
21-04-2010 Content Preview

INSTALLING OPENWRT

This tutorial was made using an ASUS WL-500g Deluxe (also sold as the WL-500GX and WL-500GD).
It should apply to all "OpenWRT compatible" devices, although details such as hardware addresses, storage
locations and so on may differ if you use other hardware. Check the General OpenWRT Tutorial Information page for more
information.

This tutorial will guide you through the basics of installing and setting up OpenWRT on the ASUS WL-500g (Deluxe).
After following this tutorial you will have:

A NAT-enabled router, giving LAN and wireless LAN (WiFi / WLAN) clients access to the WAN (Internet).

A wireless access point / router with WPA-PSK wireless protection (or WEP, if that is preferred, although WEP is outdated).

SSH access to your router from the LAN and from the WAN. Exposing SSH on the WAN is what attracts the brute force attempts dealt with in section 5.

A very nice and complete web interface provided by X-Wrt.

Tutorial Index
1. Prerequisites - What is needed to get started.
2. Installing OpenWRT.
3. Installing needed software packages.
4. Using webif2 to create basic settings.
5. Protection against SSH brute force attacks.

Prerequisites
All you need is:

One of the above Asus wireless devices

A computer with a tftp client. (Most Linux distros have one, and even Windows XP ships with one.)
If you are running Windows, you have to set your computer to a static IP in the 192.168.1.XX range
(help on this can be found here: http://www.tutorialized.com/tutorial/Setting-a-Static-IP/9967)

Installing OpenWRT
The build of OpenWRT used here is the release codenamed WhiteRussian RC6.
Download this image file:
http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-brcm-2.4-squashfs.trx

We will upload the image file to the router using tftp. Compare the file's checksum against the one published alongside it on the download site before flashing it; tftp itself gives you no integrity check.

This tutorial shows one way to upload the firmware using Windows. For more information about installing OpenWRT, refer to OpenWRTDocs/Installing.

Before the upload, reset your router to factory defaults.
Use either the web interface to do so, or simply hold the reset button on your router for approximately 20 seconds (or until the PWR LED flashes rapidly), then release the button.
Your router will now be found on 192.168.1.1.

Be sure the WAN port is not connected, and connect your computer to one of the 4 LAN ports. The bootloader's tftp upload is unauthenticated and will accept an image from any machine on the LAN segment, so keep other machines off that segment while you flash.
Now reboot your router while holding the reset button. A few seconds into bootup, the PWR LED will start blinking slowly. Now issue the following command from a
command prompt in Windows XP (from the folder where you placed the .trx image):
tftp -i 192.168.1.1 PUT openwrt-brcm-2.4-squashfs.trx

The firmware will now load into your router, finishing with a message stating some figures on bytes transferred and time used.

macsat.com/…/contentwindow.p… 1/9
Do a hard reboot by removing and reapplying power (simply pull the plug). It may take a while for the router to boot the first time; you can keep an eye on when it is
up by pinging it from a cmd prompt:
ping -t 192.168.1.1
Once you start getting ping replies, you can log in to the router using your favourite telnet client. I like putty a lot.

You will be logged in directly, without being asked for a username or password.
The first thing to do is to change the root password, and to do it before the router is connected to anything but your own PC: until this is done, anyone who can reach 192.168.1.1 gets a root shell over telnet. You do this by issuing:
passwd

followed by the new password twice.

Now connect the WAN port to your WAN connection and reboot:
reboot
This boot will also take a bit of time. Telnet is now disabled, and you have to log on using ssh. The username is "root" and the password is the one you
defined in the previous step.

The OpenWRT version we installed uses a combined squashfs and jffs2 filesystem, meaning that the "/" filesystem is read/write, just like a normal Linux running from a
hard disk.
You can try:
df -h

to see how much space is available. On my ASUS WL-500g Deluxe it shows some 3.2 MB total and 1.4 MB free in /dev/root mounted on /.


Installing needed software.

In this section some needed and nice-to-have software will be installed. Specifically we will install an updated version of the DHCP and DNS server (dnsmasq), since
the one installed by default contains a bad bug. We will also install the nas binary, which provides WPA encryption for the wireless network. Finally we will install the very
nice Webif^2 by db90h and his X-Wrt project.
Note that ipkg fetches packages over plain HTTP and does not verify package signatures, so only install from sources you trust, and do it from a network you trust.
First install the nas binary:
ipkg update
ipkg install nas
Installing the updated dnsmasq is just as easy:
ipkg install http://downloads.openwrt.org/people/nbd/diagtest/packages/dnsmasq_2.35-1_mipsel.ipk

For the new version to work, we need to create a new symlink:
ln -s /bin/ipcalc /bin/ipcalc.sh

Finally install the webif and reboot the router:

ipkg install http://ftp.berlios.de/pub/xwrt/webif_latest.ipk
reboot

After this you should be able to set up all the features you want on the router using the excellent web interface at
http://192.168.1.1 (or the IP you have set the router up to use).

Using the Webif^2 web interface.

I am not going to write a complete manual for the Webif^2 web interface, as it is very complete and also very easy
to use. The interface makes it possible to manage all the core components of OpenWRT, and it even
offers support for a wide range of extensions.

Here I will merely present a few screenshots of some of the pages that allow management of the basic networking,
wireless and DHCP features.

The webif greets you with a page like this, which gives you a bit of info on the interface version and allows you to
upgrade to a new version if one is available:

Basic WAN and LAN settings can be handled from this page:

A similar and very self-explanatory page exists for setting up WLAN (WiFi), including security. I highly suggest that
users use at least WPA, if not WPA2, for their network. WEP really is outdated: its keys can be recovered from captured traffic in minutes, so it offers no real protection.

Finally, a lot of users use "static DHCP" entries, which ensure that certain computers always get the same IP on
the network. This is very handy when running services like web servers, shared folders and P2P software like eMule,
Frostwire and BitTorrent, which all need port forwarding.

As mentioned, I have no intention of writing a complete manual for the web interface, as I consider it largely
self-explanatory. Users who need more info should consult their manuals, as the official firmwares often use names
for the various settings that are very similar to those used here.

Protection from SSH brute force attacks.

Many users will find that their router/server is receiving a lot of entries in the syslog (readable with the logread command) showing that they are under SSH
brute force attack.
This is especially true for users running web servers and the like, with domain names pointing at their router's IP address.
Log entries will often look something like:
Feb 22 08:40:51 (none) kern.info dropbear[3322]: Child connection from 222.235.28.7:36991
Feb 22 08:40:54 (none) kern.warn dropbear[3322]: login attempt for nonexistent user from 222.235.28.7:36991
Feb 22 08:40:55 (none) kern.info dropbear[3322]: exit before auth: Disconnect received
Feb 22 08:40:55 (none) kern.info dropbear[3323]: Child connection from 222.235.28.7:38560
Feb 22 08:41:01 (none) kern.warn dropbear[3323]: login attempt for nonexistent user from 222.235.28.7:38560
Feb 22 08:41:02 (none) kern.info dropbear[3323]: exit before auth: Disconnect received
Feb 22 08:41:02 (none) kern.info dropbear[3324]: Child connection from 222.235.28.7:41680
Feb 22 08:41:07 (none) kern.warn dropbear[3324]: login attempt for nonexistent user from 222.235.28.7:41680
Feb 22 08:41:08 (none) kern.info dropbear[3324]: exit before auth: Disconnect received
Feb 22 08:41:08 (none) kern.info dropbear[3325]: Child connection from 222.235.28.7:43568
Feb 22 08:41:11 (none) kern.warn dropbear[3325]: login attempt for nonexistent user from 222.235.28.7:43568
Feb 22 08:41:12 (none) kern.info dropbear[3325]: exit before auth: Disconnect received
Feb 22 08:41:12 (none) kern.info dropbear[3326]: Child connection from 222.235.28.7:45297
Feb 22 08:41:15 (none) kern.warn dropbear[3326]: login attempt for nonexistent user from 222.235.28.7:45297
Feb 22 08:41:16 (none) kern.info dropbear[3326]: exit before auth: Disconnect received
Feb 22 08:41:17 (none) kern.info dropbear[3327]: Child connection from 222.235.28.7:46851
Feb 22 08:41:21 (none) kern.warn dropbear[3327]: login attempt for nonexistent user from 222.235.28.7:46851
Feb 22 08:41:22 (none) kern.info dropbear[3327]: exit before auth: Disconnect received
Feb 22 08:41:22 (none) kern.info dropbear[3328]: Child connection from 222.235.28.7:48749
Feb 22 08:41:25 (none) kern.warn dropbear[3328]: login attempt for nonexistent user from 222.235.28.7:48749
Feb 22 08:41:26 (none) kern.info dropbear[3328]: exit before auth: Disconnect received

This can be limited by installing the ipt_recent module for iptables and changing the firewall rules accordingly.
The method allows only X connections to port 22 from the same IP within a period of YY seconds.
The ipt_recent module is in the iptables-mod-extra package; install it with:
ipkg install iptables-mod-extra
In this example we will allow a maximum of 3 connections to port 22 from each IP within a 120 second timeframe. We will also write a syslog entry for each
blocked request to port 22. This means we need to load both the ipt_recent and ipt_LOG modules and use them in our firewall.user script.
To load the modules at startup:
echo "ipt_recent" >> /etc/modules
echo "ipt_LOG" >> /etc/modules
Now either reboot the router, or issue the following commands to load the modules immediately:
insmod ipt_recent
insmod ipt_LOG
To create the firewall rules, replace this line in your firewall.user script:

iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT

With the following three lines:

iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 -j LOG --log-prefix "SSH_BRUTE "
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --update --hitcount 3 --seconds 120 -j DROP
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --set -j ACCEPT

How the three rules work together: every accepted connection (--set) records the source address and a timestamp in the list named SSH. Once an address has three recorded hits within the last 120 seconds, its next attempt matches the first rule (--rcheck) and is logged, then matches the second rule (--update) and is dropped. Because --update also records the dropped attempt, an address that keeps hammering port 22 stays blocked until it has been quiet for 120 seconds; it is not unblocked 120 seconds after its first attempt.
After reloading /etc/firewall.user, or rebooting the router, only 3 connections every 120 seconds from the same IP can reach port 22 on the
WAN device of your router.
Two caveats. The rules count every packet that reaches input_rule, so if your firewall does not accept ESTABLISHED,RELATED traffic before jumping to input_rule, add --syn to all three rules so that only new connections count as hits. And the limit is per source address, so an attacker spreading attempts over many addresses is not slowed down; key-based authentication (with password logins disabled, if your dropbear build allows it) is the real fix, while this rule keeps the guessing rate low and the log quiet.
You will still see log entries like the above, but only in blocks of three every two minutes, which makes online password guessing impractical at that rate.
Blocked attempts show up in the syslog with the prefix "SSH_BRUTE"; you can see them with:
logread | grep "SSH_BRUTE"
To check that the rules are loaded and actually counting, look at the packet counters with:
iptables -L input_rule -v -n
The addresses currently tracked, with their timestamps, are listed in /proc/net/ipt_recent/SSH.
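The following is an added example written for this page; it is not code from the original tutorial, from OpenWRT or from X-Wrt. It emulates the ipt_recent window of the three rules above in userspace, run over dropbear log lines of the form shown in the excerpt ("Child connection from IP:port"), so you can see which addresses the rules would have dropped, and when, before touching the live firewall. A second function summarises the SSH_BRUTE lines written by the LOG rule per SRC= address. The sample log lines are constructed (documentation addresses, not real traffic); the exact kernel LOG line layout in SAMPLE_KLOG is an assumption, only the SRC= field is relied on.

```shell
#!/bin/sh
# Added example: userspace emulation of the ipt_recent rate limit described
# above, plus a per-source summary of SSH_BRUTE log lines.  Not from the
# original tutorial.

# Constructed sample lines in the format dropbear writes to syslog on
# WhiteRussian (documentation IP addresses; not real traffic).
SAMPLE_LOG='Feb 22 08:40:51 (none) kern.info dropbear[3322]: Child connection from 203.0.113.5:36991
Feb 22 08:40:54 (none) kern.warn dropbear[3322]: login attempt for nonexistent user from 203.0.113.5:36991
Feb 22 08:40:55 (none) kern.info dropbear[3323]: Child connection from 203.0.113.5:38560
Feb 22 08:41:02 (none) kern.info dropbear[3324]: Child connection from 203.0.113.5:41680
Feb 22 08:41:08 (none) kern.info dropbear[3325]: Child connection from 203.0.113.5:43568
Feb 22 08:41:10 (none) kern.info dropbear[3326]: Child connection from 198.51.100.9:50000
Feb 22 08:41:12 (none) kern.info dropbear[3327]: Child connection from 203.0.113.5:45297
Feb 22 08:45:00 (none) kern.info dropbear[3328]: Child connection from 203.0.113.5:46851'

# Constructed kernel LOG lines as the SSH_BRUTE rule would produce them
# (assumed layout; only the SRC= field matters to the summariser).
SAMPLE_KLOG='Feb 22 09:00:01 (none) kern.warn kernel: SSH_BRUTE IN=vlan1 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
Feb 22 09:00:05 (none) kern.warn kernel: SSH_BRUTE IN=vlan1 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22
Feb 22 09:00:09 (none) kern.warn kernel: SSH_BRUTE IN=vlan1 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22'

# ssh_brute_report HITCOUNT SECONDS
# Reads dropbear log lines on stdin.  Each "Child connection from" line is one
# new TCP connection to port 22, i.e. one packet reaching the three rules.
# Mirrors the rule semantics: --rcheck/--update match once the address has
# HITCOUNT stamps inside the last SECONDS; --set and --update both record the
# current packet, so a dropped attempt keeps the address blocked.
# Output: "DROP <ip> <timestamp>" per dropped connection, then
# "SUMMARY <ip> <accepted> <dropped>" per address.
ssh_brute_report() {
    awk -v hitcount="$1" -v window="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /Child connection from/ {
        # syslog stamp -> seconds; a fixed 31-day month is good enough for
        # differences inside a window of a couple of minutes
        split($3, t, ":")
        now = ((mon[$1] * 31 + $2) * 86400) + t[1] * 3600 + t[2] * 60 + t[3]
        split($NF, a, ":"); ip = a[1]; seen[ip] = 1

        # expire stamps older than the window (the --seconds part)
        n = 0
        for (i = 1; i <= cnt[ip]; i++)
            if (now - stamp[ip, i] < window) { n++; stamp[ip, n] = stamp[ip, i] }
        cnt[ip] = n

        if (n >= hitcount) { dropped[ip]++; print "DROP", ip, $1, $2, $3 }
        else               { accepted[ip]++ }

        cnt[ip]++; stamp[ip, cnt[ip]] = now      # --set / --update record the hit
    }
    END {
        for (ip in seen) print "SUMMARY", ip, accepted[ip] + 0, dropped[ip] + 0
    }'
}

# ssh_brute_blocked_by_src
# Reads syslog lines on stdin and counts SSH_BRUTE entries per SRC= address,
# most active first: the per-address view of `logread | grep SSH_BRUTE`.
ssh_brute_blocked_by_src() {
    awk '/SSH_BRUTE/ {
        if (match($0, /SRC=[0-9.]+/)) {
            src = substr($0, RSTART + 4, RLENGTH - 4)
            hits[src]++
        }
    }
    END { for (s in hits) print hits[s], s }' | sort -rn
}

# On the router you would run:  logread | ssh_brute_report 3 120
# and, once the rules are live:  logread | ssh_brute_blocked_by_src
printf '%s\n' "$SAMPLE_LOG" | ssh_brute_report 3 120
printf '%s\n' "$SAMPLE_KLOG" | ssh_brute_blocked_by_src
```

With the sample above, 203.0.113.5 gets its first three connections through, is dropped on the fourth and fifth, and is accepted again at 08:45:00 because all of its stamps have aged out of the 120 second window; 198.51.100.9 is counted separately and never blocked. Changing the window or hit count on the command line lets you see how a different --seconds/--hitcount pair would have behaved on your own logread output before you edit firewall.user.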

I hope you found this tutorial useful.


Comments and questions are welcome at the Support Forum.
