EdgeRouter – Nice but scary!!!
I just bought the Ubiquiti EdgeRouter PoE and have been playing with it for some time. It’s a fantastic product with endless possibilities.
But after playing around with the product, I realized that it must be a hacker’s heaven. The ultimate box to conquer in your network. It’s a perfect hiding place with all the tools they would need to manipulate, sniff and redirect traffic. It’s basically a full-blown Debian Linux, the preferred OS of most bad guys! This is APT (advanced persistent threat) taken to the next level!
Why is this router worse than others? Because normal routers come with their own OS specifically made for routing and firewalling. Everything you see in the configuration is what is active. But on a Linux box like the EdgeRouter, there are a lot of easy ways for a bad guy to hide.
I realized that I needed to protect this piece of critical infrastructure in my home network. So with security in mind I scrapped my configuration and started all over. Here are my steps to get a reasonably secure router. This multi-part guide requires some Ubiquiti command-line skills and some basic Linux skills in order to follow. You should be able to use most of my commands without much change.
Everything here is done on version 1.9.0 of the firmware.
Here are my articles about my way to a more secure EdgeRouter.
- Part 2: Basic setup of the router making it unreachable from the internet
- Part 3: Setting up Google Authenticator for accessing the router with SSH
- Part 4: Setting up firewall rules to protect networks
- Part 5: Setting up OpenVPN with Google Authenticator
Here are some important resources I used for my setup: