Close SSH for couple of hours

Hii!

I'd like to close SSH and Luci for couple of hours

( I already keep luci closed , but when I close SSH I'll be truly locked out... )

Openwrt has an option where it asks you what interface should be used for SSH ( If LAN is selected, only devices on that interface can SSH )

But if you select unspecified then every interface can SSH ... Is there a reverse of this where nothing can SSH?

( Luci deletes the entire field if I select unspecified )

Can you help me write the script...

Like disable SSH , wait given time and then enable it?

Ty

I can’t really understand why and why for a couple of hours?

What is supposed to happen during that time?
You need password anyway to log on to these connections so without password no one gets inside (unless they use serial)!?

But it is probably easiest to make some kind of parent control of port 22, 80, 443 to make this work.
Listening port setting is useless way to block it.

1 Like

For some ease of mind ... I am testing some very sketchy software and would like to close everything while that is running :sweat:

cron a likely tool.

2 Likes

Why not create an additional subnet (like a guest/IoT type network), and prevent that from accessing the router (input = reject or drop).

Or, conversely, setup another network that does have input=accept that you can use in case you run into a problem.

3 Likes

SSH with mandatory private key authentication is still considered highly secure, or as secure as access to the private key is protected.

To prevent any SSH access to the router, use a firewall rule to block TCP input on port 22. The firewall system includes support for rules that enable and disable themselves based on the time of day.

3 Likes

Mainly because I am using shite router...

It has 2 ports - One is already a guest network which has input set to reject and the other port I use for my LAN interface...

I'll try figuring out how to setup time based firewall hmm

So connect to your guest network when you're using that software.

1 Like

Physically can't... Guest router is not anywhere close to PC and I can't kick it offline while I am doing this... :face_with_spiral_eyes:

I'm confused... is this the same router?

1 Like

Um , main router has 2 ports - I use one for LAN and other for guestLAN ( There are dumb APs on guestLAN so If I remove the cable and plug it into my Pc whole network over there goes down... )

...Anyways , I think I found where to add rules, does this look OK?

Screenshot from 2023-03-18 19-04-57

What about just using the guest wifi?

1 Like

no wifi card in my PC

ok... so the firewall rule you have defined should work... but if anything goes wrong with the clock, you could have a mess on your hands.

You could create a wifi only management network (with a really strong password) and maybe other 'tricks' to make it just a bit more difficult for a casual user to hop on (simple things like no DHCP server which would then require the client device uses a static IP, etc.).

1 Like

Ty , I'll try and see how it goes!

keep in mind that you've set the start time as 22:00 and the end time as 20:00, so it'll only be accessible for 2h per day.
Also make sure your time zone is set correctly and that the clock is syncing properly with ntp.

1 Like

Good thing I left Luci open :melting_face:

Screenshot from 2023-03-18 19-32-27

Not sure what gives... I lost access to SSH at 19:27 but at 19:32 I still couldn't SSH back into router...

Edit: :zipper_mouth_face: I got the time wrong lol , swapping start/end fixes it

Why not just stop the services for the given period of time.
If something goes wrong, you could always reboot the router

cat << "EOF" >> /etc/crontabs/root
0 20 * * * /etc/init.d/uhttpd start; /etc/init.d/dropbear start
0 22 * * * /etc/init.d/uhttpd stop; /etc/init.d/dropbear stop
EOF
1 Like

Thanks! I'll give this a try

I changed your script to this?

cat << "EOF" >> /etc/crontabs/root
0 20 18 * * /etc/init.d/uhttpd stop; /etc/init.d/dropbear stop
0 1 19 * * /etc/init.d/dropbear start
EOF

This should stop dropbear and luci at 20:00:00 18th and enable dropbear at 01:00:00 on 19th?

Edit:Well it didn't stop anything...

I can still access both at his time:
Screenshot from 2023-03-18 20-04-55