In the previous two articles, Blue Dot Network showed how to configure DDNS on LEDE/OpenWRT routers to bind a custom domain name for public remote access.
A trusted certificate can also be bound to that custom domain name for HTTPS access. Blue Dot Network will cover configuring IPv6 for public access in a future article.
However, because testing is still in progress and the IPv6 port forwarding issue has not been resolved yet, this article first covers a special topic: security hardening.
The Dangers of Public Access:
Enabling public access to a router is necessary for some users, for example to reach a local area network or a server from outside. If you do not need it, Blue Dot Network strongly recommends disabling public access, because configuring it means your router is exposed on the internet.

Countless scripts and bots continuously probe internet-facing devices for potential vulnerabilities. Once a vulnerability or a weak password is found, these bots exploit it. If the router is compromised, the devices in the local area network are also in serious danger, including but not limited to having ransomware or mining software installed through vulnerabilities.

Therefore, unless necessary, Blue Dot Network does not recommend enabling public access. If public access is really needed, it is recommended to configure it according to the following strategies.
Some Security Recommendations from Blue Dot Network:
1. Use a Strong Password: Since the default username root is already public knowledge, a weak password makes a bot intrusion easy. It is recommended that users use a password of more than 20 characters that mixes uppercase letters, lowercase letters, numbers, and special symbols. A password manager can generate such passwords automatically. For example, a password like this: CECL3&9i-cGF6@FRmRGj2*bkk

2. Upgrade Firmware Promptly: The OpenWRT project releases updates almost daily; most fix known bugs, but some address security issues. It is recommended that users upgrade the router firmware regularly to close potential security weaknesses, because a serious vulnerability that is not patched in time is soon exploited.

3. Disable SSH Public Access: SSH access to the router from the internet can be set up through DDNS and port forwarding, but enabling it lowers the router's security. If you must expose SSH, configure it under System, Administration: set up public/private key authentication and disable direct password login for the root account. Also change the SSH port and do not use the default port 22. A non-default port, password login disabled, and key-based login together enhance security significantly.

4. Disable the Router's Ping Response: Some scripts and bots first check whether an IP responds to ping and only continue probing if it does. By default the LEDE firmware has the IPv4 ICMP rule enabled, which allows ping. Most users do not need it at all, so disabling it is recommended. Path: Network, Firewall, Traffic Rules, Allow-Ping, then untick the rule's enable option. Once it is disabled, pinging the router simply gets no response.
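As an added example that is not code from Blue Dot Network's articles, the following POSIX shell script audits the two uci files behind recommendations 3 and 4 (/etc/config/dropbear and the Allow-Ping rule in /etc/config/firewall) for password login, the default port 22 and an active ping rule; the file contents and the port 2222 are constructed sample values, and the hardened variant shows what a clean audit looks like.

```shell
#!/bin/sh
# Added example, not from the article: audit OpenWrt/LEDE uci files for the weak SSH and
# ping settings in recommendations 3 and 4; all sample files are constructed below.
# Constructed /etc/config/dropbear with the stock settings (password login, port 22).
DROPBEAR_WEAK=$(mktemp); cat >"$DROPBEAR_WEAK" <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
EOF
# Constructed hardened variant: key login only, no root password, non-default port (sample 2222).
DROPBEAR_HARD=$(mktemp); cat >"$DROPBEAR_HARD" <<'EOF'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '2222'
EOF
# Constructed /etc/config/firewall fragments: Allow-Ping as shipped, then with the rule unticked.
FIREWALL_WEAK=$(mktemp); printf "config rule\n  option name 'Allow-Ping'\n  option src 'wan'\n  option proto 'icmp'\n  option target 'ACCEPT'\n" >"$FIREWALL_WEAK"
FIREWALL_HARD=$(mktemp); { cat "$FIREWALL_WEAK"; printf "  option enabled '0'\n"; } >"$FIREWALL_HARD"
# uci_opt FILE SECTION_TYPE OPTION: value of OPTION in the first section of that type
# (strips the single quotes; values containing spaces are not handled).
uci_opt() {
    awk -v type="$2" -v opt="$3" -v q="'" '
        $1 == "config" { insec = ($2 == type) }
        insec && $1 == "option" && $2 == opt { gsub(q, "", $3); print $3; exit }' "$1"
}
# audit_dropbear FILE: one finding per line, nothing when hardened. A missing option means
# dropbear's own default (PasswordAuth on, Port 22), so defaults are filled in before testing.
audit_dropbear() {
    pa=$(uci_opt "$1" dropbear PasswordAuth)
    ra=$(uci_opt "$1" dropbear RootPasswordAuth)
    port=$(uci_opt "$1" dropbear Port)
    [ "${pa:-on}" = "off" ]   || echo "dropbear: PasswordAuth on, allow key login only"
    [ "${ra:-on}" = "off" ]   || echo "dropbear: RootPasswordAuth on, root can log in with a password"
    [ "${port:-22}" != "22" ] || echo "dropbear: listening on default port 22"
}
# allow_ping_active FILE: exit 0 if the Allow-Ping rule exists and is not disabled
# (a rule without 'option enabled' is active, which is how the firmware ships it).
allow_ping_active() {
    awk -v q="'" '
        $1 == "config" { insec = 0 }
        $1 == "option" && $2 == "name" { v = $3; gsub(q, "", v); if (v == "Allow-Ping") { insec = 1; found = 1; en = 1 } }
        insec && $1 == "option" && $2 == "enabled" { v = $3; gsub(q, "", v); if (v == "0") en = 0 }
        END { exit (found && en) ? 0 : 1 }' "$1"
}
echo "== stock config =="; audit_dropbear "$DROPBEAR_WEAK"
allow_ping_active "$FIREWALL_WEAK" && echo "firewall: Allow-Ping still answers echo requests from wan"
echo "== hardened config =="; audit_dropbear "$DROPBEAR_HARD"
allow_ping_active "$FIREWALL_HARD" || echo "firewall: Allow-Ping disabled"
```

On a real router, point the functions at /etc/config/dropbear and /etc/config/firewall instead of the constructed files; the audit reads the files only and changes nothing.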