Hardening EdgeRouter Lite – Part 1

This blog post is part of a series on EdgeRouter Lite. You may want to check them all out!

Introduction

It has been a while since I talked about my EdgeRouter Lite. Since then, my configuration has changed. I will be discussing some of the configuration changes in this series of blog posts.

As the title implies, I will cover the process of hardening EdgeRouter Lite to address the security concerns one might have with my two-part blog post. This, by no means, is complete or the most secure configuration so feel free to drop me a line with your suggestions.

Note: This post is based on firmware version 1.9.

Web UI

The HTTPS service listens, by default, to all addresses assigned to router’s interfaces. We can improve security by restricting web management traffic to a single address.

set service gui listen-address 192.168.200.1

Alternatively, I could disable the service if I have no use for it.

delete service gui

One of the things I noticed in EdgeOS is that it listens to port 80 and 443. However, users that try to hit the router via HTTP will be redirected to HTTPS. The show service gui command won’t list it but when you issue show configuration commands | match “service gui” then it will show up. This behavior is OK in my opinion since it switches to secure HTTP. Though, there might be some people who will find this unacceptable. If you are one of them, the delete service gui http-port 80 command will disable this. Alternatively, one can just use the firewall to block it. I will cover the firewall configuration in future blog posts.

SSH Service

In my how to configure EdgeRouter Lite part one guide, my SSH service section has two config lines. While it touches a bit about security, I didn’t really touch on securing the service further. By default, the router’s SSH server will listen to any addresses assigned to an interface, just like the Web UI. In this section, we will instruct EdgeOS to only listen to a specific IP address.

set service ssh listen-address 192.168.200.1

Public-Key Authentication

One of the mitigation techniques for SSH brute force attack is by using SSH key authentication method. In order to do this, we will need to generate SSH keys on the client(s), load the public key on EdgeRouter, and disable password authentication.

Generating SSH keys

In this post, the host that I used to generate keys runs on Ubuntu Server 16.04.1. Generating keys on macOS and other Linux distro might be the same command. If you’re a Windows user, please research on how to generate keys using PuTTY Generator.

username@ubuntu01:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa): <just hit enter>
Enter passphrase (empty for no passphrase): <enter passphrase here>
Enter same passphrase again: <enter passphrase here>
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:a-bunch-of-characters-are-displayed-here username@ubuntu01
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|     random      |
|   characters    |
|      are        |
|    displayed    |
|      here       |
|                 |
|                 |
+----[SHA256]-----+

Copying SSH key

There are two methods, that I know of, on how to copy the public key that we generated to the EdgeRouter. I will only cover two of them.

Method 1

This method is the easiest out of the two. This method will only work if password authentication is still enabled. If not, then you will have to use the second method.

username@ubuntu01:~$ ssh-copy-id username@ubnt.domain.local
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
********************************************************************
*************       THIS IS MY UBIQUITI EDGEROUTER     *************
*************           YOU SHALL NOT PASS!!!          *************
********************************************************************
username@ubnt.domain.local's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'username@ubnt.domain.local'" and check to make sure that only the key(s) you wanted were added.

The public key is now copied and we are now ready to load the key. Skip the method 2 section and go to the next.

Method 2

This method is a bit more involved than the first one. The second part of this method is applicable to Windows users. It’s just a matter of copying the public key to clipboard and saving it to a file in EdgeRouter. This will be the method you’ll use going forward when you disable password authentication and need to add more public keys. Alternatively, you can enable password authentication temporarily and use the first method to add more public keys. Don’t forget to disable password authentication.

The first step is to view the public key from the host.

username@ubuntu01:~$ more ~/.ssh/id_rsa.pub
ssh-rsa a-bunch-of-characters-are-displayed-here-and-is-very-long username@ubuntu01

The next step is to copy everything. Note: It may show up as multiple lines on your screen. Make sure to paste it as a single line to a file in EdgeRouter.

sudo vi ~/.ssh/authorized_keys
ssh-rsa a-bunch-of-characters-are-displayed-here-and-is-very-long username@ubuntu01

If you are not familiar with VI/VIM editor, then use this.

bash
echo ssh-rsa a-bunch-of-characters-are-displayed-here-and-is-very-long username@ubuntu01 >> ~/.ssh/authorized_keys
exit

