Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Wed Sep 04, 2019 11:34 Post subject:
First, start with the router model and the current build you're running...
There are a few scripts for geo blocking; you can also block IPs or ranges of IPs
via iptables rules, and you can block stuff via dnsmasq rules as well.
A well-known practice is to not expose SSH via WAN...
If you do, then change its default port to something else, like port 50000 or any port above port 1000..
As well, disable SSH password login and log in with a key file (password protected)
with max encryption.. I think the DD-WRT SSH key can be SSH-2 RSA 2048 bit max; I use puttygen to create my keys.
To limit attempts per time you also need SSH iptables rules..
Then you can sleep well...
Personally I never expose the GUI on the WAN side, no excuse...no shit..
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
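As an added example (not the poster's own script), this is what the "SSH iptables rules to limit attempts per time" mentioned above could look like as a DD-WRT firewall script, using the iptables "recent" match. The port 50000 comes from the post; the WAN interface name vlan2 and the 4-connections-per-60-seconds threshold are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: rate-limit new SSH connections arriving
# on the WAN with the iptables "recent" match.
# Assumptions (placeholders): SSH listens on 50000 (the port the post names),
# the WAN interface is vlan2 (check `nvram get wan_ifname` on your router),
# and the kernel has the state/recent matches, which DD-WRT builds ship with.

SSH_PORT="${SSH_PORT:-50000}"
WAN_IF="${WAN_IF:-vlan2}"
WINDOW="${WINDOW:-60}"      # seconds a source stays in the recent list
MAX_NEW="${MAX_NEW:-4}"     # new SSH connections allowed per source per window

# Print the rules. A dedicated chain keeps the logic readable and lets the
# firewall script re-run idempotently (flush instead of duplicating rules).
# Order matters: --update/--hitcount is checked first, so the (MAX_NEW+1)th
# new connection from one source inside WINDOW seconds is dropped; otherwise
# the source is recorded (--set) and the packet is accepted.
ssh_ratelimit_rules() {
  cat <<EOF
iptables -N SSH_LIMIT 2>/dev/null || true
iptables -F SSH_LIMIT
iptables -A SSH_LIMIT -m recent --name SSH --update --seconds $WINDOW --hitcount $MAX_NEW -j DROP
iptables -A SSH_LIMIT -m recent --name SSH --set -j ACCEPT
iptables -D INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_LIMIT 2>/dev/null || true
iptables -I INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_LIMIT
EOF
}

# Dry run by default; APPLY=1 executes the rules (needs root on the router).
apply_or_print() {
  if [ "${APPLY:-0}" = "1" ]; then
    ssh_ratelimit_rules | sh -e
  else
    ssh_ratelimit_rules
  fi
}

# Paste the printed lines into Administration > Commands > Save Firewall so
# they are re-applied at every boot and WAN reconnect.
apply_or_print
```

If SSH is not exposed on the WAN at all, as the post recommends, this chain has nothing to match; it is for the case where you do open it on a non-default port.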
Joined: 08 May 2018 Posts: 14223 Location: Texas, USA
Posted: Wed Sep 04, 2019 15:02 Post subject:
Ok, uhm, for some reason, disabling password login doesn't sound right. Either this is a DD-WRT specific anomaly, but setting authorized keys with no password just doesn't sound right to me.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Wed Sep 04, 2019 15:53 Post subject:
kernel-panic69 wrote:
Ok, uhm, for some reason, disabling password login doesn't sound right. Either this is a DD-WRT specific anomaly, but setting authorized keys with no password just doesn't sound right to me.
I have always disabled ssh password login (GUI>Services>Services) and also disabled ssh access from the web (GUI>Administration>Management). I use ssh key login exclusively and have never had problems with it. There is generally a passphrase used also in that process, but it's just an extra check that is very distinct from password login. It's their not having the proper private key that keeps the intruders out.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), WireGuard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Joined: 08 May 2018 Posts: 14223 Location: Texas, USA
Posted: Wed Sep 04, 2019 16:57 Post subject:
You could possibly do the same with passwords and only allowing certain ciphers, but I guess I forgot about this feature in openssh. But you would have to trust that your client keys are not compromised and cracked. Since I don't allow remote logins on WAN, and since wireless access to webUI, telnet, ssh are all blocked, I really don't worry about it, because only the wired clients would be suspect. FWIW, distributed.net is still trying to crack 72-bit keys, and they haven't even started fooling around with elliptic curve cryptography. Yet.