Hardening OpenWrt Security: Truestealth on GRC ShieldsUP! Test

ShieldsUP is an online port scanning service to test router security against hacker and denial of service (DOS) attacks. The purpose of this utility is to report the users of any ports that have been opened through their firewalls or through their NAT routers.

ShieldsUP can scan the most common file sharing ports and vulnerable port, as well as over (1-1056) service ports, and user defined ports to test and report router's visibility on the internet including open port, ping reply, and unsolicited packets.

The default OpenWrt firewall configuration is less restrictive, as a result, user with default configuration will likely failed to pass the test. I recommend testing ShieldsUP! Test first, before following the instructions to compare the results.

The Steps

Step 1: Open router web interface
  1. Select tabs Network - Firewall
  2. Select General Settings
  3. In wan:wan ?  DROP
  4. Change input to drop, forward to drop
  5. Press save & apply
Your router now passed from Solicited TCP Packets and Unsolicited TCP Packets test

Step 2: Drop all WAN ping reply
  1. In Firewall tab
  2. Select Traffic Rules
  3. In Allow ping select edit
  4. Select action to drop
  5. Press save & apply
Your router now passed from Ping Echo test.

Step 3: To avoid random disconnect from your ISP (Optional) If your ISP check client uptime by ping reply, you may whitelist your ISP source mac address.
  1. In Firewall tab
  2. Select Traffic Rules
  3. Select source mac address from any to your ISP mac address
  4. Select your ISP source address (Only use if you cannot determine your ISP mac address)
  5. Select action to accept
  6. Press save & apply


To test if you're do the steps properly
  1. Go to GRC | ShieldsUP!
  2. Select Proceed then Select All Service Ports
Then the results will be passed. It turns the router to stealth state on the internet, so when hacker probes your IP, it appears to be same as the offline user. Thus prevent the hacker to discover your network.



Post a Comment