Securing OpenWrt Setups (recommendations)


#1

Some guy in this community (maybe a very experienced one) is not giving nice suggestions to the users. I think, due to a lack of exposure to crypto and how PKI works, I saw him giving wrong information to users, and he has also given it in the past.

According to me, some of his misconceptions are:

This whole thread does not justify the way we are not telling users about the things they can do in today's world;
instead some guys just want to stick with the wiki pages.

I offered a demonstration too, which I am still offering, but before that make up your mind about what is good for the community: tell people about the latest things not yet on the wiki, or just follow the wiki?

It's just a brief; if anyone wants, I can describe more.


#2
  • Again, please refrain from paging me to a topic I have not participated in.
  • Please provide the name of a CA that issues wildcard certificates for the ROOT DOMAIN ZONE or a TOP-LEVEL DOMAIN. I will then refer them to the FBI. Otherwise stop taking my words out of context.
  • Your WordPress page was created AFTER my posts. Hardly credible as a scholarly reference.
  • Your suggestions contradict all Wikis, so you're responsible for editing them!
  • Please stop attempting to confuse users in this community.

#3

Why do you need a root domain certificate and a TLD certificate, dude?


#4

Are you even trying to see what I want to contribute? You are just assuming wrong, wrong, and saying what you read.


#5

Yes, created just now. So?


#6

Please refer to ORIGINAL thread - where you began taking me out of context:

Yes, but perhaps you need to read what I said, so you stop telling people I'm making bad recommendations.

https://guides.library.harvard.edu/HistSciInfo/secondary

Lastly, this thread seems to be misplaced in the wrong category.


#7

OK, put it where you guys and I are treated equally, not where people just follow you blindly.


#8

Done, I moved the thread to the Talk about Documentation category.

In addition, please stop saying me, as you already stated:

You have been told multiple times:

Your choice. Everyone can make an account: https://openwrt.org/start?do=register


#9

Did you see what's in the blog?


#10

I did, hence how I knew when it was created! LOL

  • It doesn't mention OpenWrt whatsoever
  • Nor does it tell a user how to install the packages on OpenWrt needed to do what the blog suggests
  • 100% of your blog covers what is usually considered Enterprise use-cases
  • I'm not sure how your blog spun off from assisting a user with SSL in LuCI

It would be more helpful to the users in the community to assist them with issues/configurations, instead of causing them confusion.


#11

Are you fine with sharing your LuCI password with your neighbour (and you don't know how this happened)?
Please reply point by point.


#12

I guess you wish to play games again.

  • If someone SHARES something, they are aware.
  • If they don't know, they are unaware.

Just make your point, please. As your blog is about wireless, and now you have once again gone back to LuCI. This is getting ridiculous, sir.

No I am not fine with sharing, nor my neighbor knowing without my knowledge...so how do you suppose that would occur to OpenWrt users - and what do you suggest to fix it?

Lastly, after you make the suggestion, do you plan to edit the Wikis yourself!?!?


#13

That's the point. This is the only thing, dude, that I wanted you and all members to know.

Suppose you open 192.168.1.1 and the LuCI username and password page comes up. This is where you need to be aware: how will you confirm that it's your LuCI and not another router (a honeypot), and not a MITM?

And yes, it's not OpenWrt-specific, but we can save our community users from this.


#14
  • Physically plug into the router while all its other interfaces are disconnected/disabled (this is how you setup a router in most cases, especially commercial ones)
  • If another device was spoofing 192.168.1.1, you would fail to get Internet
  • Verify ARP MAC matches serial of router you purchased
  • This is a chicken-and-egg theory
    • the device needs Internet to install the LuCI SSL package
    • you have not even mentioned that yet
    • most importantly the router has to be configured first

(Also, what does this have to do with a certificate? Certs are issued to domain names...)

:laughing:

LOL...

  • Save them from configuring their own routers!?!?
  • Save them from breaking-and-entering their neighbor's house to plug into their router "accidentally"!?!?
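
The exchange above (post #13's "how will you confirm it's your LuCI" and post #14's "verify ARP MAC matches the router you purchased") boils down to a pinning check, so here is one as an added example; this is not code from the thread or from the OpenWrt project. It assumes a Linux or macOS client with the `ip` tool, a router already reachable over HTTPS (i.e. the LuCI SSL package post #14 mentions is installed), and a pin file location of my own choosing; `pin`, `check`, `PIN_FILE` and all function names are hypothetical. The idea: during the known-good, wired, isolated setup from post #14, record the router's MAC and the SHA-256 fingerprint of its LuCI TLS certificate; afterwards, before typing the admin password over WiFi, check both. The MAC check catches a careless impostor at 192.168.1.1; the certificate pin is the one that actually matters, since a MAC can be spoofed but the private key behind the router's (even self-signed) certificate cannot be cloned.

```python
"""Added example: pin an OpenWrt router's MAC and LuCI certificate fingerprint
on a trusted wired session, then verify both before logging in over WiFi.
Not from the thread or the OpenWrt project; names and pin file are assumptions.
"""
import hashlib
import hmac
import json
import ssl
import subprocess
import sys
from pathlib import Path

PIN_FILE = Path.home() / ".config" / "luci-pin.json"  # assumed location, not an OpenWrt convention


def parse_neigh(output: str) -> dict:
    """Parse `ip neigh show` lines into {ip: (mac_or_None, state)}."""
    table = {}
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        mac = parts[parts.index("lladdr") + 1].lower() if "lladdr" in parts else None
        table[parts[0]] = (mac, parts[-1])
    return table


def check_gateway_mac(neigh_output: str, ip: str, pinned_mac: str):
    """Return (ok, reason): is `ip` answering from the pinned MAC right now?"""
    entry = parse_neigh(neigh_output).get(ip)
    if entry is None:
        return False, f"no neighbour entry for {ip}"
    mac, state = entry
    if mac is None or state in ("FAILED", "INCOMPLETE"):
        return False, f"{ip} is unresolved ({state})"
    want = pinned_mac.lower()
    if not hmac.compare_digest(mac, want):
        return False, f"{ip} answers from {mac}, pinned MAC is {want}"
    return True, f"{ip} is {mac} ({state})"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, in the AA:BB:... form that
    `openssl x509 -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pin_matches(fingerprint: str, pinned: str) -> bool:
    """Constant-time compare of two fingerprints, ignoring colons and case."""
    a = fingerprint.replace(":", "").upper()
    b = pinned.replace(":", "").upper()
    return hmac.compare_digest(a, b)


def fetch_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of whatever certificate host:port serves (no chain validation,
    so a self-signed LuCI cert is fine; the pin is the trust decision)."""
    pem = ssl.get_server_certificate((host, port))
    return cert_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def verify(pin: dict, neigh_output: str, fingerprint: str):
    """Run both checks; returns (all_ok, [reasons]). The cert pin must hold."""
    ok_mac, why_mac = check_gateway_mac(neigh_output, pin["ip"], pin["mac"])
    ok_pin = pin_matches(fingerprint, pin["fingerprint"])
    why_pin = "certificate matches pin" if ok_pin else "CERTIFICATE DOES NOT MATCH PIN: do not log in"
    return ok_mac and ok_pin, [why_mac, why_pin]


def live_neigh() -> str:
    return subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    cmd = sys.argv[1] if len(sys.argv) > 1 else "help"
    ip = sys.argv[2] if len(sys.argv) > 2 else "192.168.1.1"
    if cmd == "pin":  # run once, on the wired and otherwise disconnected setup from post #14
        mac = parse_neigh(live_neigh()).get(ip, (None, None))[0]
        if mac is None:
            sys.exit(f"{ip} is not in the neighbour table; ping it first")
        pin = {"ip": ip, "mac": mac, "fingerprint": fetch_fingerprint(ip)}
        PIN_FILE.parent.mkdir(parents=True, exist_ok=True)
        PIN_FILE.write_text(json.dumps(pin, indent=2))
        print("pinned", pin)
    elif cmd == "check":  # run every time before logging in over WiFi
        pin = json.loads(PIN_FILE.read_text())
        ok, reasons = verify(pin, live_neigh(), fetch_fingerprint(pin["ip"]))
        print("\n".join(reasons))
        sys.exit(0 if ok else 1)
    else:
        print(f"usage: {sys.argv[0]} pin|check [router-ip]")
```

Run `pin` once on the cable, then `check` before each wireless login; a non-zero exit means stop and look, not log in. The pin only has value if it was taken in the trusted state post #14 describes, which is exactly why the wired first configuration is not the opposite of this check but its precondition. If you ever reinstall `luci-ssl` or regenerate the router's certificate, the fingerprint changes and you must re-pin over the cable.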

#15

wrong again


#16

Unless they spoofed Internet too. It doesn't matter when no other device is connected. Now please stop playing and make a point.


#17

You bought a router.
Correct, you don't turn WiFi on; you plugged in a LAN cable, configured it, and unplugged from the LAN.
Now you enable WiFi. All OK?

Now?

From here, learn yourself how you can get exploited, OK?


#18

Not OK...I didn't magically understand anything...I'm expecting you to explain something here...

Also, if you're implying that a 192.168.1.1 can be spoofed via Wireless LAN...LOL

The only thing I understand - is that you're implying WiFi, in all its forms, is insecure.

Am I correct?

If someone is this security paranoid, as I suggested:

Using a management VLAN only addresses all your concerns:

  • No WiFi
  • Physically at device
  • Configured to be only port/network LuCI/SSH is reachable from

Last option is console access, only.


#19

Dude, I understand one thing only: you are really not in favour of any advancement. It's fine, your choice; keep the LAN wire with you and configure safely.

All the best.


#20

I wish you well too; but for someone as security paranoid as you, don't get me wrong:

I'd turn off uHTTPd and dropbear and run console only.

I can't imagine a network security person like yourself not taking that as sound advice.

(The LAN wire chide was funny, but again, used to take me out of context.)
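
Post #18's management-VLAN advice and post #20's "turn off uHTTPd and dropbear, console only" are both a handful of UCI settings on the router, so here they are as an added example; this is not from the thread or from the OpenWrt project. It assumes a logical interface named `mgmt` with address 10.0.99.1 already exists in `/etc/config/network` (for example a tagged management VLAN on a trusted switch port), that `luci-ssl` is installed so uhttpd can serve HTTPS, and that you run it as root on the device; the function names and the `show|apply|console-only` subcommands are my own.

```sh
#!/bin/sh
# Added example, not from the thread or the OpenWrt project: restrict LuCI
# (uhttpd) and dropbear to a management interface (post #18), or switch
# both off for console-only administration (post #20).
#
# Assumptions (not from the thread): interface 'mgmt' with address 10.0.99.1
# exists in /etc/config/network; luci-ssl is installed; run as root on the
# router. Override via MGMT_IFACE / MGMT_ADDR.

MGMT_IFACE="${MGMT_IFACE:-mgmt}"
MGMT_ADDR="${MGMT_ADDR:-10.0.99.1}"

# UCI batch: LuCI only over HTTPS on the management address, no plain HTTP;
# dropbear bound to the management interface, key authentication only.
mgmt_hardening_batch() {
    cat <<EOF
delete uhttpd.main.listen_http
delete uhttpd.main.listen_https
add_list uhttpd.main.listen_https='${MGMT_ADDR}:443'
set dropbear.@dropbear[0].Interface='${MGMT_IFACE}'
set dropbear.@dropbear[0].PasswordAuth='off'
set dropbear.@dropbear[0].RootPasswordAuth='off'
EOF
}

# Apply the batch on the device. Refuses to run if it would lock you out:
# no uci (not OpenWrt), or no SSH key installed before password auth goes off.
apply_mgmt_hardening() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found: run on the OpenWrt device" >&2; return 1; }
    [ -s /etc/dropbear/authorized_keys ] || { echo "install an SSH key in /etc/dropbear/authorized_keys first" >&2; return 1; }
    mgmt_hardening_batch | uci batch || return 1
    uci commit uhttpd && uci commit dropbear || return 1
    /etc/init.d/uhttpd restart && /etc/init.d/dropbear restart
}

# Post #20's option: no network-reachable admin services at all, serial console only.
console_only() {
    [ -x /etc/init.d/uhttpd ] || { echo "not an OpenWrt init layout" >&2; return 1; }
    /etc/init.d/uhttpd stop; /etc/init.d/uhttpd disable
    /etc/init.d/dropbear stop; /etc/init.d/dropbear disable
}

case "${1:-}" in
    show) mgmt_hardening_batch ;;
    apply) apply_mgmt_hardening ;;
    console-only) console_only ;;
    *) echo "usage: $0 show|apply|console-only" >&2 ;;
esac
```

Use `show` first and read the batch; after `apply`, LuCI and SSH answer only to a host on the management VLAN, so keep that host (or a serial cable) at hand before restarting the services. `console-only` leaves nothing listening on the network, which is post #20's point: the question from post #13 goes away entirely if there is no web login page for anyone to imitate.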