/g/ - Technology

install openbsd

OpenWRT Security Nanonymous No.5667 >>5680
File: bb53fc96ea18f49422dc24110e60bf6e6346d262309770d4ca93d7d2519745ea.png (42.73 KiB)
I currently use OpenWRT router. How can I make it more secure and private?
Removed most of bloat packages (IPv6, PPP), removed HTTP server (connecting through SSH). What else can I do?
inb4 install openbsd
no, it's not possible

Nanonymous No.5669 >>5670 >>5685
>no, it's not possible
Why not? Your hardware is not supported?
>removed HTTP server (connecting through SSH)
How does that work? Never read about this...

Will other people use it, or just you? Because you could make it a Tor router.
Some ideas (won't work with Tor):
- Find a DNS server that does not store logs and has dns-crypt support (OpenNIC has some).
- Configure dns-crypt
- Use Unbound to cache dns requests
- Make Unbound rules to block bad domains. Most used blocklists are:
Abuse.ch: http://abuse.ch
Spamhaus Zen: https://www.spamhaus.org/zen/
Wizcrafts: http://www.wizcrafts.net/
Dshield: https://secure.dshield.org/

- Use the firewall to block direct IPs. This list works on OpenBSD pf (you can probably convert to iptables):
https://rules.emergingthreats.net/fwrules/emerging-PF-ALL.rules

- If other people will use the same network, make QoS using the firewall. Change the priority for protocols. For example, you could raise priority of SSH and UDP (torrent). On OpenBSD it is the "queue" command on pf firewall, I don't know the equivalent on Linux. See also bufferbloat:
https://pauladamsmith.com/blog/2018/07/fixing-bufferbloat-on-your-home-network-with-openbsd-6.2-or-newer.html

- Squid server. This thing can do many strange stuff, even intercept and cache http requests (although I wouldn't recommend doing that). You can use it to change the HTTP headers of all requests. This is useful for privacy (might fuck up your family's mobile connections, though).
- Check your Wifi configs. Use only WPA2 with PSK authentication and CCMP cipher. The passphrase should be 12-13 characters if you really care about security (don't use common words, as you might be vulnerable to dictionary attacks).

- Enable or disable hardware specific features, such as Wake on LAN and MTU values.

If I remember any other tip I'll post here...
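The "Unbound rules to block bad domains" step above, as an added example that is not from this thread or from any of the listed blocklist projects: a POSIX sh function that turns a plain domain list (one domain per line, hosts-file style "0.0.0.0 domain" lines and "#" comments allowed) into Unbound local-zone stanzas that answer NXDOMAIN. The sample list and the include path /etc/unbound/blocklist.conf are assumptions.

```shell
#!/bin/sh
# Added example: convert a domain blocklist into Unbound "local-zone" stanzas.
# Unbound then answers NXDOMAIN for every listed name, so clients that use the
# router as resolver never reach those hosts. Drop the output into a file and
# reference it from the server: section, e.g.  include: "/etc/unbound/blocklist.conf"
# (path is an assumption; adjust for your layout).

# blocklist_to_unbound: read the list on stdin, print Unbound stanzas on stdout.
# Steps: strip comments, strip a leading hosts-file address, strip whitespace,
# lowercase, keep only syntactically valid domains with at least one dot,
# drop hosts-file placeholders, de-duplicate, emit one local-zone per name.
blocklist_to_unbound() {
    sed -E -e 's/#.*$//' \
           -e 's/^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+//' \
           -e 's/[[:space:]]//g' \
           -e '/^$/d' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$' \
    | grep -Ev '^(localhost\.localdomain|broadcasthost)$' \
    | sort -u \
    | while IFS= read -r d; do
        printf 'local-zone: "%s" always_nxdomain\n' "$d"
      done
}

# sample_blocklist: a constructed list (not a real feed) covering the edge
# cases the converter has to handle: comments, hosts-file prefixes, mixed
# case, blank lines, junk that is not a domain, and the localhost entry.
sample_blocklist() {
    printf '%s\n' \
        '# constructed sample, not a real blocklist' \
        '0.0.0.0 ads.example.com' \
        'Tracker.Example.NET   # mixed case and trailing comment' \
        '' \
        'not a domain' \
        '127.0.0.1 localhost'
}
```

Run it as `sample_blocklist | blocklist_to_unbound` to see the two stanzas it produces; for a real list, feed the downloaded file on stdin and redirect the output to the included config file, then reload Unbound.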

Nanonymous No.5670
>>5669
>even intercept and cache http requests
I meant TLS encrypted HTTP requests. Basically a man-in-the-middle. Don't use that, it's dangerous.

Nanonymous No.5680
>>5667
>I currently use OpenWRT router. How can I make it more secure
Configure geoblocking (block all countries unless you host services on your network, but why--just rent a fucking VPS), set up an IDS with rule sets that auto-update, assign DNS servers (don't use the ISP's DNS servers), configure DNS over TLS, reject all clients from making DNS requests directly--they must get their DNS queries solved by the OpenWRT router to prevent DNS hijacking, install/set up detection of brute-force attacks from the LAN or internet side against the router and auto-block them, disable ping requests so internet recon and script kiddies have to wait until their probes time out and then will be left wondering if the host exists/doesn't exist, optionally censor the interwebs for your users by enabling the web proxy so you can block ads, pron (if you have little children), questionable sites, restrict access to certain times only, etc.
<I don't use OpenWRT so I don't know how or if it can do these things.
>and private?
Run Tor on the router (you might fuck yourself when shopping and banking because your location is always changing).
List of DNS servers you can use: https://wiki.ipfire.org/dns/public-servers

Nanonymous No.5685
>>5669
>Why not? Your hardware is not supported?
My hardware has really poor OpenBSD support.
>How does that work? Never read about this...
Basically, I use SSH to access my router and configure everything in config files.
>Will other people use or just you?
I just bought that router to cut off from my family. They all use computers with Intel ME, pirated, outdated Wangblows and download spyware.