D: So you’ve installed OpenWrt on your routerโcongrats! ๐ But before you celebrate, there’s one crucial step left: securing your OpenWrt setup. Without proper security configurations, your network could be vulnerable to attacks.
In this guide, we’ll walk you through essential OpenWrt security settings that you must configure to protect your network from hackers, malware, and unauthorized access. Letโs dive in! ๐
1. Change the Default Password ๐ก๏ธ
The first and most critical step is changing the default password (admin or blank).
โ How to do it:
- Log in to OpenWrtโs LuCI web interface (usually
http://192.168.1.1). - Go to System โ Administration.
- Set a strong password (use a mix of uppercase, lowercase, numbers, and symbols).
๐จ Why? Default passwords are publicly known, making your router an easy target.
2. Enable HTTPS for Secure Web Access ๐
By default, OpenWrt uses HTTP, which is not encrypted. Switching to HTTPS prevents eavesdropping.
โ How to do it:
- Install the
luci-sslpackage:opkg update && opkg install luci-ssl - Restart the web interface:
/etc/init.d/uhttpd restart - Now access your router via
https://192.168.1.1(ignore the self-signed certificate warning for now).
๐น Bonus: Install a real SSL certificate (Letโs Encrypt) for full security.
3. Disable Unnecessary Services ๏ฟฝ
OpenWrt runs several services by defaultโsome may not be needed and could pose security risks.
โ What to disable:
- Telnet (use SSH instead)
- HTTP (if you enabled HTTPS)
- IPv6 (if not in use)
โ How to disable:
- Go to System โ Startup.
- Disable unwanted services (
/etc/init.d/ disable).
โ ๏ธ Warning: Only disable services youโre sure you donโt need!
4. Set Up a Firewall & Block Unwanted Traffic ๐งฑ
OpenWrt includes a powerful firewall (fw3) to control incoming/outgoing traffic.
โ Essential firewall rules:
- Block WAN access to LuCI (prevent external attacks):
uci set firewall.@rule[-1].dest_port='80,443' uci set firewall.@rule[-1].proto='tcp' uci set firewall.@rule[-1].target='REJECT' uci commit /etc/init.d/firewall restart - Enable SYN flood protection (DDoS mitigation):
uci set firewall.@defaults[0].syn_flood=1 uci commit
5. Keep OpenWrt Updated โก
Outdated firmware = security vulnerabilities. Always update!
โ How to update:
- Check for updates:
opkg update && opkg list-upgradable - Upgrade packages:
opkg upgrade - For major releases, flash a new firmware image (backup config first!).
๐น Pro Tip: Enable automatic security updates (if available).
6. Use SSH Key Authentication (No Passwords!) ๐
Password-based SSH logins can be brute-forced. Switch to SSH keys for better security.
โ How to set up:
- Generate an SSH key on your PC:
ssh-keygen -t ed25519 - Copy the public key to OpenWrt:
ssh-copy-id root@192.168.1.1 - Disable password login in
/etc/ssh/sshd_config:PasswordAuthentication no
7. Enable Fail2Ban to Block Brute Force Attacks ๐จ
Fail2Ban automatically blocks IPs after repeated failed login attempts.
โ How to install & configure:
- Install Fail2Ban:
opkg install fail2ban - Configure it to monitor SSH/LuCI logs:
nano /etc/fail2ban/jail.localAdd:
[sshd] enabled = true - Start & enable Fail2Ban:
/etc/init.d/fail2ban start && /etc/init.d/fail2ban enable
8. Disable ICMP Ping Probes (Prevent Network Scanning) ๐ต๏ธ
Hackers often use ping scans to detect live routers.
โ How to block ICMP pings:
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='REJECT'
uci commit
/etc/init.d/firewall restartFinal Thoughts: Stay Safe! ๐ก๏ธ
OpenWrt is powerful but requires proper security hardening. By following these steps, youโll significantly reduce risks and keep your network safe.
๐น Extra Security Tips:
- Use VPN for remote access instead of exposing services.
- Regularly check logs (
logread) for suspicious activity. - Consider MAC address filtering for extra device control.
๐ Now your OpenWrt is locked downโhappy (and safe) networking! ๐ฏ
Did we miss anything? Let us know in the comments! ๐ฌ๐