[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

Alberto Bursi bobafetthotmail at gmail.com
Wed Feb 14 14:24:58 PST 2018



On 02/14/2018 10:53 PM, David Woodhouse wrote:
> On Wed, 2018-02-14 at 22:51 +0100, Alberto Bursi wrote:
>> Just change the WAN ssh port number to something in the dynamic port
>> range, pretty much 0 bots scan beyond the few well-known ports
>> range, and you save CPU resources too.
> We're talking about the default config here though. Please let's not
> encourage bogus security-through-obscurity measures in that context.

Your firewall rules weren't about security either but about thwarting 
dumb bots doing internet-wide scans.
And for that I think there are better ways that also save CPU resources, 
as I said.

The security here still comes from having ssh using a key instead of a 
password, or at the very least a very good password. (although I still 
think the key is much better)

I quite frankly don't see why the default config should even enable ssh 
on WAN at all (apart from special cases on some devices that only have 
one port maybe), if the user wants to, he should set it up on his own.

-Alberto


