This is a bit of a NooB question so please be patient with me. I think this would be useful for any future novices getting into the world of OpenWRT and LEDE too.
I have just purchased a modified router (old BT Homehub 5A) with 21.02.1. I have configured it with my own VDSL, Wifi SSIDs, SQM and such and wanted to know, now it is working to my requirement, if there is a logical and methodical way to double check if there were any "Hacker" like modifications made under the hood by the person selling the router to me. Can someone please let me have a few pointers as to which bits of the system to check to make sure that nothing sinister has been set up/modified by the seller?
If it is not possible to do then am I best backing up my config, doing a sysupgrade using LEDE interface to overwrite the current build and then restoring my config from the backup (or would that simply back up any bad bits and restore them on the fresh build)?
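On the question of whether a restored backup could carry modifications across a reflash, the sketch below (an added example, not from the thread or the OpenWrt project) lists the entries of a config backup archive that can run code or grant logins, so they can be read before restoring. The pattern lists, the function names and the sample archive are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag entries in an OpenWrt config backup (tar.gz) that can run
# code or grant logins, so they can be read before the archive is restored.

# The pattern lists are an assumption: a review aid, not an exhaustive rule set.
classify_entry() {
    case "${1#./}" in
        */) echo skip ;;                       # directory entry
        etc/rc.local|etc/crontabs/*|etc/init.d/*|etc/rc.d/*|etc/hotplug.d/*|etc/uci-defaults/*|etc/profile|etc/firewall.user)
            echo exec ;;                       # runs at boot, on events or on a timer
        etc/dropbear/*|etc/passwd|etc/shadow|etc/group)
            echo access ;;                     # SSH keys and accounts
        etc/config/*)
            echo config ;;                     # UCI settings, visible in LuCI
        *)  echo other ;;                      # anything else the backup carries
    esac
}

# Print "<kind><TAB><path>" for every entry that is not plain UCI config.
audit_backup() {
    tar -tzf "$1" >/dev/null 2>&1 || { echo "cannot read $1" >&2; return 2; }
    tar -tzf "$1" | while IFS= read -r entry; do
        kind=$(classify_entry "$entry")
        case "$kind" in
            exec|access|other) printf '%s\t%s\n' "$kind" "${entry#./}" ;;
        esac
    done
}

# Build a small constructed backup for trying the audit offline ($1 = output).
make_sample_backup() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/config" "$d/etc/dropbear" "$d/etc/crontabs"
    echo "config interface 'lan'" > "$d/etc/config/network"
    echo "exit 0" > "$d/etc/rc.local"
    echo "ssh-ed25519 CONSTRUCTED-KEY previous-owner" > "$d/etc/dropbear/authorized_keys"
    echo "*/5 * * * * /etc/checkin.sh" > "$d/etc/crontabs/root"
    echo "# constructed placeholder" > "$d/etc/checkin.sh"
    tar -czf "$1" -C "$d" etc
    rm -rf "$d"
}

if [ $# -gt 0 ]; then audit_backup "$1"; fi
```

Run it on a workstation against the downloaded backup file. It covers only what the backup would put back; it says nothing about the firmware image itself, and the `etc/config` entries it leaves out still need a read-through.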
GRC Shields up - all ports - checked and they are all "Stealth" and upnp is not responding (I set the FW to drop rather than reject)
Checked scheduled tasks in LEDE and there are not any
Checked Startup - Local startup - it is empty
Set WAN6 to not start at system start (as my ISP does not support IPv6) - interestingly when I did this the memory usage dropped quite a bit so double positive.
Set a password (obviously)
Made sure SSH for dropbear to be LAN only
I am guessing though that this is only playing at the edges because any serious "bad actor" would be setting scripts and services outside of the LEDE interface view (am I right here??) and so the only really safe option is to do as OldNavyGuy suggested and re-flash and setup from scratch.
I also SSH'd to the router and did a ps. This is the output. Can some guru cast an eye over it and let me know if there is anything of concern or anything that warrants closer inspection / analysis? I really don't want to reflash unless I have to as the connection/router is being used all day by the wife for work and finding a window when I can do all of this means sitting up all night.
You have to make a decision: Either you want to be sure that no malicious content from the previous owner remains on your device, or not.
"I want to be sure, but I don't want to reflash." is not an option, IMHO.
You have to make up your mind about what you want to do.
Verifying the integrity of the firmware by a reflash should have been done before anything else.
Work at nights…well that is kind of “the name of the game” for network techs. That is the reason complete countries stop working in the morning sometimes. When that happens we know the night shift had a bad night when trying to upgrade something…
But you will pretty soon need to upgrade to 21.02.2 anyway so you will have to deal with the free time anyway.
Or do as I do. Have two identical routers and shift between them when upgrading or “testing new stuff”.
Problem is (for my limited experience) I don't know how to install a particular package without an internet connection on the 2nd (being worked on) router while connected to my "off the live network" laptop. I got the new router but I struggled to see a way to install the SQM QoS package without the device being connected to WAN/PPP (without radically changing the config first to make it a dumb AP, doing the installation of SQM QOS, and then changing the config back to being a VDSL router).
If someone can point me in the right direction to be able to download SQM-QOS and the right command to install it and all of its dependencies while WAN is down (I can use WinSCP to copy files over) then I would be really grateful.
It's a home scenario remember - not an office with me working nights. I've kind of been forced into the situation by the wife working from home due to Covid restrictions in my country at the moment. Normally - in normal times I would have the whole day to myself and could take the network out at will.
But the WAN connection is the DSL (adsl / copper telephone wire) port on this VDSL router.
It does have a WAN ethernet port but out of the box with OpenWRT I am not sure this does anything.
The OpenWRT project will likely have a 21.02.x release in the near future. New releases typically address security issues and bug fixes. If your security concerns are at a level that leads you to question the validity of your purchase, you will certainly be reflashing the update.
Everything you need is on those links. The first has the new firmware to reflash.
The 2nd is the PDF which shows you everything from flashing first time, to updating and how to reconfigure for WAN or VDSL.