New preconfigured router purchased - how to safety check?

Hi Everyone,

This is a bit of a NooB question so please be patient with me. I think this would be useful for any future novices getting into the world of OpenWRT and LEDE too :slight_smile:

I have just purchased a modified router (old BT Homehub 5A) with 21.02.1. I have configured it with my own VDSL, Wifi SSIDs, SQM and such and wanted to know, now it is working to my requirement, if there is a logical and methodical way to double check if there were any "Hacker" like modifications made under the hood by the person selling the router to me. Can someone please let me have a few pointers as to which bits of the system to check to make sure that nothing sinister has been set up/modified by the seller?

If it is not possible to do, then am I best backing up my config, doing a sysupgrade using the LEDE interface to overwrite the current build and then restoring my config from the backup (or would that simply back up any bad bits and restore them on the fresh build)?

Many thanks
P

The only way to be sure is re-flash the router firmware and re-configure it from scratch.

7 Likes

Hi,

I thought that might be the case.

For now.. I have done the following:

  1. GRC Shields Up - all ports - checked and they are all "Stealth" and UPnP is not responding (I set the FW to drop rather than reject)
  2. Checked scheduled tasks in LEDE and there are not any
  3. Checked Startup - Local startup - it is empty
  4. Set WAN6 to not start at system start (as my ISP does not support IPv6) - interestingly, when I did this the memory usage dropped quite a bit, so double positive.
  5. Set a password (obviously)
  6. Made sure SSH (dropbear) is LAN only

I am guessing though that this is only playing at the edges because any serious "bad actor" would be setting scripts and services outside of the LEDE interface view (am I right here??), and so the only really safe option is to do as OldNavyGuy suggested and re-flash and set up from scratch.

thanks
Paul
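The two questions above (does a config backup carry the "bad bits" across a reflash, and where would scripts outside the LuCI view live) come down to the same list of paths. Everything a previous owner changed on an OpenWrt/LEDE device sits in the overlay (/overlay/upper), and a `sysupgrade -b` backup is by default a tarball of /etc/config plus the paths listed in /etc/sysupgrade.conf and /lib/upgrade/keep.d/, which includes /etc/rc.local, /etc/crontabs/ and /etc/dropbear/. The script below is an added example, not code from the thread or from the OpenWrt project: it takes either the file list of such a backup or the overlay of a running device and prints the entries that run code at boot, on a schedule, on hotplug events or at login, or that grant SSH access. The demo data it can build is constructed for illustration; the path list and the wording of the reasons are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): list the places where a previous owner's
# changes would persist on an OpenWrt/LEDE device and flag the ones worth
# reviewing before a backup is restored onto a freshly flashed image.

# Print why a path matters and return 0, or return 1 if it is not of interest.
# Paths are given without a leading "/" or "./".
why_sensitive() {
    case "$1" in
        etc/rc.local)                 echo "runs at the end of every boot" ;;
        etc/crontabs/*)               echo "scheduled task" ;;
        etc/init.d/*)                 echo "boot-time service script" ;;
        etc/hotplug.d/*)              echo "runs on interface/usb/button events" ;;
        etc/uci-defaults/*)           echo "runs once at next boot" ;;
        etc/dropbear/authorized_keys) echo "SSH key grants root login" ;;
        etc/profile|etc/profile.d/*|root/.profile) echo "runs at shell login" ;;
        etc/firewall.user)            echo "custom firewall rules" ;;
        etc/sysupgrade.conf|lib/upgrade/keep.d/*) echo "controls what survives a sysupgrade" ;;
        etc/opkg/*)                   echo "extra package feed or signing key" ;;
        bin/*|sbin/*|usr/bin/*|usr/sbin/*|lib/*|usr/lib/*) echo "replaces a firmware binary or library" ;;
        *) return 1 ;;
    esac
}

# Read one path per line on stdin (tar listing or find output), print the
# ones that need a look. Directory entries are skipped.
flag_paths() {
    while IFS= read -r raw; do
        p=${raw#./}; p=${p#/}
        case "$p" in ''|*/) continue ;; esac
        if reason=$(why_sensitive "$p"); then
            printf 'REVIEW: %s (%s)\n' "$p" "$reason"
        fi
    done
    return 0
}

# Inspect a backup made with `sysupgrade -b backup.tar.gz` before restoring it.
audit_backup() {
    tar -tzf "$1" | flag_paths
}

# On the device: the overlay holds every file that differs from the image.
audit_overlay() {
    dir=${1:-/overlay/upper}
    ( cd "$dir" && find . -type f ) | flag_paths
}

# Usage: sh audit.sh backup /tmp/backup.tar.gz   or   sh audit.sh overlay
if [ "$#" -ge 1 ]; then
    case "$1" in
        backup)  audit_backup "$2" ;;
        overlay) audit_overlay "${2:-/overlay/upper}" ;;
        *) echo "usage: $0 backup <file.tar.gz> | overlay [dir]" >&2 ;;
    esac
fi
```

Run the backup audit on the laptop against the tarball taken from the old build: anything it prints is a file that will land on the fresh flash if the backup is restored unchanged, so the safe path is to keep only /etc/config entries you recognise and re-create the rest by hand. Note that this only finds what is visible in the filesystem; it cannot vouch for the firmware image itself, which is why the replies in this thread recommend reflashing from a known download.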

I also SSH'd to the router and did a ps. This is the output. Can some guru cast an eye over it and let me know if there is anything of concern or anything that warrants closer inspection / analysis. I really don't want to reflash unless I have to as the connection/router is being used all day by the wife for work and finding a window when I can do all of this means sitting up all night :frowning:

root@OpenWrt:~# ps
  PID USER       VSZ STAT COMMAND
    1 root      1632 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    3 root         0 IW<  [rcu_gp]
    4 root         0 IW<  [rcu_par_gp]
    6 root         0 IW<  [kworker/0:0H-kb]
    8 root         0 IW<  [mm_percpu_wq]
    9 root         0 SW   [ksoftirqd/0]
   10 root         0 IW   [rcu_sched]
   11 root         0 SW   [migration/0]
   12 root         0 SW   [cpuhp/0]
   13 root         0 SW   [cpuhp/1]
   14 root         0 SW   [migration/1]
   15 root         0 SW   [ksoftirqd/1]
   17 root         0 IW<  [kworker/1:0H-kb]
   18 root         0 IW<  [netns]
   35 root         0 IW   [kworker/0:1-eve]
   40 root         0 IW   [kworker/1:1-eve]
  177 root         0 SW   [oom_reaper]
  178 root         0 IW<  [writeback]
  180 root         0 SW   [kcompactd0]
  185 root         0 IW<  [pencrypt_serial]
  187 root         0 IW<  [pdecrypt_serial]
  200 root         0 IW<  [kblockd]
  201 root         0 IW<  [blkcg_punt_bio]
  225 root         0 IW<  [kworker/u5:0]
  229 root         0 SW   [watchdogd]
  251 root         0 SW   [kswapd0]
  338 root         0 IW<  [kthrotld]
  435 root         0 IW<  [ipv6_addrconf]
  444 root         0 IW   [kworker/1:2-eve]
  482 root         0 SW   [ubi_bgt0d]
  487 root         0 IW<  [kworker/0:1H-kb]
  488 root         0 IW<  [kworker/1:1H-kb]
  502 root         0 IW   [kworker/0:2-rcu]
  558 root         0 SW   [ubifs_bgt0_2]
  602 ubus      1280 S    /sbin/ubusd
  603 root       940 S    /sbin/askfirst /usr/libexec/login.sh
  637 root      1044 S    /sbin/urngd
  767 root         0 IW<  [cfg80211]
  793 root         0 IW<  [ath10k_wq]
  794 root         0 IW<  [ath10k_aux_wq]
  795 root         0 IW<  [ath10k_tx_compl]
 1104 logd      1264 S    /sbin/logd -S 64
 1156 root      2220 S    /sbin/rpcd -s /var/run/ubus/ubus.sock -t 30
 1448 root      4288 S    /usr/sbin/hostapd -s -g /var/run/hostapd/global
 1449 root      4192 S    /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
 1511 root      1788 S    /sbin/netifd
 1568 root      1480 S    /usr/sbin/odhcpd
 1990 root      4364 S    /usr/sbin/uhttpd -f -h /www -r OpenWrt -x /cgi-bin -u /ubus -t 60 -T 30 -k 0 -A 1 -n 3 -N 10
 2479 root      1148 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 192.168.1.254:22 -p fdbb:473b:26a6::1:22
 2974 dnsmasq   1416 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411
 3010 root      1792 S    /sbin/vdsl_cpe_control -i10_00_10_00_00_04_00_07 -n /sbin/dsl_notify.sh -f /tmp/lantiq-vrx20
 3120 root      1256 S<   /usr/sbin/ntpd -n -N -S /usr/sbin/ntpd-hotplug -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.n
 3172 root         0 SW   [autbtex]
 3173 root         0 SW   [pmex_ne]
 3175 root         0 SW   [pmex_fe]
 3686 root      1296 S    /usr/sbin/pppd nodetach ipparam wan ifname pppoe-wan lcp-echo-interval 1 lcp-echo-failure 5
 4105 root         0 IW   [kworker/u4:0-ev]
 4410 root         0 IW   [kworker/u4:2-ev]
 4908 root      1172 R    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 192.168.1.254:22 -p fdbb:473b:26a6::1:22
 4909 root      1260 S    -ash
 4918 root      1252 R    ps
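A first pass over a busybox `ps` listing like the one above can be automated. Kernel threads show as `[name]` with VSZ 0; every other entry is a userland process whose executable path can be checked against the directories a stock image installs into, and, on the device itself, against the package database with `opkg search`. The script below is an added example, not code from the thread or from OpenWrt; its sample listing is constructed (a few lines in the format of the output above plus one made-up process started from /tmp), and the directory list and output tags are assumptions. It only covers what `ps` can see: a hook living in a kernel module or a replaced system binary would not stand out here, which is the reason the other replies say a reflash is the only way to be sure.

```sh
#!/bin/sh
# Added example (not from the thread): triage a busybox `ps` listing.
# Usage on the device after sourcing this file:  ps | odd_processes

STOCK_DIRS='/bin /sbin /usr/bin /usr/sbin /usr/libexec'

# Print one line per userland process whose executable is not a file in a
# stock directory. Absolute paths elsewhere (/tmp, /root, /overlay, a dot-dir)
# are tagged OUTSIDE-STOCK; bare names (resolved via PATH, e.g. a login shell)
# are tagged CHECK-PATH so the reader can confirm which binary they map to.
odd_processes() {
    awk -v dirs="$STOCK_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        NR == 1 { next }                                  # header line
        $5 ~ /^\[.*\]$/ { next }                          # kernel thread
        $5 !~ /^\// { print "CHECK-PATH", $1, $2, $5; next }
        {
            ok = 0
            for (i = 1; i <= n; i++) if (index($5, d[i] "/") == 1) ok = 1
            if (!ok) print "OUTSIDE-STOCK", $1, $2, $5
        }'
}

# On the device only: executables of running processes that no installed
# package claims. `opkg search <file>` prints the owning package or nothing.
unowned_binaries() {
    ps | awk 'NR > 1 && $5 ~ /^\// { print $5 }' | sort -u | while IFS= read -r bin; do
        [ -n "$(opkg search "$bin" 2>/dev/null)" ] || echo "UNOWNED: $bin"
    done
}

# Constructed sample: real-looking lines plus a made-up /tmp process (pid 4242).
SAMPLE='  PID USER       VSZ STAT COMMAND
    1 root      1632 S    /sbin/procd
    2 root         0 SW   [kthreadd]
  602 ubus      1280 S    /sbin/ubusd
 1448 root      4288 S    /usr/sbin/hostapd -s -g /var/run/hostapd/global
 2479 root      1148 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 192.168.1.254:22
 4242 root      1100 S    /tmp/.cache/updater -d
 4909 root      1260 S    -ash'

printf '%s\n' "$SAMPLE" | odd_processes
```

Against the constructed sample this prints the /tmp process as OUTSIDE-STOCK and the login shell as CHECK-PATH; on the device, `unowned_binaries` is the more telling check, because a binary dropped into /usr/sbin under a plausible name passes the directory test but has no owning package.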

You have to make a decision: Either you want to be sure that no malicious content from the previous owner remains on your device, or not.
"I want to be sure, but I don't want to reflash." is not an option, IMHO.

6 Likes

You have to make up your mind about what you want to do.
Verifying the integrity of the firmware by reflashing should have been done before anything else.

Working nights…well, that is kind of "the name of the game" for network techs. That is the reason whole countries stop working in the morning sometimes. When that happens we know the night shift had a bad night trying to upgrade something…:joy:

But you will pretty soon need to upgrade to 21.02.2 anyway so you will have to deal with the free time anyway.

Or do as I do. Have two identical routers and shift between them when upgrading or “testing new stuff”.

1 Like

Hi flygarn12,

Two routers - that is what I have ....

Problem is (for my limited experience) I don't know how to install a particular package without an internet connection on the 2nd (being worked on) router while connected to my "off the live network" laptop. I got the new router but I struggled to see a way to install the SQM QoS package without the device being connected to WAN/PPP (without radically changing the config first to make it a dumb AP, doing the installation of SQM QOS, and then changing the config back to being a VDSL router).

If someone can point me in the right direction to be able to download SQM-QOS and the right command to install it and all of its dependencies while WAN is down (I can use WinSCP to copy files over) then I would be really grateful.

It's a home scenario remember - not an office with me working nights :slight_smile: I've kind of been forced into the situation by the wife working from home due to Covid restrictions in my country at the moment. Normally - in normal times - I would have the whole day to myself and could take the network out at will.

So... I think I am managing to answer my own question. I have downloaded
https://downloads.openwrt.org/releases/packages-21.02/aarch64_cortex-a72/luci/luci-app-sqm_git-21.188.55209-f161b40_all.ipk
and
https://downloads.openwrt.org/releases/packages-21.02/aarch64_cortex-a72/packages/sqm-scripts_1.5.1-1_all.ipk

I assume that I can copy these over to /tmp and then issue the commands in the following order:

opkg install /tmp/sqm-scripts_1.5.1-1_all.ipk
then
opkg install /tmp/luci-app-sqm_git-21.188.55209-f161b40_all.ipk

If someone could sanity check that this is correct then I think I will be good to go with a clean install

Thanks
Paul
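Two things a practitioner would add to the offline-install plan above. First, the downloads server publishes a `Packages` index next to the .ipk files, and each stanza in it carries a `Filename:` and a `SHA256sum:` line, so a file copied over by hand can be checked against the index before `opkg install` runs it as root. Second, both files named above are `_all` packages (architecture independent), so they install on any target, but `sqm-scripts` depends on architecture-specific packages such as `tc` and `kmod-sched-cake`; a Home Hub 5A is the lantiq/xrx200 target (mips_24kc), so those dependencies must come from that target's feed and kmods directory for the exact installed release, and `opkg install` of a local file will still try to fetch missing dependencies and fail without a WAN link unless they are already present or also supplied. The script below is an added example, not code from the thread or from OpenWrt: it verifies each file against the index and installs them in the order given, dependencies first. The demo data it builds is constructed; the function names and the `install_offline.sh` file name are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): verify hand-copied .ipk files against
# the feed's Packages index, then install them in the given order.
# sha256sum and awk are busybox applets on OpenWrt.

# Print the SHA256sum recorded in a Packages index for a given file name.
# Stanzas are blank-line separated, so fields are collected per stanza.
index_sha256() {   # $1 = Packages file, $2 = ipk file name
    awk -v want="$2" '
        function flush() { if (fn == want && sum != "") { print sum; found = 1 } fn = ""; sum = "" }
        /^Filename:/  { fn = $2 }
        /^SHA256sum:/ { sum = $2 }
        /^$/          { flush() }
        END           { flush(); exit !found }
    ' "$1"
}

# Return 0 if the file is listed in the index and its hash matches, 1 otherwise.
verify_ipk() {     # $1 = Packages file, $2 = path to .ipk
    expected=$(index_sha256 "$1" "$(basename "$2")") || return 1
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Verify every file first, then install in order; stop on the first failure.
install_offline() {  # $1 = Packages file, remaining args = .ipk paths, deps first
    index=$1; shift
    for f in "$@"; do
        verify_ipk "$index" "$f" || { echo "checksum mismatch or not in index: $f" >&2; return 1; }
    done
    for f in "$@"; do
        opkg install "$f" || return 1
    done
}

# Constructed demo data (not the real feed): two dummy files, an index whose
# hashes are computed here, then one file is altered to show a mismatch.
make_demo() {
    d=$(mktemp -d)
    printf 'dummy a\n' > "$d/sqm-scripts_1.5.1-1_all.ipk"
    printf 'dummy b\n' > "$d/luci-app-sqm_git-21.188.55209-f161b40_all.ipk"
    for f in "$d"/*.ipk; do
        name=${f##*/}
        printf 'Package: %s\nFilename: %s\nSHA256sum: %s\n\n' \
            "${name%%_*}" "$name" "$(sha256sum "$f" | awk '{ print $1 }')"
    done > "$d/Packages"
    printf 'tampered\n' >> "$d/luci-app-sqm_git-21.188.55209-f161b40_all.ipk"
    echo "$d"
}

# Usage on the router, after copying the index and the .ipk files to /tmp:
#   sh install_offline.sh /tmp/Packages /tmp/sqm-scripts_1.5.1-1_all.ipk /tmp/luci-app-sqm_git-21.188.55209-f161b40_all.ipk
if [ "$#" -ge 2 ]; then
    install_offline "$@"
fi
```

The `Packages` file for the two packages named above lives in the same `packages/` and `luci/` directories as the .ipk files, so it is one more download to copy over with WinSCP; the index itself is signed (`Packages.sig`), which is what `opkg` checks when it fetches feeds online, so on a clean flash you can also just let `opkg update` fetch both once the WAN link is up.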

Just plug the test router's WAN connection into the operational router's LAN connection and run everything as double NAT.

Just remember that the routers MUST have different gateway addresses.

But the WAN connection is the DSL (ADSL / copper telephone wire) port on this VDSL router.
It does have a WAN ethernet port but out of the box with OpenWRT I am not sure this does anything.

The OpenWRT project will likely have a 21.02.x release in the near future. New releases typically address security issues and bug fixes. If your security concerns are at a level that leads you to question the validity of your purchase, you will certainly be reflashing the update.

1 Like

http://cdn1.expertreviews.co.uk/sites/expertreviews/files/styles/gallery/public/images/dir_423/er_photo_211684.jpg?itok=vMUO_VLG
Is it this one?
Usually these parallel DSL/WAN connectors both work to the WAN interface.
But it shouldn't really matter for the purpose of getting a double NAT setup. You can in the switch setup connect the port (or any port!) you want to VLAN 2 (WAN).

1 Like

https://openwrt.ebilan.co.uk/viewtopic.php?t=266

Everything you need is on those links. The first has the new firmware to reflash.
The 2nd is the PDF which shows you everything from flashing the first time, to updating, and how to reconfigure for WAN or VDSL.

1 Like
