Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Fri Jan 13, 2023 21:30 Post subject:
Best practice with dd-wrt and dropbear...
-create a secure SSH key (ed25519 or 4096 RSA) with complex password protection.
-disable SSH password login
-limit SSH login via the security page...
-do not expose SSH to WAN (I do it and I have lots of SSH attempts which fail)
This must be sufficient enough... I hope.
Of course you can block those tries, but those could be coming from a different source, so it's a cat-and-mouse game... In general, if you have good internet hygiene it's OK. _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Fri Jan 13, 2023 21:38; edited 1 time in total
Alozaros wrote:
Best practice with dd-wrt and dropbear...
-create a secure SSH key (ed25519 or 4096 RSA) with complex password protection.
-disable SSH password login
-limit SSH login via the security page...
-do not expose SSH to WAN (I do it and I have lots of SSH attempts which fail)
This must be sufficient enough... I hope.
This is where I am now. I see some attempted connections that fail. _________________ Netgear R9000
DD-WRT v3.0-r55460 std (03/25/24)
Linux 4.9.337 #715 SMP Mon Mar 25 06:15:53 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Fri Jan 13, 2023 21:40 Post subject:
MLandi wrote:
Alozaros wrote:
Best practice with dd-wrt and dropbear...
-create a secure SSH key (ed25519 or 4096 RSA) with complex password protection.
-disable SSH password login
-limit SSH login via the security page...
-do not expose SSH to WAN (I do it and I have lots of SSH attempts which fail)
This must be sufficient enough... I hope.
This is where I am now. I see some attempted connections that fail.
Well, as long as those fail it's OK... Then again, if those are script-based attempts and don't have an info page revealed, it's not a big problem... as those are not successful...
Ah well, if you don't make SSH publicly available then of course it makes total sense
to use an SSH key,
protect the key with a password,
and limit SSH access.
Don't forget to secure the webif with a 10000 bit key.
And even if you make SSH public, an SSH key password does not protect the server but only the private key on the client.
It only makes sense if you do not trust your own devices in terms of security.
If your own PC is compromised you will have bigger problems than a router.
By the way, I use an OpenSSH server on a Raspberry Pi as a jump host (because it is fully configurable).
And then allow it for specific users by either MAC or IP address:
iptables -I INPUT -p tcp --dport 22 -m mac --mac-source XX:XX:XX:XX:XX:AA -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -s xxx.xxx.xxx.102 -j ACCEPT
You could be even more specific and specify an interface and so on:
iptables -I INPUT -i br0 -p tcp --dport 22 -m mac --mac-source XX:XX:XX:XX:XX:AA -j ACCEPT
If SSH is exposed to WAN, then MAC rules will not work, but you can specify an incoming IP or IP range in the GUI and that's all... At the end of the day dropbear is not that bad...
Its code is smaller than OpenSSH and it does work as intended... If you are not happy with dropbear you can try using OpenSSH via Entware... as well, there are other SSH solutions that...
As far as blocking a range of IPs or a single IP, you'd better use ipset rules, as those are hash based and in case of too many IPs to block they do not slow down the router's performance...
For more on the subject have a look at egc's guide here: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
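The post above recommends ipset over per-IP iptables rules for blocking repeat offenders. As an added example (not from the thread or from dd-wrt), the script below counts failed dropbear logins per source from constructed syslog lines, shaped like dropbear's "Bad password attempt" and "nonexistent user" messages, and emits one hash:ip set plus a single DROP rule instead of one rule per address. The set name, threshold and sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed syslog lines shaped like
# dropbear's failed-auth messages; the addresses are documentation ranges.
sample_log() {
cat <<'EOF'
Jan 13 21:30:01 router dropbear[2211]: Bad password attempt for 'root' from 203.0.113.5:51234
Jan 13 21:30:03 router dropbear[2212]: Bad password attempt for 'admin' from 203.0.113.5:51240
Jan 13 21:30:05 router dropbear[2213]: Login attempt for nonexistent user from 198.51.100.77:40022
Jan 13 21:30:09 router dropbear[2214]: Bad password attempt for 'root' from 203.0.113.5:51250
Jan 13 21:31:00 router dropbear[2215]: Password auth succeeded for 'root' from 192.168.1.10:55000
Jan 13 21:31:20 router dropbear[2216]: Bad password attempt for 'pi' from 198.51.100.77:40030
EOF
}

# Count failed attempts per source IP (stdin: syslog lines) -> "count ip" rows.
# Successful logins are not matched by the grep and so never enter the count.
failed_per_ip() {
  grep -E 'Bad password attempt|Login attempt for nonexistent user' \
    | sed -n 's/.* from \([0-9.][0-9.]*\):[0-9][0-9]*$/\1/p' \
    | sort | uniq -c
}

# Print the IPs with at least $1 failures, one per line, sorted.
offenders() {
  failed_per_ip | awk -v min="$1" '$1 >= min { print $2 }' | sort
}

# Turn the IP list on stdin into ipset/iptables commands. One hash:ip set and
# one rule replace a rule per address; $1 is the set name. "-exist" makes the
# create/add idempotent so the script can be re-run as the list grows.
ipset_rules() {
  set_name="$1"
  echo "ipset create $set_name hash:ip -exist"
  while read -r ip; do
    [ -n "$ip" ] && echo "ipset add $set_name $ip -exist"
  done
  echo "iptables -I INPUT -p tcp --dport 22 -m set --match-set $set_name src -j DROP"
}

# Print the generated commands for review; run them on the router only after
# checking the list, and add the iptables rule only once (e.g. firewall script).
sample_log | offenders 2 | ipset_rules ssh_block
```

Allow rules for your own MAC/IP addresses (as in the post) should be inserted above the DROP rule so a typo in the block list cannot lock you out.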
And the problem is not dropbear alone but the configuration options that dd-wrt offers.
For example, you can't permanently disable the SSH banner, because as soon as you press "apply" in the services tab, dropbear will start again with the banner parameter.
Secondly, you can't permanently create additional users in the system, as the filesystem is ro (read only).
Thirdly, you don't seem to have understood the security concept of a jump host.
A jump host is a hardened server.
Imagine that on a multi-user system you can easily create permanent unprivileged users and use them e.g. for SSH.
This has the following advantages: firstly, the user is not known to attackers and for this reason alone authentication fails.
In the absolutely unlikely case that an attacker can crack the combination of an unknown user and a strong SSH key and get into the jump host, he still can't do any damage there because the user is unprivileged and the change to a privileged account is only possible by cracking another key.
The attacker can also not connect to other servers in the security zone because for this again the combination of an unknown user and a second strong SSH key is needed, and the needed private keys are not on the jump host.
Furthermore, a well-configured jump host sends emails when e.g. someone logs in via SSH.
Therefore the router is not directly attackable from the outside at all.
And the router cannot be overloaded with DDoS attacks.
So why should I install OpenSSH via Entware on the router?
This is not an adequate solution.
phae1the@raspberry4:~$ sudo mc
[sudo] password for phae1the:
phae1the is not in the sudoers file. This incident will be reported.
It works great with several different hosts and different SSH keys,
and this can be configured via the ProxyJump config so that you only have to enter "ssh host" and everything else is done automatically.
In principle, you can think of it as a matryoshka or onion: a tunnel in the tunnel of a tunnel.
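The ProxyJump setup described in the post above, as an added example that is not the poster's own config: the first function emits an OpenSSH client config in which the router is only reachable through the jump host with a separate key per hop, and the second lints a config to confirm every Host block pins a key and refuses password auth. Host names, user names and key paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. With ProxyJump the jump host only forwards
# a TCP stream: the router session is authenticated end-to-end from the client,
# so the router's private key never has to exist on the jump host.
jump_config() {
  # $1 jump host address, $2 unprivileged jump user (assumed name),
  # $3 router address as seen from the jump host, $4 router user
  cat <<EOF
Host jump
    HostName $1
    User $2
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes
    PasswordAuthentication no

Host router
    HostName $3
    User $4
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_router
    IdentitiesOnly yes
    PasswordAuthentication no
EOF
}

# Lint a client config on stdin: every Host block must set "IdentitiesOnly yes"
# (only the listed key is offered, so no key leaks across hops) and
# "PasswordAuthentication no". Prints offending Host names; exit 0 if none.
lint_key_only() {
  awk '
    function flush() {
      if (host != "" && !(ident && nopass)) { print host; bad = 1 }
    }
    /^Host / { flush(); host = $2; ident = 0; nopass = 0; next }
    /^[[:space:]]*IdentitiesOnly[[:space:]]+yes/ { ident = 1 }
    /^[[:space:]]*PasswordAuthentication[[:space:]]+no/ { nopass = 1 }
    END { flush(); exit bad }'
}

# Generate and lint; write the output to ~/.ssh/config (mode 600) to use it.
jump_config 203.0.113.10 svc-jump 192.168.1.1 root | lint_key_only
```

Before relying on it, check the options OpenSSH actually resolves with `ssh -G -F <file> router`, which prints the effective proxyjump, user and identityfile values without connecting.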
That was my first thought, but I've been naive to so many things around here I did not want to respond with a LOL.