Does anyone have any suggestions or ideas on secure remote management of multiple LEDE routers? Something like what Untangle offers or Cucumber almost does (you can only manage wifi, nothing else). We have a few routers at residential and SOHO clients running LEDE (I think one is running OpenWRT) and would love to be able to remotely manage them without exposing the remote interface to the public. I've spent hours searching but haven't had much luck finding anything.
Just disable password authentication and enforce public/private key login for SSH? You could also set the SSH port to a non-traditional port and set up a honeypot to ban IPs dynamically.
I don't know that exposing SSH publicly is a great solution either. Even with password auth disabled, that's a huge potential hole if we come across an SSH vulnerability down the road. I'd prefer something outbound, like a reverse SSH, if anything. But I was hoping for something a bit easier to manage/setup. Thanks anyway!
You might look into http://openwisp.org/index.html. I haven't played with it yet, but it claims to handle at least some remote management for LEDE/OpenWRT.
- Make the LEDE devices VPN clients connecting to a central VPN server. Mind the direction: LEDE is the client, so no inbound access.
- The VPN network interface on every LEDE client can be firewalled as "block all except SSH". So even if someone breaks the VPN, intruders need to break SSH, too.
- The routing strategy on the central VPN server can be set to "only route TCP 22, block everything else".
- Set SSH login to "Password Authentication: false".
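As an added example (not from this thread or from the LEDE project), here is the layout in the list above turned into the concrete LEDE-side UCI fragments (network interface, firewall zone with a single SSH rule and no forwarding, dropbear with password auth off), the matching iptables rules for the central VPN server, and a small audit that checks `/etc/config/dropbear` and `/etc/config/firewall` files pulled back from each router. Assumed, since the thread does not say: the tunnel device is `tun0` on both ends (an OpenVPN-style tun interface), the LEDE logical interface and zone are called `vpn`, the admin workstation is itself another peer on the VPN server (so admin-to-router traffic crosses the server's FORWARD chain), and "only route TCP 22" is read as a FORWARD policy of DROP plus one SSH rule.

```shell
#!/bin/sh
# Added example, not from the forum post. Renders per-router config fragments
# into a staging directory (ready to scp to the router) and audits configs
# pulled back from routers. Assumptions: tunnel device tun0, zone name "vpn".
set -eu

VPN_IFNAME=${VPN_IFNAME:-tun0}   # assumption: OpenVPN-style tun device
SSH_PORT=${SSH_PORT:-22}

# Fragment to append to /etc/config/network on each LEDE router.
render_network() {
    cat <<EOF
config interface 'vpn'
	option proto 'none'
	option ifname '$VPN_IFNAME'
EOF
}

# Fragment to append to /etc/config/firewall. Deliberately no "forwarding"
# section for the vpn zone: traffic from the tunnel can reach the router
# itself on TCP/$SSH_PORT and nothing else (no LAN, no WAN).
render_firewall() {
    cat <<EOF
config zone
	option name 'vpn'
	option network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-SSH-from-VPN'
	option src 'vpn'
	option proto 'tcp'
	option dest_port '$SSH_PORT'
	option target 'ACCEPT'
EOF
}

# Replacement /etc/config/dropbear: key-only logins, root included.
render_dropbear() {
    cat <<EOF
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '$SSH_PORT'
EOF
}

# Rules for the central VPN server (assumes admin is another VPN peer):
# forward nothing between tunnel peers except SSH towards the routers.
render_server_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $VPN_IFNAME -o $VPN_IFNAME -p tcp --dport $SSH_PORT \\
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $VPN_IFNAME -o $VPN_IFNAME -p tcp --sport $SSH_PORT \\
    -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Write everything for one router into a staging directory.
render_all() {
    mkdir -p "$1"
    render_network      > "$1/network.fragment"
    render_firewall     > "$1/firewall.fragment"
    render_dropbear     > "$1/dropbear"
    render_server_rules > "$1/server-iptables.sh"
}

# Audit a dropbear config copied back from a router: 0 only if password
# auth is off for both normal and root logins.
audit_dropbear() {
    grep -q "option PasswordAuth 'off'" "$1" &&
    grep -q "option RootPasswordAuth 'off'" "$1"
}

# Audit a firewall config: the vpn zone must REJECT input and forward, and
# no forwarding section may have the vpn zone as its source.
audit_firewall() {
    awk -v q="'" '
        $1 == "config" { sec = $2; name = "" }
        $1 == "option" && $2 == "name" { name = $3 }
        sec == "zone" && name == (q "vpn" q) && $2 == "input"   { inp = $3 }
        sec == "zone" && name == (q "vpn" q) && $2 == "forward" { fwd = $3 }
        sec == "forwarding" && $2 == "src" && $3 == (q "vpn" q) { leak = 1 }
        END { exit !(inp == (q "REJECT" q) && fwd == (q "REJECT" q) && !leak) }
    ' "$1"
}

# Usage: ./render.sh ./staging/router-01   (then scp the files over)
if [ -n "${1:-}" ]; then
    render_all "$1"
fi
```

One caveat the thread's list implies but does not spell out: because the `vpn` zone has no forwarding to `lan`, a compromised VPN server (or an admin who mistyped a route) cannot reach the client's LAN at all, only the router's SSH port, which is the property the second bullet is after. Run `audit_dropbear` and `audit_firewall` over copies of each router's live config files, not over the rendered fragments, when you want to know what is actually deployed.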