egc DD-WRT Guru
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sat Dec 30, 2023 7:23
ho1Aetoo wrote: | egc wrote: | WireGuard not so much and the ones on OpenVPN are not critical but at least using a VPN and SSH will get you double the "protection" |
Well, SSH has been around for 30 years and has been a reliable and secure remote administration protocol for servers ever since.
At least if you configure it carefully and update it regularly.
All software has security holes, holes we just don't know about.
Security researchers are always finding some critical theoretical vulnerability and think they have found the holy grail.
For many, the security holes are not even relevant because you need full access to exploit them anyway, sometimes even physically.
You're right, you can also add additional layers of security, like WireGuard or OpenVPN, but they also have their unknown security holes.
There is even the possibility to harden SSH further; very popular, for example, is not running the SSH server on an important system but running it on an unimportant system that acts as a jump host.
If someone manages to break in on the jump host, they can't do anything there.
SSH also offers 2 factor authentication and support for hardware keys.
So to say SSH is insecure is a bit questionable.
Have you read Matt Johnston's commit? He is of the opinion that Terrapin is currently not a security risk for Dropbear.
So once again, everything is not as bad as portrayed. |
Already in my first post I quoted you and fully agreed:
Quote: | ho1Aetoo wrote: | This is a theoretical attack in which the attacker must have access to and control over critical network infrastructure - i.e. man-in-the-middle
So go back to sleep |
That is exactly as it is. |
I learned of the Terrapin vulnerability on the day it came out. I assessed that DD-WRT was vulnerable (like all other third-party firmware and stock), but after reading up on it I did not even bother to make a thread for it, as:
a. it required a MITM
and
b. most users are following the common advice to use double protection by using a VPN
So I am not in a hurry to update.
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087