Enable Web Interface Over SSH?

Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
commandar
DD-WRT Novice


Joined: 07 Jun 2006
Posts: 7

PostPosted: Wed Mar 19, 2008 2:20    Post subject: Enable Web Interface Over SSH? Reply with quote
I have a remote location that apparently never had remote web access to the router config enabled.

I already have a hole punched in the firewall for SSH on another port on a box inside that network, and am able to SSH into the router from there.

Is there an NVRAM flag or something similar I can flip to allow remote web config access on the router via SSH?

Thanks in advance. Smile
Sponsor
bkmo
DD-WRT User


Joined: 18 Oct 2007
Posts: 385
Location: Grecia, Costa Rica

PostPosted: Wed Mar 19, 2008 3:06    Post subject: Reply with quote
This should have been easy to find with a search. it is answered every few days.

nvram set httpd_enable=1
nvram set http_enable=1
nvram commit

you can just reboot, or start httpd from the commandline

httpd -p 80
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Wed Mar 19, 2008 4:14    Post subject: Reply with quote
also,

nvram set remote_management=1
nvram set http_wanport=8080
nvram set httpsd_enable=1
nvram set https_enable=1
nvram set remote_mgt_https=1
nvram commit
reboot

Then connect:

https://yourWANIP:8080/

But I still agree with bkmo. You should try using search more often.

P.S. - I have just added these instructions to the Wiki here -> Web Interface - Regaining Access. If anyone shall ask this question again in the future, you now have an easier point of reference.
bige
DD-WRT Novice


Joined: 19 Jan 2008
Posts: 2

PostPosted: Wed Mar 19, 2008 11:26    Post subject: Reply with quote
You could also setup tunneling in your SSH client and not enable remote https management. For example, in Putty you could add:
Souce Port: 9000
Destination: localhost:80

After making the SSH connection, fire up your browser and connect to http://localhost:9000/

This would tunnel the connection through SSH. In the above example, the source port (9000) is the port you use on your local client machine to connect to the destination (router on port 80).

I hope this helps.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Wed Mar 19, 2008 11:36    Post subject: Reply with quote
Welcome bige 8)

That's a very good point! It's a secure solution, while also having benefit of saving valuable router resources (no need for extra HTTPS service running in the background). Just encrypt the HTTP traffic through SSH tunnel.
bige
DD-WRT Novice


Joined: 19 Jan 2008
Posts: 2

PostPosted: Wed Mar 19, 2008 20:19    Post subject: Reply with quote
I use the SSH tunnel a lot so I don't have to open many ports to the world, and like you said the entire connection is encrypted. It works well for RDP connections as well. I also like the ability to use the router as a proxy server through the SSH tunnel. Most networks allow port 22 through.
commandar
DD-WRT Novice


Joined: 07 Jun 2006
Posts: 7

PostPosted: Wed Mar 19, 2008 21:26    Post subject: Reply with quote
soulstace wrote:
also,

nvram set remote_management=1
nvram set http_wanport=8080
nvram set httpsd_enable=1
nvram set https_enable=1
nvram set remote_mgt_https=1
nvram commit
reboot

Then connect:

https://yourWANIP:8080/

But I still agree with bkmo. You should try using search more often.

P.S. - I have just added these instructions to the Wiki here -> Web Interface - Regaining Access. If anyone shall ask this question again in the future, you now have an easier point of reference.


Thanks. I had found bits and pieces of how to handle this locally, but was having trouble getting everything together for enabling the remote connection. The help is very appreciated.

bige wrote:
You could also setup tunneling in your SSH client and not enable remote https management. For example, in Putty you could add:
Souce Port: 9000
Destination: localhost:80

After making the SSH connection, fire up your browser and connect to http://localhost:9000/

This would tunnel the connection through SSH. In the above example, the source port (9000) is the port you use on your local client machine to connect to the destination (router on port 80).

I hope this helps.

That helps quite a bit, actually. I actually needed SSH-HTTP tunneling for another aspect of the project I'm working on, so this actually takes care of how to set that up as well. Thanks. Smile
DjStraw
DD-WRT Novice


Joined: 09 Dec 2008
Posts: 37

PostPosted: Tue Jan 05, 2010 7:46    Post subject: Reply with quote
Thanks, work via Telnet..
jamerson
DD-WRT Novice


Joined: 15 Oct 2013
Posts: 9

PostPosted: Wed Oct 16, 2013 22:28    Post subject: Reply with quote
bige wrote:
I use the SSH tunnel a lot so I don't have to open many ports to the world, and like you said the entire connection is encrypted. It works well for RDP connections as well. I also like the ability to use the router as a proxy server through the SSH tunnel. Most networks allow port 22 through.

i will be much happier if i could see this tutorial somewhere to configure my router!
really most secure than open ports to the world!
PacoW
DD-WRT Novice


Joined: 15 Oct 2013
Posts: 2

PostPosted: Thu Oct 17, 2013 15:26    Post subject: Reply with quote
I usually apply extra security measurements to my external SSH connections by:
  1. using some random port in a high range, other than the standard port 22
  2. renaming the root user (how: http://www.dd-wrt.com/wiki/index.php/Script_Examples#Change_root_username)
Why? For convenience I once opened the standard SSH port to the world and my log revealed that people running scripts tried gaining access. I assume they look at random systems for standard ports, known exploits, common usernames (root, admin, user, system) and a list of commonly used passwords. Although they never manage to gain access, I just do not want them to know about my SSH port. After switching to a non-standard port, my log didn't show any more attempts, because the scripts do not do a time-consuming port scan.

If you don't want to do change the port or the username, using a very(!) strong password may be sufficient.

[off topic] SSH Security Hints
  1. DD-WRT's CLI has two users: root and reboot. They both have the same password. Logging in as reboot is just a fast way to reboot the router. You might also want to rename this user.
  2. I myself rely on the security measures mentioned above, but please do not underestimate the potential hardware damage a malicious hacker can do. Once logged in, he could set the TX power and the overclock frequency to the maximum. He could also more subtly damage your non-volatile memory by running a script that does millions of writes to NVRAM or JFFS.
  3. When connecting to a DD-WRT system, it reveals the OS before having to enter a password. A malicious hacker seeing you are using DD-WRT might do some extra effort to hack his way in, because he might want to damage your hardware if he knows about the potential hardware exploits I described above. You might change the file /tmp/loginprompt.
  4. At this moment I'm using a build which doesn't have this feature, but I saw one having a setting called 'limit SSH access'. I assume it blocks access to systems that repeatedly use wrong passwords. That's seems OK to me, but I couldn't set this to 'on', because it was set to 'off' after applying settings. (I haven't searched for more information about this feature yet, so I may have done something wrong.)
  5. Most people here already know this. Never use Telnet, because any data (even your password) is sent unencrypted.
[/off topic]

Have a nice day!
PacoW Very Happy

_________________
On duty
- Linksys WRT54GL v1.1 / DD-WRT r14929 std / private LAN+WLAN
- Linksys WRT54G v2.2 / DD-WRT r14929 std / neighbour's WLAN
- Linksys WRT54GL v1.1 / DD-WRT r14929 std / my server's firewall

Off duty
- Linksys WAP54G v1.0 (depreciated: unreliable)
- Linksys WRT54G v7.0 (DD-WRT not supported)
Display posts from previous:    Page 1 of 1
Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum