Reflashing Turris Omnia to factory

Hi all.

I bought a Turris Omnia in order to learn a little bit more about networks (I have very little knowledge beyond basic understanding of how TCP/IP works; I mean I know what’s a VLAN and the commands to set up a basic one but that’s basically all).
I have a little bit more knowledge about Linux system administration, but not at a high level either. I was introduced to OpenWRT a few years ago but don’t remember a thing (except that it’s Linux and it’s good).

Problem is, after unboxing my Turris, I plugged it on the net and left it for a few days before I had time to read the doc, and it’s then (so, after a few days) that I learned that the Turris comes with a standard factory password, not one that is unique.

So after a few days on the net with a factory password, it’s a quite safe bet to consider it compromised.
For something that is as crucial for security as the router itself, I should really nuke it from orbit, it’s the only way to be sure.

But since the Turris is quite costly (not saying that it’s not worth it, just that I’d prefer not to throw away something of this price) and a nuke probably even more (even not counting the cost of putting it in orbit), I’d like to try another approach.

So what should I do to be sure of getting rid of the worst compromise that could have happened?
And how should I do it?

Without initial configuration, devices connected to LAN ports don’t have access to the Internet.
And initial configuration is possible only from LAN ports, not from the Internet (WAN port).
If you want to be sure that your Omnia is safe, you can use the 3-LED rescue mode (press the RESET button and release it when 3 LEDs are shining) and your Omnia will be in factory reset mode (like after unboxing).
You can find details in documentation: Omnia - Turris Documentation.

Hello,
we do not ship our products with any factory password. During the initial configuration you are forced to set your own password to be able to configure the rest of the networking etc.

For reset to factory settings, follow the instructions on Omnia - Turris Documentation

1 Like

Simply fake news or information completely misunderstood/misinterpreted.
Please state where you found this so it can be corrected (if it exists).
In addition to the above mentioned truth: Ports are closed, so there is nothing that could be reached from the internet (WAN-port).

2 Likes

Your Omnia most likely did not get compromised, so in order not to scare other users I’ve taken the liberty of changing the subject to a more precise and less scary one.

2 Likes

Since I can’t find it precisely, I might have misunderstood/misremembered the part “There is no password during initial setup.” and mixed it with “it comes with the factory password”.

Anyway I did reset to factory setup, thanks.

So, I did the reset to factory settings and followed the standard setup instructions (with a moderately secure passphrase).

Since I did not configure anything to allow remote configuration, am I right to consider that it is still safe from any WAN-originating configuration modification?

Or is the security a real problem?

Also, I did not configure any specific firewall rule yet.
Should I? Where can I find good practices?

Turris OS has firewall ruleset configured by default.

Edit: For additional security you can enable dynamic firewall and threat detection in ReForis which updates rules and ipset hashsets.

1 Like

Also, I need to turn off the lights at night and apparently it needs to be done through a cron task and anyway I find that I’ll learn more by using CLI and configuration files than by using Foris or LuCI.
So I’d need SSH access but until I’m confident in the security of my configuration, I don’t want to allow SSH connection from the WAN or the Wi-fi, only from the LAN ports.
Is there a way to have that? I only find results on allowing SSH as a whole.

I think you can set all leds to 000000 by cron at night.

rainbow all 000000

And restart rainbow by another cron job in the morning.

Regarding ssh, it is by default only from LAN (which includes wifi but excludes the guest network) unless you change the firewall to allow ssh from wan. If you need it only from the lan ports, you need to change the network config.

1 Like
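A way to check the condition mentioned in the reply above (SSH is not reachable from wan unless a firewall rule allows it), as an added example that is not part of the thread. It assumes the standard OpenWrt UCI syntax of /etc/config/firewall and a WAN zone named `wan`; it inspects only `config rule` sections (not port-forward redirects), and the function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: print names of rules that accept TCP/22 on the router from the wan zone.
wan_ssh_rules() {  # $1 = config file (e.g. /etc/config/firewall); stdin if omitted
    awk -v port=22 -v q="'" '
    function clean(s,   c) {                   # trim, then drop surrounding quotes
        sub(/[ \t]+$/, "", s); c = substr(s, 1, 1)
        if (c == q || c == "\"") s = substr(s, 2, length(s) - 2)
        return s
    }
    function covers(spec,   n, i, p, r) {      # "22", "22 80", "20-25", "20:25"
        if (spec == "") return 1               # no dest_port means every port
        n = split(spec, p, " ")
        for (i = 1; i <= n; i++) {
            if (split(p[i], r, /[-:]/) == 2) {
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
            } else if (p[i] + 0 == port + 0) return 1
        }
        return 0
    }
    function flush() {
        # Input rule (no dest zone) from wan, enabled, ACCEPT, TCP, port matches.
        if (type == "rule" && o["src"] == "wan" && o["dest"] == "" &&
            o["enabled"] != "0" && o["target"] == "ACCEPT" &&
            (o["proto"] == "" || o["proto"] ~ /tcp|all/) && covers(o["dest_port"]))
            print (o["name"] != "" ? o["name"] : "(unnamed)")
        split("", o)                           # clear options for the next section
    }
    $1 == "config" { flush(); type = clean($2) }
    $1 == "option" || $1 == "list" {
        val = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)
        o[$2] = (o[$2] == "" ? "" : o[$2] " ") clean(val)
    }
    END { flush() }
    ' ${1:+"$1"}
}
sample_firewall_config() {  # constructed sample, not a real router config
    cat <<'EOF'
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
config rule
	option name 'ssh-from-wan'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
EOF
}
sample_firewall_config | wan_ssh_rules   # prints: ssh-from-wan
```

An empty result for the router's own config file means no enabled input rule accepts SSH from the wan zone.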

Sorry I was just answering when @iron-maiden was faster… Maybe it helps as well…

As to turning off the LEDs - it can easily be done via LuCI → System → Scheduled Tasks. Add, for example, the following lines:

30 0 * * * rainbow intensity 0 # LEDs off each day at 0:30
0 7 * * * rainbow intensity 1 # LEDs on each day at 7:00 with lowest intensity

and remember to save changes.
Note: you need to manually restart the cron service if the crontab file was empty before editing (by command /etc/init.d/cron restart)
Crontab file lines have the format m h dom mon dow command where: m - min 0-59, h - hour 0-23, dom - day/month 1-31, mon - month 1-12, dow - day/week 0-6 (0 for Sunday).
In the same way you could switch WiFi on/off, for example:

30 0 * * * wifi down
0 7 * * * wifi

2 Likes

Thanks. Though apparently 0 is the maximum intensity and 7 is off (so rainbow all 7 I guess).
What are the users for ssh?
I tried “turris” but then the password set on initial configuration only gets “permission denied, please try again”.

Thanks.
I don’t need to specify “all”?
I thought that rainbow expected a LED number?

What I meant by ‘000000’ is the hex color code. It is not intensity.

2 Likes

I tried to find how to do that in LuCI but couldn’t find a way.

Search Documentation [Turris wiki] for LED :wink:

1 Like

Besides all this, a safer way is to configure ssh with a pub key.

Since I don’t need it, I never tried it. I’m not even sure how to isolate wifi from lan. If that is not doable, a last resort could be some new firewall rules to prevent the wifi adapters’ interfaces from accessing ssh. Additionally, any lan port can also be assigned to the guest network, so you should consider that as well.

See some Linux documentation for cron and crontab interfaces, for example cron(8) — cron — Debian buster — Debian Manpages and crontab(5) — cron — Debian buster — Debian Manpages