SSH Access

dills2214

Hello all, new to the site. Ever since I bought an RT-N66U, this site has been a great resource, so thank you!

I had a lot of trouble with VPN access in the stock firmware, as well as 5 GHz access. I also was looking for SSH, but it's not offered.

Well, I finally took the plunge, and downloaded Merlin's firmware, and I am so glad I did. It is really fantastic.

I still had trouble accessing SSH, until I disabled the firewall completely. I just wanted to make sure that was necessary, in order to ssh into the device? If so, how susceptible am I to hackers due to this change alone?


If anyone can offer any insight, please let me know. Thanks!
 
Are you trying to access it via WAN from outside your network? If so take a look at the settings in Administration - System first. I'm not sure what all these do as I don't SSH from outside (I would suspect "allow SSH access from WAN" and "allow SSH port forwarding" should do the trick) but there's one thing you definitely shouldn't do...

> I still had trouble accessing SSH, until I disabled the firewall completely. I just wanted to make sure that was necessary, in order to ssh into the device?

Don't disable the firewall! Your router and LAN devices are now completely open to the entire Internet.

> If so, how susceptible am I to hackers due to this change alone?

Huge, you're now completely unprotected!

Once you put your firewall back on and enable SSH from the outside, make sure you have a strong password - one not found in the dictionary, using upper and lower case, numbers and symbols, and change it frequently. Your SSH port will be open and it's a common attack using brute force. Might want to change your SSH port to a random one to help.
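
The brute-force attempts mentioned above show up in the router's system log, so they can be counted per source address. This is an added example, not part of the original thread: it assumes dropbear's usual syslog wording, the log lines are constructed, and `ssh_failures` is a name chosen here.

```shell
#!/bin/sh
# Added example: summarise failed dropbear logins per source address.
# Assumption: dropbear logs "Bad password attempt for ...",
# "Login attempt for nonexistent user from ..." and "Password auth succeeded for ...".

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG="Jan  5 10:00:01 dropbear[611]: Child connection from 203.0.113.7:40122
Jan  5 10:00:03 dropbear[611]: Bad password attempt for 'admin' from 203.0.113.7:40122
Jan  5 10:00:05 dropbear[611]: Bad password attempt for 'admin' from 203.0.113.7:40122
Jan  5 10:00:09 dropbear[612]: Login attempt for nonexistent user from 203.0.113.7:40310
Jan  5 10:00:12 dropbear[613]: Bad password attempt for 'admin' from 203.0.113.7:40311
Jan  5 10:02:00 kernel: constructed non-SSH line
Jan  5 10:05:10 dropbear[620]: Bad password attempt for 'admin' from 198.51.100.23:51000
Jan  5 10:05:15 dropbear[620]: Password auth succeeded for 'admin' from 198.51.100.23:51000
Jan  5 11:30:01 dropbear[640]: Bad password attempt for 'admin' from 192.0.2.50:33101
Jan  5 11:30:04 dropbear[641]: Bad password attempt for 'admin' from 192.0.2.50:33102
Jan  5 11:30:07 dropbear[642]: Bad password attempt for 'admin' from 192.0.2.50:33103
Jan  5 11:30:11 dropbear[643]: Password auth succeeded for 'admin' from 192.0.2.50:33104"

# ssh_failures THRESHOLD
# Reads syslog text on stdin and prints "<failures> <address> <status>" for every
# source with at least THRESHOLD failed attempts, busiest first. The status is
# LOGIN-SUCCEEDED when that address also logged in after failing.
ssh_failures() {
    awk -v min="$1" '
        # Ignore everything that is not a dropbear message.
        !/dropbear\[[0-9]+\]: / { next }
        # The last field is "address:port"; drop the per-connection source port.
        { addr = $NF; sub(/:[0-9]+$/, "", addr) }
        /Bad password attempt for|Login attempt for nonexistent user/ {
            fails[addr]++
            next
        }
        /Password auth succeeded for/ && (addr in fails) { ok[addr] = 1 }
        END {
            for (a in fails)
                if (fails[a] >= min)
                    print fails[a], a, ((a in ok) ? "LOGIN-SUCCEEDED" : "failed-only")
        }
    ' | sort -rn
}

# Stand-alone run over the constructed sample with a threshold of 3 failures.
printf '%s\n' "$SAMPLE_LOG" | ssh_failures 3
```

An address that fails repeatedly and then succeeds is the line to look at first, since it can mean the password was guessed.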
 
My password is definitely secure. I also don't use a standard port, but I have tried the standard port, just to see if it works, which it doesn't.

I have tried port forwarding on and off, though that won't matter, as I am not forwarding ports through the SSH client (not yet anyway).
 
Have you re-enabled your firewall though?
 
I have, though the port scans I've run don't seem to change whether the firewall is on or off, all ports show as connection refused except port 80 with firewall off.
 
> I have, though the port scans I've run don't seem to change whether the firewall is on or off, all ports show as connection refused except port 80 with firewall off.

Is it possible that your modem also has its own router/firewall functionality, which would shield any port you might open on your router?
 
I just have a Motorola SB6120 SURFboard. Nothing fancy, no wireless, docsis 3.

I will leave the firewall on. I don't want to leave unused ports open.


I just wish I could get SSH working, but I'm not sure what else to try. Opening the firewall is the only thing that has helped.


Maybe I need to manually forward the ssh port under "Virtual Server / Port Forwarding" ?
 
Settings I am using:

Using version 3.0.0.4.270.26 (Merlin Build)

Enable SSH - Yes

Allow SSH Port Forwarding - Yes

Allow SSH access from WAN - Yes

Allow SSH password login - Yes

No SSH Auth. Keys set up for now, just trying to get this working with standard login
 
> Settings I am using:
>
> Using version 3.0.0.4.270.26 (Merlin Build)
>
> Enable SSH - Yes
>
> Allow SSH Port Forwarding - Yes
>
> Allow SSH access from WAN - Yes
>
> Allow SSH password login - Yes
>
> No SSH Auth. Keys set up for now, just trying to get this working with standard login

Unfortunately I cannot reproduce the problem here. My development router always has SSH accessible from WAN, since I use scp to push test FWs from my development VM to it, so I know it does work.

Can you confirm that the SSH daemon is properly running?

Code:
ps w | grep dropbear

You should not need to forward any port - using the option to enable WAN access will open the proper port in the firewall. Make sure you do have the firewall enabled, and that you are running in Router mode (since the other modes don't really have an actual WAN interface to speak of).
 
I think I figured it out...

I manually set up port forwarding and it worked. I took that off and it still worked. I remembered I made one other change...

I think setting a host in the DMZ caused my problems. I normally put my Xbox in the DMZ because I'm not worried about port scans, and it makes online gaming work a lot better. I have always used dd-wrt in the past on other routers and this was never an issue. With this router, that must mess up the routing tables.

Oh well, I will manually forward the Xbox Live ports and leave the DMZ blank. Problem solved I think. I bet that was why I had so many issues with setting up a VPN as well.

Thanks for the help. Much appreciated. Keep up the good work too, this custom firmware is really nice. Love it!
 
Personally, I think DMZ mode should never be used except for troubleshooting firewall-related issues, or if you have a very particular network setup (for example if you are doing plain routing and no NAT). It does bring some quirks with it when you use it.
 
> Personally, I think DMZ mode should never be used except for troubleshooting firewall-related issues, or if you have a very particular network setup (for example if you are doing plain routing and no NAT). It does bring some quirks with it when you use it.

I guess I didn't realize that. From now on, I will just forward specific ports as needed. Thanks again.
 
