janhoedt asked:

Protect password site

Hi,

I have a router whose web page is open to the Internet, secured by a user name and password. However, I think the level of security (only one user and password) is not strong enough.

Is there a simple way to have more layered security?

J.
arnold:

You should not leave that open.
Does the router support VPN connections?
That is the way you can secure it, i.e. you have to first establish the VPN connection.
The best way is to control who can access that page by using an access list. If you can't lock it down to a few IPs because they are changing, and your firewall doesn't support DNS access lists, it may be best to use another protocol if possible and turn off the web page. Use SSH if possible; you can typically lock SSH down very well too, by using public and private keys to authenticate, or again by using an IP address ACL to only allow connections from certain IPs.
Who makes the router and what version of the operating system is it running? There may be flaws that bypass the login entirely, or there could be well-known "backdoor" accounts that would let someone in no matter what you have the password set to.
http://www.phenoelit-us.org/dpl/dpl.html
-rich
btan:
It is also good to pentest the website to surface any security bugs, especially in the web application. OWASP has good resources in its cheat sheets on prevention, mostly in the coding. You can also consider using a web application firewall (WAF), which will help form the first layer of defence, especially when an attack is launched and time is required to remediate without pulling down the site. ModSecurity is one WAF resource to check out. There are also website monitoring services like Armorize's HackAlert and host integrity prevention software like OSSEC (something along the lines of Tripwire, to detect website defacement etc.).

http://www.greebo.net/2010/02/09/owasp-top-10-2010-cheat-sheet/
http://www.modsecurity.org/
https://hackalert.armorize.com/
http://www.ossec.net/

But hardening of the specific web server should be considered as well; if it is MS IIS, do check out IIS Lockdown and URLScan:
http://www.symantec.com/connect/articles/iis-lockdown-and-urlscan

For Apache, see the tips at:
@ http://httpd.apache.org/docs/2.0/misc/security_tips.html
@ http://xianshield.org/guides/apache2.0guide.html

It is also best to have some log correlation, if possible, to keep track of and detect early signs of intrusion attempts like brute forcing etc. Splunk or OSSIM are some open efforts, but they can be overkill if you are only looking at one web server.
Another: MyPHPIPS (MyPHP Intrusion Prevention System) is an open-source PHP web application intrusion prevention system.

@ http://www.pentestit.com/2011/08/31/myphpips-phpintrusion-prevention-system-tool/
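A small detector for the brute-force pattern mentioned above, as an added example that is not part of the thread or of any of the tools linked. The log lines are constructed for the demo, their wording modelled on the messages of dropbear (the SSH server DD-WRT ships); the logread usage at the end assumes the router's syslog is enabled. Adapt the two awk patterns to whatever your own log actually contains.

```shell
#!/bin/sh
# Added example, not from the thread: flag source IPs that repeatedly fail
# SSH authentication, i.e. the "early sign of brute forcing" that log
# correlation is meant to catch. Written for BusyBox sh/awk as found on
# DD-WRT, but it runs on any POSIX shell.

# Constructed sample log. Message wording is modelled on dropbear's
# "Bad password attempt for 'USER' from IP:PORT" and treated as an
# assumption; check your real log format before relying on the patterns.
sample_log() {
    cat <<'EOF'
Mar  1 10:00:01 router dropbear[1201]: Bad password attempt for 'root' from 203.0.113.9:51234
Mar  1 10:00:03 router dropbear[1202]: Bad password attempt for 'root' from 203.0.113.9:51236
Mar  1 10:00:05 router dropbear[1203]: Login attempt for nonexistent user from 203.0.113.9:51240
Mar  1 10:00:07 router dropbear[1204]: Bad password attempt for 'admin' from 203.0.113.9:51244
Mar  1 10:00:09 router dropbear[1205]: Bad password attempt for 'root' from 203.0.113.9:51250
Mar  1 10:00:11 router dropbear[1206]: Bad password attempt for 'root' from 203.0.113.9:51255
Mar  1 10:02:30 router dropbear[1210]: Bad password attempt for 'root' from 198.51.100.7:40001
Mar  1 10:02:32 router dropbear[1211]: Bad password attempt for 'root' from 198.51.100.7:40002
Mar  1 10:05:00 router dropbear[1220]: Password auth succeeded for 'root' from 192.168.1.10:40500
EOF
}

# Read syslog lines on stdin; print "<failures> <ip>" for every source with
# at least $1 (default 5) failed logins, highest count first. Successful
# logins are deliberately not counted.
brute_force_sources() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        / Bad password attempt for / || / Login attempt for nonexistent user from / {
            src = $NF                 # last field is IP:PORT
            sub(/:[0-9]+$/, "", src)  # drop the source port
            fails[src]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip
        }' | sort -rn
}

# Run the detector over the constructed sample with the given threshold.
flagged_sample() {
    sample_log | brute_force_sources "${1:-5}"
}

# Stand-alone demo: sources with 3 or more failures in the sample.
flagged_sample 3
```

On the router itself you would feed the real log in instead of the sample, e.g. logread | brute_force_sources 5 (assuming syslogd is switched on in DD-WRT). A hit means someone is guessing credentials against the single user/password the question worries about, which is exactly the moment an IP allowlist or a VPN-only front door earns its keep.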
@breadtan You can't add this kind of software, or change much, on a router typically; sometimes you can get something like DD-WRT or another 3rd-party OS and then add them, but if the user is using the vanilla router resources, these tips won't apply.
-rich
@rich, thanks for getting me back on track with the discussion. Pardon me for not being clear in my previous reply.
Agreed that these cannot be "added" into the router.
I see them more as layered defence, but outside of the router.

Probably hardening the router (to its best, where possible) will be the minimal defence to put up for a risk mitigation approach: kill off the low-hanging fruit @ http://searchnetworking.techtarget.com/tip/Hardening-your-router-in-9-easy-steps
janhoedt (asker):

Thanks; however, I have DD-WRT and a NAS with PHP. An IDS looks great to me. What would be interesting is to block, for example, IPs from the US or Russia, or to get a notice (as Gmail does) if a logon occurs from a suspicious IP.
DD-WRT has some decent security and allows SSH. I prefer to use the "local only" login option, so that only wired hosts can use the web interface. Here are some recommended options for securing the console itself, using encryption first: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=29181
It may be best to leave only SSH open, then, like I said before, open the web interface up from the remote IP... SSH into the WAP, then issue this command:
iptables -I INPUT -p tcp -s <remote_location_ip> --dport 80 -j ACCEPT
You can also enable HTTPS like in the link I provided above. This way only <remote_location_ip> will be able to access the web interface, and will need to provide the user/pass to get in.
-rich
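The single iptables command above admits one address but leaves every other source to whatever the rest of the firewall does. The script below, an added example and not rich's or DD-WRT's own code, builds the layered version of that idea: a dedicated chain that allowlists a few sources for the web interface ports, logs a sample of everything else and drops it, so unknown addresses never even see the login form. The interface name vlan2, the chain name web_acl and the documentation addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: an allowlist for the router's web
# interface on the WAN side, as a reviewable iptables rule set. A dedicated
# chain keeps rule order deterministic and makes re-runs idempotent (DD-WRT
# firewall scripts are re-run on every WAN up event, so this matters).

# Usage: web_acl_rules WAN_IF "PORT ..." "SOURCE ..."
#   WAN_IF  - WAN interface name; vlan2 is assumed for a Linksys-style
#             DD-WRT build, check with: nvram get wan_ifname
#   PORT    - TCP ports the web interface listens on, e.g. "80 443"
#   SOURCE  - addresses or CIDR prefixes allowed in, e.g. the remote IP
# Rules are printed, not applied, so they can be read before use.
web_acl_rules() {
    wan_if="$1"; ports="$2"; allow="$3"
    echo "iptables -N web_acl 2>/dev/null"      # create chain if missing
    echo "iptables -F web_acl"                  # start from a clean chain
    for src in $allow; do
        echo "iptables -A web_acl -s $src -j ACCEPT"
    done
    # Log a rate-limited sample of rejected attempts so a scan cannot
    # flood the log, then drop everything not allowlisted above.
    echo "iptables -A web_acl -m limit --limit 6/min -j LOG --log-prefix \"web_acl_drop: \""
    echo "iptables -A web_acl -j DROP"
    # Hook the chain into INPUT for each web port. The -D first removes
    # any jump left by a previous run, so re-running does not stack rules.
    for p in $ports; do
        echo "iptables -D INPUT -i $wan_if -p tcp --dport $p -j web_acl 2>/dev/null"
        echo "iptables -I INPUT -i $wan_if -p tcp --dport $p -j web_acl"
    done
}

# Apply the rule set only when actually on the router (root and iptables
# present); anywhere else just print it for review.
apply_web_acl() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        web_acl_rules "$@" | sh
    else
        web_acl_rules "$@"
    fi
}

# Stand-alone demo: rules for one remote address and one office prefix
# (both constructed documentation addresses).
web_acl_rules vlan2 "80 443" "203.0.113.5 198.51.100.0/24"
```

Placed in the DD-WRT firewall script (Administration > Commands, "Save Firewall"), apply_web_acl vlan2 "80 443" "<remote_location_ip>" re-creates the chain on every WAN event. The log prefix gives the brute-force detection discussed earlier something concrete to match on, and because the ACCEPT rules sit before the DROP in the same chain, adding a source is a one-line change that cannot accidentally reorder the default deny.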
This may also be a useful reference for iptables on DD-WRT:

http://www.dd-wrt.com/wiki/index.php/Iptables_command
It looks like DD-WRT has no stable release. I have some issues, so I might go back to my Linksys E3000 firmware. Then again my question arises: how to securely access the web interface ... and the data on my network.
ASKER CERTIFIED SOLUTION by btan