- Set a strong root password immediately after flashing.
- Disable password-based SSH and use key-based authentication.
- Restrict LuCI and SSH to the LAN management subnet only.
¶ Package and Service Hygiene
- Remove unused packages and disable services not required at runtime.
- Keep opkg package indexes and installed packages updated.
- Avoid installing packages from untrusted feeds.
¶ Firewall and Segmentation
- Keep zone-based firewall defaults (input REJECT, forward REJECT) for WAN-facing zones.
- Separate trusted LAN, guest Wi-Fi, and IoT into different VLANs/interfaces.
- Allow only explicit forwarding rules and avoid broad ACCEPT rules.
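As an added example (not part of the original checklist), a small POSIX sh/awk audit that reads an OpenWrt /etc/config/firewall in UCI syntax and reports WAN-facing zones whose input or forward policy is not REJECT/DROP, plus rules that ACCEPT TCP/UDP from wan without a dest_port. The sample config, its zone and rule names, and the "named wan or masq 1" heuristic for WAN-facing zones are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit an OpenWrt /etc/config/firewall (UCI syntax) for
# WAN-facing zones whose input/forward policy is not REJECT or DROP, and
# for rules that ACCEPT TCP/UDP from wan without a dest_port restriction.
# Assumption: a zone is WAN-facing when it is named 'wan' or has masq '1'.

# Constructed sample config for the demo, not taken from a real device.
SAMPLE_FW="$(cat <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config rule
    option name 'Allow-All-From-WAN'
    option src 'wan'
    option target 'ACCEPT'
EOF
)"

# audit_firewall: reads a UCI firewall config on stdin, prints one finding
# per line and nothing when the config passes the checks above.
audit_firewall() {
  awk -v q="'" '
    function val(s) { gsub(q, "", s); return s }
    function weak(p) { return p != "REJECT" && p != "DROP" }
    function show(p) { return p == "" ? "unset (inherits defaults)" : p }
    function flush() {
      if (sect == "zone" && (o["name"] == "wan" || o["masq"] == "1")) {
        if (weak(o["input"]))   print "zone " o["name"] ": input policy is " show(o["input"])
        if (weak(o["forward"])) print "zone " o["name"] ": forward policy is " show(o["forward"])
      }
      if (sect == "rule" && o["src"] == "wan" && o["target"] == "ACCEPT" &&
          o["dest_port"] == "" && (o["proto"] == "" || o["proto"] ~ /all|tcp|udp/))
        print "rule " o["name"] ": ACCEPT from wan with no dest_port"
    }
    $1 == "config" { flush(); sect = $2; for (k in o) delete o[k] }
    $1 == "option" { o[$2] = val($3) }
    END { flush() }
  '
}

printf '%s\n' "$SAMPLE_FW" | audit_firewall
```

On a device, run it as `audit_firewall < /etc/config/firewall` from cron so a drifted zone policy or a broad rule shows up in the logs before an incident does.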
- Use WPA2 with AES (CCMP) at minimum; prefer WPA3-SAE where client support exists.
- Disable WPS entirely.
- Use separate SSIDs for guest and internal networks, with client isolation enabled on the guest network.
- Prefer VPN access (WireGuard/OpenVPN) over exposed admin ports.
- If remote management is unavoidable, enforce source allowlists and rate limiting.
- Rotate VPN keys and client configs on schedule.
¶ Integrity and Observability
- Store config backups (/etc/config) and package list snapshots before upgrades.
- Forward logs to remote syslog for retention and incident response.
- Run periodic checks on startup scripts and custom firewall includes.