lenovomen (DD-WRT Novice)
Joined: 29 Jul 2022, Posts: 30
Posted: Fri Jul 29, 2022 12:25    Post subject: Disable or Block SSH and Telnet Access
Hello,
I want to disable the SSH and Telnet access on both the wired (all connected LAN devices) and wireless (all wireless AP) side using the firewall.
I found the "Limit SSH Access" and "Limit Telnet Access" configuration options in the SECURITY-->FIREWALL settings, but they only limit attacks by hackers; they do not disable the ports.
FIREWALL:
---------
Limit SSH Access
Limit Telnet Access
Limit PPTP Server Access
Limit FTP Server Access
iptables -N bruteprotect
iptables -A bruteprotect -m recent --set --name BRUTEFORCE --rsource
iptables -A bruteprotect -m recent ! --update --seconds 60 --hitcount 4 --name BRUTEFORCE --rsource -j RETURN
iptables -A bruteprotect -j LOG --log-prefix "[DROP BRUTEFORCE] : " --log-tcp-options --log-ip-options
iptables -A bruteprotect -j DROP
How can I disable or block these ports so that they are not accessible from any device on the network at all?

Alozaros (DD-WRT Guru)
Joined: 16 Nov 2015, Posts: 6437, Location: UK, London, just across the river..
Posted: Fri Jul 29, 2022 15:23    Post subject:
For local access you just have to disable those (SSH/Telnet) from GUI Services... and they will not exist as a service and will not load....
In general Telnet is not a good/safe service...
The other way is to reject/drop the ports they use (the default SSH port is tcp 22, Telnet 23) via iptables rules...
iptables -I INPUT -p tcp --dport 22 -j REJECT
iptables -I INPUT -p tcp --dport 23 -j REJECT
If you just want to make SSH usable only for a particular client via MAC or IPs, you can make specific iptables rules for those...
For example, I want to deny the use of SSH (default port is 22):
iptables -I INPUT -p tcp --dport 22 -j DROP
iptables -I INPUT -p tcp --dport 22 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
- replace XX:XX:XX:XX:XX:XX with the MAC you want to exclusively give local (LAN) SSH access
If you have SSH for WAN turned on, turn it off (disable) from GUI Management > Web Access.
To have secure SSH from the WAN side if you decide to enable it... then use it with a secure key only... no password login for SSH...
Also if you turn on those rules "Limit SSH Access", SSH is brute-force protected, so in case someone tries it with brute force it will report and prevent its use for a period of time...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913

egc (DD-WRT Guru)
Joined: 18 Mar 2014, Posts: 12884, Location: Netherlands
Posted: Fri Jul 29, 2022 16:16    Post subject:
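The two-rule pattern above (deny the port, then insert an ACCEPT for one admin MAC on top) relies on iptables first-match order and on `-I` putting each new rule at the head of the chain, so the second insert lands above the first. The following script is an added example, not code from the thread or from DD-WRT: it generates those rules for tcp/22 and tcp/23 on the LAN bridge, inserts them only when they are not already present (re-running a firewall script otherwise stacks duplicates), and only touches the live firewall when `APPLY_RULES=1` is set. The bridge name `br0`, the `ADMIN_MAC` placeholder and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): deny SSH (tcp/22) and Telnet (tcp/23)
# on the LAN bridge except from one admin MAC, inserting rules idempotently.

ADMIN_MAC="${ADMIN_MAC:-02:00:00:00:00:01}"   # constructed placeholder, replace
LAN_IF="${LAN_IF:-br0}"                        # DD-WRT LAN bridge, assumed

# Emit the iptables argument lists for one port, one per line, in the order
# they must be inserted with -I. The REJECT goes in first; the ACCEPT is
# inserted afterwards, so it ends up above the REJECT and wins for the admin host.
lan_console_rules() {
    port=$1
    echo "INPUT -i $LAN_IF -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    echo "INPUT -i $LAN_IF -p tcp --dport $port -m mac --mac-source $ADMIN_MAC -j ACCEPT"
}

# Number of rules emitted for a port (checked by the test).
count_rules() {
    lan_console_rules "$1" | wc -l | tr -d ' '
}

# Insert a rule only if it is not already in the chain.
# iptables -C exits 0 when an identical rule exists. $1 is split on purpose.
insert_once() {
    if iptables -C $1 2>/dev/null; then
        return 0
    fi
    iptables -I $1
}

apply_console_rules() {
    for p in 22 23; do
        lan_console_rules "$p" | while IFS= read -r rule; do
            insert_once "$rule"
        done
    done
}

# Only modify the live firewall when explicitly asked and iptables is available.
if [ "${APPLY_RULES:-0}" = 1 ] && command -v iptables >/dev/null 2>&1; then
    apply_console_rules
else
    # Dry run: show what would be inserted.
    for p in 22 23; do lan_console_rules "$p"; done
fi
```

Run it without arguments to see the generated rules; run `APPLY_RULES=1 ADMIN_MAC=aa:bb:cc:dd:ee:ff sh script.sh` on the router (or paste the body into Administration > Commands as the firewall script) to insert them. Because `-m mac` only matches frames that arrive on a local segment, the MAC exception has no effect on traffic routed in from the WAN, which is why the rules bind to the LAN bridge.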
By default only Telnet is enabled from the LAN side; everything else is blocked:
Services/Services/Telnet Enable server
If you disable this there is no Telnet and only the GUI to access the router.
Disabling console access is not something I would recommend; of course Telnet is not the safest option, but SSH with keys is.
For maximum security I would disable GUI access and Telnet and keep SSH access with keys.
But hey, if your LAN network is compromised you have bigger problems.
(All IoT and other unsafe clients are of course on their own network with no access at all to the router or the safe network.)
P.S. We can give better support if you state router model and build number.
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087