[OpenWrt] Security Settings

Posted by 西维蜀黍 on 2022-03-19, Last Modified on 2023-05-02

SSH

Open System -> Administration -> SSH Access

  • Set the listening interface to lan so SSH is reachable only from the internal network.
  • Change the default port to another port, e.g. 30001 or some other uncommon port.
  • Disallow password authentication
  • Disallow root login with a password

Open System -> Administration -> SSH Keys and upload your SSH public key.

After that, only the private key paired with that public key can be used to log in to the terminal over SSH.
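The four SSH settings above live in /etc/config/dropbear (the LuCI page writes that file). The script below is an added example, not part of the original post: it audits a dropbear config file for those settings and prints the uci commands that apply them. The two sample config files are constructed for the demonstration; on a router you would point the check at /etc/config/dropbear. The option names (Interface, Port, PasswordAuth, RootPasswordAuth) are the real dropbear uci options; the port value is the post's 30001.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/config/dropbear for the
# four SSH hardening settings and print the commands that apply them.
# The sample configs written below are constructed for illustration.

# Print the value of "option NAME 'VALUE'" from a dropbear uci config file
# (first match wins); prints nothing if the option is absent.
dropbear_option() {
    sed -n "s/^[[:space:]]*option[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Print one line per missing or weak setting. dropbear defaults to password
# authentication being on when the option is absent, so absence counts as weak.
dropbear_gaps() {
    iface=$(dropbear_option "$1" Interface)
    port=$(dropbear_option "$1" Port)
    pw=$(dropbear_option "$1" PasswordAuth)
    rootpw=$(dropbear_option "$1" RootPasswordAuth)
    [ "$iface" = "lan" ] || echo "Interface: should be 'lan', got '${iface:-<all interfaces>}'"
    [ -n "$port" ] && [ "$port" != "22" ] || echo "Port: still the default 22"
    [ "$pw" = "off" ] || echo "PasswordAuth: should be 'off', got '${pw:-on}'"
    [ "$rootpw" = "off" ] || echo "RootPasswordAuth: should be 'off', got '${rootpw:-on}'"
}

# Print the number of gaps (0 means all four settings are in place).
dropbear_gap_count() {
    dropbear_gaps "$1" | wc -l | tr -d ' '
}

# Print the uci commands that apply the hardening; the port is the argument.
# Only printed here, never executed: run them on the router after the public
# key is in place, otherwise you lock yourself out.
dropbear_hardening_commands() {
    cat <<EOF
uci set dropbear.@dropbear[0].Interface='lan'
uci set dropbear.@dropbear[0].Port='$1'
uci set dropbear.@dropbear[0].PasswordAuth='off'
uci set dropbear.@dropbear[0].RootPasswordAuth='off'
uci commit dropbear
/etc/init.d/dropbear restart
EOF
}

# Constructed samples: OpenWrt's stock dropbear config and a hardened one.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/dropbear.default" <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'
EOF
cat > "$SAMPLE_DIR/dropbear.hardened" <<'EOF'
config dropbear
	option Interface 'lan'
	option Port '30001'
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
EOF

for f in "$SAMPLE_DIR/dropbear.default" "$SAMPLE_DIR/dropbear.hardened"; do
    echo "== $f: $(dropbear_gap_count "$f") gap(s)"
    dropbear_gaps "$f"
done
echo "== commands to apply the hardening:"
dropbear_hardening_commands 30001
```

Running the script reports 4 gaps for the stock config and 0 for the hardened one. Keep an existing SSH session open while applying the commands on a real device, and test a fresh key-based login on the new port before closing it.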

Password

Set a very strong password

Network

Do not allow pinging the router

Do not allow

Secure LuCI

HTTPS on OpenWrt

Refer to https://openwrt.org/docs/guide-user/luci/luci.secure

Tunneling LuCI HTTP protocol through SSH

Setting up the SSH-tunnel

If you are willing to spend a little effort to setup SSH-tunnel, here is a simple guide for some popular SSH clients. This guide is just about setting up a local port forwarding to LuCI web interface.

This setup will forward all traffic passing through port 8000 from 127.0.0.1 on your local machine (desktop or laptop) to port 80 of your OpenWrt device, which has a local address of 127.0.0.1. You may understand better by viewing this graph.

Local machine                       OpenWrt device
127.0.0.1:8000                      127.0.0.1:80
sending packets        →            receiving packets
receiving response     ←            sending response

All traffic passing through port 8000 on the local machine will be forwarded to port 80 on the remote machine. That is why this SSH tunnel setup is called local port forwarding.

OpenSSH client

This is the standard SSH client for GNU/Linux and BSD distributions. To establish an SSH tunnel for LuCI web interface access, just add a local port forwarding option to the command line. Make the necessary adjustments (hostname, port, identity file, etc.).

ssh -L127.0.0.1:8000:127.0.0.1:80 root@openwrt.lan

The SSH-tunnel is active as long as the SSH session is active.

For a more convenient setup, you may create a host profile. Edit the ~/.ssh/config file and add the following lines. For an explanation of all available options, refer to ssh_config. Be sure to make the necessary adjustments.

Host luci-tunnel
	Hostname openwrt.lan
	Port 22
	User root
	LocalForward 127.0.0.1:8000 127.0.0.1:80

After creating the above configuration, the SSH-tunnel can be started by issuing the following command.

ssh luci-tunnel

The command will read luci-tunnel host profile and set up the SSH-tunnel accordingly.

Accessing LuCI via SSH-tunnel

To access the LuCI web interface securely, type http://127.0.0.1:8000/ instead of http://openwrt.lan/ or http://192.168.1.1/. The traffic between your browser and the uHTTPd web server is encapsulated within the SSH tunnel, so the HTTP traffic gets the same level of encryption as the SSH traffic.

When you have finished using the LuCI web interface, don't forget to end the SSH session.
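The commands above keep an interactive shell open for as long as the tunnel is needed. The script below is an added example, not part of the OpenWrt wiki text: it runs the same local forward in the background with no remote shell, fails loudly if 127.0.0.1:8000 cannot be bound (ExitOnForwardFailure), and uses an SSH control socket so the tunnel can be checked and closed again without hunting for the process. The host (root@openwrt.lan), ports (8000 -> 80) and socket path are assumptions matching the post and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki): manage the LuCI SSH tunnel as a
# background process with a control socket. Host, ports and socket path are
# assumptions; override them via the environment if yours differ.

LUCI_HOST="${LUCI_HOST:-root@openwrt.lan}"
LOCAL_PORT="${LOCAL_PORT:-8000}"
REMOTE_PORT="${REMOTE_PORT:-80}"
CTRL_SOCK="${CTRL_SOCK:-$HOME/.ssh/luci-tunnel.sock}"

# Build the ssh command line as a string (printed, not executed) so it can be
# inspected. Options used:
#   -N                       no remote shell, only the forward
#   -f                       go to the background after authentication
#   ExitOnForwardFailure=yes exit non-zero instead of silently running without
#                            the forward when the local port is already in use
#   ControlMaster/ControlPath expose a socket for "status" and "stop" below
luci_tunnel_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ControlMaster=yes -o ControlPath=%s -L 127.0.0.1:%s:127.0.0.1:%s %s' \
        "$CTRL_SOCK" "$LOCAL_PORT" "$REMOTE_PORT" "$LUCI_HOST"
}

# Start the tunnel; binding explicitly to 127.0.0.1 keeps the forwarded port
# off the local machine's other interfaces.
start_luci_tunnel() {
    ssh -f -N -o ExitOnForwardFailure=yes -o ControlMaster=yes -o ControlPath="$CTRL_SOCK" \
        -L "127.0.0.1:$LOCAL_PORT:127.0.0.1:$REMOTE_PORT" "$LUCI_HOST" \
        && echo "LuCI available at http://127.0.0.1:$LOCAL_PORT/"
}

# Ask the master connection to exit; this closes the forward with it.
stop_luci_tunnel() {
    ssh -O exit -o ControlPath="$CTRL_SOCK" "$LUCI_HOST"
}

# True when the control socket exists and the master connection answers.
luci_tunnel_status() {
    [ -S "$CTRL_SOCK" ] && ssh -O check -o ControlPath="$CTRL_SOCK" "$LUCI_HOST" 2>/dev/null
}

case "${1:-}" in
    start)  start_luci_tunnel ;;
    stop)   stop_luci_tunnel ;;
    status) if luci_tunnel_status; then echo "tunnel up"; else echo "tunnel down"; fi ;;
    *)      echo "usage: $0 start|stop|status"
            echo "start would run: $(luci_tunnel_cmd)" ;;
esac
```

Save it as luci-tunnel.sh and use `sh luci-tunnel.sh start`, browse to http://127.0.0.1:8000/, then `sh luci-tunnel.sh stop` instead of leaving an interactive session open.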

Securing against brute-force attacks

uHTTPd is the web server responsible for hosting the LuCI web interface. By default uHTTPd listens on 0.0.0.0, which makes it accessible from the whole local network.

To prevent the LuCI web interface from being brute-forced by attackers already on the local network, edit the uHTTPd config with the commands below so that it only listens on localhost. After this change the web interface is reachable only through the router itself, for example via the SSH tunnel described above.

uci -q delete uhttpd.main.listen_http
uci add_list uhttpd.main.listen_http="127.0.0.1:80"
uci add_list uhttpd.main.listen_http="[::1]:80"
uci -q delete uhttpd.main.listen_https
uci add_list uhttpd.main.listen_https="127.0.0.1:443"
uci add_list uhttpd.main.listen_https="[::1]:443"
uci commit uhttpd
/etc/init.d/uhttpd restart
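To confirm the change took effect (or to spot a device that was never changed), the listen addresses can be read back with `uci show uhttpd`. The script below is an added example, not part of the original post: it parses that output and flags every listen address that is not loopback. The two sample outputs are constructed to resemble the default and the localhost-only configuration; on a router you would pipe the real `uci show uhttpd` into `uhttpd_listen_gaps`.

```shell
#!/bin/sh
# Added example (not from the original post): read "uci show uhttpd" output and
# flag listen addresses that are reachable from the network. The sample outputs
# below are constructed; on the router run:  uci show uhttpd | uhttpd_listen_gaps

# Read "uci show uhttpd" lines on stdin; print every non-loopback listen address.
# uci prints list options as space-separated quoted values, e.g.
#   uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd_listen_gaps() {
    grep -E "^uhttpd\.[^.]+\.listen_https?=" |
    while IFS='=' read -r key values; do
        echo "$values" | tr ' ' '\n' | tr -d "'" | while read -r addr; do
            [ -n "$addr" ] || continue
            case "$addr" in
                127.0.0.1:*|\[::1\]:*) ;;   # loopback only: fine
                *) echo "$key binds $addr (reachable from the network)" ;;
            esac
        done
    done
}

# Number of non-loopback binds in the input; 0 means localhost-only.
uhttpd_listen_gap_count() {
    uhttpd_listen_gaps | wc -l | tr -d ' '
}

# Constructed samples resembling "uci show uhttpd" before and after the change.
UHTTPD_DEFAULT="uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
uhttpd.main.home='/www'"

UHTTPD_LOCAL="uhttpd.main=uhttpd
uhttpd.main.listen_http='127.0.0.1:80' '[::1]:80'
uhttpd.main.listen_https='127.0.0.1:443' '[::1]:443'
uhttpd.main.home='/www'"

echo "default config:"
printf '%s\n' "$UHTTPD_DEFAULT" | uhttpd_listen_gaps
echo "localhost-only config: $(printf '%s\n' "$UHTTPD_LOCAL" | uhttpd_listen_gap_count) gap(s)"
```

The default sample yields four findings (both HTTP and HTTPS on 0.0.0.0 and [::]); the localhost-only sample yields none. The check is deliberately strict: a bind to a LAN address such as 192.168.1.1:80 is also reported, since the point of the change is that nothing but 127.0.0.1 and [::1] should answer.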

Reference