Differences

docs:guide-user:security:secure.access [2023/09/15 05:15] – update vgaetera
docs:guide-user:security:secure.access [2023/09/15 16:33] – [Elevating privileges with sudo] split vgaetera
Line 1: Line 1:
-====== Secure your router's access ======+====== Secure access to your router ======
 There are some possibilities to grant access to the router (or to any PC/Server): There are some possibilities to grant access to the router (or to any PC/Server):
   - ask for nothing: anybody who can establish a connection gets access   - ask for nothing: anybody who can establish a connection gets access
Line 42: Line 42:
   - Dependent on you situation you may want to employ an [[wp>Intrusion prevention system]] like [[wp>fail2ban]] or better yet implement your own one based on ''logtrigger''.   - Dependent on you situation you may want to employ an [[wp>Intrusion prevention system]] like [[wp>fail2ban]] or better yet implement your own one based on ''logtrigger''.
  
-===== Securing web interface =====+===== Protecting web interface =====
 For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol. For secure web access, OpenWrt can be accessed via HTTPS (TLS) instead of the unencrypted HTTP protocol.
 If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either If HTTP is not secure enough for you, you can disable the existing (unencrypted) web access and either
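Review bot: the renamed heading drops the article; "Protecting the web interface" reads better and matches the new page title "Secure access to your router". The unchanged context line above also carries a typo, "Dependent on you situation", which should read "Depending on your situation" if this region is touched again.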
Line 63: Line 63:
 If you require remote SSH access, follow the hardening instructions on SSH mentioned above. If you require remote SSH access, follow the hardening instructions on SSH mentioned above.
  
-===== Creating a user ===== +===== Protecting PPP credentials ===== 
-Create an unprivileged test user and set him a password:+When using PPP, protect its credentials from unprivileged users.
  
 <code bash> <code bash>
-# Install packages +PPP_IF="wan" 
-opkg update +PPP_USER="$(uci -q get network.${PPP_IF}.username)" 
-opkg install shadow-useradd +PPP_PASS="$(uci -q get network.${PPP_IF}.password)" 
- +cat << EOF >> /etc/ppp/options 
-# Create a user +user ${PPP_USER}
-useradd -m -s /bin/ash test +
- +
-# Set user password +
-passwd test +
-</code> +
- +
-Or add the user by hand using a unique UID and GID: +
- +
-<code bash> +
-# Edit configs +
-vi /etc/passwd +
-vi /etc/group +
-vi /etc/shadow +
- +
-# Create home directory +
-mkdir -p /home/test +
- +
-# Set permissions +
-chown test:test /home/test +
- +
-# Set user password +
-passwd test +
-</code> +
- +
-The resulting configs should look like this: +
- +
-<code bash> +
-# Check configs +
-> grep -e test /etc/passwd /etc/group /etc/shadow +
-/etc/passwd:test:x:1000:1000::/home/test:/bin/ash +
-/etc/group:test:!:1000: +
-/etc/shadow:test:$1$uPzGJ3jI$n7ld4E73SPsIx0QTXPMfu1:19615:0:99999:7::: +
-</code> +
- +
-===== Granting privileges with sudo ===== +
-Grant root privileges to the test user with sudo by adding him to the privileged group. +
- +
-<code bash> +
-# Install packages +
-opkg update +
-opkg install shadow-groupadd shadow-usermod sudo +
- +
-# Create sudo group +
-groupadd -r sudo +
- +
-# Add user to group +
-usermod -a -G sudo test +
- +
-# Configure sudoers +
-cat << EOF > /etc/sudoers.d/00-custom +
-%sudo ALL=(ALLALL +
-EOF +
-</code> +
- +
-See also: [[man>visudo]] +
- +
-===== Protecting pppd credentials ===== +
-When using pppd, protect its credentials from unprivileged users. +
- +
-<code bash> +
-cat << "EOF>> /etc/ppp/options +
-user <username>+
 EOF EOF
-cat << "EOF>> /etc/ppp/chap-secrets +cat << EOF >> /etc/ppp/chap-secrets 
-<username> <password>+${PPP_USER} ${PPP_PASS}
 EOF EOF
-cat << "EOF>> /etc/ppp/pap-secrets +cat << EOF >> /etc/ppp/pap-secrets 
-<username> <password>+${PPP_USER} ${PPP_PASS}
 EOF EOF
 chmod go-rw /etc/ppp/*-secrets chmod go-rw /etc/ppp/*-secrets
-uci delete network.wan.username +uci -q delete network.${PPP_IF}.username 
-uci delete network.wan.password+uci -q delete network.${PPP_IF}.password
 uci commit network uci commit network
 /etc/init.d/network restart /etc/init.d/network restart
 </code> </code>
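Review bot: in the rewritten PPP block the permission fix comes last, so between the `cat << EOF >> /etc/ppp/chap-secrets` append and the `chmod go-rw /etc/ppp/*-secrets` line the password sits in a file whose mode is whatever it had before (or the umask default if the file is newly created); move the `chmod` before the appends, or put `umask 077` at the top of the block, so the secret is never written into a readable file. Two smaller points: `uci -q get` returns an empty string when the option is unset, so a guard such as `[ -n "${PPP_USER}" ] && [ -n "${PPP_PASS}" ] || exit 1` before the heredocs avoids appending a bare `user` line to /etc/ppp/options and then deleting nothing; and the secrets lines `${PPP_USER} ${PPP_PASS}` have only two fields, while pppd(8) documents a `client server secret` layout, so the usual form is `${PPP_USER} * ${PPP_PASS}` (the old text had the same two-field lines, so this predates the change, as does the unterminated quote in the old `cat << "EOF>> /etc/ppp/options`, which the rewrite fixes). Note also that the `>>` appends add duplicate entries every time the block is re-run.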
  
  • Last modified: 2023/09/15 17:59
  • by vgaetera