Greetings,
I am new to OpenWRT, but not new to networking and firewalls.
I have my device working as desired, but need some guidance on the security aspect.
Device: Netgear WAC104
It is currently running:
OpenWrt SNAPSHOT r15563-3bd8f660a4 / LuCI Master git-21.020.56896-af422b1
I set it up as a DumbAP as per the guides here on the forum.
It is working exactly as I wanted, no problems on that front.
My questions are about security.
Historically, I have never allowed admin interfaces to be available via WiFi, only via wired LAN. As it is currently configured, I do not see a way to do that. So my questions are:
Am I worrying about something that I do not need to? If I give it a strong password and or use custom ports and users, is that sufficient?
If I should prevent luci/ssh access via WiFi, the only way I see to accomplish that is to re-enable the firewall and routing, thus making it a smart AP again. I do not have enough experience with this hardware or OpenWRT to know if that will add enough overhead to affect traffic speeds?
I like to disable remote access of the default admin accounts (root in this case), and use custom users with tiered privileges. Since this is Linux-based, I know I can do that via CLI, but will LuCI still function correctly? (and allow logins from a user that is not root).
(To be fully transparent, I have not researched this question in the forums yet, it may already be answered)
I am open to any and all input or advice, and I thank you for your time in advance.
Configs to follow.
-jk3wl
Yep, use strong Wi-Fi and root passwords and enable encryption and it should be fine in most cases.
If you feel paranoid, there are more options such as tunneling over SSH or VPN.
Enabling and setting up the firewall is also possible, and it shouldn't negatively affect performance since there's no NAT involved.
Although privilege separation for SSH is feasible, it might be difficult for LuCI.
You could put your WLAN on a different subnet, and have uhttpd only listen on the wired subnet. It's a rather easy solution. Not ideal if you want/need your WiFi devices to be able to talk to your wired clients though.
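The listener restriction the reply above describes, written out as an added example in OpenWrt UCI syntax (not config posted by anyone in this thread): uhttpd is bound only to the AP's wired-subnet address and dropbear only to the wired logical interface. The addresses and the interface name 'lan' are assumptions; this only helps if the WLAN clients sit on a separate subnet, because on a plain dumb AP with Wi-Fi bridged into br-lan they share the same address.

```uci
# /etc/config/uhttpd  (added example; 192.168.1.2 is an assumed wired-side AP address)
config uhttpd 'main'
	# Replace the default 0.0.0.0 / [::] listeners with the wired address only,
	# so LuCI is not reachable from a differently-numbered WLAN subnet.
	list listen_http '192.168.1.2:80'
	list listen_https '192.168.1.2:443'
	# Push plain-HTTP clients to HTTPS (the poster already has SSL set up)
	option redirect_https '1'
	option home '/www'
	option rfc1918_filter '1'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'

# /etc/config/dropbear  (added example; 'lan' assumed to be the wired interface)
config dropbear
	# Only accept SSH connections arriving on the wired logical interface
	option Interface 'lan'
	option Port '22'
	# Key-based authentication only, as planned in the thread
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
```

After restarting both services (`/etc/init.d/uhttpd restart` and `/etc/init.d/dropbear restart`), check with `netstat -ltn` that ports 80/443/22 no longer appear bound to 0.0.0.0 or [::].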
Hi vgaetera,
Yes, already using strong passwords, and have already set up SSL for LuCI.
Configuring SSH with cert-only auth was on my short to-do list.
Was contemplating disabling non-SSL, but I do like the idea of just disabling the uhttpd service altogether, and only turning it on via SSH as needed. Once configured, I will not have a need to get into this thing very often anyway.
Given all of that, I see no need to go further and complicate it more than necessary.
Thank you for the insight and "extra set of eyes".