This is basically just so I don’t forget if I end up resetting my router for some reason. Do it all at your own risk though, etc etc.
To enter edit mode:
$ configure
You can then continue with the other commands.
To save your work:
$ commit
$ save
And in the end to leave edit mode:
$ exit
By default, the Edge Router X’s web interface is available both from its private and public IP. Personally, I only want it available locally. Same with SSH access.
If you wanna play safe, do the GUI first and check that it worked, before doing the SSH part.
[0] To achieve this, SSH to your router, and run the following commands:
set service gui listen-address <your routers local ip>
set service ssh listen-address <your routers local ip>
I use 192.168.1.1 as the router’s address. This seems like the default. After this, it should no longer be accessible from the outside.
set service gui older-ciphers disable
set service ssh protocol-version v2
This is really easy to do with the setup wizard from the web interface, but while we are in the CLI:
set system login user <username>
set system login user <username> authentication plaintext-password <super great password>
set system login user <username> level admin
Log out, and back in as the new user.
delete system login user ubnt
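One way to double-check that the hardening steps above actually stuck, as an added example that is not part of the original post: save the output of `show configuration commands` on the router and run it through a small audit script. The function names, the user alice and both sample configs are made up for illustration, and the script assumes the dump is in the same `set ...` form as the commands above.

```shell
#!/bin/sh
# Added example (not from the original post): checks a saved EdgeOS config,
# given as "set ..." lines, against the hardening settings on this page.

# Constructed sample: hardening only partly applied.
SAMPLE_PARTIAL="set service gui listen-address 192.168.1.1
set service gui older-ciphers disable
set service ssh port 22
set system login user ubnt level admin
set system login user alice level admin"

# Constructed sample: every step from the page applied.
SAMPLE_HARDENED="set service gui listen-address 192.168.1.1
set service gui older-ciphers disable
set service ssh listen-address 192.168.1.1
set service ssh protocol-version v2
set system login user alice level admin"

# has_line CONFIG PREFIX: succeeds if a config line starts with PREFIX.
# Single quotes are stripped first in case the dump quotes its values.
has_line() {
    printf '%s\n' "$1" | tr -d "'" | grep -q -- "^$2"
}

# audit_config CONFIG: prints one finding per line, returns 1 if any.
audit_config() {
    cfg=$1
    findings=""
    note() { findings="${findings}$1
"; }
    for svc in gui ssh; do
        has_line "$cfg" "set service $svc listen-address " ||
            note "$svc: no listen-address set"
    done
    has_line "$cfg" "set service gui older-ciphers disable" ||
        note "gui: older-ciphers not disabled"
    has_line "$cfg" "set service ssh protocol-version v2" ||
        note "ssh: protocol-version not set to v2"
    if has_line "$cfg" "set system login user ubnt "; then
        note "login: default user ubnt still exists"
    fi
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Demo on the constructed samples.
audit_config "$SAMPLE_PARTIAL" || echo "=> partial sample: not hardened"
audit_config "$SAMPLE_HARDENED" && echo "=> hardened sample: ok"
```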
[1] As a bonus, unrelated to hardening, mainly so I remember it myself in the future, enable offloading for hwnat.
set system offload hwnat enable
If you have a fast internet connection, speedtests might be improved now if you previously didn’t get the expected numbers.
I went from about 450Mbps to nearly the 600Mbps I am supposed to get on a good day.
Reference:
[0] https://www.reddit.com/r/Ubiquiti/comments/e9skld/comment/famkt1x/
[1] https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading#4
[2] https://www.manitonetworks.com/ubiquiti/2016/7/26/ubiquiti-hardening