DD-WRT Post-Install Checklist
DD-WRT comes out of the box with some questionable default settings: an open default wifi network named 'dd-wrt', shell access via telnet even though SSH is ready to go, and no logging whatsoever, which, despite the demands on RAM, one might find useful at least during initial configuration.
After passing out partway through a router conversion and waking up to find an unexpected guest logged in, I decided it wouldn't kill me to write, and adhere to, a post-installation checklist so I don't miss anything in the future. I'll update this page as ideas come to me. Hit Apply Changes after each step.
- Disable WiFi until you have had time to implement a thoughtful configuration: under Wireless > Basic Settings, set Wireless Network Mode to Disabled on each physical interface.
- Enable syslogd under Services > System Log. Bear in mind that logs are collected in RAM, and lost on reboot, unless you specify a remote syslogd server (ideal) or configure writable local storage. If neither suits you, disable syslogd when you are finished dicking around, but I will caution you that you may regret this decision one day.
- Configure the NTP Client under Setup > Basic Setup > Time Settings. Find your local pool at https://www.ntppool.org/en/. My settings are Canada/Eastern and ca.pool.ntp.org, although the NTP Pool Project advises:
In most cases it's best to use pool.ntp.org to find an NTP server (or 0.pool.ntp.org, 1.pool.ntp.org, etc if you need multiple server names). The system will try finding the closest available servers for you.
I don't see how that could have less latency than a country pool, but it's your call. Either way your syslogd entries will henceforth carry meaningful timestamps; until the first sync with a reachable server, the router's clock, and so every log line, is wrong.
- Disable Telnet and enable Secure Shell under Services. It is strongly advisable to configure Authorized Keys and disable Password Login. Paste your public key and confirm that a key-based login works before turning Password Login off, otherwise you have locked yourself out of the shell. It seems necessary to reboot the router after hitting Apply for these changes to take effect.
- Under Administration > Web Access, change Protocol to HTTPS and disable HTTP. Also disable Enable Info Site unless you are into that sort of masturbation. Note that you will have to update the URL in your browser (https://) once you apply changes, and that the router's certificate is self-signed, so expect a browser warning.
- I like to enable Turning off radio under Services > SES / AOSS / EZ-SETUP / WPS Button so WiFi can be quickly disabled or enabled by pressing the WPS button. WPS itself should be disabled, period, which otherwise leaves the button useless, and this option gives you a quick way to kill the radios after an accidental misconfiguration. I have also deployed numerous setups where a wireless network on 24/7 provides no utility beyond an increased attack surface, except on the rare occasions when administration is more conveniently done over the air (as opposed to hanging off the device with the only six-foot cat5 in eyeshot), and this feature is great to have in those situations.
- Take a snapshot of your NVRAM settings. Before you go screwing with things like VLAN configuration and lose the default configuration forever, log in to the shell and dump the key=value pairs into a text file, then store it somewhere persistent, ideally off-host, for safekeeping. On DD-WRT the root home directory lives under RAM-backed /tmp, so the file below is gone at the next reboot; scp it off first. The dump also contains your wifi PSK and admin password hash in the clear, so treat it as a secret.
nvram show > ~/nvram.bak
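To check the work, here is an added example that is not part of the original post or of DD-WRT: a small POSIX sh script (it runs on the router's busybox shell or on a workstation you have scp'd the dump to) that audits a `nvram show` dump against the checklist items, redacts the credentials in it before it is stored off-host, and diffs two dumps to see what a round of web-UI changes actually touched. The nvram key names it uses (telnetd_enable, sshd_passwd_auth, wl0_net_mode and so on) are those of common DD-WRT builds and are assumptions here; confirm each against your own dump. The two dumps embedded in it are constructed samples with made-up values.

```shell
#!/bin/sh
# Added example, not code from the original post or from DD-WRT. Offline helpers
# for a DD-WRT `nvram show` dump: audit the checklist, redact credentials before
# the dump leaves the router, and diff two dumps. The nvram key names are the
# ones used by common DD-WRT builds and are assumptions here: confirm them
# against your own dump. Caveat: multi-line values (rc_startup, several
# authorized keys) span several dump lines and are not handled by this parser.

# Constructed sample (made-up values) of a box that has NOT been through the list.
BEFORE_DUMP=$(cat <<'EOF'
wl0_net_mode=mixed
wl0_security_mode=disabled
telnetd_enable=1
sshd_enable=0
sshd_passwd_auth=1
http_enable=1
https_enable=0
syslogd_enable=0
ntp_server=
http_passwd=$1$abcdefgh$notarealhash0000000000
EOF
)

# Constructed sample of the same box after the checklist (still made up).
AFTER_DUMP=$(cat <<'EOF'
wl0_net_mode=disabled
wl0_security_mode=psk2
wl0_wpa_psk=correct-horse-battery-staple
telnetd_enable=0
sshd_enable=1
sshd_passwd_auth=0
sshd_authorized_keys=ssh-ed25519 AAAAC3NotARealKey admin@laptop
http_enable=0
https_enable=1
syslogd_enable=1
syslogd_rem_ip=192.168.1.10
ntp_server=ca.pool.ntp.org
http_passwd=$1$abcdefgh$notarealhash0000000000
EOF
)

# nv_get DUMP KEY: print KEY's value from DUMP (empty if the key is absent).
nv_get() {
    printf '%s\n' "$1" | awk -v k="$2" -F= '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# audit_dump DUMP: print a FAIL line per checklist item not in place; the
# return value is the number of failures (0 means the list is satisfied).
audit_dump() {
    dump=$1
    fails=0
    check() { [ "$(nv_get "$dump" "$1")" = "$2" ] || { echo "FAIL: $3 ($1 should be $2)"; fails=$((fails + 1)); }; }
    check telnetd_enable   0 "telnet still enabled"
    check sshd_enable      1 "sshd not enabled"
    check sshd_passwd_auth 0 "ssh password login still allowed"
    check http_enable      0 "plain-HTTP web UI still enabled"
    check https_enable     1 "HTTPS web UI not enabled"
    check syslogd_enable   1 "syslogd not enabled"
    [ -n "$(nv_get "$dump" ntp_server)" ] || { echo "FAIL: no NTP server set"; fails=$((fails + 1)); }
    # The open 'dd-wrt' network: radio on with the security mode disabled.
    [ "$(nv_get "$dump" wl0_net_mode)" != disabled ] && [ "$(nv_get "$dump" wl0_security_mode)" = disabled ] &&
        { echo "FAIL: radio on with no security (open network)"; fails=$((fails + 1)); }
    # Lockout check: password login off but no key to log in with.
    [ "$(nv_get "$dump" sshd_passwd_auth)" = 0 ] && [ -z "$(nv_get "$dump" sshd_authorized_keys)" ] &&
        { echo "FAIL: password login off and no authorized keys: lockout"; fails=$((fails + 1)); }
    return "$fails"
}

# redact_dump DUMP: blank out values whose key looks like a credential so the
# snapshot can be stored off-host. The key pattern is illustrative, not exhaustive.
redact_dump() {
    printf '%s\n' "$1" | awk -F= '
        $1 ~ /passwd|_psk$|_key[0-9]$|_pass$|secret/ { print $1 "=<redacted>"; next }
        { print }'
}

# diff_dumps OLD NEW: list keys added (+), removed (-) or changed (~) between two
# dumps, e.g. snapshots from before and after a round of web-UI changes.
diff_dumps() {
    { printf '%s\n' "$1" | sed 's/^/OLD /'; printf '%s\n' "$2" | sed 's/^/NEW /'; } | awk '
        { tag = $1; line = substr($0, 5); eq = index(line, "=")
          if (eq == 0) next                      # not key=value, e.g. a size summary line
          k = substr(line, 1, eq - 1); v = substr(line, eq + 1); seen[k] = 1
          if (tag == "OLD") a[k] = v; else b[k] = v }
        END { for (k in seen) {
                if (!(k in a)) print "+ " k "=" b[k]
                else if (!(k in b)) print "- " k "=" a[k]
                else if (a[k] != b[k]) print "~ " k ": " a[k] " -> " b[k] } }' | sort
}

# Stand-alone run: audit the "before" box, then show what the checklist changed.
audit_dump "$BEFORE_DUMP" || echo "$? item(s) still to fix"
diff_dumps "$BEFORE_DUMP" "$AFTER_DUMP"
```

Note that diff_dumps prints the raw values, wifi PSK included, so if the comparison happens anywhere but on the router itself, feed it the output of redact_dump for both snapshots instead.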