DD-WRT Post-Install Checklist

DD-WRT comes out of the box with some questionable default settings. For example: a totally open default wifi network 'dd-wrt', default shell access via telnet when SSH is ready to go, no logging whatsoever which - despite demands on RAM - one might find useful during initial configuration at least...

After passing out during a router conversion and waking up to find an unexpected guest logged in I decided it wouldn't kill me to write and adhere to a post-installation checklist to make sure I don't miss anything in the future. I'll update this page as ideas come to me. Hit Apply Changes after each step.

  1. Disable WiFi until you have had time to implement a thoughtful configuration. Wireless > Basic Settings > Each Physical Interface change Wireless Network Mode to Disabled.
  2. Enable syslogd under Services > System Log. Bear in mind that logs will be collected in RAM unless you specify a remote syslogd server (ideal) or configure writable local storage. If neither of these suits you disable syslogd when you are finished dicking around but I will caution you that you may regret this decision one day.
  3. Configure the NTP Client under Setup > Basic Setup > Time Settings. Find your local pool at https://www.ntppool.org/en/. My settings are Canada/Eastern and ca.pool.ntp.org, although the NTP Pool Project advises:

    In most cases it's best to use pool.ntp.org to find an NTP server (or 0.pool.ntp.org, 1.pool.ntp.org, etc if you need multiple server names). The system will try finding the closest available servers for you.

    although I don't see how that could have less latency. Your call. Either way your syslogd entries will henceforth be a lot more meaningful.

  4. Disable Telnet and enable Secure Shell under services. It is strongly advisable to configure Authorized Keys and disable Password Login. It seems necessary to reboot the router after hitting apply to effect these changes.
  5. Under Administration > Web Access change Protocol to HTTPS and disable HTTP. Also disable Enable Info Site unless you are into that sort of masturbation. Note that you will have to update the URL in your browser once you apply changes.
  6. I like to enable Turning off radio under Services > SES / AOSS / EZ-SETUP / WPS Button so WiFi can be quickly disabled/enabled by pressing the WPS button. WPS should be disabled period which makes this button useless otherwise and this option provides a quick way to kill the radios in case of an accidental misconfiguration. Additionally I have deployed numerous solutions where having a wireless network on 24/7 provides no utility other than an increased attack surface - except on rare occasions where administration etc. is more conveniently accomplished over the air (as opposed to hanging off the device with the only 6 foot cat5 in eyeshot) and this is a great feature to have in those situations.
  7. Take a snapshot of your NVRAM settings. Before you go screwing with things like VLAN configuration and lose the default configuration forever, log in to the shell and dump the key=value pairs into a text file then store it somewhere persistent - ideally off-host - for safekeeping.
    nvram show > ~/nvram.bak

Failed to mount /sysroot on CentOS/RHEL

Power outage, VM tanked, whatever the reason you may need to run xfs_repair from the recovery console.
Mounting /sysroot... [ ***] A start job is running for /sysroot (3min 59s / 4min 31s)[240.527013] INFO: task mount:406 blocked for more than 120 seconds. [ 240.527056] "echo 0 > /proc/sys/kernel/hung_task_timeout+secs" disables this message." [FAILED] Failed to mount /sysroot. See 'systemctl status sysroot.mount' for more details. [DEPEND] Dependency failed for Initrd Root File System. [DEPEND] Dependency failed for Reload Configration from the Real Root. [ OK ] Stopped dracut pre-pivot and cleanup hook. [ OK ] Stopped target Initrd Default Target. [ OK ] Reached target Initrd File System. [ OK ] Stopped dracut mount hook. [ OK ] Stopped target Basic System. [ OK ] Stopped System Initialization. Starting Emergency Shell... Genrating "/run/initramfs/rdsosreport.txt" Entering emergancy mode. Exit the shell to continue. Type "journalctl" to view system logs. You might want to save "/run/initramfs/rdsosreport.txt" to usb stick or /boot after mounting them and attach it to a bug report. :/#

xfs_repair -v /dev/dm-0
Be sure to include any other volumes before rebooting, i.e.: /dev/dm-1.

Credit to https://unix.stackexchange.com/questions/337289/how-to-repair-centos-failed-to-mount-sysroot for full error message copypasta. Mine was in a GUI in an RDP in a bump in a hole in the log down by the river~

The BIOS has Corrupted hw-PMU Resources

Modern HP servers, among others, may display the following warning when booting RHEL7+ and associated flavours:

The BIOS has corrupted hw-PMU resources (MSR 30d is 330)

This can be safely ignored. However, if it bothers you, you can disable it thus:

  1. Boot machine to RBSU (F9).
  2. Press CTRL+A.
  3. Select "Service Options."
  4. Select "Processor Power and Utilization Monitoring."
  5. Select "Disable."
  6. Press F10 to save and exit.
  7. Reboot.

Per HPE advisory https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c03265132

Discover All Tenda Devices in ARP Database

Tenda makes embedded devices that are frequently compromised and/or used in DoS attacks. You can actively scan or sniff for the following list of vendor IDs live but I wrote an SQL backed multi-router ARP table reporting system for an ISP years back. This query will locate all clients operating such a device.

select distinct `ip` from `arp` where ( `mac` like 'E8:65:D4%' or `mac` like 'D8:32:14%' or `mac` like 'CC:2D:21%' or `mac` like 'C8:3A:35%' or `mac` like 'B8:3A:08%' or `mac` like 'B4:0F:3B%' or `mac` like 'B0:DF:C1%' or `mac` like '58:D9:D5%' or `mac` like '50:2B:73%' or `mac` like '50:0F:F5%' or `mac` like '08:40:F3%' or `mac` like '04:95:E6%' )

I have had enough problems with these devices that I suggest preemptively locating them, blocking typical remote management/access ports upstream and have all affected users return or upgrade their router. Follow up and remove corresponding upstream rules once the devices have been removed (use arping to verify) to recover netfilter resources.