Router takes internet from M2 board (not from ethernet!)
Is there any way to restrict SSH to the Ethernet cable only (block LAN access via wireless)? If so, how? If not, can I disable SSH completely? Also, how do I prevent brute-forcing LuCI from the LAN (my neighbor has some person who enjoys messing with other people's routers, and I want to be one step ahead to prevent "pranks")?
And I want to add some primitive DoS protections on the router (as my neighbor told me, he suffered from many pings and port 80 connections to the router, so I want to secure my router as much as possible until we figure out who it is). Any good firewall rules? I don't need highly advanced stuff, only a little higher than average.
Pings aren't DoS attacks; that is pretty much what the internet looks like on a normal day.
Port 80 connections? Port 80 pings are target-of-opportunity pings to find targets with badly configured firewalls. By using OpenWrt you actually have a fully working firewall that blocks all ports to begin with.
Pings can, however, result in DoS attacks if they find an interesting port on your router that is open. But there is no way to protect against a DoS attack once it starts.
You are on his network; if you are getting pinged, it is local. You are, at least, double-NATed. You are not seeing pings from the internet.
And again:
The OpenWrt firewall will be fine out of the box. What you may not know how to do is get your network onto its own subnet, if it is not already, and behind your own WAN and firewall.
Anyway, this is your first day here so you may be limited to the number of posts in a 24 hour period.
I'd ask you to reconcile those two but I see you are really lost in the woods.
You need some basic network understanding for us to help.
And an OpenWrt device.
And remember:
Your replies are limited today; if you run out, come back tomorrow.
That is, now you can only enter LuCI via HTTPS at address 192.168.1.1 and port 32455; https://192.168.1.1:32455 is what the address will look like.
Just check that you have a certificate in uhttpd.crt.
To check, make a backup, open it in WinRAR and see whether it is there or not.
If it is not there, then you will not be able to log in via HTTPS.
There are viruses that get installed on devices; they attack the default ports for entering the router, using standard passwords.
Please stop spreading FUD.
There is literally zero benefit in changing ports!
Disable weak SSH ciphers and you have already gotten rid of 99% of bots. Use fail2ban to kick the rest.
If you don't trust uhttpd then put nginx or haproxy in front, but as this also gives you zero security benefit, it's also useless if every POST and GET just gets passed through to the backend service.
If you really are paranoid, then use SSH with 2FA, and allow connections to LuCI only from localhost.
Yeah... my "opinion". (We are not talking about a favorite color or food here...)
But my "opinion" is more or less evidence-based and follows "reasoning".
Like with changing ports; it has zero benefit.
What do you want to achieve here? So a port scan does not take like 1.5 sec but 3.5? And the potential attacker still knows that there is an open port/listening service. And probing a service port takes only a little bit of time. So the net result is nothing. The only thing you have introduced is that you now need to specify a port number in a URL when you want to use the WEB(!!!!) access. Which... you know... is normally on 80 or 443 because, you know, it's HTTP! (Why do I even waste my time responding to such nonsense in the first place?!)
And btw: what do you want to achieve with HTTPS only? If you are directly connected to your router, then you can even use telnet... HTTPS only provides you a benefit if you connect through an untrusted network (or do it over the air with Wi-Fi).
The port may be whatever. But this isn’t a security setting.
It only defines a network address for the luci server to listen for, 192.168.1.1.
But it doesn’t control who can knock on the door or call the address.
Nor does it control what zone the call comes from, since this is a bogus IP address and not an address connected to a gateway.
So it is like a dog, it comes running to you no matter if you whistle or call it by name.
The only way to make uhttpd access secure is to control the "listening" address and port in the firewall as the destination, and in the same rule also define who can make the call as the source.
But that also means you need to fine-tune the input setting of the zone (all zones!) to reject, and open all the specific ports needed.
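One way to express that "destination port plus allowed source" rule directly in nftables, as an added example that is not from this thread and not OpenWrt's own fw4 ruleset: a separate table that only restricts new connections to the management ports and leaves everything else to fw4's input chain. It also throttles login storms on those ports, which is the brute-force concern raised earlier in the thread. Everything in it is an assumption to adjust: LuCI on 443 and Dropbear on 22, the LAN bridge named br-lan, 192.168.1.10 as the only management host, and the rate and ban times. It allowlists by source address, so it does not by itself distinguish wired from wireless clients on the same bridge; that would need the Wi-Fi on its own network. Load it with `nft -f <file>`; keeping it in place across firewall reloads is not covered here.

```nft
# Added example (not from the thread, not fw4's own rules): restrict and
# throttle management access. All addresses, ports and names are placeholders.
table inet admin_guard {
    # hosts that may open LuCI/SSH sessions (placeholder address)
    set admin_hosts {
        type ipv4_addr
        elements = { 192.168.1.10 }
    }

    # per-source meter for new management connections; entries expire
    set admin_meter {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1h
        size 1024
    }

    # sources that exceeded the meter; entries expire after 10 minutes
    set admin_banned {
        type ipv4_addr
        flags dynamic,timeout
        timeout 10m
        size 1024
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # only new connections to the management ports are inspected;
        # everything else passes straight on to fw4's own input chain
        tcp dport { 22, 443 } ct state new jump admin_check
    }

    chain admin_check {
        # a source on the temporary ban list gets nothing
        ip saddr @admin_banned counter drop
        # management sessions must arrive on the LAN bridge
        iifname != "br-lan" counter drop
        # this example only allowlists IPv4; drop IPv6 management attempts
        meta nfproto ipv6 counter drop
        # and must come from an allowed host
        ip saddr != @admin_hosts counter drop
        # even an allowed host is banned for 10 minutes after more than
        # 10 new management connections within a minute (a login storm)
        add @admin_meter { ip saddr limit rate over 10/minute } add @admin_banned { ip saddr } counter drop
    }
}
```

The split into a base chain that only jumps for the interesting packets and a regular chain holding the checks keeps non-TCP traffic and every other port untouched, which matters because an `accept` or `drop` in this table is a final verdict for the packet even though fw4's chain on the same hook still runs for accepted ones.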
Here are some rules that can go in mangle-prerouting to filter some bad stuff:
These rules are kinda like the one shown under LuCI / Network / Firewall where it says "drop invalid packets".
# meant to be merged into the mangle_prerouting chain (priority -150 is the mangle priority)
chain mangle_prerouting {
    type filter hook prerouting priority -150;
    # packets conntrack could not classify, or that bypassed conntrack entirely
    ct state invalid, untracked counter drop
    # a new TCP connection must start with a bare SYN among the fin/syn/rst/ack bits
    meta l4proto tcp tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
    # stricter form of the same check: the first packet must carry exactly the SYN flag
    tcp flags != syn ct state new counter drop
}