Enable Web Interface Over SSH?

DD-WRT Forum Index -> Broadcom SoC based Hardware
commandar
DD-WRT Novice


Joined: 07 Jun 2006
Posts: 7

PostPosted: Wed Mar 19, 2008 2:20    Post subject: Enable Web Interface Over SSH?
I have a remote location that apparently never had remote web access to the router config enabled.

I already have a hole punched in the firewall for SSH on another port on a box inside that network, and am able to SSH into the router from there.

Is there an NVRAM flag or something similar I can flip to allow remote web config access on the router via SSH?

Thanks in advance. Smile
bkmo
DD-WRT User


Joined: 18 Oct 2007
Posts: 385
Location: Grecia, Costa Rica

PostPosted: Wed Mar 19, 2008 3:06    Post subject:
This should have been easy to find with a search. It is answered every few days.

nvram set httpd_enable=1
nvram set http_enable=1
nvram commit

you can just reboot, or start httpd from the commandline

httpd -p 80
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Wed Mar 19, 2008 4:14    Post subject:
also,

nvram set remote_management=1
nvram set http_wanport=8080
nvram set httpsd_enable=1
nvram set https_enable=1
nvram set remote_mgt_https=1
nvram commit
reboot

Then connect:

https://yourWANIP:8080/

But I still agree with bkmo. You should try using search more often.

P.S. - I have just added these instructions to the Wiki here -> Web Interface - Regaining Access. If anyone shall ask this question again in the future, you now have an easier point of reference.
bige
DD-WRT Novice


Joined: 19 Jan 2008
Posts: 2

PostPosted: Wed Mar 19, 2008 11:26    Post subject:
You could also set up tunneling in your SSH client and not enable remote https management. For example, in Putty you could add:
Source Port: 9000
Destination: localhost:80

After making the SSH connection, fire up your browser and connect to http://localhost:9000/

This would tunnel the connection through SSH. In the above example, the source port (9000) is the port you use on your local client machine to connect to the destination (router on port 80).

I hope this helps.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Wed Mar 19, 2008 11:36    Post subject:
Welcome bige 8)

That's a very good point! It's a secure solution, while also having the benefit of saving valuable router resources (no need for an extra HTTPS service running in the background). Just encrypt the HTTP traffic through the SSH tunnel.
bige
DD-WRT Novice


Joined: 19 Jan 2008
Posts: 2

PostPosted: Wed Mar 19, 2008 20:19    Post subject:
I use the SSH tunnel a lot so I don't have to open many ports to the world, and like you said the entire connection is encrypted. It works well for RDP connections as well. I also like the ability to use the router as a proxy server through the SSH tunnel. Most networks allow port 22 through.
commandar
DD-WRT Novice


Joined: 07 Jun 2006
Posts: 7

PostPosted: Wed Mar 19, 2008 21:26    Post subject:
soulstace wrote:
also,

nvram set remote_management=1
nvram set http_wanport=8080
nvram set httpsd_enable=1
nvram set https_enable=1
nvram set remote_mgt_https=1
nvram commit
reboot

Then connect:

https://yourWANIP:8080/

But I still agree with bkmo. You should try using search more often.

P.S. - I have just added these instructions to the Wiki here -> Web Interface - Regaining Access. If anyone shall ask this question again in the future, you now have an easier point of reference.


Thanks. I had found bits and pieces of how to handle this locally, but was having trouble getting everything together for enabling the remote connection. The help is very appreciated.

bige wrote:
You could also set up tunneling in your SSH client and not enable remote https management. For example, in Putty you could add:
Source Port: 9000
Destination: localhost:80

After making the SSH connection, fire up your browser and connect to http://localhost:9000/

This would tunnel the connection through SSH. In the above example, the source port (9000) is the port you use on your local client machine to connect to the destination (router on port 80).

I hope this helps.

That helps quite a bit, actually. I actually needed SSH-HTTP tunneling for another aspect of the project I'm working on, so this actually takes care of how to set that up as well. Thanks. Smile
DjStraw
DD-WRT Novice


Joined: 09 Dec 2008
Posts: 37

PostPosted: Tue Jan 05, 2010 7:46    Post subject:
Thanks, works via Telnet..
jamerson
DD-WRT Novice


Joined: 15 Oct 2013
Posts: 9

PostPosted: Wed Oct 16, 2013 22:28    Post subject:
bige wrote:
I use the SSH tunnel a lot so I don't have to open many ports to the world, and like you said the entire connection is encrypted. It works well for RDP connections as well. I also like the ability to use the router as a proxy server through the SSH tunnel. Most networks allow port 22 through.

I will be much happier if I could see this tutorial somewhere to configure my router!
Really more secure than open ports to the world!
PacoW
DD-WRT Novice


Joined: 15 Oct 2013
Posts: 2

PostPosted: Thu Oct 17, 2013 15:26    Post subject:
I usually apply extra security measures to my external SSH connections by:
  1. using some random port in a high range, other than the standard port 22
  2. renaming the root user (how: http://www.dd-wrt.com/wiki/index.php/Script_Examples#Change_root_username)
Why? For convenience I once opened the standard SSH port to the world and my log revealed that people running scripts tried gaining access. I assume they look at random systems for standard ports, known exploits, common usernames (root, admin, user, system) and a list of commonly used passwords. Although they never manage to gain access, I just do not want them to know about my SSH port. After switching to a non-standard port, my log didn't show any more attempts, because the scripts do not do a time-consuming port scan.

If you don't want to change the port or the username, using a very(!) strong password may be sufficient.

[off topic] SSH Security Hints
  1. DD-WRT's CLI has two users: root and reboot. They both have the same password. Logging in as reboot is just a fast way to reboot the router. You might also want to rename this user.
  2. I myself rely on the security measures mentioned above, but please do not underestimate the potential hardware damage a malicious hacker can do. Once logged in, he could set the TX power and the overclock frequency to the maximum. He could also more subtly damage your non-volatile memory by running a script that does millions of writes to NVRAM or JFFS.
  3. When connecting to a DD-WRT system, it reveals the OS before having to enter a password. A malicious hacker seeing you are using DD-WRT might do some extra effort to hack his way in, because he might want to damage your hardware if he knows about the potential hardware exploits I described above. You might change the file /tmp/loginprompt.
  4. At this moment I'm using a build which doesn't have this feature, but I saw one having a setting called 'limit SSH access'. I assume it blocks access to systems that repeatedly use wrong passwords. That seems OK to me, but I couldn't set this to 'on', because it was set to 'off' after applying settings. (I haven't searched for more information about this feature yet, so I may have done something wrong.)
  5. Most people here already know this. Never use Telnet, because any data (even your password) is sent unencrypted.
[/off topic]

Have a nice day!
PacoW Very Happy

_________________
On duty
- Linksys WRT54GL v1.1 / DD-WRT r14929 std / private LAN+WLAN
- Linksys WRT54G v2.2 / DD-WRT r14929 std / neighbour's WLAN
- Linksys WRT54GL v1.1 / DD-WRT r14929 std / my server's firewall

Off duty
- Linksys WAP54G v1.0 (deprecated: unreliable)
- Linksys WRT54G v7.0 (DD-WRT not supported)
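PacoW's point about the log showing scripted login attempts can be turned into a quick check. The following is an added example, not PacoW's or DD-WRT's own script: a POSIX-shell pipeline that counts failed SSH logins per source address from syslog lines. It assumes dropbear's log wording (the SSH server DD-WRT ships) and IPv4 sources; the sample lines are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of DD-WRT syslog lines in dropbear's format (not taken from the thread).
sample_log() {
    cat <<'EOF'
Mar 13 10:40:01 router dropbear[1842]: Bad password attempt for 'root' from 203.0.113.7:51234
Mar 13 10:40:03 router dropbear[1842]: Bad password attempt for 'root' from 203.0.113.7:51240
Mar 13 10:40:05 router dropbear[1845]: Login attempt for nonexistent user from 198.51.100.22:40011
Mar 13 10:41:10 router dropbear[1850]: Password auth succeeded for 'root' from 192.168.1.100:55123
Mar 13 10:42:00 router dropbear[1853]: Bad password attempt for 'admin' from 203.0.113.7:51299
Mar 13 10:42:30 router dropbear[1854]: Bad password attempt for 'root' from 198.51.100.22:40020
EOF
}

# Read log lines on stdin; print "<source-ip> <failed-attempts>", most frequent first.
# Only bad-password and nonexistent-user lines count; successful logins are ignored.
# IPv4 only (assumption): dropbear logs "from A.B.C.D:port".
failed_by_source() {
    grep -E "dropbear\[[0-9]+\]: (Bad password attempt for '[^']*'|Login attempt for nonexistent user) from " \
    | sed -E 's/.* from ([0-9.]+):[0-9]+.*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Print only sources with at least $1 failures: the ones worth a temporary firewall block
# or a closer look, the behaviour the thread's 'limit SSH access' setting is assumed to have.
offenders() {
    failed_by_source | awk -v t="$1" '$2 >= t { print $1 }'
}

# Stand-alone run on the constructed sample; on a router you would pipe in /var/log/messages
# or the output of 'logread' instead (assumption: syslog to RAM is enabled).
sample_log | failed_by_source
```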
atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Tue Mar 12, 2024 21:48    Post subject: Disabling Local Access to Web Interface when not using it
soulstace wrote:
also,

nvram set remote_management=1
nvram set http_wanport=8080
nvram set httpsd_enable=1
nvram set https_enable=1
nvram set remote_mgt_https=1
nvram commit
reboot

Then connect:

https://yourWANIP:8080/

But I still agree with bkmo. You should try using search more often.

P.S. - I have just added these instructions to the Wiki here -> Web Interface - Regaining Access. If anyone shall ask this question again in the future, you now have an easier point of reference.


Hey, I'm trying to disable my DD-WRT web interface completely from SSH when I'm not using the web interface of DD-WRT. OpenWrt has a command to enable and disable LuCI (web interface). I'm wondering if these commands you posted are going to do the same thing? I just want to ssh into my router, and enable the web interface locally only when I use it to make changes, and then disable it with ssh after I'm done using it and making changes.

What commands that you have listed will do this? I'm not sure which ones do which for disabling and re-enabling. Let me know. Thanks

_________________
DanRanRocks - Tech Tutorials by Dan Ran

https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on key base! and Add me on Keybase

Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 960
Location: WV, USA

PostPosted: Wed Mar 13, 2024 3:21    Post subject:
That post you quoted is 16 years old. Things have changed a lot since then. It is not recommended to enable http(s) access on your WAN port at all (or ssh for that matter). For remote access, use WireGuard.
_________________
Linksys EA8500 (Internet Gateway, AP/VAP) - DD-WRT r53562
Features in use: WDS-AP, Multiple VLANs, Samba, WireGuard, Entware: mqtt, mlocate

Netgear R7800 (WDS-AP, WAP, VAP) - DD-WRT r53562
Features in use: multiple VLANs over single trunk port

Linksys EA8500 WDS Station x2 - DD-WRT r53562

Netgear R6400v2 WAP, VAP 2.4ghz only w/VLANs over single trunk port.

OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.

Forum member #248
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

PostPosted: Wed Mar 13, 2024 10:40    Post subject:
Two commands setpasswd and setuserpassword might interest you. They alter the password and/or username of the WEBUI. The WEBUI password is also the password of root in /tmp/etc/passwd.

You can also move the WEBUI port using 'nvram set http_lanport=9999' if you wanna use port 80 as the port for Lighttpd, the regular web server. You might wanna set http_wanport to an impossible value!

BTW, you can launch WEBUI directly using command 'httpd -n -p 9999' (-p is port number) when in a shell, ignoring WEBUI-related nvram values. Then WEBUI would not stay alive all the time without your attention, only in an SSH session. And before you logout, you might wanna stop WEBUI by 'killall httpd' or 'service httpd stop'!


One thing: Better set http_enable=1 BEFORE you flash a new DD-WRT build just in case the upgrade went wrong.

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw


Last edited by mwchang on Wed Mar 13, 2024 12:51; edited 6 times in total
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Wed Mar 13, 2024 10:56    Post subject: Re: Disabling Local Access to Web Interface when not using i
atomicamp wrote:
Hey, I'm trying to disable my DD-WRT web interface completely from SSH


disable

Code:
nvram set http_enable=0
nvram set https_enable=0
service httpd restart


enable

Code:
nvram set http_enable=1
nvram set https_enable=1
service httpd restart

_________________
Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)

Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.3 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Wed Mar 13, 2024 12:36    Post subject:
after nvram set whatever is used... to preserve/save the settings, nvram commit is needed... Smile


if you turn off SSH from the services page then no SSH at all..
to secure SSH, telnet, https, http local microserver.. you can add iptables rules..

those are only examples (you have to tailor them to your config.. interfaces, clients, etc..)

iptables -I INPUT -i br0 -p tcp --dport 443 -m state --state NEW -j REJECT
or general
iptables -I INPUT -i br0 -p tcp --dport 443 -j REJECT

iptables -I INPUT -i br0 -p tcp --dport 443 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

xx:xx:xx:xx:xx:xx is the MAC address of the device that you want to allow.. Cool

you can use it along with IP's too..(you'd need to give a static IP to those clients)

iptables -I INPUT -i br0 -p tcp --dport 443 -s 192.168.1.100 -j ACCEPT

but anyway old thread..with various content... Laughing

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
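An added example, not Alozaros's own script: a POSIX-shell wrapper that applies his allowlist pattern for the web UI port with input validation and in the order that `iptables -I` needs (the REJECT goes in first, so every ACCEPT inserted afterwards lands above it). The bridge name br0 follows the thread; the IPTABLES dry-run variable and the function names are my assumptions.

```shell
#!/bin/sh
# Restrict the DD-WRT web UI on the LAN bridge to an allowlist of MAC and/or IPv4 sources.
# Set IPTABLES=echo to dry-run: the rules are printed instead of applied (assumption).
IPTABLES=${IPTABLES:-iptables}
IFACE=${IFACE:-br0}

valid_mac() { printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
valid_ip4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# usage: webui_allowlist PORT SOURCE...   (SOURCE is a MAC address or an IPv4 address)
# Validates every source before touching the firewall, so a typo cannot leave a
# half-applied ruleset; returns 1 on a bad source, 2 when no source was given.
webui_allowlist() {
    port=$1; shift
    [ "$#" -gt 0 ] || { echo "no sources given" >&2; return 2; }
    for src in "$@"; do
        valid_mac "$src" || valid_ip4 "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    # Default deny for this port on the LAN bridge. Inserted first, so it ends up below
    # the ACCEPT rules that -I will push in above it.
    $IPTABLES -I INPUT -i "$IFACE" -p tcp --dport "$port" -j REJECT || return 1
    for src in "$@"; do
        if valid_mac "$src"; then
            # MAC matching only works on the interface the frame arrives on (here br0).
            $IPTABLES -I INPUT -i "$IFACE" -p tcp --dport "$port" -m mac --mac-source "$src" -j ACCEPT
        else
            # IP matching needs the client on a static lease, as the thread notes.
            $IPTABLES -I INPUT -i "$IFACE" -p tcp --dport "$port" -s "$src" -j ACCEPT
        fi
    done
}

# Stand-alone use: ./webui_allowlist.sh 443 aa:bb:cc:dd:ee:ff 192.168.1.100
if [ "$#" -gt 0 ]; then webui_allowlist "$@"; fi
```

The rules are not persistent; on DD-WRT put the call in the firewall script so it is re-applied on boot.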