Advice for basic security setup for new router

Hi all

I just installed stable 23.05.5 on a cheap NanoPi R4S. It has a WAN and a LAN port. No WiFi. LAN port goes to my unmanaged Netgear switch with all my wired home devices, including one wireless access point.

I got it up and running very quickly, only doing the below changes (nothing else in FIREWALL etc). Everything is working well.

Question: with my vanilla install plus below basic security measures, is my setup secure, as of today?

Any major things I should change in FIREWALL settings or other areas of OpenWrt? Or is this good?

Minor things I did:

  1. Changed root password for LuCI webpage to something very long and secure
  2. Set up SSH key for SSH. Also disabled SSH password authentication, so it is only via SSH key
  3. Forced HTTPS for LuCI web page
  4. Set up DNS over TLS (DoT)
  5. SSH only on LAN interface

Thanks in advance

You're good to go, as it is.

2 Likes

Thanks @frollic :pray:

Continue with this:
https://openwrt.org/docs/guide-user/security/openwrt_security

1 Like

Maybe change SSH port from the default 22?

1 Like

Can easily be circumvented using a port scanner.
Better to just bind dropbear only to lan.

2 Likes

Fair point...

Thanks, I forgot to mention that I had done this. Is this what you mean?

Neither are necessary with the default firewall config. There's no external access to port 22.

2 Likes
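
The SSH items discussed above (key-only login from the first post's checklist, and binding dropbear to LAN) can be checked against the router's config; this is an added example, not part of the thread. The function name, the `WANT_IFACE` variable and both sample configs are constructed for illustration; the option names are those used in OpenWrt's `/etc/config/dropbear`.

```shell
# Added example: flag dropbear instances that still allow password logins
# or are not bound to the expected interface (default: lan).
# On the router: audit_dropbear /etc/config/dropbear
# Assumed defaults when an option is absent: password auth on, no Interface.
audit_dropbear() {
    awk -v q="'" -v want="${WANT_IFACE:-lan}" '
    function strip(s) { gsub("[" q "\"]", "", s); return s }
    function is_off(v) { return v ~ /^(off|0|no|false|disabled)$/ }
    function report() {
        if (!active) return
        if (!is_off(pw))  { print "instance " n ": PasswordAuth enabled"; bad++ }
        if (!is_off(rpw)) { print "instance " n ": RootPasswordAuth enabled"; bad++ }
        if (ifc == "")    { print "instance " n ": no Interface, listens on all addresses"; bad++ }
        else if (ifc != want) { print "instance " n ": bound to " ifc ", expected " want; bad++ }
    }
    $1 == "config" {
        report()                                  # close the previous section
        active = (strip($2) == "dropbear")
        if (active) { n++; pw = "on"; rpw = "on"; ifc = "" }
        next
    }
    active && $1 == "option" {
        v = strip($3)
        if ($2 == "PasswordAuth") pw = v
        else if ($2 == "RootPasswordAuth") rpw = v
        else if ($2 == "Interface") ifc = v
    }
    END { report(); exit (bad ? 1 : 0) }          # status 1 when anything was flagged
    ' "$@"
}
# Constructed sample: stock-like config, nothing hardened.
sample_stock() {
cat <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
EOF
}
# Constructed sample: the state described in the first post.
sample_hardened() {
cat <<'EOF'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Interface 'lan'
EOF
}
sample_stock | audit_dropbear || echo "stock sample: findings above"
sample_hardened | audit_dropbear && echo "hardened sample: no findings"
```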