04-21-2012 07:26 AM - edited 04-21-2012 07:27 AM
Firmware: DD-WRT v24 SP2-Multi Build 17798
ISP: Time Warner Cable
Machine: Toshiba Satellite A665 laptop
OS: Windows 7
My goal was to force "wired-only" (no wireless) access to the administration interface, but I've managed to lock myself out of the administration interface entirely. I disabled http and https access to the router. I'm pretty sure the only thing I can do now is to reset the router and start over again.
My question is, how do I properly configure the router to only allow a "wired" connection to the router's administration interface? Is this possible? I'm hesitant to allow http access to the router admin because I just don't feel safe that I have the router locked down sufficiently. So my thought was to force a wired-only connection to the router for admin purposes.
Also, during my initial router configuration I installed the "Professional" version, but I'm wondering if I should install the "User Friendly" version.
Thanks for any help.
04-21-2012 07:56 AM
To use wired only, just turn off the wireless radio. In dd-wrt it's in the webgui under Wireless > Basic settings > Wireless Network Mode > disabled
That will turn your radio off and not allow wireless connections to the router.
04-22-2012 01:21 PM
Maybe I'm misunderstanding your reply, or maybe you're misunderstanding my question - not sure which.
My goal is to force "wired"-only router *administration* - not wired-only operation. I'd like wireless operation in general, but when I administer and configure the router, I'd like that to be in wired-only mode. I want to be sure no-one can connect to the router for configuration/admin tasks except using a wired connection. Thanks for any help or additional info.
04-22-2012 09:25 PM - edited 04-22-2012 09:33 PM
Misunderstanding is on me, my apologies.
As far as being able to administrate only on a wired connection or wireless connection for that matter, simply don't give out the login/password credentials to the router.
Also, to clarify on your first post: there are several other ways, as you discovered when you turned off http or https access to the router, and no, that doesn't mean you have to start over. When you turn both of them off, just make sure to have telnet or ssh enabled, then use a telnet/ssh client to log into the shell and type 'httpd' with no quotes at the shell, and it will start the httpd daemon. Make the changes you want, then you can issue 'killall httpd' and it will turn it back off.
Another way is much more complex, using iptables and only allowing some access to the router's local sockets. But still, the safest way I believe is just do not give out the user/password credentials of the router.
04-23-2012 06:47 PM
Thank you for answering - great info.
With http and/or httpd enabled (or telnet or ssh for that matter), my impression is that cracking a user/pw combo is just a matter of time by brute force. So my thought was to just force wired-only administration - so I wouldn't have to worry about a brute-force crack attack at all. Am I being overly concerned about security? Do most people just use http/https for administration? Meaning anyone with a browser in range of the router can sit there and try to get access by trying user/pw combinations?
04-23-2012 07:07 PM
Not overly concerned at all. Most admins want to know this kind of info, so it is useful. In fact, they put bruteforce protection in dd-wrt for just such cases; the option to activate it should be in the webgui under Security.
Where the concern should be exercised though, is knowing what kind of users you are going to have on your network and if they have the know-how to do such an attack, most do not.
Most people do use the http(s) access for administration. It's just easier, and what I've come to learn with dd-wrt is that sometimes it's better, because you can activate an option in the webgui and it works, while you can try that same option under the shell and it does not work. So the webgui options are sometimes better to use because they work 99% of the time as opposed to shell configurations.
Also trying to brute it from telnet/ssh is extremely hard to do, there is a failsafe where if the user has more than 3 fails, it closes the shell in which they are trying from.
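The firewall approach mentioned in the thread (allowing only some access to the router's local sockets), as an added example that is not part of any post above: a POSIX shell function that prints rules dropping management traffic arriving on the wireless interface. It uses ebtables rather than iptables, because when wired and wireless ports share one bridge, iptables sees only the bridge as the input interface. The interface name `ath0`, the port list, and the presence of ebtables in the firmware build are assumptions to check against the actual router.

```shell
#!/bin/sh
# Added example: print (do not apply) ebtables rules that drop IPv4 management
# traffic arriving on the wireless bridge port(s). Review the output first.
# Assumptions (not from the thread): ebtables exists in the firmware build, and
# the interface names and ports passed in match the router's own. IPv4 only.

# Usage: wired_only_admin_rules "<wireless ifaces>" "<tcp ports>"
wired_only_admin_rules() {
    wl_ifaces=$1
    ports=$2
    if [ -z "$wl_ifaces" ] || [ -z "$ports" ]; then
        echo "usage: wired_only_admin_rules \"<ifaces>\" \"<ports>\"" >&2
        return 2
    fi
    for ifc in $wl_ifaces; do
        # Interface names: letters, digits, dot, underscore, dash only.
        case $ifc in
            *[!A-Za-z0-9._-]*) echo "bad interface: $ifc" >&2; return 2 ;;
        esac
    done
    for port in $ports; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port: $port" >&2; return 2
        fi
    done
    for ifc in $wl_ifaces; do
        for port in $ports; do
            # The ebtables INPUT chain sees frames addressed to the router
            # itself; -i matches the bridge port the frame arrived on.
            echo "ebtables -A INPUT -i $ifc -p IPv4 --ip-proto tcp --ip-dport $port -j DROP"
        done
    done
}

# Constructed sample: ath0 as the wireless port; 80/443 web GUI, 22 ssh, 23 telnet.
wired_only_admin_rules "ath0" "80 443 22 23"
```

Wired clients are unaffected because their frames arrive on a different bridge port; rules added this way do not survive a reboot unless placed in a startup script.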