
Question about SSHD

Discussion in 'Asuswrt-Merlin' started by Christian_Haitian, Apr 15, 2019.

  1. Christian_Haitian

    Christian_Haitian New Around Here

    Joined:
    Dec 1, 2018
    Messages:
    9
    Greetings,

    Is it possible to setup SSHD to require private key authentication via the WAN and only username/password via LAN? If not, is it possible to run 2 instances of SSHD so that one is LAN facing and the other is WAN facing?

    Thank you
     
  2. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    8,488
    Are you asking about SSH (not sure what SSHD is)?

    If you set the setting to 'both WAN & LAN' you can get both. No restrictions as far as I know of how many logins are allowed.

    BUT, opening up SSH on the WAN is about the worst security mistake you can make. Even with private key authentication enabled.

    You are much better off to use SSH on the LAN only. And use OpenVPN to connect to your network and also your router too. :)
     
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    29,807
    Location:
    Canada
    Not through the webui, you would have to manually configure everything if you want two separate dropbear instances.
     
  4. Christian_Haitian

    Christian_Haitian New Around Here

    Joined:
    Dec 1, 2018
    Messages:
    9
    Thank you both for your reply. I thought SSH authentication via WAN with a private key with a required passphrase was considered decent security. I use both SSH and OpenVPN as I like to have a backup just in case one solution fails when remotely connecting. I also use non-standard ports for both services. Is that not a good idea?
     
    martinr likes this.
  5. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,692
    Location:
    United Kingdom

    This is a great question. So I looked to see if there was an authoritative answer. Here’s what Merlin said in June 2018 in answer to the question:

    “Why is OpenVPN safer than SSH via keys only (i.e., no password)?”

    “The openvpn code was recently audited. I don't think dropbear code ever was. The increased security lies in the underlying code, not in the authentication mechanism itself.”

    https://www.snbforums.com/threads/r...-to-router-webui-over-http.47055/#post-411110
     
  6. Christian_Haitian

    Christian_Haitian New Around Here

    Joined:
    Dec 1, 2018
    Messages:
    9
    I see. In reviewing CVE details for Dropbear, last reported vulnerabilities were in 2017. https://www.cvedetails.com/vulnerability-list/vendor_id-15806/year-2017/Dropbear-Ssh-Project.html

    If I've found the correct dropbear that's used in Merlin's firmware, there have been routine updates to the code that include security-related fixes; however, the version in this firmware (384.8_2) was last updated in 2018. https://matt.ucc.asn.au/dropbear/CHANGES

    From what I can surmise from this discussion and research, for the most secure remote access, use OpenVPN with AES 256-bit encryption. If a backup remote access solution is needed, the dropbear SSH daemon can be used, but ensure an SSHv2 key with passphrase is implemented, disable username/password login, and be aware that there may be undocumented vulnerabilities. Also enable brute force protection. Perhaps using non-standard ports can also deter random port scanners for particular externally facing services like these as well.
     
  7. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,692
    Location:
    United Kingdom
    The key bit I guess is “and be aware that there may be undocumented vulnerabilities.” I think if you follow the US-CERT weekly vulnerability summaries and see, for example, the dozens of high severities every month for the likes of Adobe Flash and Microsoft Windows, the conclusion is to think that “maybe” is far too optimistic. On the other hand, you could argue we are happy (relatively) to keep using Windows and yet we know for certain there are and always will be further high severity vulnerabilities yet to be patched, some of which will be zero-day vulnerabilities.
     
    Last edited: Apr 17, 2019 at 11:42 AM
    thelonelycoder likes this.
  8. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    29,807
    Location:
    Canada
    There was one CVE since then, and I had already backported it back in last October.
     
  9. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    8,488
    The fewer discrete 'holes' you have in your router to your private network, the better.

    OpenVPN can be set up with two Server instances. I also haven't seen a situation when OpenVPN could not connect and SSH would. :)

    Non-Standard Ports are ideal. Opening your router's SSH interface on the WAN isn't.

    Every bot and script kiddie is waiting to practice their hack-fu on a router setup like that. ;)
     
    martinr likes this.
  10. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    1,106
    I have had mine open for years and have no problem at all. But I use a different port and key. (ecdsa-sha2-nistp521)
     
    Grisu likes this.
  11. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    8,488
    Good that you're safe, up to now. :)
     
    martinr likes this.
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,049
    Location:
    UK
    Perhaps counter-intuitively, I think using non-standard ports is one of the best defences. When vulnerabilities are discovered, either in some general software like OpenSSL or something device-specific like Asus' firmware, hackers will target the specific ports in question. They might also try using other "common" ports like 80, 443, 8080, etc. What they won't do is try the hack on every single one of the 65535 possible ports. This is too time consuming for them, with little cost-benefit, when they've got millions of other easier IP addresses to try.

    Of course the same logic doesn't necessarily apply if someone is targeting you specifically. But if you're attracting that kind of attention you've probably got bigger problems.
     
  13. Christian_Haitian

    Christian_Haitian New Around Here

    Joined:
    Dec 1, 2018
    Messages:
    9
    Interestingly enough, I’ve had situations where I could not connect to my OpenVPN server from my phone via my T-Mobile connection but I could via SSH. It seemed to occur when my mobile phone IP was an IPv6 number, but I’m not quite sure that was my issue.
     
    L&LD likes this.
  14. eibgrad

    eibgrad Regular Contributor

    Joined:
    Feb 20, 2017
    Messages:
    68
    Another safeguard is to limit what public source IPs are allowed to access your remote services. This is perhaps *the* best defense of them all since it's not possible for someone to spoof their own public IP. The problem, of course, is that you don't always know what those source IPs will be. But sometimes you do! If you're visiting the same coffee house every week, accessing from your workplace, maybe between your two homes (lucky you), then most likely you can take advantage of that fact.
     
    martinr and L&LD like this.
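Added example, not code from the thread or from the Asuswrt-Merlin project: a services-start style script that puts together the hardening steps discussed above. It starts a second, key-only dropbear instance on a non-standard port (the "manually configure everything" route RMerlin mentions for two instances), disables password logins on that instance as post 6 recommends, and uses iptables to accept that port only from an allowlist of public source IPs as eibgrad suggests, dropping the default port from the WAN entirely. The interface name `eth0`, the ports, the host key path under `/jffs` and the allowlisted addresses are constructed placeholders, and the dropbear flags are the standard ones (`-s`, `-g`, `-j`, `-k`, `-p`, `-r`, `-P`); whether the firmware's own dropbear build accepts all of them on a given release is an assumption to verify on the router. Run without arguments it prints the commands it would execute; with `apply` it executes them.

```shell
#!/bin/sh
# Added example for Asuswrt-Merlin style routers (not the firmware's own code).
# Values below are constructed placeholders; adjust for your router.

WAN_IF="${WAN_IF:-eth0}"                         # assumption: WAN interface name
WAN_SSH_PORT="${WAN_SSH_PORT:-22222}"             # non-standard port for the key-only WAN instance
LAN_SSH_PORT="${LAN_SSH_PORT:-22}"                # the firmware's LAN instance (password allowed)
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.10 198.51.100.0/24}"   # constructed allowlist (workplace, second home)
HOSTKEY="${HOSTKEY:-/jffs/.ssh/dropbear_ecdsa_host_key}"     # assumption: persistent host key on /jffs

# Compose the command for the WAN-facing dropbear instance.
#   -s     disable password logins (public key only)
#   -g     disable password logins for root as well
#   -j -k  disable local and remote port forwarding
#   -p     listen port (all addresses; the firewall below scopes it to the WAN allowlist)
#   -r     host key file, -P a separate pid file so it does not clash with the firmware's instance
wan_dropbear_cmd() {
    printf 'dropbear -s -g -j -k -p %s -r %s -P /var/run/dropbear_wan.pid\n' \
        "$WAN_SSH_PORT" "$HOSTKEY"
}

# Emit iptables commands. Every rule uses -I (insert at the head of INPUT), so
# the DROP rules are emitted first and the ACCEPT rules afterwards: after all
# commands run, the ACCEPTs sit above the DROPs and are evaluated first.
#   1. drop the default SSH port from the WAN (belt and braces beside the webui setting)
#   2. drop the WAN SSH port from every source
#   3. accept the WAN SSH port from each allowlisted source
wan_ssh_rules() {
    printf 'iptables -I INPUT -i %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$LAN_SSH_PORT"
    printf 'iptables -I INPUT -i %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$WAN_SSH_PORT"
    for src in $ALLOWED_SRC; do
        printf 'iptables -I INPUT -i %s -p tcp --dport %s -s %s -j ACCEPT\n' \
            "$WAN_IF" "$WAN_SSH_PORT" "$src"
    done
}

# Dry run by default; "apply" executes the firewall rules and starts the instance.
main() {
    if [ "$1" = "apply" ]; then
        wan_ssh_rules | sh
        eval "$(wan_dropbear_cmd)"
    else
        wan_ssh_rules
        wan_dropbear_cmd
    fi
}

main "$@"
```

Keeping the allowlist in a single variable makes it easy to audit and to re-apply from `firewall-start`, which the firmware re-runs whenever it rebuilds the firewall; if a needed source network is unknown in advance, the OpenVPN route the thread recommends remains the fallback rather than widening the allowlist.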