Differences

This shows you the differences between two versions of the page.

docs:guide-user:security:openwrt_security [2021/03/29 12:19] – update, formatting, spelling vgaeteradocs:guide-user:security:openwrt_security [2022/11/06 13:10] – [I have custom packages installed...] mdvthu
Line 2: Line 2:
 Good news, OpenWrt has reasonable security by default. Good news, OpenWrt has reasonable security by default.
  
-If you are inexperienced in hardening and firewall and web security, there is no need to worry, OpenWrt is "hardenedby default in a sufficient way, such that non-experienced muggles can use it right away, without being worried.+If you are inexperienced in hardening and firewall and web security, there is no need to worry, OpenWrt is hardened by default in a sufficient way, such that non-experienced muggles can use it right away, without being worried.
  
 **...with one important single exception:** **...with one important single exception:**
  
-You need to set a password on your OpenWrt "root" admin account. +You need to set a password on your OpenWrt root account. 
-The "rootaccount is the default OpenWrt admin account on your device. The next chapter will show you how to do this.+The root account is the default OpenWrt admin account on your device. 
 +The next chapter will show you how to do this.
  
 This page also contains some general information about security of OpenWrt and what you should do in general, to keep your router in a properly secured state. This page also contains some general information about security of OpenWrt and what you should do in general, to keep your router in a properly secured state.
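Review bot: dropping the quotation marks in the + line turns the deliberately hedged phrase "hardened" by default into an unqualified assurance that OpenWrt "is hardened by default in a sufficient way", which sits oddly next to the more careful "reasonable security by default" one line above; suggest "reasonably hardened by default" or similar so the two statements agree. Splitting the root-password paragraph into one sentence per line is fine.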
Line 45: Line 46:
 This has to be discussed and this is not yet documented. This has to be discussed and this is not yet documented.
  
-===== I am expert, show me some extra "hardening"... =====+===== I am expert, show me some extra hardening... =====
 If you have 8MB flash or more and share your home network with other people, it is good practice to [[docs:guide-user:luci:luci.essentials#providing_encryption|activate HTTPS]] for your LuCI web interface. If you have 8MB flash or more and share your home network with other people, it is good practice to [[docs:guide-user:luci:luci.essentials#providing_encryption|activate HTTPS]] for your LuCI web interface.
  
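Review bot: the reworded heading still reads "I am expert"; since the line is being edited anyway, make it "I am an expert, show me some extra hardening..." in the same change.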
Line 55: Line 56:
 Treat your root account with some sane respect. Treat your root account with some sane respect.
  
-Do what every major company does with the "rootaccounts of their Linux servers:+Do what every major company does with the root accounts of their Linux servers:
   * Stay away from admin access (SSH and web interface), when you don't need it   * Stay away from admin access (SSH and web interface), when you don't need it
   * Close/Log off your root admin sessions once your are done administrating (not 8h later)   * Close/Log off your root admin sessions once your are done administrating (not 8h later)
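Review bot: the unchanged bullet directly below the edited line has a typo, "once your are done administrating"; since this hunk already touches the list introduction, fix it to "once you are done administering" in the same change. This bullet is also the advice that actually limits the cross-site request forgery exposure described later on the page, so it is worth keeping it readable.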
Line 62: Line 63:
   * Don't share your root password with others, even if they promise some hot skateboarding penguins pictures in return   * Don't share your root password with others, even if they promise some hot skateboarding penguins pictures in return
    
-===== I don't need to set a 'rootpassword, when I am the only user. Right?.... =====+===== I don't need to set a root password, when I am the only user. Right?.... =====
 Congratulations that you do not have to share precious bandwidth with others, but you still need to set a root password. Congratulations that you do not have to share precious bandwidth with others, but you still need to set a root password.
  
-Because any web site you call from a browser in your home network (e.g. those that promise hot skateboarding penguins pictures) could easily use so called "cross site request forgeryto access web interface of your OpenWrt device, without you noticing it and then do evil things there. If no 'root' password is set, such malicious sites could manipulate your OpenWrt device in a way that you won't like.+Any web site you call from a browser in your home network (e.g. those that promise hot skateboarding penguins pictures) could easily use so called [[wp>Cross-site_request_forgery|cross-site request forgery]] to access web interface of your OpenWrt device, without you noticing it and then do evil things there.
  
-So just go and set a password on your "rootaccount now.+If no root password is set, such malicious sites could manipulate your OpenWrt device in a way that you won't like. 
 +So just go and set a password on your root account now.
  
 ===== Let's just open this one single port for incoming traffic, what could possibly go wrong?... ===== ===== Let's just open this one single port for incoming traffic, what could possibly go wrong?... =====
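Review bot: the + lines now attribute the CSRF risk solely to a missing root password, but a forged request rides on whatever session the browser already holds, so setting a password only closes the unauthenticated case; a short clause pointing back to the "log off your root admin sessions" advice from the previous section would make the reasoning complete. Minor: "so called" should be "so-called" and "access web interface" needs "the".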
Line 105: Line 107:
 ===== A word about high-value weak points on OpenWrt ===== ===== A word about high-value weak points on OpenWrt =====
 OpenWrt devices have 2-4 common services running, which kind of mark high-value targets for malware (even when only available in your LAN-zone): Any harmless looking web site, you have visited in your browser, could use cross site request forgery tricks, abusing an unpatched security flaw in one of these services. OpenWrt devices have 2-4 common services running, which kind of mark high-value targets for malware (even when only available in your LAN-zone): Any harmless looking web site, you have visited in your browser, could use cross site request forgery tricks, abusing an unpatched security flaw in one of these services.
-This could lead to malicious malware redirect attacks where [[https://secure.wphackedhelp.com/blog/wordpress-malware-redirect-hack-cleanup/#wordpress_site_redirects_to_another_site|website redirects to a malware site]] and so on.+This could lead to malicious malware redirect attacks where [[https://attack.mitre.org/techniques/T1189/|website redirects to a malware site]] and so on.
  
 These high-value services in particular are: These high-value services in particular are:
-  * the webserver running LuCI (based on LUA) for OpenWrt web interface access +  * The webserver running LuCI (based on LUA) for OpenWrt web interface access 
-  * the dropbear SSH server for OpenWrt command-line admin access+  * The dropbear SSH server for OpenWrt command-line admin access
   * The SFTP deamon for GUI file explorer admin access (only if manually activated, it's not there by default)   * The SFTP deamon for GUI file explorer admin access (only if manually activated, it's not there by default)
   * Samba SMB share to provide user network file shares (only if manually activated, it's not there by default)   * Samba SMB share to provide user network file shares (only if manually activated, it's not there by default)
  
 It is up to your personal responsibility, to counter such weak points on your OpenWrt device(s): It is up to your personal responsibility, to counter such weak points on your OpenWrt device(s):
-  * set "rootpassword +  * Set a root password 
-  * keep your OpenWrt firmware up to date +  * Keep your OpenWrt firmware up to date 
-  * when you have Samba and/or SFTP activated manually: check regularly, if there are package upgrade available for Samba and SFTP and apply those upgrades+  * When you have Samba and/or SFTP activated manually: check regularly, if there are package upgrade available for Samba and SFTP and apply those upgrades
  
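Review bot: the replaced link target in the first + line is the MITRE ATT&CK Drive-by Compromise technique page (T1189), but the link text still says "website redirects to a malware site", so the text no longer describes what the reader lands on; either change the text to "drive-by compromise" or keep a redirect-specific reference. Since the service list is being touched: "LUA" should be "Lua" (it is not an acronym), "deamon" in the unchanged SFTP bullet should be "daemon", and the last + bullet should read "if there are package upgrades available".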
  • Last modified: 2024/01/21 19:48
  • by spectredev