Option to disable wireless login?

No. The gui is just an IP whitelist with no concepts of interfaces. Doing it with ebtables is a bit more precise since you can specify the interface you want to block.

Also, what’s with the constant ranting about consumer grade embedded devices sucking at security? It wasn’t much better in 1999.

What’s your threat model and what are you protecting against?
In 1999 Tomato and DD-WRT were actually active. People wrote defensive programs. They didn't throw their hands up quoting threat models and deem layers of security too trivial to bother with, or consider them too boring or less lucrative to work on.

Using the word threat model makes me cringe, because it's what's wrong with the security industry. There is no such thing. It's a phrase companies use to justify cost savings. For a consumer, ALL actors are in your threat model. For what we are talking about, costs and usability are not affected.

And maybe I am misunderstanding that command. It still seems you are specifying an IP address. And how do I enter that command? Telnet? SSH? I don't want those enabled at all. That's a whole other potential problem. And FYI, I would also block the 8443 HTTPS port.
 
No, not wlan1. The names of the interfaces vary between models, but for most of the routers (like the RT-AC68U) it's:

2.4GHz primary = eth1
5GHz primary = eth2

2.4GHz guest1 = wl0.1
2.4GHz guest2 = wl0.2
2.4GHz guest3 = wl0.3

5GHz guest1 = wl1.1
5GHz guest2 = wl1.2
5GHz guest3 = wl1.3

A guest network is definitely a good idea for IoT devices. But if hostile, they are still going to scan your MAC and IP over the air. Or the guy in his car in front of the house will. Then it's just a matter of cracking the WPA password.

If you enable SSH or telnet, it's even worse.
 
Geeks nowadays say MAC address filtering is totally useless. Well then, specifying an IP address would be even more so.
 
@cooloutac It is apparent that Asuswrt and Asuswrt-Merlin are not suitable for your needs. I suggest that you investigate OpenWrt or DD-WRT. Better still, use your Asus as a dumb access point behind a pfSense router.

Goodbye.
 
Those routers are still readily available if you consider them so highly. The 90s, as I recall, were a lot of 802.11b and WEP, and I'm not confident that it was as good as you remember it.

802.11b was ratified in 1999, so it's highly unlikely that you were seeing WEP-based routers in the 90s. Routers only started to become common in houses in the early 2000s.

In 1999 Tomato and DD-WRT were actually active.

The Tomato project started in 2006. It was based on the Linksys GPL code released for the WRT54G, which was filled with more security holes and buffer overruns than you could count. It took years for its code to get cleaned up.

The DD-WRT project started in 2005...


As for ISP routers, they are the worst you can get security-wise. They almost never get any security updates, for starters. Take a look at your ISP router as to when its last firmware update was. Check the dnsmasq and OpenSSL versions they use; it's highly likely that these are 6-10 years old. The only firmwares that I'm aware of that use OpenSSL or dnsmasq versions released in 2018 are open source firmware, or business/prosumer-class products. Asuswrt-Merlin, Tomato, DD-WRT, OpenWRT: all of these use component versions that are less than a year old.


Please, folks, try to get some facts checked before making random claims about how open source firmware have lost their way, they're horrible security wise, and so on. For standard home usage class routers, open source firmware are way, way ahead of commercial/stock firmware releases. And unlike Netgear or D-Link, we don't ship firmware releases with backdoors in them. So in my book, in 2018, an open source firmware is still more secure than the majority of stock firmware found in routers you can buy at Best Buy.
 
Well said Eric!
 
No, not wlan1. The names of the interfaces vary between models, but for most of the routers (like the RT-AC68U) it's: [interface list as above]
Same for the AC66U B1 model? But OK, so only temporarily allow telnet, then shut it off. Or do SSH?
 
The Tomato project started in 2006. It was based on the Linksys GPL code released for the WRT54G, which was filled with more security holes and buffer overruns than you could count. It took years for its code to get cleaned up.

OK, well, the WRT54G is my all-time favourite router. At least 10 years old, no? I figured 20. Times have changed.
 
As for ISP routers, they are the worst you can get security-wise. They almost never get any security updates, for starters. Take a look at your ISP router as to when its last firmware update was.

No, they are better than Asus, even for the simple fact of not having default passwords on everything.

I think Asus now has a unique code for the SSID, but still not for the basic admin login, lol.

Not to mention the measly firewall options for enhanced security. Verizon uses Actiontec with a powerful firewall.

For example, Verizon FiOS always has top-notch security, even with their government backdoor, lol.

They do force you to upgrade the router, but support it for a good amount of time.
 
No, they are better than Asus, even for the simple fact of not having default passwords on everything.

Asus forces you to change from the default password when you first plug it in to configure it. They even refuse to let you use too obvious passwords such as "password" or "admin", and have implemented a password strength validator in the webui.

For example, Verizon FiOS always has top-notch security, even with their government backdoor, lol.

Many ISPs use SmartRG, D-Link, Zyxel and even Asus (T-Mobile's TM-AC1900). I wouldn't trust any of these devices security-wise compared to any other router running OpenWRT, Tomato or Asuswrt-Merlin.
 
My point is you shouldn't have to do any of that. It should be a unique name and password written on the router, like they do for the SSID. And if you want to change it, that's up to you. This is what some ISPs are already doing.

What if somebody sees someone moving into a new house and waits for him to set up his network, to beat him to the first login? I'm pretty sure I didn't do anything but plug it in and use the SSID password on the back before setting up any admin password... my mistake, nobody is perfect. I actually might have gone days. Some might go weeks, years, or forever victimized, to sound dramatic.

To be honest, I really assumed this is 2018 when I bought it, and Asus already got sued, and no way they have a default first login..... Disabling wireless admin is more basic than even that, though, lol.

I say these things because I love the company; I use a lot of Asus products. And I don't say this for me; I'm a target just for posting here.
 
Using the word threat model makes me cringe, because it's what's wrong with the security industry. There is no such thing. It's a phrase companies use to justify cost savings. For a consumer, ALL actors are in your threat model. For what we are talking about, costs and usability are not affected.

Even for a consumer, time and money is still finite. Even if you care about ALL the actors you still have to prioritize on what to secure first. If you think usability doesn't matter then you might as well power off the device you're reading this on right now.

And maybe I am misunderstanding that command. It still seems you are specifying an IP address. And how do I enter that command? Telnet? SSH? I don't want those enabled at all. That's a whole other potential problem. And FYI, I would also block the 8443 HTTPS port.

Maybe you shouldn't just throw your hands up and actually just Google it?
https://linux.die.net/man/8/ebtables

telnet is removed from Merlin's fork already, and I'll bet you money httpd has more bugs than openssh. If you're blocking 8443 how do you configure anything in the first place? If you're blocking it only from the wireless interfaces then you can just do that for SSH, I honestly don't understand your concern on this.

My point is you shouldn't have to do any of that. It should be a unique name and password written on the router, like they do for the SSID. And if you want to change it, that's up to you. This is what some ISPs are already doing.

That depends on how unique it is. I don't know which specific modem/router you're thinking of but a lot of the credentials are just generated with the hardware MAC. That's not more secure than having users set one up on first use.

What if somebody sees someone moving into a new house and waits for him to set up his network, to beat him to the first login?

My logins will fail and I will reset the device.

I'm pretty sure I didn't do anything but plug it in and use the SSID password on the back before setting up any admin password... my mistake, nobody is perfect. I actually might have gone days. Some might go weeks, years, or forever victimized, to sound dramatic.

I don't think an initial setup is too much of an ask to be honest (I'd actually like the router to be not operational until a wifi + web password is set), but this is a balancing act between security and usability and everyone has a different opinion on that.


I say these things cause I love the company I use alot of asus products. And I don't say this for me i'm a target just for posting here.

Target of what? What's your threat model? ;)
 
How are you sure every user has ethernet devices?
It is not a good idea.
Request ASUS to make all the devices have different initial passwords.
 
No, not wlan1. The names of the interfaces vary between models, but for most of the routers (like the RT-AC68U) it's: [interface list as above]
Thank you. So for eth1 it would be this one?
Code:
 ebtables -I INPUT -i eth1 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) ---port 80 -j DROP
All the best!

Sent from my ONE A2003 using Tapatalk
 
Thank you. So for eth1 it would be this one?
Code:
 ebtables -I INPUT -i eth1 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) ---port 80 -j DROP
It would be except you've made a typo on the port parameter.

If you want to automate it I'd suggest putting these 2 lines in firewall-start. That's because unfortunately there isn't a user script associated with the WiFi setup. You'll also need to remember to reboot the router if you make any changes to the WiFi.
Code:
ebtables -D INPUT -i eth1 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) --ip-destination-port 80 -j DROP
ebtables -I INPUT -i eth1 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) --ip-destination-port 80 -j DROP
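
The two lines above block only HTTP and only on eth1. As an added example (not code from the thread or from Asuswrt-Merlin), here is a fuller /jffs/scripts/firewall-start that applies the same idea, a bridge-level DROP on the router's own LAN address rather than the GUI's IP whitelist, to every wireless interface from the list posted earlier and to the other admin ports mentioned in the thread (8443 for HTTPS, 22 for SSH). Only the ebtables syntax and `nvram get lan_ipaddr` come from the thread; the interface names assume the RT-AC68U-style layout and the ports assume the defaults, so adjust both lists to your model and your GUI settings. The rule match is built in one function so the -D and -I calls always use identical arguments, which is what keeps the script safe to re-run.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start on Asuswrt-Merlin (not code
# from the thread): drop TCP connections to the router's own LAN address on
# the admin ports when they arrive over any wireless interface.
# ASSUMPTIONS: RT-AC68U-style interface names (eth1/eth2 primaries, wl0.x/wl1.x
# guests) and default admin ports (80 HTTP, 8443 HTTPS, 22 SSH). Adjust both
# lists to your model and to what is configured in the GUI.

WIFI_IFACES="eth1 eth2 wl0.1 wl0.2 wl0.3 wl1.1 wl1.2 wl1.3"
ADMIN_PORTS="80 8443 22"

# One place builds the rule match so that the delete (-D) and insert (-I)
# below use byte-identical arguments; that is what makes re-running the
# script (e.g. after a firewall restart) leave exactly one copy of each rule.
rule_match() {
    # $1 = bridge port (wireless interface), $2 = TCP port, $3 = router LAN IP
    printf '%s\n' "INPUT -i $1 -p ip4 --ip-protocol tcp --ip-destination $3 --ip-destination-port $2 -j DROP"
}

# Emit every rule that would be installed, one per line, for review or
# counting; nothing is applied here.
gen_rules() {
    lan_ip="$1"
    for ifc in $WIFI_IFACES; do
        for port in $ADMIN_PORTS; do
            rule_match "$ifc" "$port" "$lan_ip"
        done
    done
}

# Install the rules on the router. Interfaces with no netdev on this model
# (e.g. a guest network that was never enabled) are skipped.
apply_rules() {
    lan_ip="$1"
    for ifc in $WIFI_IFACES; do
        [ -d "/sys/class/net/$ifc" ] || continue
        for port in $ADMIN_PORTS; do
            m=$(rule_match "$ifc" "$port" "$lan_ip")
            # word splitting of $m into separate ebtables arguments is intended
            ebtables -D $m 2>/dev/null || true   # remove any earlier copy first
            ebtables -I $m
        done
    done
}

# On the router (nvram and ebtables present) apply for real; anywhere else,
# just print the rule set so it can be inspected before deployment.
if command -v nvram >/dev/null 2>&1 && command -v ebtables >/dev/null 2>&1; then
    apply_rules "$(nvram get lan_ipaddr)"
else
    gen_rules "${1:-192.168.0.1}"
fi
```

Two practical notes: as the post above says, there is no user script hook for Wi-Fi reconfiguration, so changing wireless settings still calls for a reboot to get the rules back; and once port 80/8443 is dropped on the radios you must keep a wired (or VPN) path to the router, otherwise the only way back into the GUI is a reset.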
 
It would be except you've made a typo on the port parameter.

If you want to automate it I'd suggest putting these 2 lines in firewall-start. That's because unfortunately there isn't a user script associated with the WiFi setup. You'll also need to remember to reboot the router if you make any changes to the WiFi.
I have:
Code:
router@asus:/tmp/home/root# brctl show
bridge name   bridge id       STP enabled   interfaces
br0       8000.3497f6229900   no                vlan1
                                               eth1
I added in /jffs/scripts/firewall-start:
Code:
ebtables -D INPUT -i eth1 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) --ip-destination-port 80 -j DROP
ebtables -I INPUT -i eth1 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) --ip-destination-port 80 -j DROP
I restarted the router, and I still have access to the router login page via WiFi.
Please, do you have any suggestions?
Thank you!
 
What do you get from the following command?

ebtables -L

I'm assuming you're accessing your router with HTTP and not HTTPS?
 
What do you get from the following command?

ebtables -L

I'm assuming you're accessing your router with HTTP and not HTTPS?
Thanks for the fast reply. I am using HTTP. The output is:
Code:
router@asus:/tmp/home/root# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i eth1 --ip-dst 192.168.0.1 --ip-proto tcp --ip-dport 80 -j DROP

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Hope you have some advice.
Appreciate your reply. Thanks!
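
The thread leaves the last question open: the DROP rule is listed, yet the page still loads. The first two things to check on the router are whether the client is really attached to the bridge port the rule names (an eth1-only rule cannot match a client that the bridge learned on vlan1, i.e. wired or behind another AP, or on a radio that was not listed) and whether the rule's packet counter moves at all when the page is reloaded. Here is an added diagnostic script (not from the thread) that does both by parsing `brctl showstp br0`, `brctl showmacs br0` and `ebtables -L --Lc`. The three sample strings in it are constructed to look like bridge-utils and ebtables output on a box like the one above (br0 = vlan1 + eth1) so the parsers can run offline; that your router prints the same layouts is an assumption.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). If `ebtables -L` shows the DROP rule
# but the login page still loads over Wi-Fi, check on the router:
#   1. which bridge port the client's MAC was learned on (is it really eth1?)
#   2. whether the rule's packet counter moves at all (`ebtables -L --Lc`)
# The three strings below are CONSTRUCTED samples in the format of bridge-utils
# `brctl showstp br0`, `brctl showmacs br0` and `ebtables -L --Lc` on a box
# like the one above (br0 = vlan1 + eth1), so the parsers can run offline.
# ASSUMPTION: your brctl/ebtables print these same layouts.

SAMPLE_SHOWSTP='br0
 bridge id              8000.3497f6229900
 designated root        8000.3497f6229900
vlan1 (1)
 port id                8001                    state           forwarding
eth1 (2)
 port id                8002                    state           forwarding'

SAMPLE_SHOWMACS='port no mac addr                is local?       ageing timer
  1     34:97:f6:22:99:00       yes                0.00
  2     a4:50:46:10:20:30       no                 5.12
  1     b8:27:eb:aa:bb:cc       no                40.01'

SAMPLE_LC='Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i eth1 --ip-dst 192.168.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 0 -- bcnt = 0'

# bridge port number -> interface name, from showstp lines like "eth1 (2)"
port_to_iface() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == ("(" p ")") { print $1; exit }'
}

# client MAC -> bridge port number it was learned on (empty if never seen)
mac_to_port() {
    printf '%s\n' "$2" | awk -v m="$1" 'tolower($2) == m { print $1; exit }'
}

# Which interface actually carries the client's frames. An eth1-only rule
# cannot match a client that shows up on vlan1 (wired, or behind another AP)
# or on a radio you did not list.
client_iface() {
    # $1 = client MAC, $2 = showmacs output, $3 = showstp output
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    port=$(mac_to_port "$mac" "$2")
    if [ -z "$port" ]; then
        echo "unknown"
    else
        port_to_iface "$port" "$3"
    fi
}

# Packet counter of the DROP rule for a destination port, from -L --Lc output
# (rule lines end in ", pcnt = N -- bcnt = M"). A counter stuck at 0 while
# you reload the page means the frames never reach that rule.
drop_pcnt() {
    # $1 = destination port, $2 = `ebtables -L --Lc` output
    printf '%s\n' "$2" | awk -v d="$1" '
        /-j DROP/ && index($0, "--ip-dport " d " ") {
            for (i = 1; i <= NF; i++) if ($i == "pcnt") { print $(i + 2); exit }
        }'
}

# Live use on the router:  sh check_wifi_block.sh <client-mac>
if [ -n "$1" ] && command -v brctl >/dev/null 2>&1 && command -v ebtables >/dev/null 2>&1; then
    echo "client $1 is attached via: $(client_iface "$1" "$(brctl showmacs br0)" "$(brctl showstp br0)")"
    echo "packets hit by the port-80 DROP rule: $(drop_pcnt 80 "$(ebtables -L --Lc)")"
fi
```

If the client turns out to be on a port other than eth1, the fix is to add the rule for that interface too (or for each wireless interface, as in the fuller firewall-start above); if it is on eth1 and the counter still stays at zero, the frames are bypassing the bridge filter, which is a separate problem from the rule text.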
 
