I needed elinks for a custom script, but it wasn't in OpenWrt 15.
    opkg update
    opkg remove wpad-mini odhcpd odhcp6c
    opkg install wpad git perl openssh-client

Install a few packages, but only if really needed.

    netstat -tulpn | grep LISTEN
    tcp 0 0 y.y.y.y:53 0.0.0.0:* LISTEN 1184/dnsmasq
    tcp 0 0 y.y.y.y:xxxxx 0.0.0.0:* LISTEN 920/dropbear

Connect the router to the internet, configure it (temporarily start uhttpd if needed for pppoe, date/time, etc.). Reboot the router; you should see only the following services, listening only on the internal network, nothing else.

Update DNS IPs, whatever you want to use (for the custom scripts, if there are any on the router)

    rm /etc/nf
    echo 'nameserver 1.1.1.1' > /etc/nf

    list listen_http 'y.y.y.y:80'
    #list listen_http ':80'
    list listen_https 'y.y.y.y:443'
    #list listen_https ':443'

    /etc/init.d/uhttpd disable

Uhttpd should only listen on internal networks and if not used, disable it.

    /usr/sbin/iptables -I INPUT -p tcp --dport xxxxx -j ACCEPT
    /usr/sbin/iptables -P INPUT DROP

Download your hosts file for adblock function

    scp hosts

should only listen on internal networks

    vi /etc/nf

    vi /etc/config/dropbear

    config dropbear
        option PasswordAuth 'off'
        option Port 'xxxxx'
        option Interface 'lan'

SSHD should only allow pubkey login, and should be only reachable from internal networks.

    sysctl -a | grep -i ipv6 | grep -i disable | sed 's/ //g; s/0$/1/g' > /etc/nf
    sed -i 's/REJECT/DROP/g' /etc/config/firewall

Modify the ACCEPT to DROP where you want to block, ex.:

    vi /etc/config/firewall

    Allow-DHCPv6
    Allow-MLD
    Allow-ICMPv6-Input
    Allow-ICMPv6-Forward

Disable IPv6 if you are not using it.

    vi /etc/config/network

    config interface 'lan'
        option ipaddr 'y.y.y.y'

    config system
        option hostname 'NEW-HOSTNAME-HERE'

Bad guys don't follow the RFC either.

    scp ~/.ssh/id_rsa.pub

ssh the router's default IP.
Modify the password to a good one (63 characters long, fully random), use a password manager (start SSH - Dropbear via webgui if needed):

ssh your SSH key from your secure desktop.

Modify the root password to something simple.

    wget

But always use the newest, this URL could be old!

xxxxx -> the non-default port for SSHD
y.y.y.y -> the IP for the router, use a non-default one, ex.: 192.168.26.1, etc.

Don't connect the router to the internet until it says 'Connect the router to the internet'

Use ad/malware domain filtering in the /etc/hosts file

This one is used for connecting to the ISP, forwarding the internet connection to other routers and running a few custom scripts

No wifi needed - a bigger & better router does that

HW: 1043ND v1.1 or any other from the shelf with enough built-in storage.
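
The listener check from the reboot step (only dnsmasq and dropbear, bound to y.y.y.y) can be scripted so that anything bound elsewhere stands out. This is an added example, not part of the original guide; the function name unexpected_listeners, the sample netstat rows and port 2222 (standing in for xxxxx) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# unexpected_listeners LAN_IP
#   stdin:  output of `netstat -tulpn`
#   stdout: "proto local-address pid/program" for each TCP listener whose
#           local address is neither LAN_IP nor loopback
#   status: 0 if every listener is internal, 1 otherwise
unexpected_listeners() {
    awk -v lan="$1" '
        # Same filter as "grep LISTEN": skip headers and non-listening rows.
        $1 !~ /^tcp/ || $6 != "LISTEN" { next }
        {
            addr = $4
            sub(/:[0-9*]+$/, "", addr)   # drop the trailing :port
            if (addr == lan || addr == "127.0.0.1" || addr == "::1") next
            print $1, $4, $7
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: 192.168.26.1 is the example LAN address from the text,
# 2222 is a stand-in for the xxxxx SSH port. Two expected listeners, two stray.
SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp   0 0 192.168.26.1:53    0.0.0.0:*  LISTEN  1184/dnsmasq
tcp   0 0 192.168.26.1:2222  0.0.0.0:*  LISTEN  920/dropbear
tcp   0 0 0.0.0.0:80         0.0.0.0:*  LISTEN  1301/uhttpd
tcp   0 0 :::22              :::*       LISTEN  1410/dropbear'

if printf '%s\n' "$SAMPLE" | unexpected_listeners 192.168.26.1; then
    echo "OK: all listeners are bound to the internal address"
else
    echo "WARNING: the listeners above are not restricted to the internal address"
fi
```

On the router, run it as: netstat -tulpn | unexpected_listeners y.y.y.y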