Edgerouter – Nice but scary!!!
I just bought the Ubiquiti Edgerouter PoE and have been playing with it for some time. It’s a fantastic product with endless possibilities.
But after playing around with the product, I realized that it must be a hackers heaven. The ultimate box to conquer in your network. It’s a perfect hiding place with all the tools they would need to manipulate, sniff and redirect traffic. It’s basically a full blown Debian Linux, the preferred OS of most bad guys! This is APT (Advanced persistent threat) taken to the next level!
Why is this router worse than others? Because normal routers come with their own OS specifically made for routing and firewalling. Everything you see in the configuration is what is active. But on a linuxbox like the Edgerouter, there are a lot of easy ways of hiding for a bad guy.
I realized that I needed to protect this peace of critical infrastructure in my home network. So with security in mind I scrapped my configuration and started all over. Here are my steps to get a reasonably secure router. This multi part guide requires some ubiquity command line skills and some basic Linux skills in order to follow. You should be able to use most of my commands without much change.
Everething here is done on version 1.9.0 of the firmware.
Here are my articles about my way to a more secure Edgerouter.
- Part 2: Basic setup of the router making it unreachable from the internet
- Part 3: Setting up Google Authenticator for accessing the router with SSH
- part 4: Setting up firewall rules to protect networks
- part 5: Setting up OpenVPN with google authenticator
Here are some important resources I used for my setup:
- https://networkjutsu.com/how-to-configure-edgerouter-lite-part-one/
- http://www.dahl-jacobsen.dk/tips//2015/04/29/Edgeos-configuration.html
- http://help.ubnt.com/hc/en-us/articles/218889067-EdgeMAX-How-to-Protect-a-Guest-Network-on-EdgeRouter
- http://help.ubnt.com/hc/en-us/articles/205202560-EdgeMAX-Add-other-Debian-packages-to-EdgeOS
- https://loganmarchione.com/2016/05/edgerouter-lite-openvpn-setup/
- https://community.ubnt.com/t5/EdgeMAX/Secure-OpenVPN-server-setup-with-multi-factor-authentication/m-p/1240405#M63934
- http://help.ubnt.com/hc/en-us/articles/217569187-EdgeMAX-OpenVPN-Server-with-TLS-and-Multiple-WAN
Hi Alex,
thanks for so many tutorials, I`ve barely started to scratch the surface of my ER-X.
Any simple instructions on how to schedule a daily reboot? (my ISP allocates a fix IP address that changes only with reboot)
I`ve tried by GUI with task scheduler accepting command of
“set system task-scheduler task reboot executable path /sbin/reboot/
set system task-scheduler task reboot interval 1d” with no effect.
Hi Alex,
I stumbled upon this blog, and I have to say, I am quite shocked! Ubiquiti advertises itself to democratize enterprise features… a router being accessible from the internet is quite unsafe…
Thanks for this really helpful blogpost, in particular, showing how to secure with Google Authenticator!!!!
Regards