[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

Alberto Bursi bobafetthotmail at gmail.com
Wed Feb 14 13:51:10 PST 2018



On 02/14/2018 10:36 PM, David Woodhouse wrote:
> On Wed, 2018-02-14 at 12:34 -0700, Philip Prindeville wrote:
>> Once I was messing with firewall settings and accidentally disabled
>> the firewall.  Within a few minutes, there were all sorts of password
>> attacks on the WAN port.  Having a sufficiently complex password
>> slowed things down long enough for me to re-secure the box.
> Pfft. If you had a half-decent password, the box was always secure.
>
> If you really care, perhaps roll something like this (which I have in
> my /etc/firewall.user) into the default configuration:
>
> for PROTO in iptables ip6tables ; do
>     for TABLE in forwarding_rule input_rule; do
>        $PROTO -A $TABLE -p tcp --dport 22 --syn -m recent --name SSH --rcheck --hitcount 4 --seconds 60 -j LOG --log-prefix "SSH_BRUTE "
>        $PROTO -A $TABLE -p tcp --dport 22 --syn -m recent --name SSH --update --hitcount 4 --seconds 60 -j REJECT --reject-with tcp-reset
>        $PROTO -A $TABLE -p tcp --dport 22 --syn -m recent --name SSH --set -j RETURN
>     done
> done
>
> You have the same "problem" with external access via HTTPS, surely? Are
> you planning to ban password access to that too?
>

Just change the WAN ssh port number to something in the dynamic port
range; pretty much zero bots scan beyond the few well-known ports,
and you save CPU resources too.

-Alberto
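Added illustration (not code from David Woodhouse's message or from the LEDE project) of what the quoted `-m recent` rules actually do when a bot hits port 22: a small simulation of the xt_recent `--set`, `--rcheck` and `--update` semantics, replayed over constructed SYN arrivals. It simplifies the kernel module to whole seconds instead of jiffies and a per-address ring of 20 hit timestamps (the default `ip_pkt_list_tot`); the addresses, timings and the `RecentList`/`ssh_chain` names are assumptions for the demonstration.

```python
"""Replay of the `-m recent` SSH brute-force rules quoted above.

Models the xt_recent semantics of --set, --rcheck and --update (simplified:
whole seconds instead of jiffies; a per-address ring of at most 20 hit
timestamps, the module's default ip_pkt_list_tot) and walks constructed SYN
arrivals through the three-rule chain.  Addresses and timings are made up.
"""
from collections import deque

MAX_STAMPS = 20  # xt_recent default ip_pkt_list_tot


class RecentList:
    """One named xt_recent list, as created by `-m recent --name SSH`."""

    def __init__(self):
        self._stamps = {}  # src addr -> ring of hit times, oldest first

    def _hits_within(self, addr, now, seconds):
        # Count recorded hits inside the trailing window [now - seconds, now].
        return sum(1 for t in self._stamps.get(addr, ()) if now - t <= seconds)

    def set(self, addr, now):
        # --set: record a hit, creating the entry if needed.  Always matches.
        self._stamps.setdefault(addr, deque(maxlen=MAX_STAMPS)).append(now)
        return True

    def rcheck(self, addr, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount N: match if the address has at
        # least N recorded hits in the last S seconds.  Entry is untouched.
        return self._hits_within(addr, now, seconds) >= hitcount

    def update(self, addr, now, seconds, hitcount):
        # --update: same test as --rcheck, but a match also records a fresh
        # hit, so an address that keeps retrying never ages out of the window.
        if self.rcheck(addr, now, seconds, hitcount):
            self._stamps[addr].append(now)
            return True
        return False


def ssh_chain(recent, src, now, seconds=60, hitcount=4):
    """Walk one SYN through the quoted rules; returns (logged, verdict)."""
    # Rule 1: --rcheck ... -j LOG.  LOG is non-terminating, so just note it.
    logged = recent.rcheck(src, now, seconds, hitcount)
    # Rule 2: --update ... -j REJECT --reject-with tcp-reset.
    if recent.update(src, now, seconds, hitcount):
        return logged, "REJECT"
    # Rule 3: --set -j RETURN (back to the firewall's normal rules).
    recent.set(src, now)
    return logged, "RETURN"


def replay(arrivals, seconds=60, hitcount=4):
    """arrivals: (time_seconds, src) pairs; returns (time, src, logged, verdict)."""
    recent = RecentList()
    out = []
    for t, src in sorted(arrivals, key=lambda a: a[0]):
        logged, verdict = ssh_chain(recent, src, t, seconds, hitcount)
        out.append((t, src, logged, verdict))
    return out


def verdicts(results, src):
    """Verdicts for one source address, in arrival order."""
    return [verdict for _, s, _, verdict in results if s == src]


def logged_flags(results, src):
    """Whether each SYN from src hit the LOG rule, in arrival order."""
    return [logged for _, s, logged, _ in results if s == src]


def demo():
    # Constructed traffic: a bot sending a SYN every 5 s for 100 s, then one
    # more after a long pause; an admin opening two sessions in between.
    attacker, admin = "203.0.113.7", "198.51.100.9"
    arrivals = [(t, attacker) for t in range(0, 100, 5)] + [(200, attacker)]
    arrivals += [(30, admin), (40, admin)]
    return replay(arrivals)


if __name__ == "__main__":
    for t, src, logged, verdict in demo():
        print(f"t={t:3d}s {src:14s} {'LOG' if logged else '   '} {verdict}")
```

With `--hitcount 4 --seconds 60` the fourth SYN inside the window is the last one that reaches the `--set` rule; the fifth is the first that is logged and reset. Because rule 2 uses `--update`, every rejected SYN refreshes the bot's timestamps, so a bot that never backs off stays rejected until it has been quiet for 60 s, which also locks out a legitimate user sharing that source address (for instance behind the same NAT).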


