Hardening Router Security on OpenWRT, dd-wrt and other NOS

OpenWRT and dd-wrt are open source Linux router software that installs on a wide range of hardware. Today we look at steps to secure an OpenWRT router. For most users, the default OpenWrt firewall configuration will fail a port scan test.

GRC ShieldsUP is an online port scanning service that tests router security against hacker and denial of service (DoS) attacks. The purpose of this utility is to inform users of any ports that have been opened through their firewalls or through their NAT routers.

ShieldsUP can scan the most common file sharing ports and vulnerable ports, as well as the service ports (1-1056) and user-defined ports, to test and report the router’s visibility on the internet, including open ports, ping replies, and unsolicited packets.

Step 1: Log on to the OpenWRT admin interface

  • Open browser
  • Enter IP address of router
  • Enter Admin logon and password

Step 2: Change ports from closed to stealth by not replying

  • Select tab Network – Firewall
  • Select General Settings
  • In wan: wan ⇒ DROP
  • Change input to drop, forward to drop
  • Press save & apply

Step 3: Don’t respond to Ping requests, Drop ICMP reply

  • In Firewall tab
  • Select Traffic Rules
  • In Allow ping select edit
  • Select action to drop
  • Press save & apply
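
The settings from Steps 2 and 3 end up in the router's UCI firewall configuration (/etc/config/firewall on OpenWrt), so they can be checked from a shell as well as in the web interface. The script below is an added example, not part of the original article: the function names and the sample configuration are constructed for illustration, and it only reads the file and flags a wan zone or Allow-Ping rule that still answers instead of dropping.

```shell
#!/bin/sh
# Constructed sample in the layout of /etc/config/firewall (not a real router's file).
sample_config() {
cat <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option forward 'DROP'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
EOF
}

# audit_firewall FILE: print one FAIL line per setting that Steps 2 and 3 change
# but that is not yet DROP. Exit status is 0 only when nothing is flagged.
# A missing option is flagged too (inherited defaults are not resolved here).
audit_firewall() {
	awk '
	function check() {   # evaluate the section that just ended, then reset it
		if (type == "zone" && o["name"] == "wan") {
			if (o["input"] != "DROP")   { print "FAIL wan input=" o["input"]; bad++ }
			if (o["forward"] != "DROP") { print "FAIL wan forward=" o["forward"]; bad++ }
		}
		# A disabled Allow-Ping rule is fine: pings then fall through to the zone policy.
		if (type == "rule" && o["name"] == "Allow-Ping" && o["enabled"] != "0" && o["target"] != "DROP") {
			print "FAIL Allow-Ping target=" o["target"]; bad++
		}
		split("", o)
	}
	$1 == "config" { check(); type = $2 }
	$1 == "option" { v = $3; gsub(/[^A-Za-z0-9_-]/, "", v); o[$2] = v }
	END { check(); exit (bad > 0) }
	' "$1"
}

# Audit a file when one is given on the command line.
if [ -n "${1:-}" ]; then audit_firewall "$1"; fi
```

On the router, pass /etc/config/firewall as the argument; no output and exit status 0 mean both steps are in effect.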


To test ports

  1. Go to GRC | ShieldsUP!
  2. Click Proceed – All Service Ports