Introduction
This blog entry documents some unsorted instructions on how to set up the popular Turris Omnia appliance.
Prerequisites
- Turris Omnia with OS version 3.7 or higher
- At least completion of the initial setup (first run)
Preparation
zsh
- Install some pre-requisites:
```sh
opkg update && opkg install zsh
```
- Change the desired user's login shell in /etc/passwd (vi /etc/passwd), replacing /bin/ash with /bin/zsh on that user's line:
```
# before
root:x:0:0:root:/root:/bin/ash
# after
root:x:0:0:root:/root:/bin/zsh
```
- Reboot and SSH into the box again
Sudo user
- SSH into the box (as root)
- Install some pre-requisites:
```sh
opkg update && opkg install sudo shadow-useradd
```
- Add a new user, let's say zak (and configure as needed):
```sh
useradd zak
passwd zak               # prompts for the new password
mkdir -p /home/zak
chown zak:zak /home/zak
chmod 750 /home/zak      # home directory not readable by other users
```
- Modify the sudoers config as needed: visudo
```
# Allow all users in the wheel group to execute any cmd as root
%wheel ALL=(ALL) ALL
```
- Add the newly created user to the wheel group:
```sh
# may be the wheel group does not exist
groupadd wheel
# -G replaces the supplementary group list (fine for a fresh user)
usermod -G wheel zak
```
- Log out and SSH into the box with the new user
- Test whether sudo works as expected:
Secure Web Interface
- The following web server config assumes a self-signed certificate, which is not recommended for production!
- Install some pre-requisites:
```sh
opkg update && opkg install lighttpd-mod-redirect
```
- Modify the following SSL config: sudo vi /etc/lighttpd/conf.d/ssl-enable.conf
```
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd-self-signed.pem"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
    ssl.honor-cipher-order = "enable"
}
$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd-self-signed.pem"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
    ssl.honor-cipher-order = "enable"
}
$HTTP["scheme"] == "https" {
    # Add 'HTTP Strict Transport Security' header (HSTS) to sites
    setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}
```
- Add the following fragment to the web server config (just after the IPv6 listener line): vi /etc/lighttpd/lighttpd.conf
```
# Redirect http to https
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
    setenv.add-environment = (
        "HTTPS" => "on"
    )
}
```
- Restart the web server and check if lighttpd is listening on port 80 and 443:
```sh
/etc/init.d/lighttpd restart
netstat -tulpen
```
- On a separate client, test the configured ciphers and protocols:
```sh
nmap --script ssl-enum-ciphers -n -p 443 192.168.1.1
```
- Open a web browser and enter the router IP or host name without https to verify that you are redirected to the https site
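As an added example (not part of the original post), the following POSIX sh script audits a lighttpd SSL fragment for the hardening directives set above, so the config can be re-checked after an update. The hardened and weak sample fragments are constructed for the demo (cipher list omitted); the check function, sample names and temp file handling are my own.

```sh
#!/bin/sh
# Added example: audit a lighttpd SSL config fragment for the hardening
# directives from this post. Needs only busybox sh/grep, so it runs on the router.
# Constructed sample: the hardened fragment (cipher list omitted for brevity).
hardened_conf() {
cat <<'EOF'
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.honor-cipher-order = "enable"
}
$HTTP["scheme"] == "https" {
    setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}
EOF
}
# Constructed sample: a weak fragment (SSLv3 left enabled, SSLv2/cipher order unset, no HSTS).
weak_conf() {
cat <<'EOF'
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.use-sslv3 = "enable"
}
EOF
}
# check_ssl_conf FILE: prints one PASS/FAIL line per check, returns the number of failures.
check_ssl_conf() {
    f="$1"; fails=0
    while IFS='|' read -r key val desc; do   # directive|expected value|description
        if grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"${val}\"" "$f"; then
            echo "PASS: $desc"
        else
            echo "FAIL: $desc"; fails=$((fails + 1))
        fi
    done <<EOF
ssl.engine|enable|TLS enabled on the listener
ssl.use-sslv2|disable|SSLv2 disabled
ssl.use-sslv3|disable|SSLv3 disabled
ssl.honor-cipher-order|enable|server cipher order enforced
EOF
    # HSTS is added via setenv, so match the header name rather than a directive
    if grep -q '"Strict-Transport-Security"' "$f"; then echo "PASS: HSTS header set"
    else echo "FAIL: HSTS header missing"; fails=$((fails + 1)); fi
    return "$fails"
}
# Stand-alone demo: audit both constructed samples
tmp=$(mktemp); for s in hardened_conf weak_conf; do
    echo "== $s =="; "$s" > "$tmp"; check_ssl_conf "$tmp" || echo "-> $? check(s) failed"
done; rm -f "$tmp"
```

To audit the live router config, run `check_ssl_conf /etc/lighttpd/conf.d/ssl-enable.conf` after sourcing the script.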