Differences

This shows you the differences between two versions of the page.


docs:guide-user:security:secure.access [2023/09/15 04:53] – simplify configuration, avoid duplicating manuals vgaetera
docs:guide-user:security:secure.access [2023/09/15 16:33] – [Elevating privileges with sudo] split vgaetera
Line 1: Line 1:
-====== Secure your router's access ======+====== Secure access to your router ======
 There are some possibilities to grant access to the router (or to any PC/Server): There are some possibilities to grant access to the router (or to any PC/Server):
   - ask for nothing: anybody who can establish a connection gets access   - ask for nothing: anybody who can establish a connection gets access
Line 42: Line 42:
   - Dependent on you situation you may want to employ an [[wp>Intrusion prevention system]] like [[wp>fail2ban]] or better yet implement your own one based on ''logtrigger''.   - Dependent on you situation you may want to employ an [[wp>Intrusion prevention system]] like [[wp>fail2ban]] or better yet implement your own one based on ''logtrigger''.
  
-===== Creating a user ===== +===== Protecting web interface =====
-Create an unprivileged test user and set him a password: +
- +
-<code bash> +
-# Install packages +
-opkg update +
-opkg install shadow-useradd +
- +
-# Create a user +
-useradd -m -s /bin/ash test +
- +
-# Set user password +
-passwd test +
-</code> +
- +
-Or add the user by hand using a unique UID and GID: +
- +
-<code bash> +
-# Edit configs +
-vi /etc/passwd +
-vi /etc/group +
-vi /etc/shadow +
- +
-# Create home directory +
-mkdir -p /home/test +
- +
-# Set permissions +
-chown test:test /home/test +
- +
-# Set user password +
-passwd test +
-</code> +
- +
-The resulting configs should look like this: +
- +
-<code bash> +
-# Check configs +
-> grep -e test /etc/passwd /etc/group /etc/shadow +
-/etc/passwd:test:x:1000:1000::/home/test:/bin/ash +
-/etc/group:test:!:1000: +
-/etc/shadow:test:$1$uPzGJ3jI$n7ld4E73SPsIx0QTXPMfu1:19615:0:99999:7::: +
-</code> +
- +
-==== Granting privileges with sudo ==== +
-Grant root privileges to the test user with sudo. +
- +
-<code bash> +
-# Install packages +
-opkg update +
-opkg install shadow-groupadd shadow-usermod sudo +
- +
-# Create sudo group +
-groupadd -r sudo +
- +
-# Add user to group +
-usermod -a -G sudo test +
- +
-# Configure sudoers +
-cat << EOF > /etc/sudoers.d/00-custom +
-%sudo ALL=(ALL) ALL +
-EOF +
-</code> +
- +
-See also: [[man>visudo]] +
- +
-=== ppp === +
-If you are using ppp in the default configuration with username and password in ''/etc/config/network'', then the unprivileged user can read it from pppd's command line (with e.g. ''ps w''). +
-To prevent that, you can add "''user <username>''" to ''/etc/ppp/options'' and "''<username> * <password>''" to ''/etc/ppp/{chap|pap}-secrets'' and then remove the username / password options from uci configuration. +
- +
-Of course ''/etc/ppp/{chap|pap}-secrets'' should not be world readable: +
-<code> +
-chmod go-rw /etc/ppp/chap-secrets +
-</code> +
- +
-===== LuCI =====+
 For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol.
 If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either
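Review bot: the sections removed in this hunk ("Creating a user", "Granting privileges with sudo" and "ppp") leave no pointer to where that material now lives, so the rename to `===== Protecting web interface =====` should come with a link to the page the sudo guidance was split out to (and to the manuals the revision summary says are being de-duplicated); as it stands, a reader who followed the old `useradd -m -s /bin/ash test` and `%sudo ALL=(ALL) ALL` steps can no longer find them from this page. The deleted ppp text is the only place that explained why PPP credentials matter (they are readable from pppd's command line with `ps w`); if that section is being replaced rather than dropped, that one sentence is worth carrying over.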
Line 136: Line 62:
  
 If you require remote SSH access, follow the hardening instructions on SSH mentioned above. If you require remote SSH access, follow the hardening instructions on SSH mentioned above.
 +
 +===== Protecting PPP credentials =====
 +When using PPP, protect its credentials from unprivileged users.
 +
 +<code bash>
 +PPP_IF="wan"
 +PPP_USER="$(uci -q get network.${PPP_IF}.username)"
 +PPP_PASS="$(uci -q get network.${PPP_IF}.password)"
 +cat << EOF >> /etc/ppp/options
 +user ${PPP_USER}
 +EOF
 +cat << EOF >> /etc/ppp/chap-secrets
 +${PPP_USER} * ${PPP_PASS}
 +EOF
 +cat << EOF >> /etc/ppp/pap-secrets
 +${PPP_USER} * ${PPP_PASS}
 +EOF
 +chmod go-rw /etc/ppp/*-secrets
 +uci -q delete network.${PPP_IF}.username
 +uci -q delete network.${PPP_IF}.password
 +uci commit network
 +/etc/init.d/network restart
 +</code>
  
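Review bot: the script added in this hunk writes the secrets before it restricts them and never checks that it actually read a username, so it should guard `PPP_USER` and set a restrictive umask first. When `uci -q get network.${PPP_IF}.username` returns nothing (wrong `PPP_IF`, or an interface that is not PPP), `user ${PPP_USER}` and `${PPP_USER} * ${PPP_PASS}` are still appended as empty entries and the `uci -q delete` lines then remove whatever was configured anyway; adding `[ -n "${PPP_USER}" ] || exit 1` after the two `uci -q get` lines avoids that. Because `>>` creates `/etc/ppp/chap-secrets` and `/etc/ppp/pap-secrets` with the default umask if they do not yet exist, the password sits world-readable until `chmod go-rw /etc/ppp/*-secrets` runs; putting `umask 077` before the heredocs (or creating the files and applying `chmod` before writing) closes that window. Two smaller points: the unconditional appends mean a second run duplicates the `user` and secret lines, and the new section text says only "protect its credentials from unprivileged users" without the `ps w` explanation from the removed ppp section, so readers are not told what the script protects against.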
  • Last modified: 2023/09/15 17:59
  • by vgaetera