Another Security Question about ports and seccomp

I've been reading about making my router as secure as possible.
harden the Linux kernel, disable all LAN traffic, change ssh port, super secure root and admin passwords, etc.

My question: how can I disable all open ports, except 22, 80, 443 and 1194. BTW, does port 1194 need to be open for my VPN to work or can I route all traffic through that port only? Goal is to disable unauthorized scripts, attacks, etc from taking over the router.

Is it worth it to install seccomp and isolate only those processes that control the WAN?

How can I disable output ports that allow, for example, a keylogger to send all of my keystrokes to a web address on an unused port? Is that even possible?

Finally, is there any tool that monitors what ip address you're connected to and only allows data to be sent to that IP and drops everything else? Say, I'm watching a youtube video on whatever ip but a keylogger is sending my HDD contents to some ip that is not youtube. Any way to stop that?

The guide for setting up guest WLAN allowing only HTTP and HTTPS traffic on OpenWrt wiki can achieve that.

I'd suggest you to read this first. Ten Immutable Laws Of Security (Version 2.0)

That would be however a quite tedious task to do. For instance, in order to allow YouTube to function, you have to allow tons of 3rd party websites to work, as shown in this screenshot.

In other words, all your other security measures could be invalidated if your computer cannot be trusted.

1 Like

I think you also need to read:

All ports are closed on WAN in default OpenWrt (aside from IPv4 DHCP-reply and others needed for a functioning WAN), as I recall.

You have to open any port for a package/service you install/run.

I think you need to learn a little more about security. There is no "IANA reserved port for malicious keyloggers".


I'm not even sure you understand what a keylogger is. In the case you describe, I would advise you to "not install a keylogger".

1 Like