
Hardening your LEDE device

The good news is that LEDE ships with sensible security defaults.
If you have no experience with hardening, firewalls or network security, there is no need to worry. Out of the box, LEDE is “hardened” in a sufficiently secure way that inexperienced muggles need not be concerned and can use it right away.

…but with one important and only exception:
You need to set a password on your LEDE “root” administration account. The “root” account is the default LEDE administrator account on the device. The next section shows you how to do this.

This page also contains some general information about LEDE security and what you should normally do to keep your router in a properly secure state.

Setting a password for the “root” account

To initially set (or later change) the password of the “root” administration account in the web admin GUI, go to http://192.168.1.1 → System / Administration

  • Enter the new password under “Router Password”
  • Click “Save & Apply” at the bottom of the page

Alternatively, you can set the password with the “passwd” command on the command line.

I am an expert, show me the other “hardening” options...

  • If you have 8 MB or more of flash ROM and share your home network with other people, activating HTTPS for your LuCI admin web GUI is a good idea. Since this needs some free flash space, HTTPS is not activated by default in the current release (unless devices with <= 4 MB flash are no longer supported by LEDE). The maintainer of your device may also have activated HTTPS by default in the device-specific LEDE build; in that case you need not do anything further, because you already have this protection. (Note: ssh admin access is always encrypted by default.)
    1. opkg update
    2. opkg install luci-ssl
    3. /etc/init.d/uhttpd restart
    4. You can now reach the web admin interface via https://192.168.1.1.
  • If you do not use the LuCI web admin interface at all, you can even disable LuCI (the web admin interface):
    1. Prevent LuCI from starting automatically at boot: /etc/init.d/uhttpd disable
    2. Stop the LuCI service: /etc/init.d/uhttpd stop
  • If you have disabled the web admin interface and want to enable it again:
    1. Let LuCI start automatically at boot again: /etc/init.d/uhttpd enable
    2. Start the LuCI service: /etc/init.d/uhttpd start

My LEDE web admin interface needs to stay open in the background all the time for easy access...

…this is a very bad idea.

Treat your admin root account with sanity, and use it only the way you would use the “root” account on any major Linux server:

  • Stay away from admin access (ssh and the web admin interface) when you do not need it
  • Close/log out of the root admin session when you are done administering (not 8 hours later)
  • Connect as root only when administration is really needed
  • Do not share your root password with others
  • Do not share your root password with others, even if they promise you some hot Katy Perry pictures in return.

I am the only user, so I do not need to set a “root” password. Right?....

Congratulations on not having to share your precious bandwidth with others, but you still need to set a root password.

Any website you visit from a browser on your home network (for example one of those promising hot Katy Perry pictures) can quite easily reach the admin interface of your LEDE device using so-called “cross-site request forgery”, and do nasty things there without you noticing. If no “root” password is set, such a malicious site can manipulate your LEDE device in ways you will not like.

So go and set a password for your “root” account right now.

Let's just open this one single port for incoming traffic, what could possibly go wrong?...

Handle firewall rules with care:

  • Do not expose services on the WAN Internet port if you do not understand the security implications. Automatic scanners of evil forces and script kiddies will find any open port on your WAN side, sometimes within minutes, and will then run extensive intrusion software suites against such open ports, probing a lot of attack vectors without any manual effort. The Internet is permanently being scanned for careless people.
  • If you want to access home services while on the road, consider using OpenVPN instead of opening service-related ports publicly on the WAN side.
  • Unfortunately a lot of online games have lots of “recommended settings” that permanently open various port ranges for the best gaming experience. Before blindly following these practices, first check whether any server connection problems are due to a double-NAT situation caused by cascaded routers in your home.
  • Always use reasonable comments when you add your own customized firewall rules (e.g. “…that's the rule that a random nice guy on the Internet asked me to add, promising me some really hot Katy Perry pictures in return…”)

If you have already made various firewall changes on your LEDE device and have now lost the overview of your custom rules, you can always reset all your LEDE settings back to the initial defaults (see the troubleshooting section).

So I've switched from insecure vendor firmware to LEDE. Finally, I am safe forever...

Not so fast…

Did you notice that even LEDE firmware gets updated from time to time?

As with your former vendor firmware, you should check regularly whether LEDE has released new firmware and apply these updates to your device. There is even a configuration backup and restore feature, so that you do not have to start from scratch after each update.

I have custom packages installed...

As with the firmware, you should also keep an eye on the custom packages you install. There are several hundred optional packages. Not all security problems in those packages get addressed by LEDE system upgrades; some instead require you to upgrade the packages manually as well.

If you are using custom packages, you should run opkg update; opkg list-upgradable from time to time. This shows your installed packages that have updates available. You then install package upgrades manually by running opkg upgrade SOMEPACKAGENAME. Note that not every listed package upgrade is due to a security issue; it can also be a harmless bug fix or feature extension.

An update will continue to use your existing service configuration, but for critical LEDE environments a manual config backup never hurts as a safety precaution before upgrading packages…
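The package-upgrade routine described above, written out as an added example script (not from the LEDE/OpenWrt wiki): it takes the configuration backup first, then parses the output of opkg list-upgradable and upgrades one package at a time. It assumes the “name - installed_version - available_version” line format of opkg list-upgradable and that sysupgrade -b writes a configuration tarball to the given path.

```shell
#!/bin/sh
# Added example: config backup, then per-package upgrade of everything
# that 'opkg list-upgradable' reports. Assumes the line format
# 'name - installed_version - available_version'.

# Print one package name per line from captured 'opkg list-upgradable' output.
upgradable_names() {
    printf '%s\n' "$1" | awk 'NF == 5 && $2 == "-" && $4 == "-" { print $1 }'
}

# Number of upgradable packages in the captured output (always exits 0,
# so it is safe under 'set -e' even when nothing is upgradable).
upgradable_count() {
    upgradable_names "$1" | awk 'END { print NR }'
}

# Back up, refresh the index, then upgrade one package at a time so that a
# failure stops the run in a known state instead of half-way through a batch.
run_upgrade() {
    backup="/tmp/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    sysupgrade -b "$backup" || { echo "config backup failed, aborting" >&2; return 1; }
    echo "configuration saved to $backup"
    opkg update >/dev/null || { echo "opkg update failed" >&2; return 1; }
    list=$(opkg list-upgradable)
    if [ "$(upgradable_count "$list")" -eq 0 ]; then
        echo "all installed packages are current"; return 0
    fi
    for pkg in $(upgradable_names "$list"); do
        echo "upgrading $pkg"
        opkg upgrade "$pkg" || { echo "upgrade of $pkg failed" >&2; return 1; }
    done
}

# Constructed sample output so the parsing can be tried off-device.
SAMPLE='dropbear - 2017.75-5 - 2017.75-7
libustream-mbedtls - 2018-07-30-1 - 2019-02-01-1
samba36-server - 3.6.25-7 - 3.6.25-9'

# Only touch a real system when explicitly asked to (./upgrade.sh --apply);
# otherwise just show what the parser extracts from the constructed sample.
if [ "$1" = "--apply" ]; then
    run_upgrade
else
    upgradable_names "$SAMPLE"
fi
```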

Note: LEDE uses a read-only root file system plus a differential overlay partition for all package installs and upgrades, so an upgraded package occupies overlay space in addition to the read-only copy it replaces. If you want to make the most of your precious flash space and expect a larger volume of upgrades, it is usually better to flash up-to-date LEDE firmware and then reinstall your packages, rather than only upgrading the packages.

A word about high-value weak points on LEDE

LEDE devices have 2-4 common services running which mark them as high-value targets for malware (even when only reachable from your LAN zone): any harmless-looking website you have visited in your browser could use cross-site request forgery tricks to abuse an unpatched security flaw in one of these services.

These high-value services in particular are:

  • the web server running LuCI (based on Lua) for LEDE GUI admin access
  • the dropbear SSH server for LEDE command-line admin access
  • the SFTP daemon for GUI file explorer admin access (only if manually activated; it is not there by default)
  • the Samba SMB share providing user network file shares (only if manually activated; it is not there by default)

It is your personal responsibility to counter such weak points on your LEDE device(s):

  • set a “root” password
  • keep your LEDE firmware up to date
  • when you have Samba and/or SFTP activated manually: check regularly whether package upgrades are available for Samba and SFTP and apply those upgrades
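A small audit script for the first two items of this checklist, added here as an example (not from the LEDE/OpenWrt wiki): it checks whether the “root” entry actually carries a password hash and whether luci-ssl is among the installed packages. It assumes the usual “user:hash:…” layout of /etc/shadow and the “name - version” line format of opkg list-installed; the sample data at the bottom is constructed so the script runs off-device.

```shell
#!/bin/sh
# Added example: audit two items of the LEDE hardening checklist.

# 0 when the root entry carries a real password hash; 1 when the hash field
# is empty (passwordless login) or the account is locked with '!' or '*'.
root_password_set() {
    # $1: contents of /etc/shadow
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" { found = 1; ok = ($2 != "" && $2 !~ /^[!*]/); exit }
        END { exit (found && ok) ? 0 : 1 }'
}

# 0 when package $1 appears in the captured 'opkg list-installed' output $2.
package_installed() {
    printf '%s\n' "$2" | awk -v pkg="$1" \
        '$1 == pkg && $2 == "-" { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Run all checks on the supplied data; prints one line per check and
# returns the number of failed checks.
audit() {
    shadow=$1 installed=$2 failures=0
    if root_password_set "$shadow"; then
        echo "OK   root password is set"
    else
        echo "FAIL root has no password: run 'passwd' now"
        failures=$((failures + 1))
    fi
    if package_installed luci-ssl "$installed"; then
        echo "OK   luci-ssl installed, admin GUI available over HTTPS"
    else
        echo "WARN luci-ssl missing: 'opkg install luci-ssl' if flash space allows"
        failures=$((failures + 1))
    fi
    return $failures
}

# Constructed sample data. On a LEDE/OpenWrt device use
#   audit "$(cat /etc/shadow)" "$(opkg list-installed)"
SAMPLE_SHADOW='root::0:0:99999:7:::
daemon:*:0:0:99999:7:::'
SAMPLE_INSTALLED='base-files - 190-r7258
luci - git-19.020.41695-6f6641d-1
dropbear - 2017.75-5'

audit "$SAMPLE_SHADOW" "$SAMPLE_INSTALLED" || echo "$? check(s) need attention"
```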
zh/docs/guide-user/security/openwrt_security.txt · Last modified: 2019/02/18 16:35 by tmomas