Does LuCI that comes with the GL GUI have any brute force protections by default? If not, how to protect it?
I searched via Google and found many recommendations to use Fail2Ban, but it blocks IPs, doesn’t it? In a LAN it won’t work, or am I wrong?
It will work in the LAN by blocking the offending IP.
Can you help me to configure it? I need to protect my LuCI especially from someone that has access to my LAN…
Just use a secure, non-guessable password for LuCI - no need to waste your time on extra configurations!
Most brute-force protections work by locking down the account (which you don’t want to do with the LuCI admin) or blocking the offending IP.
I’m afraid every password can be brute forced.
What do you mean? Like the iPhone does if more than 5 attempts are wrong? That is totally normal.
The best way is to add local CAPTCHA but I think this cannot be done, unfortunately.
In LAN too?
Yes. The LAN IP that attacked LuCI.
Generate password using this:
The best way would be disabling the GUI if you don’t need it and going by SSH by default. (Using an SSH key)
Unfortunately, the GUI needs to be present because even if I can understand commands, another person cannot (it is my personal business router)
Can you guide me through settings?
Something like R"pw%vWTw1n-,1?22_;
given. Where to store something like this? This cannot be easily written somewhere. Also, I don’t think that only a strong password can protect LuCI from brute force.
You can’t brute-force passwords with 16 or more characters. It would take way too much time.
Use a password manager for saving passwords like this.
So you say that I can be safe only by password? Even if it is a business router and the person has an infinite amount of time?
If it’s a business router you will
or
and
You see, I am the owner of a small business and mostly I set something.
But, if I am away, there is another person that should have access to settings if something happens… I think that I can deny everyone from it and allow only internal clients, but I also think that the LAN password can be intercepted by something like a deauth attack…
I think this is reasonable, but one question. If an attacker has access to the LAN and is placed nearby (so the bad actor can try to brute force for an infinite amount of time), how likely is it that the attacker will get access in this case?
The deauth attack isn’t dangerous for the password, but there are plenty of other ways. But to be honest: If an attacker is already inside your network, and you don’t know about it … you’re already going to lose. The router isn’t the most important thing you should be concerned about then.
That’s fair. So how to prevent attackers from entering my network?
Hidden SSID + 24+ character password? That’s all? Or is there some method to prevent brute force on entering the network?
This is a topic that cannot be answered in general terms, as it has many dependencies. It depends on the size of the company, the purpose, the number of employees and the technology used.
Basically, you can say that deactivating Wi-Fi (or disconnecting the network so that Wi-Fi can only be used for surfing and has no access to internal systems) is a proven standard method for securing the internal network.
Otherwise, it also belongs in this category:
I do all this professionally, but there’s a reason why my company usually charges 1000 EUR for an initial consultation for micro-enterprises…
We are using a cellular connection (not cable). So this is this router
Can you recommend one?
Most devices are denied access to the WAN; only a few are able to access it for now.
We use Linux ha-ha
We are not so big. It is aka some shop where I sell some components for electronics
Only 3 persons except me
All other points done
Nope, can’t.
I really enjoy Sophos - but that’s because I am working as an MSP, so it has a bias.
Anyway, thank you for your time!
I wish you the best!