
EdgeMax EdgeRouter & SSH


OP06D

Occasional Visitor
Came across this while configuring my EdgeRouters and thought it may be of use to someone getting started with their configuration. Ubiquiti has a great step-by-step guide on their website and Tim H. has gone over their config here too. What I haven't seen in particular was any reference to the default state of SSH on the router. Ubiquiti mentions that SSH is enabled by default, which is a great help with configuration. However without investigating further, and what I almost overlooked is, that "SSH is enabled by default and the router is listening for ssh on ALL interfaces", which includes the WAN. :eek: The Ubnt knowledge base goes over this and provides easy CLI commands to secure/disable SSH on the WAN interface so as not to expose your router to attack.

http://community.ubnt.com/t5/EdgeMAX-CLI-Basics-Knowledge/EdgeMAX-Connect-to-CLI-via-SSH/ta-p/472425

Thought this may help someone who is just getting started with their configuration.
 
In the later versions of the firmware, you can change the SSH port from the WebGUI by going to System -> Management -> SSH Server -> Port.

To block SSH on "WAN" (the assigned interface), simply add a firewall rule, local on the interface (equivalent to "IN" on "Interface"), set to Deny/Block with destination port as the SSH port.

If you're using an older firmware where these options are not exposed, do upgrade. Using the CLI on EdgeOS can be quite a PitA to deal with (VPN and disabling the VOIP ALG still need to be done via CLI though).
 
However without investigating further, and what I almost overlooked is, that "SSH is enabled by default and the router is listening for ssh on ALL interfaces", which includes the WAN. :eek:

I am using ER-e100.v1.5.0.4677648.tar, which to the best of my knowledge does not have any security issues like ports being open on the WAN. SSH is not accessible from the outside:

Code:
nmap -Pn -sS xxx.xxx.xxx.xxx -p22

Starting Nmap 6.25 ( http://nmap.org ) at 2014-11-02 00:10 CET
Nmap scan report for xxx.xxx (xxx.xxx.xxx.xxx)
Host is up.
PORT   STATE    SERVICE
22/tcp filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 2.22 seconds

That said, it should be noted that I used the WAN+2LAN wizard, which will create a stateful firewall not allowing any direct inbound connections on the WAN port.
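
The "local" firewall rule and the stateful WAN policy discussed in this thread, written out as EdgeOS CLI commands. This is an added example, not taken from any post or from Ubiquiti's guide; it assumes eth0 is the WAN interface, 192.168.1.1 is the router's LAN address and SSH is on port 22, and the ruleset name WAN_LOCAL and the rule numbers are arbitrary choices.

```edgeos
configure

# Ruleset for traffic addressed to the router itself ("local" direction).
# Anything not explicitly accepted below is dropped.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "WAN to router"

# Stateful part: accept only replies to connections the router initiated.
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description "Allow established/related"
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description "Drop invalid state"
set firewall name WAN_LOCAL rule 20 state invalid enable

# Explicit SSH block. Redundant with default-action drop, but it keeps
# SSH closed if the default is ever loosened, and it logs the attempts.
set firewall name WAN_LOCAL rule 30 action drop
set firewall name WAN_LOCAL rule 30 description "Drop SSH from WAN"
set firewall name WAN_LOCAL rule 30 protocol tcp
set firewall name WAN_LOCAL rule 30 destination port 22
set firewall name WAN_LOCAL rule 30 log enable

# Attach the ruleset to the WAN interface for router-bound traffic.
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# Second layer: make sshd listen on the LAN address only,
# instead of on all interfaces (assumed LAN address).
set service ssh listen-address 192.168.1.1

commit
save
exit
```

Apply this from a LAN-side session so the change cannot cut off your own connection. The nmap check shown in the last post, run from an outside host, should then report 22/tcp as filtered.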
 