Question about SSHD

Christian_Haitian

Occasional Visitor
Greetings,

Is it possible to setup SSHD to require private key authentication via the WAN and only username/password via LAN? If not, is it possible to run 2 instances of SSHD so that one is LAN facing and the other is WAN facing?

Thank you
 
Are you asking about SSH (not sure what SSHD is)?

If you set the setting to 'both WAN & LAN' you can get both. No restrictions as far as I know of how many logins are allowed.

BUT, opening up SSH on the WAN is about the worst security mistake you can make. Even with private key authentication enabled.

You are much better off to use SSH on the LAN only. And use OpenVPN to connect to your network and also your router too. :)
 
Not through the webui, you would have to manually configure everything if you want two separate dropbear instances.
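As an added example (not from the thread, and not part of the Merlin firmware or its webui), this is one way to do the manual configuration the reply refers to: two dropbear listeners started from Asuswrt-Merlin's /jffs/scripts/services-start hook, a LAN-facing one that still accepts passwords and a WAN-facing one on a non-standard port that is key-only. It assumes the webui SSH service is turned off so the stock instance does not already hold the ports, and that the admin account's authorized_keys file is already in place.

```shell
#!/bin/sh
# Added example for /jffs/scripts/services-start on Asuswrt-Merlin (assumed
# hook; not the firmware's own code). Two dropbear listeners with different
# authentication policies. Flags used are standard dropbear options:
#   -p [addr:]port  bind to one address only   -P file  pidfile
#   -s  disable password authentication        -I secs  idle timeout
#   -j / -k  disable local / remote port forwarding

# Build the argument list for one listener.
#   $1 = bind address, $2 = port, $3 = role: "password" (LAN) or "keyonly" (WAN)
dropbear_args() {
    args="-p $1:$2 -P /var/run/dropbear_$3.pid -I 300"
    # WAN role: refuse passwords outright, so a brute-force attempt has nothing
    # to guess, and turn off port forwarding so a leaked key is less useful.
    if [ "$3" = "keyonly" ]; then
        args="$args -s -j -k"
    fi
    echo "$args"
}

start_listeners() {
    lan_ip=$(nvram get lan_ipaddr)    # e.g. 192.168.1.1 (LAN side only)
    wan_ip=$(nvram get wan0_ipaddr)   # address of the WAN interface
    # Word splitting of the argument string is intended here.
    dropbear $(dropbear_args "$lan_ip" 22   password)
    dropbear $(dropbear_args "$wan_ip" 2222 keyonly)
}

# Set DROPBEAR_APPLY=1 in the environment to actually start the listeners;
# without it the script only defines the functions, so the argument strings
# can be checked with: . ./this_script; dropbear_args 192.168.1.1 22 password
if [ "${DROPBEAR_APPLY:-0}" = "1" ]; then
    start_listeners
fi
```

The WAN port still has to be allowed through the router firewall, and on a dynamic WAN address the WAN listener must be restarted whenever the address changes; binding to all addresses and leaving the WAN/LAN split to the firewall avoids that.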
 
Thank you both for your reply. I thought SSH authentication via WAN with a private key with required passphrase was considered decent security. I use both SSH and OpenVPN as I like to have a backup just in case one solution fails when remotely connecting. I also use non-standard ports for both services. Is that not a good idea?
 
This is a great question. So I looked to see if there was an authoritative answer. Here’s what Merlin said in June 2018 in answer to the question:

“Why is OpenVPN safer than SSH via keys only (i.e., no password)?”

“The openvpn code was recently audited. I don't think dropbear code ever was. The increased security lies in the underlying code, not in the authentication mechanism itself.“

https://www.snbforums.com/threads/r...-to-router-webui-over-http.47055/#post-411110
 
I see. In reviewing CVE details for Dropbear, last reported vulnerabilities were in 2017. https://www.cvedetails.com/vulnerability-list/vendor_id-15806/year-2017/Dropbear-Ssh-Project.html

If I've found the correct dropbear that's used in Merlin's firmware, there have been routine updates to the code that include security-related fixes; however, the version in this firmware (384.8_2) was last updated in 2018. https://matt.ucc.asn.au/dropbear/CHANGES

From what I can surmise from this discussion and research, for the most secure remote access, use OpenVPN with AES 256-bit encryption. If a backup remote access solution is needed, the dropbear SSH daemon can be used, but ensure an SSHv2 key with passphrase is implemented, disable username/password login, and be aware that there maybe undocumented vulnerabilities. Also enable brute-force protection. Perhaps using non-standard ports can also deter random port scanners for particular externally facing services like these as well.
 
The key bit I guess is “and be aware that there maybe undocumented vulnerabilities.” I think if you follow the US-CERT weekly vulnerability summaries and see, for example, the dozens of high severities every month for the likes of Adobe Flash and Microsoft Windows, the conclusion is to think that “maybe” is far too optimistic. On the other hand, you could argue we are happy (relatively) to keep using Windows, and yet we know for certain there are and always will be further high severity vulnerabilities yet to be patched, some of which will be zero-day vulnerabilities.
 
If I've found the correct dropbear that's used in Merlin's firmware, there have been routine updates to the code that include security-related fixes; however, the version in this firmware (384.8_2) was last updated in 2018

There was one CVE since then, and I had already backported it back in October.
 
Thank you both for your reply. I thought SSH authentication via WAN with a private key with required passphrase was considered decent security. I use both SSH and OpenVPN as I like to have a backup just in case one solution fails when remotely connecting. I also use non-standard ports for both services. Is that not a good idea?

The fewer discrete 'holes' you have in your router to your private network, the better.

OpenVPN can be set up with two Server instances. I also haven't seen a situation when OpenVPN could not connect and SSH would. :)

Non-Standard Ports are ideal. Opening your router's SSH interface on the WAN isn't.

Every bot and script kiddie is waiting to practice their hack-fu on a router setup like that. ;)
 
Opening your router's SSH interface on the WAN isn't.
I have had mine open for years and have had no problem at all. But I use a different port and a key (ecdsa-sha2-nistp521).
 
Good that you're safe, up to now. :)
 
Perhaps using non standard ports can also deter random port scanners for particular externally facing services like these as well.
Perhaps counter-intuitively, I think using non-standard ports is one of the best defences. When vulnerabilities are discovered, either in some general software like OpenSSL or something device-specific like Asus' firmware, hackers will target the specific ports in question. They might also try using other "common" ports like 80, 443, 8080, etc. What they won't do is try the hack on every single one of the 65535 possible ports. This is too time consuming for them, with little cost-benefit, when they've got millions of other easier IP addresses to try.

Of course the same logic doesn't necessarily apply if someone is targeting you specifically. But if you're attracting that kind of attention you've probably got bigger problems.
 
The fewer discrete 'holes' you have in your router to your private network, the better.

OpenVPN can be set up with two Server instances. I also haven't seen a situation when OpenVPN could not connect and SSH would. :)

Non-Standard Ports are ideal. Opening your router's SSH interface on the WAN isn't.

Every bot and script kiddie is waiting to practice their hack-fu on a router setup like that. ;)
Interestingly enough, I’ve had situations where I could not connect to my OpenVPN server from my phone via T-Mobile but I could via SSH. It seemed to occur when my mobile phone IP was an IPv6 address, but I’m not quite sure that was my issue.
 
Another safeguard is to limit what public source IPs are allowed to access your remote services. This is perhaps *the* best defense of them all since it's not possible for someone to spoof their own public IP. The problem, of course, is that you don't always know what those source IPs will be. But sometimes you do! If you're visiting the same coffee house every week, accessing from your workplace, maybe between your two homes (lucky you), then most likely you can take advantage of that fact.
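An added example (not from the thread) of the source-IP restriction suggested above, for a WAN-facing SSH listener on an Asuswrt-Merlin router. It assumes the /jffs/scripts/firewall-start hook and that the WAN interface name can be read from nvram; the port and the allowed networks are constructed values.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start on Asuswrt-Merlin (assumed
# hook; not the firmware's own code). Only listed public source networks may
# reach the WAN-side SSH port; everyone else is logged (rate-limited) and dropped.
CHAIN=SSH_WAN

# Emit, without running, the iptables commands for interface $1 and port $2,
# accepting the source networks given as the remaining arguments.
ssh_wan_rules() {
    iface=$1; port=$2; shift 2
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    # Remove a jump left by a previous run so the rule is not duplicated,
    # then send new WAN-side connections for the SSH port through the chain.
    echo "iptables -D INPUT -i $iface -p tcp --dport $port --syn -j $CHAIN 2>/dev/null"
    echo "iptables -I INPUT -i $iface -p tcp --dport $port --syn -j $CHAIN"
    for src in "$@"; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    # Denied attempts show up in syslog with this prefix; that is the signal
    # that someone is probing the non-standard port.
    echo "iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"$CHAIN deny: \""
    echo "iptables -A $CHAIN -j DROP"
}

# Apply the rules on the router. Constructed values: port 2222 and two
# allowed networks (a workplace range and a second home); replace with your own.
apply_ssh_wan_rules() {
    wan_if=$(nvram get wan0_ifname)
    ssh_wan_rules "$wan_if" 2222 203.0.113.0/24 198.51.100.7/32 | sh
}

# Set SSH_WAN_APPLY=1 to apply; otherwise the script only defines the functions.
if [ "${SSH_WAN_APPLY:-0}" = "1" ]; then
    apply_ssh_wan_rules
fi
```

The LAN side is unaffected because the jump is bound to the WAN interface; verify with `iptables -L SSH_WAN -n -v` and watch the syslog for the deny prefix.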
 