[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server
Alberto Bursi
bobafetthotmail at gmail.com
Wed Feb 14 14:24:58 PST 2018
On 02/14/2018 10:53 PM, David Woodhouse wrote:
> On Wed, 2018-02-14 at 22:51 +0100, Alberto Bursi wrote:
>> Just change the WAN ssh port number to something in the dynamic port
>> range, pretty much 0 bots scan beyond the few well-known ports
>> range, and you save CPU resources too.
> We're talking about the default config here though. Please let's not
> encourage bogus security-through-obscurity measures in that context.
Your firewall rules weren't about security either but about thwarting
dumb bots doing internet-wide scans.
And for that I think there are better ways that also save CPU resources,
as I said.
The security here still comes from having ssh using a key instead of a
password, or at the very least a very good password. (although I still
think the key is much better)
I quite frankly don't see why the default config should even enable ssh
on WAN at all (apart from special cases on some devices that only have
one port maybe), if the user wants to he should set it up on his own.
-Alberto