A plan of secure access from WAN involving a non-root user and OpenSSH

Hello! I am new to both OpenWrt and Linux and just managed to get a new TP-LINK C7 version 5 flashed with OpenWrt. The flashing went swimmingly. Thanks.

I plan to send this C7 to my mother's house and take care of it over Internet.

I therefore came up with the following plan of "secure access" involving a non-root user and OpenSSH.

I would appreciate it if you take a look at it and see whether there is anything hare-brained in it.

The plan:

  1. Add a new user bobby to C7.

Note. I am somewhat concerned about OpenWrt being a "single user mode OS," as per this post. But the post does not seem to say anything against what I propose to do below.

  2. Replace Dropbear with OpenSSH per this Old OpenWrt Wiki article.

Note. By the end of the process, OpenSSH listens on port 22, and Dropbear on port 2222 (unless Dropbear is stopped and disabled).

  3. Create an SSH key pair for bobby, and add public key to C7's /home/bobby/.ssh/authorized_keys.

Note. I don't add any public key to C7's /root/.ssh/authorized_keys

  4. Set OpenSSH to disallow password authentication, i.e. to use key authentication only.

  5. Set a C7 (WAN to LAN) port forward rule whereby C7 redirects e.g. WAN port 20022 to 192.168.1.1:22 (or whatever is C7's LAN side I.P. address:whatever is OpenSSH's listening port).

Note. By now, the only allowed from-WAN SSH-ing into C7 is for user bobby to use port 20022 and the right private key (matching the public key added to C7's bobby).

  6. Let us say C7 is sitting in Los Angeles, and I am in New York. From New York, set up an SSH tunnel to C7 choosing dynamic port forwarding, thus causing C7 to become New York's SOCKS proxy.

  7. Set New York's Web browser to use the tunnel as SOCKS proxy, point Web browser to 192.168.1.1 (C7's LAN side I.P. address), see LuCI load, and login as root.

  8. If I need command line to tweak any C7 router settings, SSH into C7 as bobby and use "su" or "sudo" to acquire root privileges.

  9. Since I can create SSH tunneling into C7, use C7 as my SOCKS proxy for Internet surfing or to RDP or VNC "over SSH" into computers living in C7's LAN.

That ends the plan.

I understand that exposing an OpenWrt router to WAN is dangerous. But if the exposure is limited to SSH by key authentication, as per above, it would be no more or less dangerous than exposing any other computer on the same limited basis. Right?

I have known OpenWrt only a few days and am just coming from Windows to Linux. I may be talking much nonsense and would love to have it exposed before I actually implement it. Thanks.
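Steps 3 and 4 of the plan stand or fall on what sshd actually has in effect, so here is an added check (not from the thread or from OpenWrt) that reads an sshd_config and fails if password authentication is still possible or root login is permitted. The config it reads is a constructed sample; point `SSHD_CONFIG` at the real file on the router instead.

```shell
#!/bin/sh
# Added example: audit sshd_config for key-only, non-root access.
# The config written below is a constructed sample, not a real router's file.
SSHD_CONFIG=$(mktemp)
cat > "$SSHD_CONFIG" <<'EOF'
# constructed sample of /etc/ssh/sshd_config
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers bobby
EOF

# sshd_value FILE KEY: print the effective value of KEY. Like sshd, the
# first occurrence wins; comments and keyword case are ignored.
# (Match blocks are not evaluated; keep the checked options at top level.)
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: return 0 if every required setting holds, 1 otherwise,
# printing each weak setting found. An absent PubkeyAuthentication is fine
# because sshd defaults it to yes.
audit_sshd() {
    f=$1
    rc=0
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_value "$f" ChallengeResponseAuthentication)" = "no" ] \
        || { echo "ChallengeResponseAuthentication must be no (keyboard-interactive passwords)"; rc=1; }
    [ "$(sshd_value "$f" PubkeyAuthentication)" != "no" ] \
        || { echo "PubkeyAuthentication is disabled"; rc=1; }
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin should be no; root gets no authorized_keys anyway"; rc=1; }
    return $rc
}

audit_sshd "$SSHD_CONFIG" && echo "sshd_config: OK"
```

Run it again after every edit and after `sshd -T` if you want the daemon's own view of the effective settings.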

Your best option is to set up a vpn. Wireguard is a particularly good vpn protocol for this because it allows you to have external access enabled such that connecting is easy and high performance, but it will not respond to probes or port scans. This is preferable since this will prevent random people/bots from hammering on your router looking for vulnerabilities and/or trying to discover credentials.

1 Like

Thank you. Eventually I plan to "move up" to VPN. I am looking at Wireguard and OpenVPN. As of today, my competency is limited to SSH (severely limited even there). I would appreciate it very much if you kindly reviewed this "plan" of mine for what it is, to see if there was any glaring hole in it, obvious to an expert.

The “hole” in your plan is that you will be opening ssh to the internet. This is not advisable if it can be avoided.

Another issue is that you aren’t protecting your router by setting up a non-root account that has super user privileges. If your account gets compromised, they will have your password so they can su all they want.

1 Like

you need more layers such as;

  • source ip or vlsm allow rule
  • port knock
  • syn connect limit / (persistent) ban ipset
  • time based rules
  • possible fail2ban style dropping/alerting mechanism to gauge your exposure...

key alone is not enough... if I had to choose one of the above... it would be the syn connect limit ipset... or the best a vpn as @psherman mentions...

2 Likes
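For the last bullet in the reply above, a fail2ban-style pass over sshd log lines, here is an added example (not from the thread or any OpenWrt package). The log lines are constructed in the format OpenSSH writes to syslog and `logread` shows on OpenWrt; the IPs are documentation addresses.

```shell
#!/bin/sh
# Added example: count failed SSH attempts per source IP and list ban
# candidates. Log lines below are constructed, not captured from a router.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mon Mar  4 02:10:01 2024 authpriv.info sshd[1201]: Invalid user admin from 203.0.113.5 port 50210
Mon Mar  4 02:10:02 2024 authpriv.info sshd[1201]: Connection closed by invalid user admin 203.0.113.5 port 50210 [preauth]
Mon Mar  4 02:10:09 2024 authpriv.info sshd[1204]: Invalid user pi from 203.0.113.5 port 50222
Mon Mar  4 02:10:10 2024 authpriv.info sshd[1204]: Connection closed by invalid user pi 203.0.113.5 port 50222 [preauth]
Mon Mar  4 02:10:15 2024 authpriv.info sshd[1207]: Connection closed by authenticating user root 203.0.113.5 port 50240 [preauth]
Mon Mar  4 02:11:40 2024 authpriv.info sshd[1210]: Failed publickey for bobby from 198.51.100.7 port 41002 ssh2: ED25519 SHA256:placeholder
Mon Mar  4 02:12:03 2024 authpriv.info sshd[1213]: Accepted publickey for bobby from 198.51.100.7 port 41010 ssh2: ED25519 SHA256:placeholder
EOF

# failed_by_ip LOG: print "count ip", most active source first.
# Counts "Invalid user", "Failed password/publickey" and preauth
# disconnects; the IP follows "from" or, failing that, is the first
# dotted-quad field (the "Connection closed by ... user X IP port" form).
failed_by_ip() {
    awk '
        /sshd\[/ && (/Invalid user/ || /Failed (password|publickey)/ \
                     || /Connection closed by (invalid|authenticating) user/) {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "")
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $i; break }
            if (ip != "") n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# ban_candidates LOG THRESHOLD: IPs with at least THRESHOLD failures.
ban_candidates() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "failures per source:"
failed_by_ip "$LOG"
echo "candidates for a ban ipset (>= 3 failures):"
ban_candidates "$LOG" 3
```

On the router, `logread | failed_by_ip /dev/stdin` gives the same view of who is knocking; one legitimate failed key attempt from your own address, as in the sample, stays below the threshold.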

It is worth stating that setting up WireGuard is actually easier than the plan outlined in the OP.

2 Likes

Thank you. Could you elaborate a little on "syn connect limit." You don't have to explain. Just some keywords to use on a Google search, e.g. name of command or protocol that I would implement.

1 Like

"ssh syn ipset" (limit||recent) or just "iptables limit blacklist" or something

(won't save you from a botnet but will deter 97% script kiddie probes and whatnot... which if you watch your firewall logs... will reach thousands within days)

Thank you. I believe I'm sold on Wireguard. Is there any "Start here if you are installing Wireguard on OpenWrt"-type resources you can recommend? I can Google for them. But if there is one you might already have in mind.

Well I guess google would have pointed you back to here

2 Likes
