Differences
This shows you the differences between two versions of the page.
| docs:guide-user:security:secure.access [2020/09/23 17:54] – update links vgaetera | docs:guide-user:security:secure.access [2023/09/15 16:33] – [Elevating privileges with sudo] split vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Secure your router's access | + | ====== Secure |
| There are some possibilities to grant access to the router (or to any PC/Server): | There are some possibilities to grant access to the router (or to any PC/Server): | ||
| - ask for nothing: anybody who can establish a connection gets access | - ask for nothing: anybody who can establish a connection gets access | ||
| Line 6: | Line 6: | ||
| - ask for username and merely a **'' | - ask for username and merely a **'' | ||
| - | If you ask for username/ | + | If you ask for username/ |
| + | If you use an unencrypted connection, | ||
| - | If you use an encrypted connection, any eavesdropper would have to decrypt the packets first. This is always possible. How long it takes to decrypt the content, depends on the algorithm and key length you used. | + | If you use an encrypted connection, any eavesdropper would have to decrypt the packets first. |
| - | + | This is always possible. | |
| - | Also, as long as an attacker has network access to the console, he can always run a brute-force attack to find out username and password. He does not have to do that himself: he can let his computer(s) do the guessing. To render this option improbable or even impossible you can: | + | How long it takes to decrypt the content, depends on the algorithm and key length you used. |
| + | Also, as long as an attacker has network access to the console, they can always run a brute-force attack to find out your username and password. | ||
| + | They does not have to do that themself: they can let their computer(s) do the guessing. | ||
| + | To render this option improbable or even impossible you can: | ||
| - not offer access from the Internet at all, or restrict it to certain IP addresses or IP address ranges | - not offer access from the Internet at all, or restrict it to certain IP addresses or IP address ranges | ||
| - | - by letting the SSH server [[docs: | + | - by letting the SSH server [[docs: |
| - by blocking incoming connections to those ports (TCP 22, 80 and 443 by default) in your firewall | - by blocking incoming connections to those ports (TCP 22, 80 and 443 by default) in your firewall | ||
| - make it more difficult to guess: | - make it more difficult to guess: | ||
| - don't use the username '' | - don't use the username '' | ||
| - don't use a weak password with 8 or less characters | - don't use a weak password with 8 or less characters | ||
| - | - don't let the SSH server | + | - don't let the SSH server |
| - use the combination of | - use the combination of | ||
| + | - set up [[docs: | ||
| - username different than '' | - username different than '' | ||
| - | - tell '' | + | - tell Dropbear |
| - | - public key authentication. Your public keys can be specified in Administation -> System -> SSH-keys. The [[docs: | + | |
| - | {{ : | + | |
| - | + | ||
| - | ===== System Hardening ===== | + | |
| + | ===== System hardening ===== | ||
| If you have an external disk you may want to [[docs: | If you have an external disk you may want to [[docs: | ||
| ===== Network hardening ===== | ===== Network hardening ===== | ||
| - | - [[https:// | + | - [[https:// |
| * See detailed instructions at: [[docs: | * See detailed instructions at: [[docs: | ||
| - [[http:// | - [[http:// | ||
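Review bot: the switch from "he" to "they" in the brute-force paragraph leaves a grammar error in the new wording: "They does not have to do that themself" should read "They do not have to do that themselves". Separately, this hunk removes the "public key authentication" bullet (old side only, with its pointer to the SSH-keys page in the LuCI System menu) and adds a new "set up" list item in its place; if the new item is meant to replace it, it should still tell the reader where in LuCI the public key is entered, otherwise the list now mentions key-based login without saying how to enable it.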
| Line 40: | Line 42: | ||
| - Dependent on you situation you may want to employ an [[wp> | - Dependent on you situation you may want to employ an [[wp> | ||
| - | ===== Create a non-privileged user in OpenWrt | + | ===== Protecting web interface |
| - | Example that adds a user called nicolaus: | + | For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. |
| - | < | + | If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either |
| - | opkg update | + | * [[docs: |
| - | opkg install shadow-useradd | + | * Follow [[docs: |
| - | useradd nicolaus | + | - While luci-ssl automatically installs px5g that can be utilized, you can also use openssl to generate your own certificate authority and certs, then use that certificate authority to sign the certificate you use for uhttpd. Certificates can also be named or placed in whatever directory you wish by editing |
| - | </ | + | - Optionally instruct the server to not listen on plain HTTP anymore: |
| - | Or add the user by hand (Take care that **uid/gid** (e.g.=1000) are not already in use!) | + | uci commit uhttpd |
| - | < | + | /etc/init.d/uhttpd restart |
| - | / | + | </ |
| - | /etc/group: GROUP: | + | uci set uhttpd.main.listen_http=" |
| - | /etc/shadow: USER: | + | uci set uhttpd.main.listen_https=" |
| - | passwd USER | + | uci set uhttpd.main.redirect_https=" |
| - | </ | + | uci commit |
| - | However, you can't ssh to this user yet. To enable ssh access, you should make a password for that user, create his home folder and most importantly | + | /etc/init.d/uhttpd restart |
| - | < | + | |
| - | passwd nicolaus | + | |
| - | mkdir /home | + | |
| - | mkdir / | + | |
| - | chown nicolaus / | + | |
| - | vi /etc/passwd | + | |
| - | | + | |
| </ | </ | ||
| - | ==== Allow temporary privileged access using sudo ==== | + | Can mandatory client certificate checking be set up with uhttpd? -> [[http://lists.infradead.org/pipermail/ |
| - | First, you should install '' | + | |
| - | <code> | + | |
| - | opkg install sudo | + | |
| - | </code> | + | |
| - | Additionally, | + | |
| - | === Method 1: ' | + | If you require remote SSH access, follow |
| - | In this method any user can temporarily run commands as root only if he knows the root password. This way when the user runs a command with '' | + | |
| - | For enabling this method you should open the file '''/ | + | ===== Protecting PPP credentials ===== |
| - | < | + | When using PPP, protect |
| - | visudo | + | |
| - | </ | + | |
| - | Then uncomment the 2 lines below in that file and then save | + | |
| - | < | + | |
| - | ## Uncomment to allow any user to run sudo if they know the password | + | |
| - | ## of the user they are running the command as (root by default). | + | |
| - | Defaults targetpw | + | |
| - | ALL ALL=(ALL) ALL # WARNING: only use this together with ' | + | |
| - | </ | + | |
| - | This method is more secure because you don't need to protect | + | |
| - | One usecase can be allowing remote ssh with password from WAN: For more security | + | <code bash> |
| - | + | PPP_IF=" | |
| - | === Method 2: ' | + | PPP_USER=" |
| - | In this method, after logging in by the desired user, when you enter '' | + | PPP_PASS=" |
| - | + | cat << EOF >> / | |
| - | For enabling this method you should also enter the command | + | user ${PPP_USER} |
| - | <code> | + | EOF |
| - | visudo | + | cat << EOF >> / |
| - | </code> | + | ${PPP_USER} * ${PPP_PASS} |
| - | And then add a line allowing your user, under comment "## User privilege specification": | + | EOF |
| - | < | + | cat << EOF >> / |
| - | ## | + | ${PPP_USER} * ${PPP_PASS} |
| - | ## User privilege specification | + | EOF |
| - | ## | + | chmod go-rw / |
| - | root ALL=(ALL) ALL | + | uci -q delete network.${PPP_IF}.username |
| - | nicolaus ALL=(ALL) ALL | + | uci -q delete network.${PPP_IF}.password |
| + | uci commit network | ||
| + | / | ||
| </ | </ | ||
| - | === Method 3: ' | ||
| - | This method is very similar to Method 2, except that it allows any member of group ' | ||
| - | |||
| - | For activating this method first you should allow group ' | ||
| - | |||
| - | < | ||
| - | visudo | ||
| - | </ | ||
| - | |||
| - | And then uncomment the line below: | ||
| - | |||
| - | < | ||
| - | ## Uncomment to allow members of group sudo to execute any command | ||
| - | %sudo ALL=(ALL) ALL | ||
| - | </ | ||
| - | |||
| - | Second you should create group ' | ||
| - | |||
| - | < | ||
| - | opkg install shadow-groupadd | ||
| - | groupadd --system sudo | ||
| - | </ | ||
| - | |||
| - | And finally add your current user to the group ' | ||
| - | |||
| - | < | ||
| - | opkg install shadow-usermod | ||
| - | usermod -a -G sudo nicolaus | ||
| - | </ | ||
| - | |||
| - | This method is more convenient because you can simply allow '' | ||
| - | |||
| - | === ppp === | ||
| - | If you are using ppp in the default configuration with username and password in ''/ | ||
| - | |||
| - | Of course ''/ | ||
| - | < | ||
| - | chmod go-rw / | ||
| - | </ | ||
| - | |||
| - | ===== WebUI ===== | ||
| - | |||
| - | For [[docs: | ||
| - | * [[docs: | ||
| - | * Set up SSL protected access with uhttpd using the following steps (verified with 15.05) | ||
| - | - Install cert generator and web server TLS plugin:\\ < | ||
| - | - //While luci-ssl automatically installs px5g that can be utilized, you can also use openssl to generate your own certificate authority and certs, then use that certificate authority to sign the certificate you use for uhttpd. | ||
| - | - Note that uhttpd-mod-tls is not needed after r35295 in Jan2013. But you need a ustream-ssl wrapper library on top of the actual SSL library (polarssl, mbedtls, cyassl, openssl). Luci-ssl includes by default libustream-mbedtls (since Dec2016). | ||
| - | - Optionally instruct the server to not listen on plain HTTP anymore:\\ < | ||
| - | **OR** Rebind to LAN only and redirect all http requests to https: | ||
| - | - < | ||
| - | uci set uhttpd.main.listen_http=192.168.1.1: | ||
| - | uci set uhttpd.main.listen_https=' | ||
| - | uci set uhttpd.main.redirect_https=' | ||
| - | uci commit | ||
| - | </ | ||
| - | - Restart the web server to trigger certificate generation: | ||
| - | - Optionally remove the key generator: | ||
| - | * If you are running older software (8.x) see this [[https:// | ||
| - | |||
| - | Can mandatory client certificate checking be set up with uhttpd? -> [[http:// | ||
| - | |||
| - | If you require remote SSH access, follow the hardening instructions on SSH mentioned above. | ||
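Review bot: in the new "Protecting PPP credentials" block the secrets are appended with `cat << EOF >> ...` before the `chmod go-rw` line runs, so if a secrets file does not yet exist it is created with the default umask and is briefly readable by other local users; add `umask 077` at the top of the block, or create and chmod the files before appending to them. The assignments use double quotes (`PPP_PASS="..."`), so a password containing `$` or a backtick is expanded by the shell at assignment time; single quotes avoid that. Because every write is an append, running the block twice duplicates the `user` line and the secrets entries. Finally, the sudo and non-privileged-user sections deleted in this hunk (split out per the revision summary) leave no visible link to their new location; add one so readers of this page can still find them.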