Router Access Security

The default seems to be to allow login access to the router via http (ethernet and WiFi) and SSH (WAN and LAN). I would prefer to limit login access to only the physical LAN ports via the ethernet ports (ie, no access form the WAN and no access from the LAN WiFi connections).

If I change Dropbear to only listen to the LAN, that prevents login access from the WAN (good!).

What can I change to only allow login acces from the LAN ethernet ports and not the LAN WiFi clients?

thanks.

I assume you know that there is a difference to the interface listened on and what access is allowed by firewall (see 19.07.4 SSH interface "unspecified" by default)

Well if you want to do it on interface level you would need to create two LAN interfaces (one assigned to LAN and one for Wifi) like it is done with a Guest Wifi but then you would need to route between the two (performance?) if you want to use devices in your wired LAN from your Wifi.

Or you would need to do it on a IP level with the firewall and exclude a certain range from the DHCP pool. But that would only give you limited safety.

2 Likes

oh....I didn't realize that there was a difference between "listening" and "acting upon". It makes sense that even though dropbear is listening the firewall rule will still block the access attempt from the WAN.

I now have a few more questions that came to mind...

  1. What would happen if I delete the dropbear instance altogether? Would that just prevent the router from listing for SSH connections altogether on any port?
  2. I'm assiming that the Web Admin GUI on 192.168.1.1 is be default not accessible from the WAN by any means. Am I correct in this assumption?

Thanks.

Yes. (don't do it)

Correct, nothing is allowed from the wan by default.

3 Likes

Thanks. I understand the concept of what you are saying here. At this point my OpenWRT skill level is not good enough to do this.

Is anyone else concerned about LuCi login access via wifi? The issue I see is that someone could try to login to LuCi over Wifi while brute force attacking the password. They could do this for hours/days/months and I would have no idea that they are trying to do this. Maybe there is another way to protect login to Luci by putting in an anti-scan or throttling mechanism that only allows only so many login attempts per unit time? Is there a way to setup LuCi access with Two Factor Authenitcation or SSH keys? Or maybe there are some other safeguards that I am not aware of.

Thanks for any comments or perspectives on this.

If you have your WiFi clients on a different network (example, wired clients on 192.168.1.0/24 and WiFi SSID Test clients on 192.168.2.0/24), you could create a firewall rule to block access to port 80/443 on your router from that subnet. In essence, src addr 192.168.2.0/24 any srcport, dst 192.168.2.1 dstport 80,443 REJECT.

And yes, you can set your SSH server on OpenWRT to allow logins via public key only. Under System - Administration - SSH Access make sure Password authentication & Allow root logins with password
is unchecked. Then add your public key on the SSH Key page.

Some ideas for further security:

  • SSH public key access only on a separate management interface (wired, specific port on the device)
  • Luci configured for HTTPS (see luci-ssl package on the wiki) to prevent sniffing/MITM attacks
  • Luci only accessible from the management interface (tweak the listening interface in the configuration, harden with firewall rules)

In case something goes wrong, make sure you know how to use OpenWRTs builtin reset functionality, that allows you to temporarily go back to factory settings and fix potential configuration issues that might prevent you from gaining access to your device.

2 Likes

As a recap, what I want is to allow login to the router via Luci or SSH only trough the physical ethernet ports. Not via the Wifi. So I had an idea that I think would get me what I want but not sure if its feasible. I would lose one of the LAN ports but that is OK by me.....

My router currently has 4 ports designated to the LAN and 1 port designated to the WAN like this:
LAN = LAN1, LAN2, LAN3, LAN4 ports
WAN = WAN port

Could I rededicated one of the LAN ports to a new "VLAN" called LAN2 and then only allow LuCi and SSH access on that port? So in the end I'd have this:

LAN = LAN1, LAN2, LAN3 ports [for normal use]
LAN2 = LAN4 port [only allow router login via LuCi or SSH on this LAN2 dedicated to this task]
WAN = WAN port

If this gets me what I want, how would I go about doing this?

Thanks.

Yes

As you wrote just for LAN4 configure a new VLAN
Network - Switch (having that VLAN untagged on LAN4 and tagged on CPU)
Than you can add an Interface via Network - Interface and assign it to the VLAN

Thank you faser!

I’m starting to get this. I added the VLAN “3” then added interface LAN2 with a bridge interface to eth0.3.

So what do I do for the firewall settings and Traffic Rules for LAN and LAN2? I want to block LuCi and SSH access on LAN but allow it to LAN2. I also don’t want LAN2 to have access to the WAN.

Thanks for your help. I feel like I’m starting to understand how things work but not quite enough confidence to be kicked out of the nest yet.... :slight_smile:

Well as you now have a new interface you can make LUCI and SSH only listen on that interface (be careful not to log yourself out (maybe try LUCI first).
In terms of firewall just create a new Zone for that interface and don't allow any forwardings then you would not have LAN2 access to WAN.

Just suggest you create a backup before the next steps.

Ok thanks. I’ll try the next steps tomorrow morning.

I'm making progress. I have both LAN and LAN2 working. SSH only works on LAN2 but LuCi still works on both LAN1 and LAN2. I don't see anywhere to dissable LuCi on LAN1?

LUCI is the webinterface running on the webserver uhttpd

Personally, I approach this with the firewall. You can change the default behavior of the non-management VLANs to drop or reject "input" and/or you can create traffic rules to drop/reject from the non-management zone(s) to the router itself. You'll likely want to create rules to allow DHCP and DNS from those zones.

I see LuCi in the installed software and uhttpd in the startup tab. But I don’t see anywhere that you can tell LuCi “where to listen” like you can do for SSH. It seems to be listening on all interfaces that I created.

Did you read the webpage I linked? e.g. listen_http
Specifies the ports and addresses to listen on for plain HTTP access.

Well, that's possible but you don't really need that if your sole access is to deny wireless clients access to the router.

Refer to the guest WiFi page that @vgaetera mentioned.

2 Likes