How do I harden OpenWrt?

I'm interested in applying some hardening settings in Config-build.in like SSP, PIE, etc.

How is this done? Is it just a matter of editing a config file or does it require a recompile?

Those settings can only be changed if you make/compile your own builds/kernel.

Generally those settings do not do much on a "trusted" system with "trusted" applications. Most of those settings are already made in a sense of "balanced". Also, in terms of hardening (IMO) this is only a small part of it. The most important part (IMO) is keeping the system lean in terms of installing only really necessary applications on security-relevant infrastructure. That means, e.g., no Samba server on a router. Each application is a potential security issue. Also, the kernel can only prevent certain kinds of misbehaviour by applications. In addition to that I would add the firewall and intrusion detection to the list of important measures when hardening a system. But a router has limited resources in terms of ROM, RAM and CPU.

As I can see, even on Wikipedia the definition of hardening is not quite clear. But you can make your own definition like I did above and take your actions if you want. :slight_smile:
One of the referenced articles shows a bunch of measures like: strong passwords, disabling unneeded user accounts, etc.

2 Likes
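The build-time settings asked about above (SSP, PIE and the related RELRO/NX options in OpenWrt's Config-build.in) only take effect at compile time, so the practical way to see what a given image actually got is to inspect the ELF binaries it ships. The following is an added example, not code from the thread or from the OpenWrt project: a small checksec-style parser that reads the ELF header and program headers directly (no readelf needed, so it also works for 32-bit big-endian MIPS binaries copied off a router) and reports PIE (e_type == ET_DYN), a non-executable stack (PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO present) and a stack-protector heuristic (the __stack_chk_fail symbol name being present in the file). The build_fake_elf helper constructs minimal synthetic ELF images only so the checker can be exercised offline; it is not a real binary.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551   # PT_LOOS + 0x474e551, stack permissions
PT_GNU_RELRO = 0x6474E552   # PT_LOOS + 0x474e552, read-only-after-relocation region
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def _layout(data):
    """Return (is64, struct byte-order prefix) from e_ident, or raise."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2          # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    return is64, end


def program_headers(data):
    """Parse e_type and the (p_type, p_flags) of every program header."""
    is64, end = _layout(data)
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:                       # Elf64_Phdr: p_type, p_flags come first
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:                          # Elf32_Phdr: p_flags sits at offset 24
            p_type, = struct.unpack_from(end + "I", data, off)
            p_flags, = struct.unpack_from(end + "I", data, off + 24)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def check_elf(data):
    """Report the hardening properties visible from the ELF headers."""
    e_type, phdrs = program_headers(data)
    stack = [flags for t, flags in phdrs if t == PT_GNU_STACK]
    return {
        # PIE executables are linked as ET_DYN so the loader can place them anywhere.
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all means the kernel default (executable on many targets).
        "nx_stack": bool(stack) and not (stack[0] & PF_X),
        "relro": any(t == PT_GNU_RELRO for t, _ in phdrs),
        # Heuristic: -fstack-protector code references __stack_chk_fail via .dynstr.
        "stack_protector": b"__stack_chk_fail" in data,
    }


def build_fake_elf(is64=True, little=True, pie=True, nx=True, relro=True, ssp=True):
    """Construct a minimal synthetic ELF (headers only) for offline testing."""
    end = "<" if little else ">"
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ehsize, phentsize = (64, 56) if is64 else (52, 32)
    e_type = ET_DYN if pie else ET_EXEC
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1 if little else 2, 1]) + b"\x00" * 9
    fields = (e_type, 0, 1, 0, ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
    hdr = ident + struct.pack(end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"), *fields)
    body = b""
    for p_type, p_flags in phdrs:
        if is64:
            body += struct.pack(end + "IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0)
        else:
            body += struct.pack(end + "IIIIIIII", p_type, 0, 0, 0, 0, 0, p_flags, 0)
    # Stand-in for the dynamic string table contents (constructed data).
    tail = b"\x00__stack_chk_fail\x00" if ssp else b"\x00__stack_chk_guard_placeholder\x00"
    return hdr + body + tail


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /path/to/binary ...   (paths are whatever you copied off the device)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_elf(f.read()))
```

On a real image you would run this over the contents of /usr/sbin and /usr/bin from the extracted rootfs; a binary reporting pie=False or stack_protector=False tells you the corresponding Config-build.in option (the PKG_ASLR_PIE and PKG_CC_STACKPROTECTOR choices) was not enabled for that build, which is exactly what an official sysupgrade image will keep overwriting unless you rebuild it yourself.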

Of course, all this is good advice. My problem is I'm just planning to install a VPN on the router for travel, which means I have the problem of creating an incentive to compromise the router, but at the same time I won't have enough stuff running on there that additional hardening would break anything. Hardening makes a lot of sense in this case.

If I buy an OpenWrt router with auto-updating, like one from GL-iNet or Turris, would I have to recompile every time an update is released or can I just compile once and let it update normally from then on?

Yes, you have to do so. A firmware is basically a filesystem image containing binaries/executables, aka programs, including the kernel. Those binaries cannot be changed like editing a text file/config file.

2 Likes

If they compile the firmware update for your target, you just need to install the firmware via sysupgrade.