I bought a Turris Omnia in order to learn a little bit more about networks (I have very little knowledge beyond basic understanding of how TCP/IP works; I mean I know what’s a VLAN and the commands to set up a basic one but that’s basically all).
I have a little bit more knowledge about Linux system administration, but not a high-level either. I’ve been introduced to OpenWRT a few years ago but don’t remember a thing (except that it’s Linux and it’s good).
Problem is, after unboxing my Turris, I plugged it on the net and left it for a few days before I had time to read the doc, and it’s then (so, after a few days) that I learned that the Turris comes with a standard factory password, not one that is unique.
So after a few days on the net with a factory password, it’s a quite safe bet to consider it compromised.
For something that is as crucial for security than the router itself, I should really nuke it from orbit, it’s the only way to be sure.
But since the Turris is quite costly (not saying that it’s not worth it, just that I’d prefer not to throw away something of this price) and a nuke probably even more (even not counting the cost of putting it in orbit), I’d like to try another approach.
So what should I do to be sure of getting rid of the worst compromise that could have happened ?
And how should I do it ?
Without initial configuration, devices connected to LAN ports don’t have access to the Internet.
And initial configuration is possible only from LAN ports, not from the Internet (WAN port).
If you want to be sure, that your Omnia is safe, you can use 3 LED rescue mode (press RESET button and release it when 3 LEDs are shining) and your Omnia will be in factory reset mode (like after unboxing).
You can find details in documentation: Omnia - Turris Documentation.
Hello,
we do not ship our products with any factory password. During the initial configuration you are forced to set your own password to be able to configure the rest of the networking etc.
Simply fake news or information completely misunderstood/misinterpreted.
Please state where you found this so it can be corrected (if it exists).
In addition to the above mentioned truth: Ports are closed, so there is nothing that could be reached from the internet (WAN-port).
Since I can’t find it precisely, I might have misunderstood/misremembered the part “There is no password during initial setup.” and mixed it with “it comes with the factory password”.
So, I did the reset to factory settings and followed the standard setup instructions (with a moderately secure passphrase).
Since I did not configure anything to allow remote configuration, am I right to consider that it is still safe from any WAN-originating configuration modification ?
Also, I need to turn off the lights at night and apparently it needs to be done through a cron task and anyway I find that I’ll learn more by using CLI and configuration files than by using Foris or LuCI.
So I’d need SSH access but until I’m confident in the security of my configuration, I don’t want to allow SSH connection from the WAN or the Wi-fi, only from the LAN ports.
Is there a way to have that ? I only find results on allowing SSH as a whole.
I think you can set all leds to 000000 by cron at night.
rainbow all 000000
And restart rainbow by another cron job in the morning.
Regading ssh it is by default only from LAN(which includes wifi but excludes guest network) unless you change firewall to allow ssh from wan. If need only from lan ports you need to change the network config.
Sorry I was just answering when @iron-maiden was faster… Maybe it helps as well…
As to turning off the LEDs - it can be easily done by LuCI → System → Schduled tasks. Add for example following lines:
30 0 * * * rainbow intensity 0 # LEDs off each day at 0:30
0 7 * * * rainbow intensity 1 # LEDs on each day at 7:00 with lowest intensity
and remember to save changes.
Note: you need to manually restart the cron service if the crontab file was empty before editing (by command /etc/init.d/cron restart)
Crontab file (lines) have format m h dom mon dow command where: m - min 0-59, h - hour 0-23, dom - day/month 1-31, mon - month 1-12, dow - day/week 0-6 (0 for Sunday).
In the same way you could switch WiFi on/off, for example:
Thanks. Though apparently 0 is the maximum intensity and 7 is off (so rainbow all 7 I guess).
What are the users for ssh ?
I tried “turris” but then the password set on initial configuration only gets “permission denied, please try again”.
Since I don’t need it never tried it. I think needs to create a new subnet for wifis and then allow ssh only from lan. Additionally any lan port also can be assigned to the guest network, so you should consider that also.
