Joined: 16 Nov 2015 Posts: 3655 Location: UK, London, just across the river..
Posted: Wed Sep 04, 2019 11:34 Post subject:
first start with router model and current build running...
there are few scripts for geo blocking, as well you can block IP's or range of IP's
via IPtables rules, also you can block stuff via DNSmasq rules.
well known practice is, to not expose SSh via WAN...
if you do than change its default port to something else like port 50000 or any port above port 1000..
as well disable SSh password log in and log with key file (password protected)
with max encryption..i think DDWRT SSh key can be SSH-2 RSA 2048 bit max i use puttygen to create my keys
to limit attempts per time you also need SSh iptables rules..
than you can sleep well...
personally i never expose GUI on WAN side, no excuse...no shit.. _________________ Atheros
TP-Link WR740Nv1 ------DD-WRT 43718 BS AP,NAT
TP-Link WR740Nv4 ------DD-WRT 43028 BS WAP/Switch
TP-Link WR1043NDv2 ----DD-WRT 43516 BS AP,NAT,AD Block,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----DD-WRT 43718 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN
TP-Link WR1043NDv2 ----Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Netgear R7800 -------DD-WRT 43718 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Netgear R7000 -------DD-WRT 43718 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
Stubby for DNS over TLS I DNSCrypt v2 by mac913
Joined: 04 Aug 2018 Posts: 803 Location: Appalachian mountains, USA
Posted: Wed Sep 04, 2019 15:53 Post subject:
Ok, uhm, for some reason, disabling password login doesn't sound right. Either this is a DD-WRT specific anomaly, but setting authorized keys with no password just doesn't sound right to me.
I have always disabled ssh password login (GUI>Services>Services) and also disabled ssh access from the web (GUI>Administration>Management). I use ssh key login exclusively and have never had problems with it. There is generally a passphrase used also in that process, but it's just an extra check that is very distinct from password login. It's their not having the proper private key that keeps the intruders out. _________________ Five Linksys WRT1900ACSv2 routers on BS 42926:
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (AirVPN), two DNSCrypt servers (incl Quad9) routed through vpn.
Joined: 08 May 2018 Posts: 6545 Location: Texas, USA
Posted: Wed Sep 04, 2019 16:57 Post subject:
You could possibly do the same with passwords and only allowing certain ciphers, but I guess I forgot about this feature in openssh. But you would have to trust that your client keys are not compromised and cracked. Since I don't allow remote logins on WAN, and since wireless access to webUI, telnet, ssh are all blocked, I really don't worry about it, because only the wired clients would be suspect. FWIW, distributed.net is still trying to crack 72-bit keys, and they haven't even started fooling around with elliptical curve cryptography. Yet.