffic, what could possibly go wrong?... ===== | ===== Let's just open this one single port for incoming traffic, what could possibly go wrong?... ===== | ||
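Review bot: the replacement `+` lines split the attack from its precondition, so a reader can miss why a LAN-only service is reachable at all: the browser runs inside the LAN, so a page it loads can send requests to the router's admin interface, and with no root password set the login step needs no secret. Suggest joining the two sentences, e.g. "Any web site ... can use so-called cross-site request forgery (CSRF): because your browser is inside your LAN, the page can send requests to the router's admin interface, and if no root password is set those requests are accepted as root." Also hyphenate "so-called", and "in a way that you won't like" would land better with one concrete consequence named (e.g. changing the router's DNS or firewall settings).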
| Line 105: | Line 107: | ||
| ===== A word about high-value weak points on OpenWrt ===== | ===== A word about high-value weak points on OpenWrt ===== | ||
| OpenWrt devices have 2-4 common services running, which kind of mark high-value targets for malware (even when only available in your LAN-zone): Any harmless looking web site, you have visited in your browser, could use cross site request forgery tricks, abusing an unpatched security flaw in one of these services. | OpenWrt devices have 2-4 common services running, which kind of mark high-value targets for malware (even when only available in your LAN-zone): Any harmless looking web site, you have visited in your browser, could use cross site request forgery tricks, abusing an unpatched security flaw in one of these services. | ||
| - | This could lead to malicious malware redirect attacks where [[https://secure.wphackedhelp.com/blog/wordpress-malware-redirect-hack-cleanup/# | + | This could lead to malicious malware redirect attacks where [[https://attack.mitre.org/techniques/T1189/|website redirects to a malware site]] and so on. |
| These high-value services in particular are: | These high-value services in particular are: | ||
| - | * the webserver running LuCI (based on LUA) for OpenWrt web interface access | + | * The webserver running LuCI (based on LUA) for OpenWrt web interface access |
| - | * the dropbear SSH server for OpenWrt command-line admin access | + | * The dropbear SSH server for OpenWrt command-line admin access |
| * The SFTP deamon for GUI file explorer admin access (only if manually activated, it's not there by default) | * The SFTP deamon for GUI file explorer admin access (only if manually activated, it's not there by default) | ||
| * Samba SMB share to provide user network file shares (only if manually activated, it's not there by default) | * Samba SMB share to provide user network file shares (only if manually activated, it's not there by default) | ||
| It is up to your personal responsibility, | It is up to your personal responsibility, | ||
| - | * set a "root" | + | * Set a root password |
| - | * keep your OpenWrt firmware up to date | + | * Keep your OpenWrt firmware up to date |
| - | * when you have Samba and/or SFTP activated manually: check regularly, if there are package upgrade available for Samba and SFTP and apply those upgrades | + | * When you have Samba and/or SFTP activated manually: check regularly, if there are package upgrade available for Samba and SFTP and apply those upgrades |
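Review bot: the unchanged first context line of this hunk ("abusing an unpatched security flaw in one of these services") conflicts with the earlier root-password section: without a root password no flaw is needed, because the admin services accept the request as root. Suggest "abusing a missing root password or an unpatched flaw in one of these services", so that each of the three action items at the end (set a password, update firmware, upgrade Samba/SFTP) maps to a named risk. Spelling in the list: "LUA" should be "Lua" and "deamon" should be "daemon". The new MITRE link (T1189, Drive-by Compromise) matches the "website redirects to a malware site" text better than the old vendor blog, but "malicious malware redirect attacks" is redundant; "redirect attacks" suffices.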