security script?

inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

Posted: Sun Feb 12, 2023 19:26    Post subject: security script?
Curious if this is still a going concern and something of value or outdated...? Have seen any updates, comments or questions in a long time. Is there a more comprehensive version of this elsewhere?

https://wiki.dd-wrt.com/wiki/index.php/Useful_Scripts#Small_Security_Script_.28Firewall.29
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon Feb 13, 2023 7:31    Post subject:
Why do you need this script in the first place...
some of the values are already in use...you can check those one by one

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

Posted: Mon Feb 13, 2023 14:42    Post subject:
The question was to ask if the information referenced on this site is relevant.
Based on your reply...? :/
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon Feb 13, 2023 15:26    Post subject:
Have you read the forum guidelines and relevant information yet...lots of helpful pointers!
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=332703
As you have had this account since 2015, I presume you have some basic knowledge of DDWRT.
Some of the information on the wiki is referencing old routers and old builds...so, you have to find that for yourself...it's not bad to ask and get an answer...sadly I do not maintain the wiki, nor do I know if all the stuff there is still applicable...neither do I know who is updating those at all...but in your case you can waste time and find those values for yourself...there is a sysctl page in the web interface where you can find some of the values (they are in use)...whereas for the others you need to use the CLI...

DDWRT in its current state accommodates lots of changes since those wiki articles were made...and the wiki as well as the forum are both mostly driven by volunteering and people that love to help and spend time around here...so, no blame for that...

As I asked above, what is the reason you need this information...so that someone can give a better answer...

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Mon Feb 13, 2023 18:21    Post subject:
"Windows XP" in the contents of that section of the wiki should be quite the pointer. The script was probably developed when WRT54* routers were the bee's knees, but I would have to check the history of the article. You can cat the values of all of those parameters and make adjustments to the script, if you really feel like it's necessary.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
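
Added example (not part of any post in this thread, and not the wiki script): one way to do the check kernel-panic69 describes, reading each parameter's current value and comparing it with a baseline before changing anything. The four baseline entries are constructed sample values using standard Linux sysctl names, and `audit_sysctl` is a hypothetical helper name.

```shell
#!/bin/sh
# Compare live kernel parameters with a baseline, read-only.
# BASELINE is a constructed sample (assumption), one "path value" per line,
# with paths relative to /proc/sys. Replace it with the lines of the script
# you are evaluating.
BASELINE='net/ipv4/tcp_syncookies 1
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/conf/all/accept_source_route 0
net/ipv4/conf/all/accept_redirects 0'

# audit_sysctl [ROOT]: print one line per parameter and return the number
# of parameters that differ from the baseline or are absent on this build.
audit_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        if [ ! -r "$root/$key" ]; then
            # Old scripts often reference knobs a newer kernel no longer has.
            echo "MISSING $key (not exposed by this kernel/build)"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$root/$key")
        if [ "$have" = "$want" ]; then
            echo "OK      $key = $have"
        else
            echo "DIFF    $key = $have (baseline $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$bad"
}

# Audit the running kernel only when invoked with "live" as first argument.
if [ "${1:-}" = "live" ]; then
    audit_sysctl /proc/sys
fi
```

Only the lines reported as DIFF are candidates for a startup script; OK lines are already set by the firmware, and MISSING lines no longer apply to the build.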
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

Posted: Mon Feb 13, 2023 19:35    Post subject:
I looked at the wiki history: this script is from 2007, last edit was 2009, so safe to say completely ignore the script.

If concerned about anything firewall related, be sure to be running the latest build available, which is r51679 at this moment.
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

Posted: Tue Feb 14, 2023 15:36    Post subject:
Reason for asking is trying to lock router down with additions to iptables which block various attacks, scans, and malicious activity for systems which also require access from the internet for various functions. Yes, aware this script doesn't touch iptables. It was found while searching the topic.

There are tons of examples, some contradicting or overlapping significantly. Granted if security was a primary concern, dd-wrt while powerful probably isn't the end-all best choice as a perimeter device. Sure others have gone very far down this path. If anyone has, the question is largely pointed in their direction.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Tue Feb 14, 2023 17:28    Post subject:
By default DDWRT has an SPI firewall (can google to find out more about it) and uses iptables as well as ipset (router model and current firmware build matter)...so you can do some more with those...bear in mind DDWRT does not have all the iptables modules in use...

You can install fail2ban or similar, like snort or suricata, and run it from Entware on USB...the router needs to be powerful to be able to run those...preferably a PC box...

some recent thread on fail2ban
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=333851
