Differences
This shows you the differences between two versions of the page.
| docs:guide-user:security:secure.access [2023/09/15 04:53] – simplify configuration, avoid duplicating manuals vgaetera | docs:guide-user:security:secure.access [2023/09/15 16:33] – [Elevating privileges with sudo] split vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Secure your router's access | + | ====== Secure |
| There are some possibilities to grant access to the router (or to any PC/Server): | There are some possibilities to grant access to the router (or to any PC/Server): | ||
| - ask for nothing: anybody who can establish a connection gets access | - ask for nothing: anybody who can establish a connection gets access | ||
| Line 42: | Line 42: | ||
| - Dependent on you situation you may want to employ an [[wp> | - Dependent on you situation you may want to employ an [[wp> | ||
| - | ===== Creating a user ===== | + | ===== Protecting web interface |
| - | Create an unprivileged test user and set him a password: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Install packages | + | |
| - | opkg update | + | |
| - | opkg install shadow-useradd | + | |
| - | + | ||
| - | # Create a user | + | |
| - | useradd -m -s /bin/ash test | + | |
| - | + | ||
| - | # Set user password | + | |
| - | passwd test | + | |
| - | </ | + | |
| - | + | ||
| - | Or add the user by hand using a unique UID and GID: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Edit configs | + | |
| - | vi / | + | |
| - | vi / | + | |
| - | vi / | + | |
| - | + | ||
| - | # Create home directory | + | |
| - | mkdir -p / | + | |
| - | + | ||
| - | # Set permissions | + | |
| - | chown test:test / | + | |
| - | + | ||
| - | # Set user password | + | |
| - | passwd test | + | |
| - | </ | + | |
| - | + | ||
| - | The resulting configs should look like this: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Check configs | + | |
| - | > grep -e test /etc/passwd /etc/group / | + | |
| - | / | + | |
| - | / | + | |
| - | / | + | |
| - | </ | + | |
| - | + | ||
| - | ==== Granting privileges with sudo ==== | + | |
| - | Grant root privileges to the test user with sudo. | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Install packages | + | |
| - | opkg update | + | |
| - | opkg install shadow-groupadd shadow-usermod sudo | + | |
| - | + | ||
| - | # Create sudo group | + | |
| - | groupadd -r sudo | + | |
| - | + | ||
| - | # Add user to group | + | |
| - | usermod -a -G sudo test | + | |
| - | + | ||
| - | # Configure sudoers | + | |
| - | cat << EOF > / | + | |
| - | %sudo ALL=(ALL) ALL | + | |
| - | EOF | + | |
| - | </ | + | |
| - | + | ||
| - | See also: [[man> | + | |
| - | + | ||
| - | === ppp === | + | |
| - | If you are using ppp in the default configuration with username and password in ''/ | + | |
| - | To prevent that, you can add "'' | + | |
| - | + | ||
| - | Of course ''/ | + | |
| - | < | + | |
| - | chmod go-rw / | + | |
| - | </ | + | |
| - | + | ||
| - | ===== LuCI ===== | + | |
| For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. | For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. | ||
| If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either | If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either | ||
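Review bot: the sudo material dropped from the left column (the `cat << EOF` redirect that writes `%sudo ALL=(ALL) ALL`) wrote the sudoers policy without validating it or setting its mode; the revision summary says this section was split rather than deleted, so wherever it is reinstated the write should be followed by `visudo -c` and the file kept at mode 0440, since sudo refuses to load a sudoers file it considers insecurely writable, and a syntax error in it locks the `%sudo` group out of privilege escalation entirely. The removed `ppp` subsection's `chmod go-rw` guidance also moves out of this hunk; the replacement block should keep that permission step rather than rely on prose alone.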
| Line 136: | Line 62: | ||
| If you require remote SSH access, follow the hardening instructions on SSH mentioned above. | If you require remote SSH access, follow the hardening instructions on SSH mentioned above. | ||
| + | |||
| + | ===== Protecting PPP credentials ===== | ||
| + | When using PPP, protect its credentials from unprivileged users. | ||
| + | |||
| + | <code bash> | ||
| + | PPP_IF=" | ||
| + | PPP_USER=" | ||
| + | PPP_PASS=" | ||
| + | cat << EOF >> / | ||
| + | user ${PPP_USER} | ||
| + | EOF | ||
| + | cat << EOF >> / | ||
| + | ${PPP_USER} * ${PPP_PASS} | ||
| + | EOF | ||
| + | cat << EOF >> / | ||
| + | ${PPP_USER} * ${PPP_PASS} | ||
| + | EOF | ||
| + | chmod go-rw / | ||
| + | uci -q delete network.${PPP_IF}.username | ||
| + | uci -q delete network.${PPP_IF}.password | ||
| + | uci commit network | ||
| + | / | ||
| + | </ | ||
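Review bot: `chmod go-rw` is applied to a single path, but the line `${PPP_USER} * ${PPP_PASS}` is appended to two different files by the two `cat << EOF >>` blocks that precede it; every file that receives the password needs the same tightening, and `chmod 600` states the intent (owner read/write only) more clearly than a relative `go-rw`. Because all three writes use `>>`, running the snippet twice leaves duplicate `user` and secret entries; guard each append with a `grep -q` for the existing line. The `PPP_PASS="…"` assignment is typed at an interactive prompt, so the plaintext password lands in the shell history where one is kept; prompt for it with `read` instead, or unset `HISTFILE` for the session. The ordering is sound otherwise: the secrets files are populated before `uci -q delete network.${PPP_IF}.password` removes the copy from UCI, so there is no window in which the interface has no credentials.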