OpenWrt security hardening

Good news, OpenWrt has reasonable security by default.

If you are inexperienced in hardening and firewall and web security, there is no need to worry, OpenWrt is hardened by default in a sufficient way, such that non-experienced muggles can use it right away, without being worried.

...with one important single exception:

You need to set a password on your OpenWrt root account. The root account is the default OpenWrt admin account on your device. The next chapter will show you how to do this.

This page also contains some general information about security of OpenWrt and what you should do in general, to keep your router in a properly secured state.

Setting the root password

Set the root password using web interface.

  1. Navigate to LuCI → System → Administration → Router Password.
  2. Enter the new password in the Router Password section.
  3. Click Save & Apply a the bottom of the page.

You can also set the root password using command-line interface. 

passwd

Securing TTY and serial console

Enable password prompt for TTY and serial console. 

uci set system.@system[0].ttylogin="1"
uci commit system
service system restart

Authentication for OpenWrt TTY and serial console is disabled by default. Using TTY and serial console requires physical access to the device. You can reduce the attack surface by enabling authentication.

Note that hardware attacks on serial console pins are also possible. However, it requires physical access, time and skills.

Disabling Linux single user mode

Single user mode is available through GRUB and allows to boot without password. An attacker is then able to change root password and reboot. A solution would be to lock-down OpenWrt booloader process, to make sure that booting in Linux single user mode is impossible. This has to be discussed and this is not yet documented.

I am an expert, show me some extra hardening...

If you have 8MB flash or more and share your home network with other people, it is good practice to activate HTTPS for your LuCI web interface.

If you don't ever use your LuCI web interface at all, you can disable the uHTTPd webserver.

My OpenWrt web interface page is always open in the background for ease of access...

...and that is a very bad idea.

Treat your root account with some sane respect.

Do what every major company does with the root accounts of their Linux servers:

  • Stay away from admin access (SSH and web interface), when you don't need it
  • Close/Log off your root admin sessions once your are done administrating (not 8h later)
  • Only connect as root, when really in the need for administration
  • Don't share your root password with others
  • Don't share your root password with others, even if they promise some hot skateboarding penguins pictures in return

I don't need to set a root password, when I am the only user. Right?....

Congratulations that you do not have to share precious bandwidth with others, but you still need to set a root password.

Any web site you call from a browser in your home network (e.g. those that promise hot skateboarding penguins pictures) could easily use so called cross-site request forgery to access web interface of your OpenWrt device, without you noticing it and then do evil things there.

If no root password is set, such malicious sites could manipulate your OpenWrt device in a way that you won't like. So just go and set a password on your root account now.

Let's just open this one single port for incoming traffic, what could possibly go wrong?...

Handle firewall rules with care:

  • Do not expose services on the WAN Internet port, if you do not understand the security implications. Automatic scanners of evil fources and script kids will find any open port on your WAN side sometimes within minutes and will then run extensive intrusion software suits on such open ports, probing a lot of attack vectors without any manual effort. The Internet is permanently being scanned for careless people.
  • if you want to access home services while being on the road, consider using a WireGuard VPN instead of opening service-related ports publically on the WAN side.
  • Unfortunately a lot of online games have lots of “recommended settings” to permanently open various port ranges for best gaming experience. Before blindly following these practices, check first, if any server connection problems are due to a double NAT situation of cascaded routers at your home.
  • Always use reasonable comments, when you add your own customized firewall rules (e.g. “...that's the rule that a random nice guy on the Internet asked me to add, promising me some really hot skateboarding penguins pictures in return...”)

If you have already performed various firewall changes on your OpenWrt device and now lost overview of your custom rules, you can always reset all your OpenWrt settings back to the to the initial default (see trouble shooting section).

So I've switched from insecure vendor firmware to OpenWrt. Finally, I am safe forever...

Not so fast...

Did you notice that even OpenWrt firmware gets updated from time to time?

As with your former vendor firmware, you should check regularly, whether OpenWrt has released new firmware and apply these updates to your device. There is even a configuration backup and restore feature, such that you do not have to start from scratch after each update.

I have custom packages installed...

As with the firmware you should also keep an eye on the custom packages you install. There are several hundreds of optional packages. Not all security problems of those packages get addressed by OpenWrt system upgrades, but instead require you to manually upgrade the packages as well.

