GL-Inet security

Hi

I have Gl-inet brume router that should face internet (it’s an edge router). It’s job is to secure a server over internet. The SSH and VPN access are needed.

I have a few questions.

  • I can’t see what firmware gl-inet uses. Is it possible to install coreboot, or some sort of trusted firmware?

  • Are OpenWRT and ssh and VPN clients released versions or older snapshot versions? Any risk here, with using special vpn and ssh clients or OS version?

  • Can SSH be hardened by command line via sshd_config as in desktop Linux (of course using dropbear)? The GUI may not offer all configuration options.

  • Is deploying brume on edge facing public internet secure? OpenWRT is used mostly in WiFi products.

I am just trying to see the security of Brume for this use case.

Thank you!

GL uses uBoot with OpenWRT on top. You can see the exact version if you log into Luci. Coreboot is only interesting on x86 full size PC’s, where the bios is closed source and can be full of bugs. It does not apply to routers where the bootloader is fully open source and hardened over many years. You just have to keep in mind the features, you might want to flash your own custom uBoot removing firmware flashing or tftp support.

SSH and VPN will be the versions that OpenWRT had for that release version, you can also check those via command line.

You can set up sudo, remove root login and more like you can do on full size Linux via the config yes. Here is some info about that:

It will only be as secure as your configuration. Even a Cisco router can be insecure if the person does not know what they are doing when configuring it. OpenWRT is usually more updated than run of the mill consumer router firmwares that can have very old kernels. So I would say it falls into prosumer / low end enterprise. It’s not a 10 000 dollar router, so you get what you pay for.

Usually you will have more issues with the server itself than the router for security.

2 Likes