Joined: 16 Nov 2015 Posts: 2912 Location: UK, London, just across the river..
Posted: Wed Sep 04, 2019 11:34 Post subject:
First, start with the router model and the current build running...
There are a few scripts for geo-blocking; you can also block IPs or ranges of IPs
via iptables rules, and you can also block stuff via dnsmasq rules.
Well-known practice is to not expose SSH via WAN...
If you do, then change its default port to something else, like port 50000 or any port above port 1000..
As well, disable SSH password login and log in with a key file (password protected)
with max encryption.. I think the DD-WRT SSH key can be SSH-2 RSA 2048-bit max; I use PuTTYgen to create my keys.
To limit attempts per unit of time you also need SSH iptables rules..
Then you can sleep well...
Personally I never expose the GUI on the WAN side, no excuse... no shit..
_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 ----DD-WRT 41369 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----DD-WRT 41321 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ----Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
2x Netgear R7800 -------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,VLAN's,Firewall,Local DNS,DNSCrypt-proxy v2 x2)
Netgear R7000 -------DD-WRT 40270M Kong (AP,NAT,VLAN,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
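The post above recommends moving SSH off its default port and adding iptables rules that limit login attempts over time. The script below is an added example, not code from the thread or from the DD-WRT project: it builds a small iptables rule set that tracks new SSH connections from the WAN interface with the `recent` match and drops a source once it opens too many in a short window. It assumes SSH has been moved to port 50000 (the port mentioned in the post), that the WAN interface name can be read with `nvram get wan_ifname` on the router (with a constructed fallback of `vlan2` when `nvram` is absent), and that the chain name `SSH_LIMIT` and the list name `sshlimit` are free to use. `DRY_RUN=1` prints the commands instead of applying them, so the rules can be reviewed off the router.

```shell
#!/bin/sh
# Added example: rate-limit new SSH connections arriving on the WAN interface.
# Not part of the forum post or of DD-WRT; chain/list names and the vlan2
# fallback are assumptions for this illustration.

SSH_PORT="${SSH_PORT:-50000}"   # non-default SSH port, as the post suggests
HITCOUNT="${HITCOUNT:-4}"       # the HITCOUNT-th new connection in the window is dropped
WINDOW="${WINDOW:-60}"          # window length in seconds, tracked per source IP
DRY_RUN="${DRY_RUN:-0}"         # 1 = print the iptables commands instead of running them

# wan_if: DD-WRT keeps the WAN interface name in NVRAM. Off the router
# (no nvram binary) fall back to WAN_IF or the constructed default "vlan2".
wan_if() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get wan_ifname
    else
        echo "${WAN_IF:-vlan2}"
    fi
}

# run: execute the command, or echo it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ssh_ratelimit_rules: create (or reset) the SSH_LIMIT chain and hook it into
# INPUT for new TCP connections to SSH_PORT on the WAN interface.
ssh_ratelimit_rules() {
    wan=$(wan_if)
    # Own chain so re-running the script just flushes and rebuilds it.
    run iptables -N SSH_LIMIT 2>/dev/null
    run iptables -F SSH_LIMIT
    # Record the source address of every new SSH connection in list "sshlimit".
    run iptables -A SSH_LIMIT -m recent --name sshlimit --set
    # Drop when this source already has HITCOUNT entries within the last WINDOW seconds.
    run iptables -A SSH_LIMIT -m recent --name sshlimit --update \
        --seconds "$WINDOW" --hitcount "$HITCOUNT" -j DROP
    # Otherwise let the connection through to the SSH daemon.
    run iptables -A SSH_LIMIT -j ACCEPT
    # Only NEW connections on the WAN interface to the SSH port enter the chain.
    run iptables -I INPUT -i "$wan" -p tcp --dport "$SSH_PORT" \
        -m state --state NEW -j SSH_LIMIT
}

# Usage: "sh sshlimit.sh show" prints the rules, "sh sshlimit.sh apply" installs them.
case "${1:-}" in
    show)  DRY_RUN=1; ssh_ratelimit_rules ;;
    apply) ssh_ratelimit_rules ;;
esac
```

On DD-WRT this would normally be pasted under Administration > Commands and saved with "Save Firewall" so it is re-applied after every reboot; the `show` mode lets you inspect the exact rules first. The defaults (4 new connections per 60 seconds per source) are deliberately conservative; with key-only login already enforced, the limit mainly keeps the log quiet and slows scanners rather than being the primary defence.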
Joined: 04 Aug 2018 Posts: 422 Location: Appalachian mountains, USA
Posted: Wed Sep 04, 2019 15:53 Post subject:
Ok, uhm, for some reason, disabling password login doesn't sound right. Either this is a DD-WRT specific anomaly, but setting authorized keys with no password just doesn't sound right to me.
I have always disabled ssh password login (GUI>Services>Services) and also disabled ssh access from the web (GUI>Administration>Management). I use ssh key login exclusively and have never had problems with it. There is generally a passphrase used also in that process, but it's just an extra check that is very distinct from password login. It's their not having the proper private key that keeps the intruders out.
_________________
Six of the Linksys WRT1900ACSv2 on r38159 (solid), r39144 (very solid), r40009 (solid), and r40784 (trying out). On various:
VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, QoS, OpenVPN client/PBR (random NordVPN server).
Joined: 08 May 2018 Posts: 2025 Location: Texas, USA
Posted: Wed Sep 04, 2019 16:57 Post subject:
You could possibly do the same with passwords and only allowing certain ciphers, but I guess I forgot about this feature in openssh. But you would have to trust that your client keys are not compromised and cracked. Since I don't allow remote logins on WAN, and since wireless access to webUI, telnet, ssh are all blocked, I really don't worry about it, because only the wired clients would be suspect. FWIW, distributed.net is still trying to crack 72-bit keys, and they haven't even started fooling around with elliptic curve cryptography. Yet.