Joined: 31 Jul 2021 Posts: 1889 Location: All over YOUR webs
Posted: Tue Nov 23, 2021 13:02 Post subject:
What egc said exactly.
DD-WRT is a router FW, a Rpi or any other machine just running a web server, may allow anything and their mothers by default.
I can say for sure without examining all the firewall rules or security mechanisms in place in the FW, that prevent httpd from doing this by default, I have a sneaking suspicion that's the cause for the failure as you noted.
I wouldn't expect my router accessible to the outside world, with default configs to allow execution of scripts somewhere in its directories, and if the router just allowed this by default, I would consider it insecure and security issue ripe for abuse.
Via SSH you are essentially the root user, and its up to you to understand the implications of opening yourself up to what that entails.
You also have a built in light http server in the FW, you can also enable that allow it outside access and perhaps the webinterface restrictions wont apply there (again idk what restrictions are in place of the top of my head) and you maybe able to reproduce your Rpi scenario that way too.
Joined: 04 Aug 2018 Posts: 1355 Location: Appalachian mountains, USA
Posted: Tue Nov 23, 2021 18:25 Post subject:
Yeah, what they said.
Set up ssh with key authorization (NOT user/pass), get everything working first from inside your network, and only then try doing things from the WAN. If you are coming from a linux box you'll want to use ssh-agent to streamline access.
Anyway, the key here is that the ssh client on that friendly linux box (at least on my old Fedora system) can take an argument that is a command to be run on the ssh server's system. This can be a many-line command in quotes or a short command to run what you have in /opt. You can write a few short scripts or bash functions on that linux box to streamline things. _________________ 4 Linksys WRT1900ACSv2 routers on 49081, 2 on 48141: VLANs, VAPs, NAS, client mode, OpenVPN client (AirVPN), DDNS, wireguard servers and clients (AzireVPN), three DNSCrypt DNS providers (incl Quad9) via VPN clients.
I understand the security implications, however I think if I can work out how to execute a script remotely via a specific port, then I should also be able to work out how to add some username/password authentication to said port/directory to prevent unauthorised access.
I would like to use php on my server to execute a script on the router (just in case my question was not clear in the first instance - if anyone else has done something like that).
I believe you need to setup NetCat in DD-WRT that listens to port 5280, then execute a script accordingly. For that, you need to install Entware. Also, you have to consider security and firewall issues.
DropBear SSH of DD-WRT supports remote command execution! Look it up via Google. It's installed by default. I believe Raspberry Pi's Linux distribution has OpenSSH as well.
Lastly, the following query had some interesting results: