I'm still new but learning a lot. Is there any way to sandbox LuCI, SSH and any protocol that could access the flash in the same way Qubes OS sandboxes certain apps?
You can do the following:
- Set up a VPN and allow LuCI/SSH only via the VPN interface.
- Allow LuCI only via SSH tunnel or just disable LuCI for good.
- Allow SSH authentication only to an unprivileged user.
- Set up SSH public key authentication and disable password authentication.
- Make sure the failsafe mode works properly before your experiments.
- Security level in the general case, from higher to lower: VPN > SSH > LuCI.
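
An added example, not part of the original reply: a shell check for three items on the list (SSH bound to the VPN interface, password authentication off, LuCI reachable only through an SSH tunnel), assuming OpenWrt's stock dropbear and uhttpd UCI files. The interface name `vpn` is a hypothetical name and the sample configs are constructed.

```shell
# Added example: audit UCI config files against the checklist above.
# On a router, pass /etc/config/dropbear and /etc/config/uhttpd.

# uci_values FILE KEY: print each value of "option KEY" or "list KEY".
uci_values() {
    awk -v key="$2" -v q="'" '($1 == "option" || $1 == "list") && $2 == key {
        v = $3; gsub("[" q "\"]", "", v); print v }' "$1"
}

# audit_dropbear FILE IFACE: one finding per line, nothing if clean.
audit_dropbear() {
    [ "$(uci_values "$1" PasswordAuth)" = "off" ] ||
        echo "dropbear: PasswordAuth is not off"
    [ "$(uci_values "$1" RootPasswordAuth)" = "off" ] ||
        echo "dropbear: RootPasswordAuth is not off"
    [ "$(uci_values "$1" Interface)" = "$2" ] ||
        echo "dropbear: not bound to interface $2 only"
}

# audit_uhttpd FILE: flag every LuCI listener that is not on loopback.
audit_uhttpd() {
    for key in listen_http listen_https; do
        uci_values "$1" "$key" | while read -r addr; do
            case "$addr" in
                127.0.0.1:*|"[::1]:"*) ;;
                *) echo "uhttpd: $key $addr is reachable from the network" ;;
            esac
        done
    done
}

# write_sample DIR: constructed configs with permissive settings.
write_sample() {
    cat > "$1/dropbear" <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
EOF
    cat > "$1/uhttpd" <<'EOF'
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_http '[::]:80'
    list listen_https '127.0.0.1:443'
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp"
audit_dropbear "$tmp/dropbear" vpn; audit_uhttpd "$tmp/uhttpd"
rm -rf "$tmp"
```

With uhttpd listening on loopback only, LuCI is reached through a tunnel such as `ssh -L 8080:127.0.0.1:80 user@router`.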