Fail2Ban to LuCi

Hi!

How do I install Fail2Ban to protect LuCI from brute force in the LAN (!)? The network is open; I know it is not good. I don’t want to set a password. No, I don’t need a guest network.

Please help me install fail2ban for LuCI : )

Well, since you already know about your security flaws I can just link to the official (!) wiki about how to secure LuCI: https://openwrt.org/docs/guide-user/luci/luci.secure#securing_against_brute-force_attacks

There is no recommendation for fail2ban for LuCI - I am not even sure if it's possible.


@admon but it is nginx in the GL one

uHTTPd is the web server responsible for hosting the LuCI web interface. By default uHTTPd listens on 0.0.0.0, which makes it accessible from the local network.

To prevent the LuCI web interface from being brute-forced by attackers already in the local network, we are going to edit the uHTTPd config file and change its settings so it only listens on localhost.

You can do the same with nginx.

The only "real" way to protect the interface is by making it not available to everyone.
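As an added example that is not part of this thread or of the OpenWrt wiki, here is a small POSIX shell check that parses an /etc/config/uhttpd snippet and counts the listeners bound to anything other than loopback, so you can confirm whether the localhost-only change actually took effect. Both config snippets are constructed: the first mirrors the stock OpenWrt binding to all interfaces, the second the localhost-only binding the wiki recommends. The `uci` commands and the SSH tunnel in the comments are one way to apply the change on the router itself; `<router>` is a placeholder for the device's LAN address.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt wiki: audit a uHTTPd UCI
# config and report how many listeners are reachable from the LAN.

# Reads /etc/config/uhttpd text on stdin and prints the number of
# listen_http/listen_https entries that are NOT bound to loopback.
# A bare port ('80') or a wildcard ('0.0.0.0:80', '[::]:80') means the
# LuCI login page is reachable by every host on the local network.
count_exposed_listeners() {
    awk '
        $1 == "list" && ($2 == "listen_http" || $2 == "listen_https") {
            v = $3
            gsub(/^'\''|'\''$/, "", v)          # strip UCI single quotes
            if (v !~ /^127\.[0-9.]+:[0-9]+$/ && v !~ /^\[::1\]:[0-9]+$/)
                exposed++
        }
        END { print exposed + 0 }
    '
}

# Constructed sample: the stock OpenWrt uhttpd config, which binds to all
# interfaces on IPv4 and IPv6.
exposed_default() {
    count_exposed_listeners <<'EOF'
config uhttpd 'main'
    list listen_http    '0.0.0.0:80'
    list listen_http    '[::]:80'
    list listen_https   '0.0.0.0:443'
    list listen_https   '[::]:443'
    option home         '/www'
EOF
}

# Constructed sample: the same config after the localhost-only change the
# wiki recommends. One way to apply it on the router is:
#   uci set uhttpd.main.listen_http='127.0.0.1:80'
#   uci set uhttpd.main.listen_https='127.0.0.1:443'
#   uci commit uhttpd && /etc/init.d/uhttpd restart
# LuCI is then reached through an SSH tunnel from a trusted client, e.g.
#   ssh -L 8080:127.0.0.1:80 root@<router>   (then browse http://127.0.0.1:8080)
# where <router> is a placeholder for the device's LAN address.
exposed_hardened() {
    count_exposed_listeners <<'EOF'
config uhttpd 'main'
    list listen_http    '127.0.0.1:80'
    list listen_http    '[::1]:80'
    list listen_https   '127.0.0.1:443'
    list listen_https   '[::1]:443'
    option home         '/www'
EOF
}

echo "stock config:    $(exposed_default) listener(s) reachable from the LAN"
echo "hardened config: $(exposed_hardened) listener(s) reachable from the LAN"
```

On a GL.iNet device where nginx rather than uHTTPd fronts LuCI, the same idea applies to nginx's `listen` directives: anything not bound to 127.0.0.1 or [::1] is reachable from the LAN, and the SSH tunnel is the access path once you restrict it.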

I just need to add a rate limit. In the GL app there is such a feature…

Yeah, but LuCI is a 3rd party app. So you would need to talk to the LuCI developers about this one.
And since they wrote in the wiki that they think protecting LuCI by using an SSH tunnel is the best way ... I doubt they will add something like a rate limit at all.

Is it possible on Android? I don’t have a PC as it is redundant for me.

I don't know, depends on the SSH client possibilities.

Why separate interfaces? Why do the devs not just write plugin(s) and a theme for the default LuCI to customise it?

Developers choose separate interfaces because that's how GL devices are designed. It's not something we can change, so there's no need to discuss it further.

LuCI is an extra and for many people not needed anyway.

But I am using exactly that. Because the firewall in the GL GUI is castrated (no block options), there is no custom plugins GUI (LuCI supports it), no custom path to hosts files (LuCI in DNSMASQ supports it) and much more…

Understandable. I use it myself, sometimes.

But in that case, you must accept that there are some extra steps to take if you want to stay secure. Or you choose a password so long that there is no way to brute-force it.

Edit:
You could even stop nginx and only spin it up when you need it. That would be pretty secure.

You mean for admin? Can I at least change the root username? Do you have examples (not your own)? I see every single password can be easily brute-forced, as everyone knows that letters can be replaced by digits, etc.
