Protect WAN access removing "banners" or dinamically open/close WAN access

[lmerega]

Hi all, I often have to work on my home router RT-N66U with Merlinwrt.
I had to open it using a non standard port, but I would like to have a more secure interface.
In fact it now shows the AsusWRT login screen.
I would like an anonymous login&password form.
Is there any way to implement it?

Alternatively, how could I enable/disable WAN accees using a script?

TIA

.luca

 

[RMerlin]

Use a VPN server instead.

 

[lmerega]

I usually use SSH tunnel.
The problem is that some of PCs I use do not have access to all ports (so I cannot use the SSH port).
Moreover not all of them can use VPN SW...

 

[RMerlin]

The router's web server is a swiss cheese of security holes. People should never expose it to the WAN.

 

[lmerega]

The router's web server is a swiss cheese of security holes. People should never expose it to the WAN.

I do understand and I totally agrre.
This is why I would like to open it on demand.
Is there a flag I can enable/disable in the http server and restart it using a cron job?

Thx again

 

[RMerlin]

Untested, but this should do the trick to enable it:

nvram set misc_http_x=1
service restart_httpd

Make sure you use HTTPS only, and move that to a different port than the default 8443 port.

 

[lmerega]

nvram set misc_http_x=1

This sets the correct flag in NVRAM. I can see the flag on or off but when restarting httpd, the new setting is not working.
I have to lcick "Apply" to make it work.
I noticed that "Apply" button calls "startapply.htm" but I do not understand what startapply.htm does

 

[RMerlin]

This sets the correct flag in NVRAM. I can see the flag on or off but when restarting httpd, the new setting is not working.
I have to lcick "Apply" to make it work.
I noticed that "Apply" button calls "startapply.htm" but I do not understand what startapply.htm does

The only thing restarted by that webpage is time, upnp and httpd. So, just restarting httpd should work - the page processed when hitting Apply does not matter.

You might want to try also restarting the firewall, just in case:

service restart_firewall

 

[lmerega]

Perfect!!!
Now I can start and stop WAN access sending an email.
Just to understand, you said:

The only thing restarted by that webpage is time, upnp and httpd

So why restarting the firewall did the trick?

TIA

 

[john9527]

So why restarting the firewall did the trick?

Because restarting the firewall is a subset of restarting upnp......and you need to restart the firewall to apply (or remove) the iptables rules that allow WAN access.