Posted: Sun Feb 12, 2023 19:26 Post subject: security script?
Curious if this is still a going concern and something of value, or outdated...? Haven't seen any updates, comments or questions in a long time. Is there a more comprehensive version of this elsewhere?
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Mon Feb 13, 2023 7:31 Post subject:
Why do you need this script in the first place...
Some of the values are already in use... you can check those one by one.
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Mon Feb 13, 2023 15:26 Post subject:
Have you read the forum guidelines and relevant information yet? Lots of helpful pointers!
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=332703
As you have had this account since 2015, I presume you have some basic knowledge of DD-WRT.
Some of the information on the wiki references old routers and old builds... so you have to find that out for yourself... it's not bad to ask and get an answer... sadly I do not maintain the wiki, nor do I know
if all the stuff there is still applicable... nor do I know who is updating it at all... but in your case you can waste the time and find those values for yourself... there is a sysctl page in the web interface where you can find some of the values (the ones in use)... for the others you need to use the CLI...
DD-WRT in its current state accommodates lots of changes since those wiki articles were made... and the wiki as well as the forum are both mostly driven by volunteers and people who love to help and spend time around here... so, no blame for that...
As I asked above, what is the reason you need this information... so that someone can give a better answer..
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Mon Feb 13, 2023 18:21 Post subject:
"Windows XP" in the contents of that section of the wiki should be quite the pointer. The script was probably developed when WRT54* routers were the bee's knees, but I would have to check the history of the article. You can cat the values of all of those parameters and make adjustments to the script, if you really feel like it's necessary. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
The reason for asking is trying to lock the router down with additions to iptables which block various attacks, scans, and malicious activity, for systems which also require access from the internet for various functions. Yes, I'm aware this script doesn't touch iptables. It was found while searching the topic.
There are tons of examples, some contradicting or overlapping significantly. Granted, if security were the primary concern, DD-WRT, while powerful, probably isn't the end-all best choice as a perimeter device. Surely others have gone very far down this path. If anyone has, the question is largely pointed in their direction.
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Tue Feb 14, 2023 17:28 Post subject:
By default DD-WRT has an SPI firewall (you can google to find out more about it) and uses iptables as well as ipset (router model and current firmware build matter)... so you can do some more with those... bear in mind DD-WRT does not have all the iptables modules in use...
You can install fail2ban or similar, like snort or suricata, and run it from Entware on USB... the router needs to be powerful enough to run those... preferably a PC box...
A recent thread on fail2ban:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=333851
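As an added worked example (my own code, not from the thread, the wiki script, or DD-WRT itself): the reply above points out that DD-WRT ships an SPI firewall on top of iptables but that not every iptables match extension is present in every build, and the original poster wants to throttle scans against services that must stay reachable from the internet. The script below is what I would paste into Administration > Commands and save as "Firewall" on a DD-WRT box: it probes each match extension before relying on it, keeps its rules in a private chain so it can be re-run safely, and falls back to a coarser rule when the per-source `recent` match is missing. Assumptions of mine: the WAN interface name comes from `nvram get wan_ifname` (eth0 if that fails), the exposed ports in `EXPOSED_PORTS` are constructed sample values, and the custom chain is hooked into both INPUT (services on the router) and FORWARD (port-forwarded hosts behind it).

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: extra firewall rules for a
# DD-WRT router that exposes TCP services (on the router or behind a port forward) to
# the WAN. Meant for Administration > Commands, saved as "Firewall", so it runs under
# BusyBox sh after DD-WRT's own SPI rules. Assumptions (mine): the WAN interface name
# comes from `nvram get wan_ifname`, EXPOSED_PORTS are constructed sample values, and
# the build may lack match extensions, so each one is probed before it is used.

IPT="${IPT:-iptables}"
WAN="${WAN:-$(nvram get wan_ifname 2>/dev/null || echo eth0)}"
CHAIN="${CHAIN:-WAN_HARDEN}"
EXPOSED_PORTS="${EXPOSED_PORTS:-22 443}"   # constructed sample: sshd on the router, https forwarded
BURST="${BURST:-4}"                        # new connections per source per minute before dropping

# has_match NAME: succeed if this iptables build can load match extension NAME.
# `iptables -m NAME --help` fails when the userspace extension or its kernel module is
# absent, which is exactly the "not all iptables modules" caveat from the thread.
has_match() {
    "$IPT" -m "$1" --help >/dev/null 2>&1
}

# plan_rules PORT...: print the iptables commands, one per line, in evaluation order.
# Everything lives in a private chain, so re-running the script only refills that chain.
plan_rules() {
    echo "$IPT -N $CHAIN 2>/dev/null"
    echo "$IPT -F $CHAIN"
    # Drop packets conntrack cannot classify (bogus flag combinations, out-of-window scans).
    if has_match conntrack; then
        echo "$IPT -A $CHAIN -m conntrack --ctstate INVALID -j DROP"
    elif has_match state; then
        echo "$IPT -A $CHAIN -m state --state INVALID -j DROP"
    fi
    for port in "$@"; do
        if has_match recent; then
            # Per-source throttle: record each new SYN, drop once a source exceeds BURST in 60 s.
            echo "$IPT -A $CHAIN -p tcp --dport $port --syn -m recent --name svc$port --set"
            echo "$IPT -A $CHAIN -p tcp --dport $port --syn -m recent --name svc$port --update --seconds 60 --hitcount $((BURST + 1)) -j DROP"
        elif has_match limit; then
            # Fallback without per-source state: one global token bucket, then drop the excess.
            echo "$IPT -A $CHAIN -p tcp --dport $port --syn -m limit --limit $BURST/minute --limit-burst $BURST -j RETURN"
            echo "$IPT -A $CHAIN -p tcp --dport $port --syn -j DROP"
        else
            echo "# neither recent nor limit available: port $port left unthrottled"
        fi
    done
    # Hook the chain for WAN traffic to the router (INPUT) and to forwarded hosts (FORWARD).
    # Delete any previous hook first so the script stays idempotent across reruns.
    for hook in INPUT FORWARD; do
        echo "$IPT -D $hook -i $WAN -j $CHAIN 2>/dev/null"
        echo "$IPT -I $hook -i $WAN -j $CHAIN"
    done
}

# apply_rules PORT...: execute the plan, or only print it when DRY_RUN=1 or iptables
# is not on PATH (e.g. when reviewing the script on a workstation).
apply_rules() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v "$IPT" >/dev/null 2>&1; then
        plan_rules "$@"
        return 0
    fi
    plan_rules "$@" | while IFS= read -r line; do
        case $line in
            '#'*) echo "$line" ;;
            *) eval "$line" ;;
        esac
    done
}

apply_rules $EXPOSED_PORTS
```

Run it with `DRY_RUN=1 sh firewall.sh` first to see which rules your build will actually get; a router whose kernel lacks `xt_recent` silently takes the `limit` fallback, which throttles all sources together rather than per attacker, so check the printed plan before trusting it. Packets below the threshold fall off the end of the private chain and continue into DD-WRT's own rules, so existing port forwards and the SPI defaults keep working unchanged.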