The default seems to be to allow login access to the router via http (ethernet and WiFi) and SSH (WAN and LAN). I would prefer to limit login access to only the physical LAN ports via the ethernet ports (ie, no access from the WAN and no access from the LAN WiFi connections).
If I change Dropbear to only listen to the LAN, that prevents login access from the WAN (good!).
What can I change to only allow login access from the LAN ethernet ports and not the LAN WiFi clients?
Well if you want to do it on interface level you would need to create two LAN interfaces (one assigned to LAN and one for Wifi) like it is done with a Guest Wifi but then you would need to route between the two (performance?) if you want to use devices in your wired LAN from your Wifi.
Or you would need to do it on an IP level with the firewall and exclude a certain range from the DHCP pool. But that would only give you limited safety.
Oh... I didn't realize that there was a difference between "listening" and "acting upon". It makes sense that even though dropbear is listening, the firewall rule will still block the access attempt from the WAN.
I now have a few more questions that came to mind...
What would happen if I delete the dropbear instance altogether? Would that just prevent the router from listening for SSH connections altogether on any port?
I'm assuming that the Web Admin GUI on 192.168.1.1 is by default not accessible from the WAN by any means. Am I correct in this assumption?
Thanks. I understand the concept of what you are saying here. At this point my OpenWRT skill level is not good enough to do this.
Is anyone else concerned about LuCi login access via wifi? The issue I see is that someone could try to login to LuCi over Wifi while brute force attacking the password. They could do this for hours/days/months and I would have no idea that they are trying to do this. Maybe there is another way to protect login to Luci by putting in an anti-scan or throttling mechanism that only allows so many login attempts per unit time? Is there a way to setup LuCi access with Two Factor Authentication or SSH keys? Or maybe there are some other safeguards that I am not aware of.
If you have your WiFi clients on a different network (example, wired clients on 192.168.1.0/24 and WiFi SSID Test clients on 192.168.2.0/24), you could create a firewall rule to block access to port 80/443 on your router from that subnet. In essence, src addr 192.168.2.0/24 any srcport, dst 192.168.2.1 dstport 80,443 REJECT.
And yes, you can set your SSH server on OpenWRT to allow logins via public key only. Under System - Administration - SSH Access make sure Password authentication & Allow root logins with password is unchecked. Then add your public key on the SSH Key page.
Some ideas for further security:
SSH public key access only on a separate management interface (wired, specific port on the device)
Luci configured for HTTPS (see luci-ssl package on the wiki) to prevent sniffing/MITM attacks
Luci only accessible from the management interface (tweak the listening interface in the configuration, harden with firewall rules)
In case something goes wrong, make sure you know how to use OpenWRT's built-in reset functionality, which allows you to temporarily go back to factory settings and fix potential configuration issues that might prevent you from gaining access to your device.
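Written out as UCI config, the two points from the posts above: the REJECT rule for LuCI's ports from the WiFi subnet, and the key-only SSH settings. This is an added example, not config from the thread. It assumes the WiFi network is a separate interface named 'wifi' in its own firewall zone 'wifi' with the router at 192.168.2.1, and that the public key has already been added on the SSH Keys page (which writes /etc/dropbear/authorized_keys):

```uci
# /etc/config/firewall (excerpt): a rule with a 'src' zone and no 'dest' zone
# applies to traffic aimed at the router itself (the INPUT chain).
# Zone name 'wifi' and subnet 192.168.2.0/24 are assumptions for this example.
config rule
    option name 'Reject-LuCI-from-WiFi'
    option src 'wifi'
    option src_ip '192.168.2.0/24'
    option dest_ip '192.168.2.1'
    option proto 'tcp'
    option dest_port '80 443'
    option target 'REJECT'

# /etc/config/dropbear: public-key logins only, listening on LAN only
# (the 'Interface' value is the network interface name from /etc/config/network)
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Interface 'lan'
    option Port '22'
```

Apply with `/etc/init.d/firewall restart` and `/etc/init.d/dropbear restart`, and confirm the key-based login works from a second session before closing the one you are in.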
As a recap, what I want is to allow login to the router via Luci or SSH only through the physical ethernet ports, not via the Wifi. So I had an idea that I think would get me what I want, but I'm not sure if it's feasible. I would lose one of the LAN ports but that is OK by me...
My router currently has 4 ports designated to the LAN and 1 port designated to the WAN like this:
LAN = LAN1, LAN2, LAN3, LAN4 ports
WAN = WAN port
Could I rededicate one of the LAN ports to a new "VLAN" called LAN2 and then only allow LuCi and SSH access on that port? So in the end I'd have this:
LAN = LAN1, LAN2, LAN3 ports [for normal use]
LAN2 = LAN4 port [only allow router login via LuCi or SSH on this LAN2 dedicated to this task]
WAN = WAN port
If this gets me what I want, how would I go about doing this?
Well, as you now have a new interface you can make LUCI and SSH only listen on that interface (be careful not to lock yourself out; maybe try LUCI first).
In terms of firewall, just create a new Zone for that interface and don't allow any forwardings; then you would not have LAN2 access to WAN.
Just suggest you create a backup before the next steps.
Personally, I approach this with the firewall. You can change the default behavior of the non-management VLANs to drop or reject "input" and/or you can create traffic rules to drop/reject from the non-management zone(s) to the router itself. You'll likely want to create rules to allow DHCP and DNS from those zones.
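The interface-level design from the last two replies as UCI config: LAN4 becomes its own management interface and zone with no forwardings, LuCI and SSH listen only there, and the normal LAN zone (wired LAN1-3 plus WiFi) may no longer reach the router except for DHCP and DNS. This is an added example, not config from the thread. It assumes a DSA-style OpenWrt (21.02 or later) where the port is named 'lan4' and has been removed from the br-lan ports list, the management interface is named 'mgmt' on 192.168.10.1/24, and the admin host on LAN4 uses a static address in that subnet:

```uci
# /etc/config/network (additions): LAN4 alone forms the management bridge
config device
    option name 'br-mgmt'
    option type 'bridge'
    list ports 'lan4'            # also delete 'lan4' from the br-lan device

config interface 'mgmt'
    option device 'br-mgmt'
    option proto 'static'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'

# /etc/config/firewall: the management zone accepts traffic to the router,
# and because no 'config forwarding' names src 'mgmt', LAN4 cannot reach WAN
config zone
    option name 'mgmt'
    list network 'mgmt'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# existing lan zone: change input from ACCEPT to REJECT; the default
# lan -> wan forwarding stays so clients keep their Internet access
config zone
    option name 'lan'
    list network 'lan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

# clients in the lan zone still need DHCP and DNS from the router
config rule
    option name 'Allow-LAN-DHCP'
    option src 'lan'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'

config rule
    option name 'Allow-LAN-DNS'
    option src 'lan'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'

# /etc/config/uhttpd: LuCI binds to the management address only
# (listen_https only takes effect with uhttpd TLS support, e.g. luci-ssl)
config uhttpd 'main'
    list listen_http '192.168.10.1:80'
    list listen_https '192.168.10.1:443'

# /etc/config/dropbear: SSH binds to the management interface only
config dropbear
    option Interface 'mgmt'
```

Make these changes from a host plugged into LAN4 so the session survives the reload, then run `/etc/init.d/network reload`, `/etc/init.d/firewall restart`, `/etc/init.d/uhttpd restart` and `/etc/init.d/dropbear restart`, and verify from a WiFi client that 192.168.1.1:80 and :22 are now refused while DNS still resolves.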
I see LuCi in the installed software and uhttpd in the startup tab. But I don’t see anywhere that you can tell LuCi “where to listen” like you can do for SSH. It seems to be listening on all interfaces that I created.
I reread about "listen_http" and that seemed to work great. I think I got everything working the way I want now. Since I'm new at this, I'd like to post all of my config files for one final review to make sure I didn't make any mistakes in the overall setup that could lead to a functional or security issue. What files should I post? Thanks for all of your help and the help of the other people that provided answers. Much appreciated!