OpenWrt as operating system for server

We also have your other question of cyber security and there you have some work to do.

To say in the first place you know what you are doing and say you have the cyber security under full control is like mega bad karma and a cyber criminal magnet😂

Not that long ago last year a Finnish psychiatric company's CEO stood and held up his new diploma of good cyber security, and during the interview the bad guys had been inside the system for a year already and were stealing the patient data while they celebrated their good security.

If you believe an IP table will stop unwelcome guests to your server, then the statistics say you already have unwelcome guests inside the system.

The whole world wishes it were that easy, but again and again that is proven wrong.

The bad guys only need to find one hole in your armour and you need to find them all, but you only talk about ssh.
At the same time you have given a lot of detailed information about everything you do and how your network is built up in this thread. All information was released without reason, since it wasn't needed for the question in the first place. Especially that you are an iOS app developer was interesting, so if they get your server then they can probably move laterally in the system and spread all the way to Apple's iOS. So you have made yourself a high value target just by writing a lot about everything you do instead of just fixing the problem by sharing just enough information to fix the problem.

1 Like

Sounds like a future botnet member. :smirk:
Long enough open vulnerabilities are most suited to exploit.

2 Likes

Definitely never Debian. I've always been more fond of any other distribution, one of my personal favourites being Gentoo. Next comes Arch. Debian and Ubuntu are bloat-ware in my opinion. It's pointless to do a "clean" install that takes gigabytes and requires hours of removing stuff until it's any good. Even though Arch and CentOS use systemd as well, I am not fond of it either. Maybe I'm old school in that way: logging should go elsewhere than journald, and keeping tabs on what services are supposed to start and which are running should be simpler, like in Alpine.

And apt is no different from yum or dnf. If you mix packages from different distributions/versions, you find yourself in a world of pain eventually.

Cyber security in full control. Yes, on the level that I require it to be. I am hosting a website, not a server that holds classified documents; only public and published data is held there. I just need to have it there, without anyone changing it to fit their purposes and turning it into a site for side-boob.

Didn't know we have psychiatric companies here. Mental health facilities in Finland afaik are, well, let's say, not as well funded as they would need to be. And still my site has screenshots and a link to the App Store, so it's not a theft that I am afraid of; it's more a bad review, since the developer won't be available if an issue was found.

Yes, all the information is indeed provided. But it's not a secret. I also can say that I have a safe at my home that comes with 2 ways to open it, digital keypad and physical key, but without further knowledge of combination or location of key, all this is trivial information - most safes these days have one or more ways (without breaking it) to go in, so do servers, otherwise it would be impossible to manage them.

And calm down a bit. Spread all the way to Apple's iOS? I assume this talk is about my home's gateway, getting past that to my network and through that to my server. Stop being paranoid. OpenWRT is updated more often than most commercially available routers' stock firmware, and yet they provide a safe enough environment. I know people who have about 10 years old cable modems, and it's fine.

And so what if I have equipment in my network? What are you doing with yours? There's a router sitting with nothing connected to it and you get freaked out because there just was a new nightly available that you didn't have time to install? o_O

The problem is more on your end. Maybe I am in denial if I say that my home network works fine and is safe enough. That said, it sounds like I don't have a problem with that.
The wiki is full of entries about possibilities. It's just as much information as is provided here; just take your pick, and once in a while you end up with an end-point that takes advantage of the technology described in the selected entry.

I am somewhat a super-social person. I can talk to strangers about things that some people think are private, but yet only give enough information that it cannot be used against me. I see here no IP addresses; all these posts are written on my laptop after work hours from various locations through my phone's hotspot, so even this way there are not many traces to me or to my home. I earlier confessed that I use my phone while driving, and I haven't yet seen anyone taking me down for a crime, even though a confession is written here, my gravatar is a modification of my face from 15 years ago, and even my name is used here as a user id. Still I am at large.

If my outdated version of the system in my gateway is that big a deal to you: have a nice flight, and welcome to Finland. Go ahead and update it; I haven't seen a need for that in years. Okay, due to covid the invitation is a bit pointless... But the offer was there merely to point out where the problem lies.

I got this a long time ago from your posts. But then you say this and I find this very interesting indeed: are you sure you haven't heard about this thing called SolarWinds lately?

You are on one hand so super interested in securing your data and access, but on the other hand you really don't seem to care about securing your access, just by running outdated software and software not optimized for the task.

Come on! You have some in every city I guess😂
Welcome to the EU, where HBTQ and equality are the thing and mental health is not a problem. Finland is a country that has been a pioneer of private outsourcing of state functions for a long time, actually better at the work than Sweden. We kind of copied your idea in the 90's but we are not long after Finland. If you actually know anything at all and have even a little interest in cyber security you can NOT have missed this GDPR breach if you actually live in Finland or Scandinavia! This breach was actually huge in the whole of the EU.
Are you sure you are from the EU at all and you didn't just borrow the name and picture to infiltrate OWRT by social engineering?

Reply to multiple posts from multiple authors follows:

There has to be something wrong with you. First of all we were talking about a psychiatric company that was Finnish. I do know about the case in the EU, but I just really don't care, unless you are 100% sure they were using a gateway equipped with owrt; we have different systems and it's more likely that they have better than I. Therefore it's a calculated risk factor. Actually I can give you some guidance on cyber security: the only way to keep your network from being hacked is that you take scissors and cut the wire, get an old-style printer that was used in offices back in the '90s, the kind that has endless paper feeding that you can rip into parts of specified lengths, and direct all your logging to that. Then there's no way that logs will be removed by unwanted visitors. In fact, put this printer in a fire-proof cabinet and get an armed guard for it; don't forget to pay him well, that gives some loyalty, but you'd be better off if you hired another one to guard that other guard. In fact, lose the computer and get an old-fashioned typewriter, and still there's a risk that you get hacked: someone might get access to that typewriter and write a memo impersonating you and counterfeit your signature and is able that way to do damage.

And there would be no point infiltrating here with any technique. If I did what you proposed, that would be to cause harm to the real person that I would be impersonating by writing here and there these confessions in writing, to get authorities interested in this person.

This is what you sound like: you compare my home network to HBTQ and think that I care that much. All I care about is my obligation to host my site, and there's a certain way that I am interested in doing it.

And last thing, no we don't. Mental healthcare is often in the news here for being under-resourced, and what we instead have is first aid, where they write a pass for you, since you cannot even sign on to special care of almost any kind (not just mental healthcare; let's say you need a specialist on burn wounds, been there). You cannot log in to those facilities; there's a bureaucracy behind this. This is called the "free" healthcare that we have; the attempt is to keep it as cheap as possible and as difficult as possible so people would avoid getting help if not in an emergency, so that services won't be overcrowded. There's commercial help available, and that way it's far faster and more efficient, but the problem is that we don't have insurance like in the U.S. that would cover it. Afaik there's a pricey insurance for children, and it must be purchased when the child is less than a certain age (I don't remember what this age was), and that covers healthcare in commercial facilities. And then there's employer-provided and legally required care, but it's not overseen in any way, so smaller companies just won't provide it.

Super interested in security? Not that much. I just want a system that works for me and is at least an attempt at security. I guess we all do in the end. With my web server this is more crucial, also for the reason that the provider requires that clients take care of security on some level or the contract is voided, and there's a good reason: they provide equipment and connections and are more or less responsible for how it's being used, and a too insecure system might be considered or used for abuse.

About that outdated software: I have a laptop that still runs Windows XP. It's fine that you go on the edge, but don't take it so hard if everyone else does not; your mileage may vary, as they say, and I'm solely responsible for my own security, and me asking for opinions here is in general a good thing, as I am taking care of some of my security that way. But it seems that you are selling some kind of commercial version of Debian or a security service; sorry to turn you down, but I ain't buyin'.

You don't get it, do you. You asked us how big the chance is of a breach on your server and I answered 100%.
What other answer is there? 83%? What should we then do with the other 17%? What is a 1%x100 chance defined as in the first place? Is the "chance" even a measurable thing?
Normally you would make a risk assessment of the different risks, value the different risks, and work with the risk values.

You say you have the situation under control. Well, my fresh Finnish real-life example was meant to show that people who say so openly with confidence don't have the situation under control. And in the repeating cases worldwide, be it companies, governments or private homes, they all fall for the cyber criminals because they don't take the problem seriously.

You have asked a lot of questions during this thread but you never like the answers; you just go on and on with huge replies without a real goal for the thread. You just say no to whatever answer we give you.
You actually have the answer already for your favorite O/S on the server!

I don't even get the question in the first place if you have done this for 15 years and already have a huge home network. And now you want to know if OWRT is a good server O/S?
With your programming knowledge this should not be a question in the first place.

Sell you a commercial Debian O/S... ok, you got me on this one. Now we can sleep calmly when we know you have control over the situation. Good luck with your server, whatever O/S you install😃

We have very different definitions.

100% means not just open ports on the firewall; it means no firewall at all, and ssh set to permit empty passwords for root, and no root password, and the website offering downloads of ssh client software for all known OSes. Or better yet, ssh replaced with telnet that doesn't even ask for credentials and instead opens a root shell immediately upon connection.
Or maybe the website sends notifications to people: click here to login as root.

And 0% means that the firewall is bulletproof.

This question is still about the firewall's capability to block unwanted connections. Thus unwanted visitors have the possibility to breach in that way.
And I have asked only one question, with follow-up questions about ideas in case iptables is not preferred in this thread; you have re-phrased my words into new questions.

So yes, I say no to every other answer besides the question that I asked, as I asked about the safety level of the iptables that is patched in owrt, and whether this causes a problem in server use. I haven't reviewed the patches; maybe they have optimised it in a fashion for router use and it's not preferred at all in server usage.

And my home network is far from huge. I know owrt is a good OS; I want to know if its firewall is any good on a server that hosts a website. How many times do I need to ask this same question? And I also marked this as solved from the only answer that is relevant to my question. I am not asking if there are flaws in my design, or whether I should have a patched version of nginx, or whether my caddy configuration is insecure.

And I apologise, now I see that this thread's title is misleading, so it's kind of my fault if I gave the impression that I am looking for answers to any other question. Of course, you are all very welcome to contribute and share ideas; but I already have a design in my mind that I am about to follow, whether there would be better solutions or not. You cannot sell me the idea of another OS. I already gave CentOS a green flag, and I chose that in the first place when I could have easily gone another way, let's say Debian for example. I am interested in trying another way, and I don't need solutions for other OSes since I have already given them a try in the form of CentOS. Whether there is a point in trying this or not, it's something that I want to give a shot; maybe I'll go back to CentOS in a month or so, or maybe not, time will tell. But there's absolutely no point if the firewall gives in to anyone, as it's the first line of defence.

And therefore, as I have a plan and design, I do know what I am doing. I am building something simple that provides content. I don't want outside administrators, and so no connections to management services, so the firewall needs to work. That is my requirement.
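The "100%" case described above is a list of concrete sshd settings (root login permitted, empty passwords accepted, password authentication on), which makes it easy to check for. The following is an added example, not code from the thread or from OpenWrt: a small POSIX shell audit that scans an sshd_config for exactly those settings and prints a count, run against two constructed sample files, the deliberately weak one and a hardened counterpart. It is a plain line scan and assumes the settings appear at top level (it deliberately ignores Match blocks).

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the post above calls the "100%" case. Sample files below are constructed.
# Assumption: a top-level line scan is enough; Match blocks are not parsed.

# Usage: count=$(audit_sshd_config /path/to/sshd_config)
# Findings go to stderr, the number of findings to stdout.
audit_sshd_config() {
    cfg="$1"
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip comments, squeeze whitespace, lower-case for comparison.
        line=$(printf '%s\n' "$line" \
            | sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
            | tr '[:upper:]' '[:lower:]')
        case "$line" in
            "permitrootlogin yes")        msg="root login over ssh permitted" ;;
            "permitemptypasswords yes")   msg="empty passwords accepted" ;;
            "passwordauthentication yes") msg="password authentication enabled" ;;
            *) continue ;;
        esac
        echo "WEAK ($cfg): $msg" >&2
        findings=$((findings + 1))
    done < "$cfg"
    echo "$findings"
}

# Constructed "100%" configuration: the settings the post enumerates.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# sshd_config (constructed, deliberately weak)
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
EOF

# Constructed hardened counterpart: key-only logins, no root, no empty
# passwords. The commented-out line must not be counted as a finding.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# sshd_config (constructed, hardened)
Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
EOF

echo "weak config findings:     $(audit_sshd_config "$WEAK_CFG")"
echo "hardened config findings: $(audit_sshd_config "$HARDENED_CFG")"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config` (or the Dropbear equivalent is not covered: Dropbear takes its options on the command line, not from this file). A zero count only says these three settings are absent, not that the service is safe; it is a floor, which is the point the post is making about what "100%" means.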

A bit late (given it's marked solved), but has anyone mentioned 'tiny core linux' if OpenWRT won't do?

Peace and best wishes to all.

I sincerely hope that no one does, as the upgrade situation (for security issues) is truly horrible (non-existent) there. OpenWrt has opkg as package manager (no, it's not full-featured and not on par with rpm/{yum,dnf} or dpkg/apt, but it can upgrade individual packages for bugfixes), and you will get upgraded images for security issues (relevant to the preinstalled package set and router-specific uses) rather quickly, and can compile them on your own at any time. Neither of these can be said about tinycorelinux.

2 Likes
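The reply above draws the distinction between package-level bugfix upgrades through opkg and whole-image upgrades. As an added example (not from the thread or the OpenWrt project), here is a POSIX shell helper that turns the output of `opkg list-upgradable` into an explicit plan a server admin can log before touching anything. It assumes opkg's one-line-per-package format, `name - installed - available`, and it holds back `kmod-*` packages, since kernel modules are built against one exact kernel and belong to the image upgrade the reply mentions rather than to a package-level upgrade. The package list below is constructed sample output, not real version data.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt). Parses the output of
# `opkg list-upgradable` ("name - installed - available", one per line,
# assumed format) into an upgrade plan. Constructed sample data below.

# Usage: opkg list-upgradable | upgrade_plan
# Prints "UPGRADE name old -> new" per package, or "HOLD" for kmod-* packages,
# which are tied to the exact kernel build and should come with a new image.
upgrade_plan() {
    awk '
        # Accept only the expected five-field shape; skip blank or odd lines.
        NF != 5 || $2 != "-" || $4 != "-" { next }
        $1 ~ /^kmod-/ {
            printf "HOLD    %s %s (kernel module: refresh via image upgrade)\n", $1, $3
            next
        }
        { printf "UPGRADE %s %s -> %s\n", $1, $3, $5 }
    '
}

# Usage: opkg list-upgradable | upgrade_commands
# Emits one "opkg upgrade <name>" line per package the plan marks UPGRADE.
upgrade_commands() {
    upgrade_plan | awk '$1 == "UPGRADE" { print "opkg upgrade " $2 }'
}

# Constructed sample of what `opkg list-upgradable` prints (versions invented).
SAMPLE_LIST='dropbear - 2020.80-1 - 2020.81-1
wolfssl - 4.5.0-stable-1 - 4.6.0-stable-1
kmod-nf-nathelper - 5.4.80-1 - 5.4.86-1

nginx - 1.19.6-1 - 1.19.7-1'

echo "== plan =="
printf '%s\n' "$SAMPLE_LIST" | upgrade_plan
echo "== commands =="
printf '%s\n' "$SAMPLE_LIST" | upgrade_commands
```

On a live system the pipeline is `opkg update && opkg list-upgradable | upgrade_plan`, and the command list is something to review and record, not to pipe straight into a shell; the HOLD lines are the reminder that a kernel-module bump is a sysupgrade job.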

Also I wouldn't recommend TCL for this purpose. OpenWRT has a quite small footprint, but TCL has an even smaller one; its aim seems to be minimal size, and many of its packages have quite a few features disabled. I haven't tried, and really don't even know if it has packages suitable for the purpose available, but if they are available, they most likely lack a lot of capabilities. On the one hand this improves security, but on the other hand this might limit the end user. I don't have a lot of requirements; even the mariadb that I currently have installed isn't required at all. But still, it's quite a bummer if one for example requires more and needs to change OS completely.

And then there is the security side of TCL: it's not aiming for security, so its security is therefore quite nominal. Mostly TCL has its brightest moments if you have a system that broke for some reason and you need something quickly that you can use to access its files to back them up or, if possible, fix the broken system. And also some manufacturers have created a firmware/BIOS update procedure that can be run from TCL, which is actually superb. I'd hope more manufacturers would go that way actually.

@slh oh, that's the first I've heard of it.

Is that view shared in many other places (links/sources to read) or is it your personal observation?

Cheers and thanks for the views

edit: we should add, are you referring to the kernel (or other modular software that can be added and compiled oneself [it is open source]), or just that in its barebones state off the shelf it doesn't 'compare'?
