Hello, I’m testing a RUT240 and have some concerns regarding local management of the device. I’m hoping someone can assist in explaining why these might not be issues or providing a workaround.
First, I’d like to change the default web management user account’s username, per best security practices, from “admin” to something else, but couldn’t find a simple way to do this. It appears that I can create other administrative accounts; however, I can’t assign them the same permissions group (“root”) as the original admin, and I’m not sure whether it’ll allow me to disable the original “admin” account afterwards…
Secondly, I’m confused as to why I cannot access the device via SSH using the same credentials that I use to access the web management portal. Apparently I need to use the username “root” when accessing the device via SSH… While using the username “root” and the same password that I set for the “admin” account does allow SSH access, it’s confusing as there’s no “root” user listed under the list of users in the web management portal and I’ve never encountered a device/system that has multiple usernames for the same account… And again, for best security practices, is it possible to change this username for SSH access to something other than the easily guessed default of “root”?
Believe it or not, many users do not know that in order to access the CLI/SSH the username ‘root’ is necessary to be used, which is already a step towards restricting undesired device access.
By design, OpenWRT systems, upon which RutOS is also based, are designed to be rather simple and resource-efficient, thus they have and can only have one root user with superuser privileges.
As you have mentioned, there is no easy way to change root or admin usernames. Instead, I would suggest focusing on creating complex password(s) for root/admin access. To increase security further, you can change the default ports for SSH and HTTP(S) access options. In addition, when logged in to SSH as root, you can set separate passwords for root, admin, and other users by specifying the user whose password you want to change following the passwd command:
Regarding SSH login for users other than root, due to OpenWRT’s highly customizable nature, it is possible to set up. There are instructions in the following link, explaining how to create such a user and provide it with privileged access: [OpenWrt Wiki] Secure your router's access
For additional recommendations and suggestions on providing your system with increased security, please check a couple of the links below:
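As an added example (not code from this thread, from Teltonika or from OpenWrt), a small POSIX shell audit that shows on disk what the reply above describes: it lists accounts whose shadow hash is identical to root's, accounts with no password set, and locked accounts. It assumes a shadow(5)-format file; the sample file embedded below is constructed, with placeholder hashes.

```shell
#!/bin/sh
# Added example, not from the thread or from Teltonika/OpenWrt: audit a
# shadow(5)-style file for accounts that carry root's password hash, the
# on-disk symptom of "changing admin's password also changes root's".
# On the router run, for example: shared_hash_users /etc/shadow
# The file below is constructed for offline use; the hashes are placeholders.
SAMPLE_SHADOW='root:$1$abcdefgh$PLACEHOLDERHASH000000:19000:0:99999:7:::
admin:$1$abcdefgh$PLACEHOLDERHASH000000:19000:0:99999:7:::
daemon:*:0:0:99999:7:::
guest::19000:0:99999:7:::
operator:$1$zyxwvuts$DIFFERENTHASH0000000:19000:0:99999:7:::'

# Print every account (other than root) whose hash field is identical to
# root's. Identical hashes mean identical passwords; different hashes prove
# nothing, because each passwd run picks a fresh salt.
shared_hash_users() {
    root_hash=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    [ -n "$root_hash" ] || { echo "no root entry in $1" >&2; return 1; }
    awk -F: -v h="$root_hash" '$1 != "root" && $2 == h { print $1 }' "$1"
}

# Print accounts with an empty password field: shadow(5) treats that as
# "no password required", which is worse than a weak password.
no_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print accounts that are locked: "*" or a field starting with "!".
locked_users() {
    awk -F: '$2 == "*" || $2 ~ /^!/ { print $1 }' "$1"
}

# Count accounts that can authenticate with a real password hash.
password_users_count() {
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/ { n++ } END { print n + 0 }' "$1"
}

# Stand-alone demo against the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$demo_file"
echo "sharing root's hash: $(shared_hash_users "$demo_file" | tr '\n' ' ')"
echo "no password set:     $(no_password_users "$demo_file" | tr '\n' ' ')"
echo "locked:              $(locked_users "$demo_file" | tr '\n' ' ')"
echo "usable passwords:    $(password_users_count "$demo_file")"
rm -f "$demo_file"
```

Run it again after setting separate passwords with passwd to confirm that admin no longer appears in the shared-hash list.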
Thank you for the fast and very informative reply - that’s much appreciated.
In terms of simplicity, I would think that it’d be simpler to have a single admin/root-level account (which is the case in almost every other kind of networking equipment that I’ve encountered). Now that there are two accounts, and even more so because setting the password on one seems to affect the other (something I’ve never run into before), this gets complicated…
Please confirm that:
- There are actually two administrative accounts in the system: “admin” and “root”?
- The “admin” account is for managing the device via the web GUI and the “root” account is for managing the device via the CLI (SSH and Telnet)?
- Whenever the “admin” account password is updated via the web GUI, it also changes/updates the “root” account’s password to the same?
- Setting independent/unique passwords for both the “admin” and “root” accounts can only be done from the CLI (SSH and Telnet)?