Differences
This shows you the differences between two versions of the page.
| docs:guide-user:security:secure.access [2023/09/15 04:31] – [Create a non-privileged user in OpenWrt] vgaetera | docs:guide-user:security:secure.access [2023/09/15 16:33] – [Elevating privileges with sudo] split vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Secure your router's access | + | ====== Secure |
| There are some possibilities to grant access to the router (or to any PC/Server): | There are some possibilities to grant access to the router (or to any PC/Server): | ||
| - ask for nothing: anybody who can establish a connection gets access | - ask for nothing: anybody who can establish a connection gets access | ||
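Review bot: the page title on the `+` side of this hunk is reduced to `====== Secure`, where the `-` side read `====== Secure your router's access`, so the heading no longer names its subject; confirm the saved heading is complete and that inbound links to this page's section anchors still resolve after the rename.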
| Line 42: | Line 42: | ||
| - Dependent on you situation you may want to employ an [[wp> | - Dependent on you situation you may want to employ an [[wp> | ||
| - | ===== Create a non-privileged user in OpenWrt ===== | + | ===== Protecting web interface |
| - | Create an unprivileged user called test and set him a password: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | opkg update | + | |
| - | opkg install shadow-useradd | + | |
| - | useradd -m -s /bin/ash test | + | |
| - | passwd test | + | |
| - | </ | + | |
| - | + | ||
| - | Or add the user by hand using a unique UID and GID: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | vi / | + | |
| - | vi / | + | |
| - | vi / | + | |
| - | mkdir -p / | + | |
| - | chown test:test / | + | |
| - | passwd test | + | |
| - | </ | + | |
| - | + | ||
| - | The resulting configs should look like this: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | > grep -e test /etc/passwd /etc/group / | + | |
| - | / | + | |
| - | / | + | |
| - | / | + | |
| - | </ | + | |
| - | + | ||
| - | ==== Allow temporary privileged access using sudo ==== | + | |
| - | First, you should install '' | + | |
| - | < | + | |
| - | opkg install sudo | + | |
| - | </ | + | |
| - | Additionally, | + | |
| - | Now you can follow **ONE** of the methods below to choose how the user should be able to run commands as '' | + | |
| - | + | ||
| - | === Method 1: ' | + | |
| - | In this method any user can temporarily run commands as root only if they know the root password. | + | |
| - | This way when the user runs a command with '' | + | |
| - | + | ||
| - | For enabling this method you should open the file '''/ | + | |
| - | < | + | |
| - | visudo | + | |
| - | </ | + | |
| - | Then uncomment the 2 lines below in that file and then save | + | |
| - | < | + | |
| - | ## Uncomment to allow any user to run sudo if they know the password | + | |
| - | ## of the user they are running the command as (root by default). | + | |
| - | Defaults targetpw | + | |
| - | ALL ALL=(ALL) ALL # WARNING: only use this together with ' | + | |
| - | </ | + | |
| - | This method is more secure because you don't need to protect both root and privileged (sudoer) users to keep the whole system safe. | + | |
| - | + | ||
| - | One usecase can be allowing remote ssh with password from WAN: For more security (still less than RSA key) you can only allow users other than root to ssh with their password (optionally on a custom port) from WAN. | + | |
| - | And for even more security you can request root's password after running '' | + | |
| - | Therefor in this scenario a hacker should find 3 different strings **user' | + | |
| - | Even if the user's account get compromised, | + | |
| - | + | ||
| - | === Method 2: ' | + | |
| - | In this method, after logging in by the desired user, when you enter '' | + | |
| - | The end result is similar to how you use '' | + | |
| - | + | ||
| - | For enabling this method you should also enter the command | + | |
| - | < | + | |
| - | visudo | + | |
| - | </ | + | |
| - | And then add a line allowing your user, under comment "## User privilege specification": | + | |
| - | < | + | |
| - | ## | + | |
| - | ## User privilege specification | + | |
| - | ## | + | |
| - | root ALL=(ALL) ALL | + | |
| - | nicolaus ALL=(ALL) ALL | + | |
| - | </ | + | |
| - | + | ||
| - | === Method 3: ' | + | |
| - | This method is very similar to Method 2, except that it allows any member of group ' | + | |
| - | This method is exactly the same one used in Ubuntu and other popular Linux distros to allow ''' | + | |
| - | + | ||
| - | For activating this method first you should allow group ' | + | |
| - | + | ||
| - | < | + | |
| - | visudo | + | |
| - | </ | + | |
| - | + | ||
| - | And then uncomment the line below: | + | |
| - | + | ||
| - | < | + | |
| - | ## Uncomment to allow members of group sudo to execute any command | + | |
| - | %sudo ALL=(ALL) ALL | + | |
| - | </ | + | |
| - | + | ||
| - | Second you should create group ' | + | |
| - | You can do it by manually editing '''/ | + | |
| - | + | ||
| - | < | + | |
| - | opkg install shadow-groupadd | + | |
| - | groupadd --system sudo | + | |
| - | </ | + | |
| - | + | ||
| - | And finally add your current user to the group ' | + | |
| - | You can directly append your user to '''/ | + | |
| - | + | ||
| - | < | + | |
| - | opkg install shadow-usermod | + | |
| - | usermod -a -G sudo nicolaus | + | |
| - | </ | + | |
| - | + | ||
| - | This method is more convenient because you can simply allow '' | + | |
| - | + | ||
| - | === ppp === | + | |
| - | If you are using ppp in the default configuration with username and password in ''/ | + | |
| - | To prevent that, you can add "'' | + | |
| - | + | ||
| - | Of course ''/ | + | |
| - | < | + | |
| - | chmod go-rw / | + | |
| - | </ | + | |
| - | + | ||
| - | ===== LuCI ===== | + | |
| For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. | For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. | ||
| If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either | If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either | ||
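Review bot: the whole "Create a non-privileged user in OpenWrt" section, including the three sudo methods and the `ppp` subsection, is removed here while the `+` side adds only the heading `===== Protecting web interface`; since the revision summary says the sudo material was split out, the new section should carry a link to the page it moved to, otherwise a reader who arrives at the LuCI and SSH guidance below has no way to reach the sudo instructions. The removed `chmod go-rw` advice from the `ppp` subsection is re-added later in this revision under "Protecting PPP credentials", so that part of the removal is accounted for; the user-creation and `visudo` steps are not, so the link is the missing piece.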
| Line 183: | Line 62: | ||
| If you require remote SSH access, follow the hardening instructions on SSH mentioned above. | If you require remote SSH access, follow the hardening instructions on SSH mentioned above. | ||
| + | |||
| + | ===== Protecting PPP credentials ===== | ||
| + | When using PPP, protect its credentials from unprivileged users. | ||
| + | |||
| + | <code bash> | ||
| + | PPP_IF=" | ||
| + | PPP_USER=" | ||
| + | PPP_PASS=" | ||
| + | cat << EOF >> / | ||
| + | user ${PPP_USER} | ||
| + | EOF | ||
| + | cat << EOF >> / | ||
| + | ${PPP_USER} * ${PPP_PASS} | ||
| + | EOF | ||
| + | cat << EOF >> / | ||
| + | ${PPP_USER} * ${PPP_PASS} | ||
| + | EOF | ||
| + | chmod go-rw / | ||
| + | uci -q delete network.${PPP_IF}.username | ||
| + | uci -q delete network.${PPP_IF}.password | ||
| + | uci commit network | ||
| + | / | ||
| + | </ | ||
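Review bot: the `chmod go-rw` line runs only after the three `cat << EOF >>` appends have already written `${PPP_USER} * ${PPP_PASS}` into the secrets files, so if either file does not exist yet it is created with the shell's default umask and the password is briefly world-readable; add `umask 077` before the first `cat` (or create the files with restrictive permissions before appending) so the window never opens. The ordering of the `uci -q delete network.${PPP_IF}.username` / `.password` lines after the secrets are written is correct, since the credentials are never absent from both places at once, and the `uci commit network` plus restart at the end complete the move.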