How to disable SSH access to my router

How do I disable SSH access to my router? I only need LuCI now, but I must be able to enable SSH again if I need it.

It is not recommended to do this, but simply disable dropbear.

1 Like

Why? What consequences can I expect? Won't I be able to enable it again?

Also, doesn't it decrease my security by adding an additional attack vector?

You can certainly re-enable it. The problem is that you might need to re-enable it when you don't have access via the LuCI interface... and in that case, you're stuck (there are still ways to fix it, but it's more work).

Actually, the web server is a more likely issue from the perspective of attack vectors. I'd disable that before disabling ssh.

But, if your lan is trusted, neither should be a significant risk.

If your lan isn't trusted, neither should be allowed and then there are other approaches you can take to create a management network that can access the router.

1 Like

What do you mean? The main LAN is only me; I never give out its credentials. Guest network for everyone + IoT (Xiaomi lamps).

P.S.: what is flow_offloading in the firewall? I don't want to open a separate thread just to ask this.

1 Like

So why do you feel the need to disable ssh on your lan?

1 Like

I'm afraid that someone could brute-force the main password or use some kind of vulnerability to hack in over SSH… Or am I too paranoid?

1 Like

More likely on the web interface, actually. You can use ssh keys (and not passwords) to avoid the problem with brute force password attacks. You can't do that with the web interface.

That's for you to judge... but if you're the only one on the trusted lan, you should be able to trust yourself and the devices that you deem to be trustworthy.

1 Like

Yes, that's right. But I'm afraid that someone will hack the LAN and only after that try to attack SSH, etc. If there is no reason to worry about that, then it is OK; if not, I want to be as secure as possible.

I hope this quote and Wikipedia link help.

Good encryption and strong password on wifi. Physical access protection for the router itself and any ethernet ports that might be wired elsewhere.

If you're really that concerned, create a separate management network on one of your router's ethernet ports (assuming you have a spare). Leave that disconnected except for when you actually need to make changes to your router -- then plug in a trusted computer and make those changes. With that type of configuration, you could reject all input except for DHCP and DNS so that the router is as secure as it can be.

But in the end, if you use ssh keys and disable the LuCI web interface as well as the password login for ssh, that's the most secure method short of a dedicated management network (with those same restrictions, if you really want to tighten things).

Also, if you are worried about someone hacking your trusted lan, you also need to secure your computers and other devices -- those may be more immediate targets than the router itself.

2 Likes
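As an added example (not from the thread or from OpenWrt itself), here is a POSIX shell audit of an OpenWrt /etc/config/dropbear for the settings the replies above recommend: key-only login, no root password login, and listening on lan only. Both config texts are constructed for illustration; the uci commands in the comments are the standard way to apply those settings.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenWrt /etc/config/dropbear for
# the settings recommended above (key-only login, no root password login, lan only).
# Both config texts below are constructed for illustration.

WEAK_CFG="config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'"

# Equivalent to: uci set dropbear.@dropbear[0].PasswordAuth='off'
#                uci set dropbear.@dropbear[0].RootPasswordAuth='off'
#                uci set dropbear.@dropbear[0].Interface='lan'
#                uci commit dropbear && /etc/init.d/dropbear restart
# (run only after your public key is in /etc/dropbear/authorized_keys)
HARDENED_CFG="config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'
	option Interface 'lan'"
# uci_opt NAME CONFIG_TEXT: print the value of the first 'option NAME' line, unquoted.
uci_opt() {
    printf '%s\n' "$2" | awk -v name="$1" -v q="'" \
        '$1 == "option" && $2 == name { v = $3; gsub(q, "", v); print v; exit }'
}
# audit_dropbear CONFIG_TEXT: findings go to stderr, the number of findings to stdout.
audit_dropbear() {
    cfg="$1"; findings=0
    pw=$(uci_opt PasswordAuth "$cfg")
    rootpw=$(uci_opt RootPasswordAuth "$cfg")
    iface=$(uci_opt Interface "$cfg")
    # OpenWrt's dropbear init treats both password options as 'on' when they are unset.
    if [ "${pw:-on}" != "off" ]; then
        echo "PasswordAuth not off: password logins can be brute-forced; use keys" >&2
        findings=$((findings + 1))
    fi
    if [ "${rootpw:-on}" != "off" ]; then
        echo "RootPasswordAuth not off: root password login still allowed" >&2
        findings=$((findings + 1))
    fi
    if [ -z "$iface" ]; then
        echo "Interface unset: dropbear listens on every interface, not just lan" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

echo "weak config findings: $(audit_dropbear "$WEAK_CFG")"
echo "hardened config findings: $(audit_dropbear "$HARDENED_CFG")"
```

Disabling the web server the same way is `/etc/init.d/uhttpd stop && /etc/init.d/uhttpd disable`; do it only after key-based ssh login has been verified to work, since the reply above notes you otherwise lose both ways in.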

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.