Remote access#
Default credentials#
Default credentials are:
User: root
Password: Nethesis,1234
Such credentials can be used to log in to the web interface or using SSH:
Web user interface: https://<server_ip>:9090
SSH default port: 22
NethSecurity’s default hostname is: NethSec
If your client has received an IP address from NethSecurity’s DHCP, it will use NethSecurity as both gateway and DNS server. Under these conditions you can contact NethSecurity using its hostname nethsec instead of the server_ip e.g.
This hostname can be modified in the System Settings section.
Note
The default password for the root user is Nethesis,1234. It is recommended to change the password immediately after logging in for the first time.
Reset root password#
The root password can be reset by entering Failsafe mode.
Once in this mode, you can change the password by executing the following commands (mount the root filesystem read-write first, otherwise the new password is not saved):
mount_root
passwd
Restart the firewall with the command
reboot
Web user interface#
NethSecurity UI (User Interface), the NethSecurity official web interface, is available on port 9090 at the following URL: https://<server_ip>:9090.
To ease access, NethSecurity UI is also available on the standard HTTPS port 443 at the following URL: https://<server_ip> or https://<server_fqdn>.
Both URLs are accessible from LAN and WAN by default.
Restricting access to NethSecurity UI#
By default, this interface is accessible on port 9090 from both your internal network (LAN) and the wider internet (WAN). While convenient, this can potentially introduce a security risk.
To mitigate this risk, you have two options (remove or restrict access):
remove the Allow-UI-from-WAN rule: go to the Firewall rules page, navigate to the Input rules tab, and locate the “Allow-UI-from-WAN” rule. Click the Delete button to remove it
restrict access from specific IPs or networks: in the Firewall rules page, locate the “Allow-UI-from-WAN” rule and click the Edit button. In the Source address field, enter the IP addresses or network CIDRs from which you want to allow access to the NethSecurity UI. For example, to allow access only from your home network, you could enter the 192.168.1.0/24 network. Only allow access from trusted IP addresses or networks. Leaving this field blank will allow anyone on the internet to access the NethSecurity UI.
Additional security measures:
use a strong password for the root user (the account that logs in to the UI)
enable two-factor authentication (2FA) for the root user
keep your firewall up to date with the latest security patches
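The same two options (delete the rule, or restrict its source addresses) can be applied from the command line with uci, which is also the quickest way to audit whether the UI is still open to the WAN. The script below is an added example, not part of the NethSecurity documentation or code base: it assumes the rule's UI label is stored in the firewall section's `name` option and that the UI's "Source address" field maps to the OpenWrt `src_ip` list option. The `uci show firewall` text it parses is constructed for illustration.

```shell
#!/bin/sh
# Added example (not NethSecurity's own code): locate the "Allow-UI-from-WAN"
# input rule with uci, report its exposure, and delete or restrict it.
# Assumptions: the rule label lives in the section's `name` option and the
# "Source address" field is the OpenWrt `src_ip` list option.

# Constructed sample of `uci show firewall` output (not captured from a real unit)
SAMPLE_UCI_SHOW="firewall.@zone[0]=zone
firewall.@zone[0].name='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-UI-from-WAN'
firewall.@rule[1].src='wan'
firewall.@rule[1].dest_port='9090'
firewall.@rule[1].target='ACCEPT'"

# Print the uci section (e.g. firewall.@rule[1]) whose name option equals $1.
# $2 is the text of `uci show firewall`; named sections (firewall.foo) work too.
find_rule_section() {
    printf '%s\n' "$2" | sed -n "s/^\(firewall\.[^.]*\)\.name='$1'\$/\1/p" | head -n 1
}

# Report how the UI is reachable from WAN: "closed" (rule absent), "open"
# (rule present with an empty source list) or "restricted: <cidr list>".
ui_wan_exposure() {
    sec="$(find_rule_section Allow-UI-from-WAN "$1")"
    [ -n "$sec" ] || { echo "closed"; return 0; }
    ips="$(printf '%s\n' "$1" | grep -F "$sec.src_ip=" | cut -d= -f2- | tr -d "'")"
    if [ -n "$ips" ]; then echo "restricted: $ips"; else echo "open"; fi
}

# Live-unit helpers (need uci on the firewall). Restrict the rule to the CIDRs
# given as arguments; an empty list would reopen the UI to everyone, so refuse it.
restrict_ui_from_wan() {
    [ "$#" -gt 0 ] || { echo "refusing to set an empty source list" >&2; return 1; }
    sec="$(find_rule_section Allow-UI-from-WAN "$(uci show firewall)")"
    [ -n "$sec" ] || { echo "rule not found" >&2; return 1; }
    uci -q delete "$sec.src_ip" || true      # start from an empty source list
    for cidr in "$@"; do uci add_list "$sec.src_ip=$cidr"; done
    uci commit firewall && /etc/init.d/firewall reload
}

# Drop the rule entirely (equivalent to the Delete button in the UI).
remove_ui_from_wan() {
    sec="$(find_rule_section Allow-UI-from-WAN "$(uci show firewall)")"
    [ -n "$sec" ] || return 0                 # already gone
    uci delete "$sec" && uci commit firewall && /etc/init.d/firewall reload
}

# Usage on the firewall:
#   ui_wan_exposure "$(uci show firewall)"
#   restrict_ui_from_wan 192.168.1.0/24 203.0.113.10/32
#   remove_ui_from_wan
```

Run `ui_wan_exposure "$(uci show firewall)"` after editing the rule in the UI to confirm the change took effect; anything other than "closed" or "restricted: ..." means the UI is still reachable from any WAN address.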
Change web user interface port#
Users can change the NethSecurity UI port.
To change the NethSecurity UI port from 9090 to 8181, execute:
uci set ns-ui.config.nsui_extra_port=8181
uci commit ns-ui && ns-ui
Warning
The controller uses port 9090 to communicate with the unit. Changing the port will prevent the controller from managing the unit.
If you still need to forward port 9090 to another machine inside the LAN, you can keep the controller connected by leaving nsui_extra_port unchanged and forwarding the port to the new machine.
Forwarding the port is acceptable because the controller reaches port 9090 over the VPN, not through the WAN-side port forward.
Disable web user interface on port 443#
While exposing port 443 (HTTPS) can be necessary for certain services, directly accessing the NethSecurity UI through this port may introduce a potential security risk. Here’s how to safely maintain port 443 functionality while protecting your NethSecurity UI.
If you don’t require accessing the NethSecurity UI through port 443, disable it to minimize attack opportunities. Execute the following commands on your NethSecurity unit:
uci set ns-ui.config.nsui_enable=0
uci commit ns-ui && ns-ui
This option disables access to the NethSecurity UI through both the server IP address and FQDN on port 443.
If you need port 443 for other services, configure your firewall to redirect traffic destined for port 443 to a separate web server hosting those services. Ensure this separate server has strong security measures in place.
Privacy policy#
In some cases, it is necessary to display the privacy policy of a product before login. NethSecurity does not display any privacy policy by default, but it is possible to add a link to an external website that contains the privacy policy.
To add a link to the privacy policy, access the command line and execute:
URL=https://mysite.org/privacy_policy; sed -i "s|PRIVACY_POLICY_URL\: ''|PRIVACY_POLICY_URL: '$URL'|" /www-ns/branding.js
Substitute https://mysite.org/privacy_policy with the URL of your privacy policy.
The link to the privacy policy will be displayed inside the login page after the next page refresh.
Legacy web user interface#
Warning
Changes done via LuCI web interface may break the official NethSecurity UI. Use at your own risk!
NethSecurity also offers LuCI, the original OpenWrt web interface, which provides a wide range of configuration options but is not officially supported. LuCI is disabled by default. To enable it, execute:
uci set ns-ui.config.luci_enable=1
uci commit ns-ui
ns-ui
Once enabled, LuCI will be available only on port 443 at this URL: https://<server_ip>/cgi-bin/luci
Changes to the following LuCI pages are known to cause unpredictable behavior:
HTTP access tab: it configures uhttpd which is not present inside NethSecurity
Logging tab: it configures logd which is not present inside NethSecurity
Networking: configuration created with this page is not compatible with NethSecurity UI
If previously enabled, the LuCI web interface can be disabled by executing:
uci set ns-ui.config.luci_enable=0
uci commit ns-ui
ns-ui
Hide web server version#
By default, the nginx web server serving the NethSecurity UI includes its version number in the HTTP Server response header. Many vulnerability scanners rely on software version identification, which produces false positives when fixes are backported without changing the reported version. Hiding the version does not fix anything by itself, but it removes an easy fingerprint for automated scanning tools looking for version-specific issues.
To disable the nginx version from being displayed in the NethSecurity UI HTTP headers, execute the following commands:
uci set ns-ui.config.server_tokens='off'
uci commit ns-ui
reload_config
This configuration only affects the NethSecurity UI. The reverse proxy has its own separate configuration.
SSH#
By default, the system accepts SSH connections on the standard port 22 from the internal network (LAN) only. Root login with the default password is enabled, so change it before exposing the service further. To allow SSH access from the wider internet (WAN), a firewall input rule must be added for the server’s listening port.
From a Linux machine, use the following command:
ssh root@192.168.1.1
VGA console and keyboard layout#
If the machine has a VGA/DVI/HDMI video port, connect a monitor to it. Then, you will be able to log in to the console using the default credentials above.
Please note that the system is configured with the US keyboard layout.
To temporarily change the current keyboard layout to Italian, log in to the system and then execute the following command:
loadkmap < /usr/share/keymaps/it.map.bin
The keyboard layout configuration can be saved by writing the keymap code inside /etc/keymap. Example for it (Italian) keymap:
echo 'it' > /etc/keymap
grep -q /etc/keymap /etc/sysupgrade.conf || echo /etc/keymap >> /etc/sysupgrade.conf
To obtain the list of available keymaps, execute the following command:
ls -1 /usr/share/keymaps/ | cut -d'.' -f1
Serial console#
If the machine has a serial port (RS-232, typically available with a DE-9 connector or an RJ45/8P8C connector), it is possible to access the firewall directly through it using a null-modem cable and a terminal program.
PuTTY (version 0.60 or higher) is a common choice if you are using Microsoft Windows, while Linux distros offer tools such as minicom, picocom, or screen.
Default access parameters for NethSecurity 8 are:
Baud rate: 115200
Data bits: 8
Parity: None
Stop bits: 1
The last three parameters are often abbreviated as 8N1.
USB-to-Serial Adapters#
In case of need, NethSecurity can be used to access another server via the serial console. If the hardware does not have an RS-232 port, USB-to-serial adapters can be used. For this reason, it is possible to download and install drivers for the most common adapters on NethSecurity. These drivers are provided as-is and are not supported by Nethesis (if using an Enterprise or Subscription version).
Two packages are provided for installation, covering the vast majority of adapters available on the market.
kmod-usb-serial-cp210x - 5.15.162-1 - Kernel support for Silicon Labs cp210x USB-to-Serial converters
kmod-usb-serial-pl2303 - 5.15.162-1 - Kernel support for Prolific PL2303 USB-to-Serial converters
To install Prolific PL2303 driver:
opkg install kmod-usb-serial-pl2303
The logs will show an output similar to this:
Aug 6 08:08:17 nsec8 kernel: [ 2346.359247] usb 1-6: new full-speed USB device number 3 using xhci_hcd
Aug 6 08:08:17 nsec8 kernel: [ 2346.543052] pl2303 1-6:1.0: pl2303 converter detected
Aug 6 08:08:17 nsec8 kernel: [ 2346.550401] usb 1-6: pl2303 converter now attached to ttyUSB0
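Once the driver is loaded, the kernel log tells you which device node the adapter received; that node plus the 8N1 parameters from the Serial console section is everything a terminal program needs. The script below is an added example, not part of the NethSecurity documentation: it extracts the device node from log lines of the kind shown above (the sample lines are constructed) and builds the picocom invocation, assuming picocom is installed on the unit (opkg install picocom); swap in screen or minicom if you prefer.

```shell
#!/bin/sh
# Added example (not NethSecurity's own code): find the device node a freshly
# attached USB-to-serial adapter received and open it with 8N1 at 115200 baud.
# Assumes picocom is installed (opkg install picocom).

# Constructed kernel log lines of the kind shown above (not captured from a real unit)
SAMPLE_KLOG='Aug  6 08:08:17 nsec8 kernel: [ 2346.359247] usb 1-6: new full-speed USB device number 3 using xhci_hcd
Aug  6 08:08:17 nsec8 kernel: [ 2346.543052] pl2303 1-6:1.0: pl2303 converter detected
Aug  6 08:08:17 nsec8 kernel: [ 2346.550401] usb 1-6: pl2303 converter now attached to ttyUSB0'

# Print the device node of the most recently attached converter (e.g. ttyUSB0),
# or nothing if the log contains no "attached to" line. Works for pl2303 and
# cp210x alike, since both report "converter now attached to ttyUSBn".
serial_tty_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*converter now attached to \(tty[A-Za-z0-9]*\).*/\1/p' | tail -n 1
}

# Build the terminal command: $1 = device node, $2 = baud rate (default 115200).
# --databits 8 --parity n --stopbits 1 is the 8N1 setting documented above.
serial_connect_cmd() {
    printf 'picocom -b %s --databits 8 --parity n --stopbits 1 /dev/%s\n' "${2:-115200}" "$1"
}

# Live use on the unit: read the kernel log with logread, then open the port.
#   tty="$(serial_tty_from_log "$(logread)")"
#   [ -n "$tty" ] && eval "$(serial_connect_cmd "$tty")"
```

If `serial_tty_from_log` prints nothing after plugging the adapter in, the driver for that chipset is not loaded; check `lsusb` against the two kmod packages listed above.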
Note
Starting from version 8.7.2, extra packages are automatically reinstalled after system upgrade. For earlier versions and for additional information, refer to this documentation: Restore extra packages.