Differences

This shows you the differences between two versions of the page.

docs:guide-user:security:secure.access [2023/09/15 04:32] – [Create a non-privileged user in OpenWrt] vgaetera
docs:guide-user:security:secure.access [2023/09/15 16:33] – [Elevating privileges with sudo] split vgaetera
Line 1: Line 1:
-====== Secure your router's access ======+====== Secure access to your router ======
 There are some possibilities to grant access to the router (or to any PC/Server): There are some possibilities to grant access to the router (or to any PC/Server):
   - ask for nothing: anybody who can establish a connection gets access   - ask for nothing: anybody who can establish a connection gets access
Line 42: Line 42:
   - Dependent on you situation you may want to employ an [[wp>Intrusion prevention system]] like [[wp>fail2ban]] or better yet implement your own one based on ''logtrigger''.   - Dependent on you situation you may want to employ an [[wp>Intrusion prevention system]] like [[wp>fail2ban]] or better yet implement your own one based on ''logtrigger''.
  
-===== Create a non-privileged user in OpenWrt ===== +===== Protecting web interface =====
-Create an unprivileged ''test'' user and set him a password: +
- +
-<code bash> +
-opkg update +
-opkg install shadow-useradd +
-useradd -m -s /bin/ash test +
-passwd test +
-</code> +
- +
-Or add the user by hand using a unique UID and GID: +
- +
-<code bash> +
-vi /etc/passwd +
-vi /etc/group +
-vi /etc/shadow +
-mkdir -p /home/test +
-chown test:test /home/test +
-passwd test +
-</code> +
- +
-The resulting configs should look like this: +
- +
-<code bash> +
-> grep -e test /etc/passwd /etc/group /etc/shadow +
-/etc/passwd:test:x:1000:1000::/home/test:/bin/ash +
-/etc/group:test:!:1000: +
-/etc/shadow:test:$1$uPzGJ3jI$n7ld4E73SPsIx0QTXPMfu1:19615:0:99999:7::: +
-</code> +
- +
-==== Allow temporary privileged access using sudo ==== +
-First, you should install ''sudo'': +
-<code> +
-opkg install sudo +
-</code> +
-Additionally, you must allow your desired user by manipulating '''/etc/sudoers''' by tool ''visudo''+
-Now you can follow **ONE** of the methods below to choose how the user should be able to run commands as ''root'': +
- +
-=== Method 1: 'sudo'ing by any user with root password (more secure) === +
-In this method any user can temporarily run commands as root only if they know the root password. +
-This way when the user runs a command with ''sudo'' they should enter root's password instead of their own password. +
- +
-For enabling this method you should open the file '''/etc/sudoers''' by entering the command +
-<code> +
-visudo +
-</code> +
-Then uncomment the 2 lines below in that file and then save +
-<code> +
-## Uncomment to allow any user to run sudo if they know the password +
-## of the user they are running the command as (root by default). +
-Defaults targetpw  # Ask for the password of the target user +
-ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw' +
-</code> +
-This method is more secure because you don't need to protect both root and privileged (sudoer) users to keep the whole system safe. +
- +
-One usecase can be allowing remote ssh with password from WAN: For more security (still less than RSA key) you can only allow users other than root to ssh with their password (optionally on a custom port) from WAN. +
-And for even more security you can request root's password after running ''sudo''+
-Therefor in this scenario a hacker should find 3 different strings **user's username**, **user's password** and **root's password** to get full access to the system. +
-Even if the user's account get compromised, then the intruder still can't damage your system because they don't have root password yet. +
- +
-=== Method 2: 'sudo'ing with the user's password === +
-In this method, after logging in by the desired user, when you enter ''sudo'' you should enter the user's password again. +
-The end result is similar to how you use ''sudo'' in Ubuntu or other popular Linux disros, but this method doesn't utilize group 'sudo' for this purpose. +
- +
-For enabling this method you should also enter the command +
-<code> +
-visudo +
-</code> +
-And then add a line allowing your user, under comment "## User privilege specification": +
-<code> +
-## +
-## User privilege specification +
-## +
-root ALL=(ALL) ALL +
-nicolaus ALL=(ALL) ALL +
-</code> +
- +
-=== Method 3: 'sudo'ing with the user's password if they are member of group 'sudo' (needs installing some packages) === +
-This method is very similar to Method 2, except that it allows any member of group 'sudo' to use ''sudo'' with their own password. +
-This method is exactly the same one used in Ubuntu and other popular Linux distros to allow '''sudo''' access for a user. +
- +
-For activating this method first you should allow group 'sudo' to use command ''sudo'' by entering +
- +
-<code> +
-visudo +
-</code> +
- +
-And then uncomment the line below: +
- +
-<code> +
-## Uncomment to allow members of group sudo to execute any command +
-%sudo ALL=(ALL) ALL  +
-</code> +
- +
-Second you should create group 'sudo'+
-You can do it by manually editing '''/etc/group''' but it's more standard to install and use tools for this purpose: +
- +
-<code> +
-opkg install shadow-groupadd +
-groupadd --system sudo +
-</code> +
- +
-And finally add your current user to the group 'sudo'+
-You can directly append your user to '''/etc/group''' but again it's better to use ''usermod'': +
- +
-<code> +
-opkg install shadow-usermod +
-usermod -a -G sudo nicolaus +
-</code> +
- +
-This method is more convenient because you can simply allow ''sudo'' access for any user you want, just by //''usermod -a -G sudo <USER>''// but takes more space (for installing new packages) than method 2 which may be more suitable for systems with very limited space. +
- +
-=== ppp === +
-If you are using ppp in the default configuration with username and password in ''/etc/config/network'', then the unprivileged user can read it from pppd's command line (with e.g. ''ps w''). +
-To prevent that, you can add "''user <username>''" to ''/etc/ppp/options'' and "''<username> * <password>''" to ''/etc/ppp/{chap|pap}-secrets'' and then remove the username / password options from uci configuration. +
- +
-Of course ''/etc/ppp/{chap|pap}-secrets'' should not be world readable: +
-<code> +
-chmod go-rw /etc/ppp/chap-secrets +
-</code> +
- +
-===== LuCI =====+
 For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol.
 If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either
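Review bot: the deletion of everything from `===== Create a non-privileged user in OpenWrt =====` through the `=== ppp ===` subsection leaves no pointer to where that material went; the revision summary says the sudo part was "split", so add a link to the new page (for example as a final item of the SSH hardening list that ends with the `logtrigger` bullet) so readers of this page can still find the unprivileged-user and sudo guidance. Retitling `===== LuCI =====` to `===== Protecting web interface =====` is fine and matches the heading style of the new PPP section; while you are at it, the unchanged context line "Dependent on you situation" should read "your situation".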
Line 183: Line 62:
  
 If you require remote SSH access, follow the hardening instructions on SSH mentioned above. If you require remote SSH access, follow the hardening instructions on SSH mentioned above.
 +
 +===== Protecting PPP credentials =====
 +When using PPP, protect its credentials from unprivileged users.
 +
 +<code bash>
 +PPP_IF="wan"
 +PPP_USER="$(uci -q get network.${PPP_IF}.username)"
 +PPP_PASS="$(uci -q get network.${PPP_IF}.password)"
 +cat << EOF >> /etc/ppp/options
 +user ${PPP_USER}
 +EOF
 +cat << EOF >> /etc/ppp/chap-secrets
 +${PPP_USER} * ${PPP_PASS}
 +EOF
 +cat << EOF >> /etc/ppp/pap-secrets
 +${PPP_USER} * ${PPP_PASS}
 +EOF
 +chmod go-rw /etc/ppp/*-secrets
 +uci -q delete network.${PPP_IF}.username
 +uci -q delete network.${PPP_IF}.password
 +uci commit network
 +/etc/init.d/network restart
 +</code>
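Review bot: the script appends to /etc/ppp/options and to both secrets files without checking that `uci -q get` returned anything, so running it on an interface that has no username (or running it a second time) writes an empty or duplicate `user ${PPP_USER}` line and an empty `* ` secret; guard with `[ -n "$PPP_USER" ] || exit 1` after the two `uci -q get` lines and skip entries that already exist. The `chmod go-rw /etc/ppp/*-secrets` runs after the password has already been written, so a secrets file created by the `>>` redirection carries the default umask permissions until that point; set `umask 077` at the top of the script (or touch and `chmod 600` the files before the heredocs) so the password is never world-readable, and prefer `chmod 600` over `go-rw`, which leaves the execute bits alone. The secrets lines should also quote their fields, `"${PPP_USER}" * "${PPP_PASS}"`, because pppd accepts double-quoted fields in pap-secrets and chap-secrets and an unquoted password containing a space or `#` is parsed wrongly. Finally, the one-line intro drops the rationale the removed `=== ppp ===` subsection gave; keep a sentence stating that with the username and password in /etc/config/network they appear on pppd's command line and can be read by any local user with `ps w`, since that is what justifies the move to the secrets files.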
  
  • Last modified: 2023/09/15 17:59
  • by vgaetera