Blocking incoming, unwanted IP connections

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Fri Jan 13, 2023 21:30    Post subject:
Best practice with DD-WRT and dropbear...
- create a secure SSH key (ed25519 or 4096 RSA) with complex password protection..
- disable SSH password login
- limit SSH login via the Security page...
- do not expose SSH to WAN (I do it and I have lots of SSH attempts which fail)
This must be sufficient enough.. I hope Razz
Of course you can block those tries, but yep, those could be coming from a different source, so it's a cat and mouse game..... In general, if you have good internet hygiene, it's ok Rolling Eyes

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Fri Jan 13, 2023 21:38; edited 1 time in total
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1008

PostPosted: Fri Jan 13, 2023 21:37    Post subject:
Alozaros wrote:
Best practice with DD-WRT and dropbear...
- create a secure SSH key (ed25519 or 4096 RSA) with complex password protection..
- disable SSH password login
- limit SSH login via the Security page...
- do not expose SSH to WAN (I do it and I have lots of SSH attempts which fail)
This must be sufficient enough.. I hope Razz


This is where I am now. I see some attempted connections that fail.

_________________
Netgear R9000
DD-WRT v3.0-r55460 std (03/25/24)
Linux 4.9.337 #715 SMP Mon Mar 25 06:15:53 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Fri Jan 13, 2023 21:40    Post subject:
MLandi wrote:
Alozaros wrote:
Best practice with DD-WRT and dropbear...
- create a secure SSH key (ed25519 or 4096 RSA) with complex password protection..
- disable SSH password login
- limit SSH login via the Security page...
- do not expose SSH to WAN (I do it and I have lots of SSH attempts which fail)
This must be sufficient enough.. I hope Razz


This is where I am now. I see some attempted connections that fail.


Well, as long as those fail it's ok... then again, if those are script-based attempts and don't have an info page revealed, it's not a big problem... as those are not successful... Embarassed

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat Jan 14, 2023 7:52    Post subject:
Ah well, if you don't make SSH publicly available then of course it makes total sense
to use an SSH key,
protect the key with a password,
and limit SSH access.
Don't forget to secure the webif with a 10000 bit key

Rolling Eyes

And even if you make SSH public, an SSH key password does not protect the server but only the private key on the client.
It only makes sense if you do not trust your own devices in terms of security;
if your own PC is compromised you will have bigger problems than a router.
Laughing

By the way, I use an OpenSSH server on a Raspberry Pi as a jump host (because it is fully configurable).

https://wiki.gentoo.org/wiki/SSH_jump_host
https://en.wikipedia.org/wiki/Jump_server

So at least 2 strong keys have to be cracked to get access to the router.

I also don't see any unwanted SSH accesses because the service is well hidden.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Sat Jan 14, 2023 16:40    Post subject:
Locally you can limit the SSH access with iptables rules:

Code:
iptables -I INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

and then allow it for specific users by either MAC or IP address:
Code:
iptables -I INPUT -p tcp --dport 22 -m mac --mac-source XX:XX:XX:XX:XX:AA -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -s xxx.xxx.xxx.102 -j ACCEPT

You could be even more specific.. and spell out an interface and so on..
Code:
iptables -I INPUT -i br0 -p tcp --dport 22 -m mac --mac-source XX:XX:XX:XX:XX:AA -j ACCEPT

If SSH is exposed to WAN, then MAC rules will not work, but you can specify an incoming IP or IP range... in the GUI, and that's all.... At the end of the day dropbear is not that bad...
Its code is smaller than OpenSSH and it does work as intended... If you are not happy with dropbear you can try using OpenSSH via Entware... as well there are other SSH solutions that..

As far as blocking a range of IPs or a single IP, you better use ipset rules as those are hash based, and in case of too many IPs to block, those do not slow down the router performance...
For more on the subject have a look at egc's guide here: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261

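The rules in the post above, put together as a small script. This is an added example, not code from the post or from DD-WRT: it generates the REJECT-then-ACCEPT rules for LAN-side SSH and an ipset-based blocklist, and by default only prints the iptables/ipset commands (DRY_RUN=1) so they can be reviewed before being pasted into the router's firewall script. The interface name br0, the set name ssh_block, the MAC address and the IP addresses in the usage lines are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): builds the SSH restriction rules the
# post describes. With DRY_RUN=1 (the default) the iptables/ipset commands are
# printed instead of executed, so the result can be reviewed before it goes
# into the DD-WRT firewall script. Interface br0, the MAC and the addresses
# in the usage lines at the bottom are constructed sample values.

DRY_RUN=${DRY_RUN:-1}
SSH_PORT=${SSH_PORT:-22}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Restrict LAN-side SSH to the given sources (MAC addresses or IPv4
# addresses/CIDRs). The REJECT goes in first: iptables -I inserts at the top
# of the chain, so every ACCEPT inserted afterwards sits above it and is
# evaluated first. Inserting the REJECT last would shadow all the ACCEPTs.
ssh_lan_restrict() {
    lan_if=$1
    shift
    run iptables -I INPUT -i "$lan_if" -p tcp --dport "$SSH_PORT" \
        -j REJECT --reject-with tcp-reset
    for src in "$@"; do
        case $src in
            *:*:*:*:*:*)
                # Six colon-separated groups: a MAC address. MAC matching only
                # works on the LAN bridge; a WAN-side source has no usable MAC.
                run iptables -I INPUT -i "$lan_if" -p tcp --dport "$SSH_PORT" \
                    -m mac --mac-source "$src" -j ACCEPT
                ;;
            *)
                run iptables -I INPUT -i "$lan_if" -p tcp --dport "$SSH_PORT" \
                    -s "$src" -j ACCEPT
                ;;
        esac
    done
}

# Block many networks with one ipset lookup instead of one iptables rule per
# address: hash:net matching cost does not grow with the size of the list.
ssh_blocklist() {
    setname=$1
    shift
    run ipset create "$setname" hash:net -exist
    for net in "$@"; do
        run ipset add "$setname" "$net" -exist
    done
    run iptables -I INPUT -p tcp --dport "$SSH_PORT" \
        -m set --match-set "$setname" src -j DROP
}

# Usage (dry run): inspect the generated rules before applying them.
ssh_lan_restrict br0 AA:BB:CC:DD:EE:FF 192.168.1.102
ssh_blocklist ssh_block 203.0.113.0/24 198.51.100.7
```

Run it with DRY_RUN=0 on the router (as root, with the ipset module available) to apply the rules; the printed order is the order the commands must be issued in, because each `-I` lands above the previous one.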
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat Jan 14, 2023 17:30    Post subject:
No one asked for it, but it's good.

And the problem is not dropbear alone but the configuration options that DD-WRT offers.
For example, you can't permanently disable the SSH banner, because as soon as you press "apply" in the Services tab, dropbear will start again with the banner parameter.
Secondly, you can't permanently create additional users in the system ... as the filesystem is ro (read only).

Thirdly, you don't seem to have understood the security concept of a jump host ....

A jump host is a hardened server.
Imagine on a multi-user system you can easily create permanent unprivileged users and use them e.g. for SSH.

This has the following advantages: firstly, the user is not known to attackers and for this reason alone authentication fails.
In the absolutely unlikely case that an attacker can crack the combination of an unknown user and a strong SSH key and get into the jump host, then he still can't do any damage there because the user is unprivileged and the change to a privileged account is only possible by cracking another key.
The attacker can also not connect to other servers in the security zone because for this again the combination of an unknown user and a second strong SSH key is needed, and the needed private keys are not on the jump host.
Furthermore, a well configured jump host sends emails when e.g. someone logs in via SSH.
Therefore the router is not directly attackable from the outside at all.
And the router cannot be overloaded with DDoS attacks.

So why should I install OpenSSH via Entware on the router?
This is not an adequate solution.

Cool
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1008

PostPosted: Sat Jan 14, 2023 23:24    Post subject:
ho1Aetoo wrote:
don't forget to secure the webif with a 10000 bit key


I think I missed something. What is that?

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sun Jan 15, 2023 7:52    Post subject:
It is a joke Smile
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sun Jan 15, 2023 12:50    Post subject:
In case anyone is wondering how the jump host stuff works:

Code:
ssh -vJ phae1the@192.168.1.110:22 root@192.168.1.1 -p 22

debug1: Connecting to 192.168.1.110 [192.168.1.110] port 22.
debug1: Connection established.

debug1: Authenticating to 192.168.1.110:22 as 'phae1the'
debug1: kex: host key algorithm: ssh-ed25519

debug1: Offering public key: /home/...../.ssh/id_ed25519_.... ED25519 SHA256:.........................................4 agent
debug1: Server accepts key: /home/...../.ssh/id_ed25519_.... ED25519 SHA256:..........................................4 agent
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.110 ([192.168.1.110]:22)
debug1: channel_connect_stdio_fwd 192.168.1.1:22

debug1: Authenticating to 192.168.1.1:22 as 'root'
debug1: kex: host key algorithm: ssh-ed25519

debug1: Offering public key: ED25519 SHA256:..........................................Y agent
debug1: Server accepts key: ED25519 SHA256:..........................................Y agent
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.1 (via proxy)

==========================================================
 
     ___  ___     _      _____  ______       ____  ___
    / _ \/ _ \___| | /| / / _ \/_  __/ _  __|_  / / _ \
   / // / // /___/ |/ |/ / , _/ / /   | |/ //_ <_/ // /
  /____/____/    |__/|__/_/|_| /_/    |___/____(_)___/
                                                     
                       DD-WRT v3.0
                   https://www.dd-wrt.com


==========================================================


BusyBox v1.35.0 (2022-11-16 16:55:11 +07) built-in shell (ash)

root@DD-WRT:~#




Code:
ssh phae1the@192.168.1.110
phae1the@raspberry4:~$ ls -al .ssh
total 16
drwx------ 2 phae1the phae1the 4096 Dec 27  2020 .
drwxr-xr-x 6 phae1the phae1the 4096 Jan 15 10:18 ..
-rw------- 1 phae1the phae1the   95 Dec 25  2020 authorized_keys
-rw-r--r-- 1 phae1the phae1the  586 Jan 14 19:33 known_hosts
phae1the@raspberry4:~$ ssh root@192.168.1.1
DD-WRT v3.0-r50906 std (c) 2022 NewMedia-NET GmbH
Release: 11/16/22
Board: Netgear R7800
root@192.168.1.1: Permission denied (publickey).

phae1the@raspberry4:~$ sudo mc
[sudo] password for phae1the:
phae1the is not in the sudoers file.  This incident will be reported.


Works great with several different hosts and different SSH keys,
and this can be configured via the ProxyJump config so that you only have to enter "ssh host" and everything else is done automatically.

In principle, you can think of it as a matryoshka or onion, a tunnel in the tunnel of a tunnel.
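The ProxyJump configuration the post refers to, written out as an added example that is not part of the post: an ~/.ssh/config that reproduces the `ssh -J phae1the@192.168.1.110 root@192.168.1.1` hop shown above so that `ssh ddwrt` does both steps. The host aliases jump and ddwrt and the two key file names are assumptions; the addresses and user names are the ones from the post's listing.

```sshconfig
# Added example (not from the thread). Two hops, two separate keys:
# the client authenticates to the jump host with one key and, through the
# forwarded TCP connection, end-to-end to the router with the other.
# Aliases and key file names are assumed; addresses/users come from the post.

Host jump
    HostName 192.168.1.110
    User phae1the
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes
    ForwardAgent no

Host ddwrt
    HostName 192.168.1.1
    User root
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_router
    IdentitiesOnly yes
    ForwardAgent no
```

With ProxyJump the jump host only relays the TCP connection (the `channel_connect_stdio_fwd 192.168.1.1:22` line in the debug output above); the router's key never leaves the client, which is why the second listing in the post shows `Permission denied (publickey)` when the jump host itself tries `ssh root@192.168.1.1`. `IdentitiesOnly yes` keeps the client from offering every key in the agent to each hop, and `ForwardAgent no` keeps the agent socket off the jump host.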
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1008

PostPosted: Sun Jan 15, 2023 19:28    Post subject:
egc wrote:
It is a joke Smile


That was my first thought, but I've been naive to so many things around here I did not want to respond with a LOL.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sun Jan 15, 2023 19:47    Post subject:
Smile