Installing OpenWRT

Written by macsat
Thursday, 24 November 2005
This tutorial was made using an ASUS WL-500G Deluxe (also sold as the WL-500GX and WL-500GD). The result is SSH access to your router from LAN and WAN.

Tutorial Index
1. Prerequisites - What is needed to get started.
2. Installing OpenWRT
3. Installing needed software packages
4. Using webif2 to create basic settings
5. Protection against SSH Brute Force attacks.

Prerequisites
All you need is:
Installing OpenWRT
The build of OpenWRT used here is the release codenamed WhiteRussian RC6.
Download this image file: http://downloads.openwrt.org/whiterussian/rc6/bin/openwrt-brcm-2.4-squashfs.trx

We will upload the image file to the router using tftp. This tutorial shows one way to upload the firmware using Windows; for more information about installing OpenWRT, refer to OpenWRTDocs/Installing. Keep in mind that tftp does no integrity checking of its own, so make sure the download is complete and uncorrupted (for instance by comparing it against a published checksum) before you flash it.

Before the upload, reset your router to factory defaults. Either use the web interface to do so, or simply hold the reset button on your router for approximately 20 seconds (or until the PWR LED flashes rapidly), then release the button. Your router will now be found on 192.168.1.1. Make sure the WAN port is not connected, and connect your computer to one of the 4 LAN ports.

Now reboot your router while holding the reset button. A few seconds into bootup, the PWR LED will start blinking slowly. Now issue the following command from a command prompt in Windows XP (from the folder where you placed the .trx image):
tftp -i 192.168.1.1 PUT openwrt-brcm-2.4-squashfs.trx
The firmware will now load into your router, finishing with a message stating the number of bytes transferred, the time used, etc. Do a hard reboot by removing and reapplying power (simply pull the plug). It might take a while for the router to boot the first time; you can keep an eye on when it is up by pinging it from a cmd prompt:
ping -t 192.168.1.1
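A check worth running on the .trx before the tftp upload above, as an added example that is not part of the original tutorial and not OpenWRT's own tooling: tftp writes whatever it receives straight to flash, so a truncated or corrupted download is only caught if you validate the image yourself. The script assumes the 28-byte TRX header layout used by OpenWrt's trx tool (the "HDR0" magic, total length, CRC-32, a flags/version word and three partition offsets, all little-endian), and assumes the stored CRC covers everything from the flags/version word to the declared end of the image and is kept without the final inversion zlib applies (my reading of the trx tool's crc32buf()). The build_trx() helper only exists to produce test images.

```python
"""Sanity-check a TRX firmware image before flashing it over tftp."""
import binascii
import struct
import sys

TRX_MAGIC = b"HDR0"
TRX_HEADER_FMT = "<4sIII3I"                       # magic, len, crc32, flag_version, offsets[3]
TRX_HEADER_LEN = struct.calcsize(TRX_HEADER_FMT)  # 28 bytes
TRX_CRC_START = 12                                # CRC covers flag_version onwards


def trx_crc32(data):
    """CRC-32 as assumed for the trx tool: init 0xFFFFFFFF and no final XOR,
    i.e. the bitwise complement of the zlib/binascii value."""
    return (binascii.crc32(data) & 0xFFFFFFFF) ^ 0xFFFFFFFF


def build_trx(payload, version=1, flags=0):
    """Wrap a payload in a TRX header (used here only to build test images).
    The first partition starts right after the header, so offsets[0] == 28."""
    flag_version = ((version & 0xFFFF) << 16) | (flags & 0xFFFF)
    body = struct.pack("<I3I", flag_version, TRX_HEADER_LEN, 0, 0) + payload
    total = TRX_CRC_START + len(body)
    return struct.pack("<4sII", TRX_MAGIC, total, trx_crc32(body)) + body


def check_trx(data):
    """Validate magic, declared length and CRC of a TRX image.
    Returns a dict with an 'ok' flag, a list of errors and the header fields."""
    result = {"ok": False, "errors": []}
    if len(data) < TRX_HEADER_LEN:
        result["errors"].append("file is shorter than a TRX header")
        return result
    magic, length, crc, flag_version, o0, o1, o2 = struct.unpack_from(TRX_HEADER_FMT, data)
    result.update(length=length, crc32=crc, version=flag_version >> 16,
                  flags=flag_version & 0xFFFF, offsets=[o0, o1, o2])
    if magic != TRX_MAGIC:
        result["errors"].append("bad magic %r (expected %r)" % (magic, TRX_MAGIC))
    if length < TRX_HEADER_LEN or length > len(data):
        # A declared length beyond the file is the signature of a cut-off download.
        result["errors"].append("declared length %d does not fit the %d-byte file "
                                "(truncated download?)" % (length, len(data)))
    elif magic == TRX_MAGIC:
        # Trailing bytes after the declared length (flash padding) are not covered.
        actual = trx_crc32(data[TRX_CRC_START:length])
        if actual != crc:
            result["errors"].append("CRC mismatch: header %08x, computed %08x" % (crc, actual))
    result["ok"] = not result["errors"]
    return result


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        res = check_trx(fh.read())
    if res["ok"]:
        print("OK: version %d, %d bytes, partitions at %s" %
              (res["version"], res["length"], res["offsets"]))
    else:
        for err in res["errors"]:
            print("FAIL:", err)
        sys.exit(1)
```

Run it as `python check_trx.py openwrt-brcm-2.4-squashfs.trx`; a non-zero exit means do not flash. This catches a bad download, not a malicious image: only a checksum or signature obtained from a trusted source does that.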
Once you start getting ping replies, you can log in to the router using your favourite telnet client. I like PuTTY a lot.
You will be logged in directly without being asked for a username or password. This is why the WAN port should still be unplugged: until a root password is set, anyone who can reach the router gets a shell on it. The first thing to do is therefore to change the root password; you do this by issuing:
passwd < enter >
Followed by the new password twice.
Try to connect the WAN port to some WAN connection and reboot.
reboot
This time the boot will take a bit of time as well. Telnet will now be disabled, and you have to log on using SSH. The username is "root" and the password is the one you defined in the previous step.
The OpenWRT version we installed uses a combined squashfs and jffs2 filesystem, meaning that the "/" filesystem is read/write, just as on a normal Linux system running from a hard disk. You can try:
df -h
to see how much space is available. On my ASUS WL-500g Deluxe it shows some 3.2 MB total and 1.4 MB free in /dev/root mounted on /.
In this section some needed and nice-to-have software will be installed. Specifically, we will install an updated version of the DHCP and DNS server (dnsmasq), since the one installed by default contains a bad bug. We will also install the NAS binary, which provides WPA encryption for the wireless network. Finally, we will install the very nice Webif^2 by db90h and his X-Wrt project.
First we can install the nas binary by:
ipkg update < enter >
ipkg install nas < enter >
The installation of the updated dnsmasq is just as easy:
ipkg install http://downloads.openwrt.org/people/nbd/diagtest/packages/dnsmasq_2.35-1_mipsel.ipk
In order for the new version to work, we need to create a new symlink:
Finally, let's install the webif and reboot the router:

After this you should be able to set up all the features you want on the router using the excellent web interface at http://192.168.1.1 (or the IP you have set it up to use).

Using the Webif^2 web interface
I am not going to write a complete manual for the Webif^2 web interface, as it is very complete and also very easy to use. The interface makes it possible to do complete management of all the core components of OpenWRT, and even offers support for a wide range of extensions. Here I will merely present a few screenshots of some of the pages that allow management of the basic networking, wireless and DHCP features. The webif greets you with a page like this, which gives you a bit of info on the interface version and allows you to upgrade to a new version if one is available:
Basic WAN and LAN settings can be handled from this page:
A similar and very self-explanatory page exists for setting up WLAN (WiFi), including security. I highly suggest that users use at least WPA, if not WPA2, for their network. WEP really is outdated: it can be cracked in minutes and offers no real protection.
Finally, a lot of users use "static DHCP" entries, which ensure that certain computers always get the same IP on the network. This is very handy when running services like web servers, shared folders and P2P software like eMule, FrostWire and BitTorrent, which all need port forwarding.
As mentioned, I have no intention of writing a complete manual for the web interface, as I consider it largely self-explanatory. Users who need more info should consult their router manuals, as the official firmwares often use names for the different settings that are very similar to those used here.
A lot of users will find that their router/server is receiving a lot of entries in its syslog (readable with the logread command) showing that it is under SSH brute force attack.
This is especially true for those users running web servers and so on, and having domain names pointing at their router's IP address.
Log entries will often look something like:
Feb 22 08:40:51 (none) kern.info dropbear[3322]: Child connection from 222.235.28.7:36991
Feb 22 08:40:54 (none) kern.warn dropbear[3322]: login attempt for nonexistent user from 222.235.28.7:36991
Feb 22 08:40:55 (none) kern.info dropbear[3322]: exit before auth: Disconnect received
Feb 22 08:40:55 (none) kern.info dropbear[3323]: Child connection from 222.235.28.7:38560
Feb 22 08:41:01 (none) kern.warn dropbear[3323]: login attempt for nonexistent user from 222.235.28.7:38560
Feb 22 08:41:02 (none) kern.info dropbear[3323]: exit before auth: Disconnect received
Feb 22 08:41:02 (none) kern.info dropbear[3324]: Child connection from 222.235.28.7:41680
Feb 22 08:41:07 (none) kern.warn dropbear[3324]: login attempt for nonexistent user from 222.235.28.7:41680
Feb 22 08:41:08 (none) kern.info dropbear[3324]: exit before auth: Disconnect received
Feb 22 08:41:08 (none) kern.info dropbear[3325]: Child connection from 222.235.28.7:43568
Feb 22 08:41:11 (none) kern.warn dropbear[3325]: login attempt for nonexistent user from 222.235.28.7:43568
Feb 22 08:41:12 (none) kern.info dropbear[3325]: exit before auth: Disconnect received
Feb 22 08:41:12 (none) kern.info dropbear[3326]: Child connection from 222.235.28.7:45297
Feb 22 08:41:15 (none) kern.warn dropbear[3326]: login attempt for nonexistent user from 222.235.28.7:45297
Feb 22 08:41:16 (none) kern.info dropbear[3326]: exit before auth: Disconnect received
Feb 22 08:41:17 (none) kern.info dropbear[3327]: Child connection from 222.235.28.7:46851
Feb 22 08:41:21 (none) kern.warn dropbear[3327]: login attempt for nonexistent user from 222.235.28.7:46851
Feb 22 08:41:22 (none) kern.info dropbear[3327]: exit before auth: Disconnect received
Feb 22 08:41:22 (none) kern.info dropbear[3328]: Child connection from 222.235.28.7:48749
Feb 22 08:41:25 (none) kern.warn dropbear[3328]: login attempt for nonexistent user from 222.235.28.7:48749
Feb 22 08:41:26 (none) kern.info dropbear[3328]: exit before auth: Disconnect received
This can be avoided by installing the ipt_recent module for iptables and changing the firewall rules accordingly.
The method consists of allowing only X connections to port 22 from the same IP within a period of Y seconds.
The ipt_recent module is in the iptables-mod-extra package, install this by:
ipkg install iptables-mod-extra
In this example setup we will allow a maximum of 3 connections to port 22 from each IP within a 120-second timeframe. We will also make a log entry in the syslog for each blocked request to port 22. This means that we need to load both the ipt_recent and the ipt_LOG modules and use them in our firewall.user script.
To load the modules at startup, do this:
echo "ipt_recent" >> /etc/modules
echo "ipt_LOG" >> /etc/modules
Now you can either reboot your router, or issue the following commands to load the modules now :
insmod ipt_recent
insmod ipt_LOG
To create the firewall rules, you need to replace this line in your firewall.user script:
iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
With the following three lines (the order matters: LOG is a non-terminating target, so a packet over the limit is logged by the first rule and then dropped by the second, while the third rule records every accepted connection in the SSH list):
iptables -t filter -A input_rule -i $WAN -p tcp --dport 22 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 -j LOG --log-prefix "SSH_BRUTE "
iptables -t filter -A input_rule -i $WAN -p tcp --dport 22 -m recent --name SSH --update --hitcount 3 --seconds 120 -j DROP
iptables -t filter -A input_rule -i $WAN -p tcp --dport 22 -m recent --name SSH --set -j ACCEPT
After reloading /etc/firewall.user (or rebooting the router), only 3 new connections per 120 seconds from the same IP are accepted on port 22 of the WAN interface. Two details of the rule set are worth knowing. First, every packet that reaches input_rule counts as a hit; in the stock WhiteRussian firewall script, packets of already established connections are accepted in INPUT before the jump to input_rule, so in practice only new connection attempts are counted (a SYN retransmitted by a client whose first SYN was dropped counts again). Second, because the DROP rule uses --update rather than --rcheck, dropped attempts are recorded as hits too: a source that keeps trying faster than three times per two minutes never gets another connection through until it slows down, while a slow guesser is held to three attempts per 120 seconds.
You will therefore still see log entries like the above, but at most in blocks of three per source every two minutes. This makes brute force attacks useless for those petty hackers, but it only lowers the guessing rate; it does not replace a strong root password. The limit applies to your own WAN-side logins as well: more than three SSH connections within two minutes from one address lock that address out until the window has passed. On this 2.4 kernel the tracked addresses can be inspected in /proc/net/ipt_recent/SSH, and writing the word clear to that file empties the list.
Blocked attempts will show in the syslog with the prefix "SSH_BRUTE", and you can see those by issuing:
logread |grep "SSH_BRUTE"
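To see what the three rules above actually do to a log like the one shown earlier, here is an added example that is not part of the original tutorial and not iptables code: it parses the "Child connection" lines dropbear writes (the sample below is constructed in the format of the page's excerpt, with the same source address) and replays each new connection through a Python model of the chain (--rcheck -> LOG, --update -> DROP, --set -> ACCEPT) with hitcount 3 and a 120-second window. The model reflects my reading of the recent match: only hits within the last --seconds are counted, --update and --set both add a timestamp, and the list holds the last 20 hits per address (the ip_pkt_list_tot default). The addresses 10.0.0.1 and 10.0.0.2 in the usage note are made up.

```python
"""Replay dropbear log lines through a model of the ipt_recent rule chain."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in dropbear's WhiteRussian log format: one full
# connect/fail/disconnect cycle, then the remaining new connections only.
SAMPLE_LOG = """\
Feb 22 08:40:51 (none) kern.info dropbear[3322]: Child connection from 222.235.28.7:36991
Feb 22 08:40:54 (none) kern.warn dropbear[3322]: login attempt for nonexistent user from 222.235.28.7:36991
Feb 22 08:40:55 (none) kern.info dropbear[3322]: exit before auth: Disconnect received
Feb 22 08:40:55 (none) kern.info dropbear[3323]: Child connection from 222.235.28.7:38560
Feb 22 08:41:02 (none) kern.info dropbear[3324]: Child connection from 222.235.28.7:41680
Feb 22 08:41:08 (none) kern.info dropbear[3325]: Child connection from 222.235.28.7:43568
Feb 22 08:41:12 (none) kern.info dropbear[3326]: Child connection from 222.235.28.7:45297
Feb 22 08:41:17 (none) kern.info dropbear[3327]: Child connection from 222.235.28.7:46851
Feb 22 08:41:22 (none) kern.info dropbear[3328]: Child connection from 222.235.28.7:48749
"""

CONN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ dropbear\[\d+\]: "
                     r"Child connection from (\d+\.\d+\.\d+\.\d+):\d+")


def parse_connections(log_text):
    """Return [(seconds, src_ip), ...] for every new dropbear connection."""
    events = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog has no year
            events.append(((ts - datetime(1900, 1, 1)).total_seconds(), m.group(2)))
    return events


class RecentChain:
    """Model of the page's chain. Every packet reaching it is one hit for its
    source; the table keeps the last list_size hit times per address."""

    def __init__(self, hitcount=3, seconds=120, list_size=20):
        self.hitcount, self.seconds, self.list_size = hitcount, seconds, list_size
        self.table = defaultdict(list)

    def _hits(self, ip, now):
        # --seconds: only hits within the last `seconds` count towards --hitcount
        return sum(1 for t in self.table[ip] if now - t <= self.seconds)

    def _record(self, ip, now):
        stamps = self.table[ip]
        stamps.append(now)
        del stamps[:-self.list_size]

    def packet(self, ip, now):
        """Return (verdict, logged) for one packet from ip at time now."""
        over_limit = self._hits(ip, now) >= self.hitcount
        # rule 1: --rcheck ... -j LOG  (non-terminating, same condition as rule 2)
        # rule 2: --update ... -j DROP (records the hit, so dropped attempts count too)
        if over_limit:
            self._record(ip, now)
            return "DROP", True
        # rule 3: --set -j ACCEPT (records the hit and lets the connection through)
        self._record(ip, now)
        return "ACCEPT", False


def simulate(events, **chain_args):
    """Verdict for each (seconds, ip) event, in order."""
    chain = RecentChain(**chain_args)
    return [chain.packet(ip, t)[0] for t, ip in events]


if __name__ == "__main__":
    events = parse_connections(SAMPLE_LOG)
    start = events[0][0] if events else 0
    for (t, ip), verdict in zip(events, simulate(events)):
        print("+%3ds  %-15s %s" % (t - start, ip, verdict))
```

Run against the sample, the first three connections from 222.235.28.7 are accepted and the following four are dropped and logged. Feeding simulate() a made-up source such as 10.0.0.1 connecting every 30 seconds shows the --update effect: after three accepts it is dropped on every attempt and stays that way until it has been quiet long enough for fewer than three hits to remain in the window. A guesser at one attempt per minute (say 10.0.0.2) is never blocked at all, which is why the rate limit complements a strong root password rather than replacing it.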
Last Updated: Monday, 19 March 2007