Differences
This shows you the differences between two versions of the page.
| docs:guide-user:security:secure.access [2020/10/04 00:35] – [LuCI] redundant link vgaetera | docs:guide-user:security:secure.access [2023/09/15 16:33] – [Elevating privileges with sudo] split vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Secure your router's access | + | ====== Secure |
| There are some possibilities to grant access to the router (or to any PC/Server): | There are some possibilities to grant access to the router (or to any PC/Server): | ||
| - ask for nothing: anybody who can establish a connection gets access | - ask for nothing: anybody who can establish a connection gets access | ||
| Line 7: | Line 7: | ||
| If you ask for username/ | If you ask for username/ | ||
| - | If you use an unencrypted connection, | + | If you use an unencrypted connection, |
| If you use an encrypted connection, any eavesdropper would have to decrypt the packets first. | If you use an encrypted connection, any eavesdropper would have to decrypt the packets first. | ||
| Line 13: | Line 13: | ||
| How long it takes to decrypt the content, depends on the algorithm and key length you used. | How long it takes to decrypt the content, depends on the algorithm and key length you used. | ||
| - | Also, as long as an attacker has network access to the console, | + | Also, as long as an attacker has network access to the console, |
| - | He does not have to do that himself: he can let his computer(s) do the guessing. | + | They does not have to do that themself: they can let their computer(s) do the guessing. |
| To render this option improbable or even impossible you can: | To render this option improbable or even impossible you can: | ||
| - not offer access from the Internet at all, or restrict it to certain IP addresses or IP address ranges | - not offer access from the Internet at all, or restrict it to certain IP addresses or IP address ranges | ||
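Review bot: the pronoun rewrite on the "They does not have to do that themself" line introduces a subject-verb disagreement and a nonstandard reflexive; suggest "They do not have to do that themselves: they can let their computer(s) do the guessing."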
| Line 42: | Line 42: | ||
| - Dependent on you situation you may want to employ an [[wp> | - Dependent on you situation you may want to employ an [[wp> | ||
| - | ===== Create a non-privileged user in OpenWrt ===== | + | ===== Protecting web interface |
| - | Example that adds a user called nicolaus: | + | |
| - | < | + | |
| - | opkg update | + | |
| - | opkg install shadow-useradd | + | |
| - | useradd nicolaus | + | |
| - | </ | + | |
| - | Or add the user by hand (Take care that **uid/gid** (e.g.=1000) are not already in use!) | + | |
| - | < | + | |
| - | / | + | |
| - | /etc/group: GROUP: | + | |
| - | / | + | |
| - | passwd USER | + | |
| - | </ | + | |
| - | However, you can't ssh to this user yet. | + | |
| - | To enable ssh access, you should make a password for that user, create his home folder and most importantly **indicate the shell** of that user: | + | |
| - | < | + | |
| - | passwd nicolaus | + | |
| - | mkdir /home | + | |
| - | mkdir / | + | |
| - | chown nicolaus / | + | |
| - | vi / | + | |
| - | | + | |
| - | </ | + | |
| - | + | ||
| - | ==== Allow temporary privileged access using sudo ==== | + | |
| - | First, you should install '' | + | |
| - | < | + | |
| - | opkg install sudo | + | |
| - | </ | + | |
| - | Additionally, | + | |
| - | Now you can follow **ONE** of the methods below to choose how the user should be able to run commands as '' | + | |
| - | + | ||
| - | === Method 1: ' | + | |
| - | In this method any user can temporarily run commands as root only if he knows the root password. | + | |
| - | This way when the user runs a command with '' | + | |
| - | + | ||
| - | For enabling this method you should open the file '''/ | + | |
| - | < | + | |
| - | visudo | + | |
| - | </ | + | |
| - | Then uncomment the 2 lines below in that file and then save | + | |
| - | < | + | |
| - | ## Uncomment to allow any user to run sudo if they know the password | + | |
| - | ## of the user they are running the command as (root by default). | + | |
| - | Defaults targetpw | + | |
| - | ALL ALL=(ALL) ALL # WARNING: only use this together with ' | + | |
| - | </ | + | |
| - | This method is more secure because you don't need to protect both root and privileged (sudoer) users to keep the whole system safe. | + | |
| - | + | ||
| - | One usecase can be allowing remote ssh with password from WAN: For more security (still less than RSA key) you can only allow users other than root to ssh with their password (optionally on a custom port) from WAN. | + | |
| - | And for even more security you can request root's password after running '' | + | |
| - | Therefor in this scenario a hacker should find 3 different strings **user' | + | |
| - | Even if the user's account get compromised, | + | |
| - | + | ||
| - | === Method 2: ' | + | |
| - | In this method, after logging in by the desired user, when you enter '' | + | |
| - | The end result is similar to how you use '' | + | |
| - | + | ||
| - | For enabling this method you should also enter the command | + | |
| - | < | + | |
| - | visudo | + | |
| - | </ | + | |
| - | And then add a line allowing your user, under comment "## User privilege specification": | + | |
| - | < | + | |
| - | ## | + | |
| - | ## User privilege specification | + | |
| - | ## | + | |
| - | root ALL=(ALL) ALL | + | |
| - | nicolaus ALL=(ALL) ALL | + | |
| - | </ | + | |
| - | + | ||
| - | === Method 3: ' | + | |
| - | This method is very similar to Method 2, except that it allows any member of group ' | + | |
| - | This method is exactly the same one used in Ubuntu and other popular Linux distros to allow ''' | + | |
| - | + | ||
| - | For activating this method first you should allow group ' | + | |
| - | + | ||
| - | < | + | |
| - | visudo | + | |
| - | </ | + | |
| - | + | ||
| - | And then uncomment the line below: | + | |
| - | + | ||
| - | < | + | |
| - | ## Uncomment to allow members of group sudo to execute any command | + | |
| - | %sudo ALL=(ALL) ALL | + | |
| - | </ | + | |
| - | + | ||
| - | Second you should create group ' | + | |
| - | You can do it by manually editing '''/ | + | |
| - | + | ||
| - | < | + | |
| - | opkg install shadow-groupadd | + | |
| - | groupadd --system sudo | + | |
| - | </ | + | |
| - | + | ||
| - | And finally add your current user to the group ' | + | |
| - | You can directly append your user to '''/ | + | |
| - | + | ||
| - | < | + | |
| - | opkg install shadow-usermod | + | |
| - | usermod -a -G sudo nicolaus | + | |
| - | </ | + | |
| - | + | ||
| - | This method is more convenient because you can simply allow '' | + | |
| - | + | ||
| - | === ppp === | + | |
| - | If you are using ppp in the default configuration with username and password in ''/ | + | |
| - | To prevent that, you can add "'' | + | |
| - | + | ||
| - | Of course ''/ | + | |
| - | < | + | |
| - | chmod go-rw / | + | |
| - | </ | + | |
| - | + | ||
| - | ===== LuCI ===== | + | |
| For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. | For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. | ||
| If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either | If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either | ||
| * [[docs: | * [[docs: | ||
| - | * Set up SSL protected access | + | * Follow [[docs: |
| - | - Install cert generator and web server TLS plugin:\\ < | + | - While luci-ssl automatically installs px5g that can be utilized, you can also use openssl to generate your own certificate authority and certs, then use that certificate authority to sign the certificate you use for uhttpd. Certificates can also be named or placed in whatever directory you wish by editing **/ |
| - | - //While luci-ssl automatically installs px5g that can be utilized, you can also use openssl to generate your own certificate authority and certs, then use that certificate authority to sign the certificate you use for uhttpd. Certificates can also be named or placed in whatever directory you wish by editing **/ | + | - Optionally instruct the server to not listen on plain HTTP anymore:\\ < |
| - | - Note that uhttpd-mod-tls is not needed after r35295 in Jan2013. But you need a ustream-ssl wrapper library on top of the actual SSL library (polarssl, mbedtls, cyassl, openssl). Luci-ssl includes by default libustream-mbedtls (since Dec2016). | + | uci commit |
| - | - Optionally instruct the server to not listen on plain HTTP anymore:\\ < | + | / |
| - | **OR** Rebind to LAN only and redirect all http requests to https: | + | </ |
| - | - < | + | uci set uhttpd.main.listen_http="192.168.1.1: |
| - | uci set uhttpd.main.listen_http=192.168.1.1: | + | uci set uhttpd.main.listen_https="192.168.1.1: |
| - | uci set uhttpd.main.listen_https='192.168.1.1: | + | uci set uhttpd.main.redirect_https="1" |
| - | uci set uhttpd.main.redirect_https='1' | + | |
| uci commit | uci commit | ||
| + | / | ||
| </ | </ | ||
| - | - Restart the web server to trigger certificate generation: | ||
| - | - Optionally remove the key generator: | ||
| - | * If you are running older software (8.x) see this [[https:// | ||
| Can mandatory client certificate checking be set up with uhttpd? -> [[http:// | Can mandatory client certificate checking be set up with uhttpd? -> [[http:// | ||
| If you require remote SSH access, follow the hardening instructions on SSH mentioned above. | If you require remote SSH access, follow the hardening instructions on SSH mentioned above. | ||
| + | |||
| + | ===== Protecting PPP credentials ===== | ||
| + | When using PPP, protect its credentials from unprivileged users. | ||
| + | |||
| + | <code bash> | ||
| + | PPP_IF=" | ||
| + | PPP_USER=" | ||
| + | PPP_PASS=" | ||
| + | cat << EOF >> / | ||
| + | user ${PPP_USER} | ||
| + | EOF | ||
| + | cat << EOF >> / | ||
| + | ${PPP_USER} * ${PPP_PASS} | ||
| + | EOF | ||
| + | cat << EOF >> / | ||
| + | ${PPP_USER} * ${PPP_PASS} | ||
| + | EOF | ||
| + | chmod go-rw / | ||
| + | uci -q delete network.${PPP_IF}.username | ||
| + | uci -q delete network.${PPP_IF}.password | ||
| + | uci commit network | ||
| + | / | ||
| + | </ | ||
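Review bot: in the new "Protecting PPP credentials" block the three `cat << EOF >>` appends run before the `chmod go-rw` line, so any secrets file that does not already exist is created with the shell's default umask (normally world-readable) and holds the plaintext password until the chmod runs; suggest putting `umask 077` at the top of the block, or creating and chmod-ing the files before appending to them. The heredocs are unquoted, so `${PPP_PASS}` is subject to shell expansion and a password containing `$`, backquotes or backslashes will be written incorrectly; a one-line caveat next to `PPP_PASS=` would help. Separately, this hunk removes the whole "Create a non-privileged user in OpenWrt" and sudo material while the revision summary says it was split out to "Elevating privileges with sudo", but the visible new side contains no link to that page; add a cross-reference so readers of this hardening page can still find it. Drive-by: the unchanged context line "Dependent on you situation" should read "your situation".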