If you are using custom packages, you should run a opkg update; opkg list-upgradable from time to time. This shows your installed packages that have available updates. You then install package upgrades manually by running opkg upgrade <package>. Note that not every listed package upgrade is due to security issues, it can also be a harmless bug fix or feature extension.

An update will continue to use your existing service configuration, but for critical OpenWrt environments, a manual config backup never hurts as safety precaution before upgrading packages...

Note: OpenWrt uses a read-only root file system plus a differential extension partition for all package installs and upgrades. When wanting to maximize usage of your precious flash space, it tends to be a better approach, to applying up-to-date OpenWrt firmware and then reinstall your packages instead of only upgrading packages, when expecting larger volumes of upgrades.

Blindly upgrading packages (manually or via script) can lead you into all sorts of trouble.

Just because there is an updated version of a given package does not mean it should be installed or that it will function properly. Ensure yourself before doing upgrade that it would be safe. Almost for sure avoid upgrading core packages.

There are two ways to manage and install packages in OpenWrt: with the LuCI web interface (System > Software), and via the command line interface (CLI). Both methods invoke the same opkg comand. As of OpenWrt 19.07.0, the LuCI interface now has an 'Updates' tab with a listing of packages that have available upgrades. The LuCI Upgrade... button performs the same opkg upgrade command that is discussed in this article. The same warnings apply to upgrading packages using LuCI and the CLI.

Generally speaking, the use of opkg upgrade is very highly discouraged. It should be avoided in almost all circumstances. In particular, bulk upgrading is very likely to result in major problems, but even upgrading individual packages may cause issues. It is also important to stress that this is distinctly different from the sysupgrade path for upgrading OpenWrt releases (major versions as well as maintenance upgrades). opkg upgrade will not update the OpenWrt version. Only sysupgrade can do that. The two are not equivalent.

Unlike the “big distros” of Linux, OpenWrt is optimized to run on systems with limited resources. This includes the opkg package manager, which does not have built-in ABI (Application Binary Interface) compatibility and kernel version dependencies verification. Although sometimes there may be no issues, there is no guarantee and the upgrade can result in various types of incompatibilities that can range from minor to severe, and it may be very difficult to troubleshoot. In addition, the opkg upgrade process will consume flash storage space. Since it does not (and cannot) overwrite the original (stored in ROM), it must store the upgraded packages in the r/w overlay.

In the vast majority of cases, any security patches of significant importance/risk will be rapidly released in an official stable maintenance release to be upgraded using the sysupgrade system. This is the recommended method for keeping up-to-date.

Those looking to be on the bleeding edge can consider using the snapshot releases, but should be mindful of the differences between stable and snapshot. Or, alternatively, build a custom image with the desired updated packages included in that image. The remaining users who still want to use opkg upgrade should only do so with selected individual packages (do not bulk update, and do not blindly update) and they should be aware that problems may occur that could necessitate a complete reset-to-defaults to resolve.

If you're already having issues, or wish to “undo” the upgraded packages: create a backup (optional; can be restored after the reset is complete) and then perform a reset to defaults (firstboot).

If you do choose to upgrade packages, especially with a script, you have been warned. Don't complain on the forum, and be ready to deal with the consequences, troubleshooting, and resolution yourself.

See also

A word about high-value weak points on OpenWrt

OpenWrt devices have 2-4 common services running, which kind of mark high-value targets for malware (even when only available in your LAN-zone): Any harmless looking web site, you have visited in your browser, could use cross site request forgery tricks, abusing an unpatched security flaw in one of these services. This could lead to malicious malware redirect attacks where website redirects to a malware site and so on.

These high-value services in particular are:

  • The webserver running LuCI (based on Lua) for OpenWrt web interface access
  • The dropbear SSH server for OpenWrt command-line admin access
  • The SFTP deamon for GUI file explorer admin access (only if manually activated, it's not there by default)
  • Samba SMB share to provide user network file shares (only if manually activated, it's not there by default)

It is up to your personal responsibility, to counter such weak points on your OpenWrt device(s):

  • Set a root password
  • Keep your OpenWrt firmware up to date
  • When you have Samba and/or SFTP activated manually: check regularly, if there are package upgrade available for Samba and SFTP and apply those upgrades
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/01/21 19:48
  • by spectredev