Loading SSH key

The next step is to load the public key to the configuration. The command covered here instructs the router to load the public key from the Linux environment to EdgeOS. This ensures that the keys will survive a reboot and/or firmware upgrade since configurations will be saved in /config directory.

loadkey username ~/.ssh/authorized_keys

We’ll delete the authorized_keys file since it is no longer needed.

sudo rm ~/.ssh/authorized_keys

Disable Password Authentication

The last step in enabling public key authentication is to disable password authentication. Right now, users are still able to log into the EdgeRouter using password. To disable this behavior, we’ll need to configure SSH daemon to only allow public key authentication.

set service ssh disable-password-authentication

For this to take effect, we’ll need to commit the changes and save the config to the config.boot file. The command below will cause SSH daemon (sshd) to restart.

commit; save

Verification

Now, we’re ready to test our EdgeRouter configuration.

Host with public key

Here’s my Ubuntu host with public key connecting to EdgeRouter Lite.

username@ubuntu01:~$ ssh username@ubnt.domain.local
********************************************************************
*************       THIS IS MY UBIQUITI EDGEROUTER     *************
*************           YOU SHALL NOT PASS!!!          *************
********************************************************************
Enter passphrase for key '/home/username/.ssh/id_rsa': <enter passphrase>
Linux ubnt 3.10.20-UBNT #1 SMP Fri Jul 29 16:51:50 PDT 2016 mips64
Welcome to EdgeOS
Last login: Fri Nov 25 10:09:27 2016 from 192.168.254.100

Depending on your host’s OS, the behavior may be different. My host likes to ask for the private key passphrase every time I try to connect to EdgeRouter Lite. This requirement of passphrase could serve as an additional layer of security. Though, this depends if the user is using a unique and secure passphrase. To modify this behavior, I had to add the identity to the key manager so I don’t have to keep typing every single time. I will leave it to your discretion if you want to do the same thing.

Installing key manager

Install keychain package as the key manager.

username@ubuntu01:~$ sudo apt-get install keychain -y

Edit the .bashrc file and add the following.

username@ubuntu01:~$ vi .bashrc
keychain id_rsa id_dsa
. ~/.keychain/`uname -n`-sh

If you are not familiar with VI/VIM, follow the commands below.

username@ubuntu01:~$ sed -i '$ a keychain id_rsa id_dsa' .bashrc
username@ubuntu01:~$ sed -i '$ a . ~/.keychain/`uname -n`-sh' .bashrc

For the change to take effect, enter the command below.

username@ubuntu01:~$ . .bashrc
 * keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 2888
 * Warning: can't find id_dsa; skipping
 * Adding 1 ssh key(s): /home/username/.ssh/id_rsa
Enter passphrase for /home/username/.ssh/id_rsa: <enter passphrase>
 * ssh-add: Identities added: /home/username/.ssh/id_rsa

Now, my host is no longer asking for passphrase every time I try to connect to my EdgeRouter. Though, this will not survive a reboot. It will prompt me again to enter the passphrase when the host reboots. This is better than entering the passphrase every time, though!

username@ubuntu01:~$ ssh username@ubnt.domain.local
********************************************************************
*************       THIS IS MY UBIQUITI EDGEROUTER     *************
*************           YOU SHALL NOT PASS!!!          *************
********************************************************************
Linux ubnt 3.10.20-UBNT #1 SMP Fri Jul 29 16:51:50 PDT 2016 mips64
Welcome to EdgeOS
Last login: Fri Nov 25 12:35:33 2016 from 192.168.254.100

Host with no public key

Clients that do not have public keys saved in the EdgeRouter will no longer be able to connect.

username@ubuntu02:~$ ssh username@ubnt.domain.local
********************************************************************
*************       THIS IS MY UBIQUITI EDGEROUTER     *************
*************           YOU SHALL NOT PASS!!!          *************
********************************************************************
Permission denied (publickey).

Final Words

This post addresses some of the security concerns with my two-part blog post on how to configure EdgeRouter Lite. While there were few security bits here and there in the series, this post increases security by hardening the management plane. There will be more things we can do to enhance management security but will be covered in the future. The next post will give users an alternative to SSH public-key authentication.

References

Ubuntu Community QuickTips
Ubiquiti Community – SSH authorized_keys

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.