A few security related configuration questions

Sorry if one of more questions somehow have been answered here before, but the search function of this website is not working in my browser, so I can't find them.

After succesfully flashing OpenWrt 18.06.5 on my TP-Link WDR4300 N750, I have a few configuration questions, hopefully they can be answered easily by just yes or no. :smile:

Someone on reddit (i'm not allowd to post more than 2 links here) says: "don't expose your password to the WAN"

Q: Maybe a silly question but I guess he is talking about when loggin into the WebUi LuCI of the router you should never open other websites for obvious reasons right, and pull out the internet cable?

In the Openwrt docs I can find: .....not offer access from the Internet at all, or restrict it to certain IP addresses or IP address ranges

  1. by letting the SSH serverdropbear and the web-Server not listen on the external/WAN port
  2. by blocking incoming connections to those ports (TCP 22, 80 and 443 by default) in your firewall

Q: Is it really necessarry not to let the SSH server and webServer listen to the WAN port in my case when I only use it as a Wifi-router, connected to my ISPcable modem? And how do I disble it?

Remote Admin Access is turned on by default. Routersecurity dot org is advising to turn is off. I think I don't need it.

Q:What would you do?

I would like to connect my Wifi printer to my router. But I don't want to access the internet, or the other way round.

Q: Where can I find simple information how to block it? In my old router the was a single button I could click and that was it.

I have created a Wifi guest network [https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan ].

Q: Is it really separated from my LAN?

Many thanks.

He means not to let web or ssh open on the internet with only password authentication, as it can be brute forced.

By default they are blocked on the firewall. If you need them you can open them.

Then turn it off.

This example is very close to what you want. Just don't use destination address.



Thanks for your reply! Very helpfull. I appreciate it.

You're welcome!
If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).



I have also changed the dropbear interface to LAN.

You could disable password authentication on the WAN and log into SSH with keys. It depends if you administrate the router from the internet.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.