Posted: Wed Feb 16, 2022 19:58 Post subject: Disabling SSH, Telnet, SCP, FTP
Device: Archer C7 v5
My ultimate goal is to make my internet experience more secure (from criminals). As part of that, I think that I should have SSH, Telnet, SCP, FTP, and VPN server turned off on the router. As I understand, I can always access the device from a device wired to the router using HTTPS (I have that enabled instead of HTTP). I also plan to keep wireless radio turned off as I can do without that for now.
Is my logic reasonably sound?
I only recently installed DD-WRT so most of my settings are the default ones.
VPN server: seems to be off by default
SSH, Telnet, SCP, FTP: I can't find how to turn these off.
The closest that I could find was
Security -> Firewall: "Impede WAN DoS/Bruteforce" section: check off "Limit SSH Access," "Limit Telnet Access," "Limit PPTP Server Access," "Limit FTP Server Access."
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Fri Mar 25, 2022 15:07 Post subject:
adFFhd1 wrote:
Is my logic reasonably sound?
Not really, good luck on this endeavor though.
Basically, while DD-WRT is indeed more secure than any of the official firmwares, there is no way in hell, no matter what you do, to protect against such bad actors.
It's not just the router, it's everything you have connected, all software installed, most of the hardware on your PC, BIOS/UEFI, Intel ME and all the other bits left out of this not list.
Go to https://thehackernews.com and read the disclosed issues for the last month alone (the tip of the iceberg), now realize the undisclosed is the rest of the iceberg, around 90% of it.
So, you want to feel secure, ditch all electronics and go live under a rock and stop pretending your pseudo security changes make any real difference.
But whatever makes you sleep better at night. By all means, if the illusion is comfortable
Why so serious? C'mon and turn that frown upside down.
I think the object of the game is to not be an easy target. Let the baddies go after the lower-hanging fruit. _________________ Netgear XR500 - Gateway
R6700 v3 - Station Bridge
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Mar 31, 2022 7:46 Post subject:
So OK, it's a little unfair to say that closing services and associated ports is not going to help. Yes it obviously is, even if it's just basic like OP suggested; the fewer open doors to your house with unknown security features (possibly exploitable/broken into), the better.
Also there are other checkbox security options on DD-WRT that I personally use.
See screenshot attached.
Other basic security is to create separate networks that are blocked from communicating with each other but can get internet, for your IoT devices, Smart TVs, Smart Bulbs, Smart <insert the not so smart gadget here>, gaming consoles, and such.
Another Network for your Wifi devices, Androids, iPhones, Tablets, etc. using VAP and AP/net isolated with nat redirection for WAN access.
Another network for your most sensitive information, where you store your family photos and sensitive documents, or where you do online banking.
Use Access restrictions and either make white lists or blacklists of which devices or services you allow to connect/not connect to wan and when.
Also use Radio Time Restrictions to turn off wifi radios on router when you are sleeping.
Disable UPnP and any UPnP sharing; never use any DMZ unless you know what you're doing.
Never open ports to passive external services you don't trust or don't secure yourself. Also use non-standard ports that don't conflict with other in-use services/ports, like port 22 or port 21 or port 443.
Disable remote Access/Administration both PC (e.g. RDP) side and router side, unless you need it for a specific machine and lock it down when in use.
Use nmap to scan your public IP for open ports after doing all the above and close them, unless you are running a service that is secured and isolated.
Use secure browsers and operating systems; Windows, macOS and most Linux distros aren't it. Qubes OS (à la Snowden) is a better alternative on the Linux side. Windows is by default not secure at all and there is no secure alternative compatible with Win32/64; it can be hardened and components removed via tools like NTLite, or by plainly using the Windows 10 Chinese edition (if you can get it), which already has insecure features like Cortana/others and telemetry (Asimov) removed.
Disable all telemetry, from not only applications but OS's also.
If you're really paranoid and use smart phones, remove the camera and microphone and use external microphones when needed (à la Snowden).
Keep DD-WRT updated to the very latest available releases, and likewise your phones, software/firmware etc.; this is like a religion.
And that's basically my 101 checklist for ground level security.
Advanced stuff could include dedicated firewalls, or more advanced access lists that route only expected traffic to certain devices and drop anything else running on separate box, i.e. not your router.
Not using PCs or laptops with Intel ME (note Windows 11 ready motherboards which enable sTPM on the ME chip), TPM/sTPM or UEFI.
Don't use Windows 11 on PCs with secure core/TPM/sTPM, and never use operating systems with Microsoft/other logins, only local accounts.
Don't use online cloud storage for sensitive data from 3rd party providers.
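The nmap self-audit recommended above, written out as an added example (not code from the thread or from the DD-WRT project): it scans your public IP, then flags any open TCP port that is not on an allowlist you maintain. It assumes nmap is installed, that ALLOWED_PORTS lists the ports you deliberately expose, and that you run the scan from outside your own LAN; the sample scan output is constructed for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): scan your own public IP with nmap and
# flag any open TCP port you did not deliberately expose. Assumes nmap is
# installed and you scan from OUTSIDE your LAN (e.g. a phone hotspot).
ALLOWED_PORTS=""   # ports you intentionally expose (constructed: none)

# Print one open TCP port per line from an nmap grepable (-oG) file ($1).
open_ports() {
    awk -F'\t' '/^Host:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
            sub(/^Ports: /, "", $i)
            n = split($i, ports, /, */)
            for (j = 1; j <= n; j++) {
                split(ports[j], f, "/")
                if (f[2] == "open" && f[3] == "tcp") print f[1]
            }
        }
    }' "$1"
}

# Print open ports missing from ALLOWED_PORTS; exit status 1 if any.
unexpected_ports() {
    found=0
    for p in $(open_ports "$1"); do
        case " $ALLOWED_PORTS " in
            *" $p "*) ;;               # deliberately exposed
            *) echo "$p"; found=1 ;;   # should be closed or limited
        esac
    done
    return $found
}

# Scan all 65535 TCP ports of your public address ($1) and report.
scan_public_ip() {
    out="${2:-scan.gnmap}"
    nmap -Pn -p- -oG "$out" "$1" >/dev/null
    if unexpected_ports "$out"; then
        echo "no unexpected open ports on $1"
    else
        echo "close or restrict the ports listed above"
    fi
}

# Constructed -oG sample (router with SSH 22 and HTTPS 443 still reachable
# from the WAN), written to file $1 for a dry run without nmap.
write_sample() {
    printf 'Host: 203.0.113.5 ()\tStatus: Up\n' > "$1"
    printf 'Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (997)\n' >> "$1"
}
```

Run `scan_public_ip YOUR.PUBLIC.IP` from a network other than your own; scanning the WAN address from inside the LAN can answer with LAN-side services and give a false picture.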