SSH Access (Dropbear Instance) & SSH-Keys

How should the 2 tabs for "SSH Access" and "SSH-Keys" be configured for the router? Remote access is not needed, so I would like to configure the settings for security to prevent any access.

By default, the firewall will block access from the wan (upstream/internet).

If your lan is fully trusted, you don't need to do anything more than set a strong password on the router's root account (and wifi, too, if relevant).

You don't need to change ports -- I recommend leaving ssh alone at port 22.

If you use keys instead of passwords, that will make the system more secure from your lan, but if you disable password authentication, be aware that only hosts that have a key will be able to login via ssh.

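The lock-out caveat in the reply above (disable password logins only once a key is installed) as an added pre-flight check; this is example code, not from the thread or the OpenWrt project. It reads a dropbear UCI config and an authorized_keys file, and refuses to set PasswordAuth/RootPasswordAuth to 'off' when no key is present. The config and key samples are constructed so it runs offline; on a router the real files would be /etc/config/dropbear and /etc/dropbear/authorized_keys.

```shell
#!/bin/sh
# Added example: pre-flight check before disabling password logins in dropbear.
# Samples below are constructed; nothing here touches a live router.

# Print the value of one UCI option from a dropbear config file.
dropbear_option() {
    # $1 = config file, $2 = option name (e.g. PasswordAuth)
    awk -v k="$2" -v q="'" '$1 == "option" && $2 == k { gsub(q, "", $3); print $3; exit }' "$1"
}

# Count usable public keys (OpenSSH one-line format) in an authorized_keys file.
authorized_key_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -E '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp[0-9]+) ' "$1" || true
}

# True (exit 0) when the config already describes a locked-out box:
# passwords disabled and no key installed. This is the state worth alerting on.
locked_out() {
    [ "$(dropbear_option "$1" PasswordAuth)" = "off" ] && [ "$(authorized_key_count "$2")" -eq 0 ]
}

# Write a copy of the config with password logins disabled, but only when at
# least one key exists. Returns 1 and writes nothing otherwise.
disable_password_auth() {
    # $1 = input config, $2 = authorized_keys, $3 = output config
    if [ "$(authorized_key_count "$2")" -eq 0 ]; then
        echo "refusing: no public key in $2; disabling PasswordAuth would lock you out" >&2
        return 1
    fi
    sed -e "s/^\([[:space:]]*option[[:space:]][[:space:]]*PasswordAuth[[:space:]][[:space:]]*\).*/\1'off'/" \
        -e "s/^\([[:space:]]*option[[:space:]][[:space:]]*RootPasswordAuth[[:space:]][[:space:]]*\).*/\1'off'/" \
        "$1" > "$3"
}

# Constructed samples: the stock dropbear section and an empty key file,
# which is what a fresh OpenWrt install looks like.
TMP=$(mktemp -d)
cat > "$TMP/dropbear" <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'
EOF
: > "$TMP/authorized_keys"

if locked_out "$TMP/dropbear" "$TMP/authorized_keys"; then echo "already locked out"; fi
disable_password_auth "$TMP/dropbear" "$TMP/authorized_keys" "$TMP/dropbear.new" || echo "left PasswordAuth on"
```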

It could be needed in the future, if you encounter issues, and you will not be able to enable it back, if the web interface fails.


Not to mention that to get any meaningful support here in the forum ssh access is pretty much required sooner or later.


Well, technically your current luci connection is also “access” but to the uhttpd server at port 80 if unsecured and 443 if secured. So it isn’t any security difference to have access to port 443 or 22. The problem really is port 80.


:warning: Others have already advised you against this above. It was better to leave them at default.


  1. You don't need to touch the "SSH-Keys" tab on a default OpenWrt config - it should be empty.

I'm curious, since that's the case, are you gonna disable the web GUI too?

Thanks. I am new to all this. I don't know how the firewall is set up as well. I guess I basically should leave everything at default.


Thanks. I'm just a novice home user. :wink:


Thanks. I don't know how to disable the web GUI. All I see is a "Delete" button, no "Disable" button. How would I disable, if needed?

If needed?

You stated:

Whoa!

I hate to mention this...but you understand in order to actually access, configure, or otherwise administratively manipulate your device - that you need management access.

That's provided via (in order of easy for novice users):

  • the web GUI (you just asked how to disable this)
  • SSH - (you asked how to disable this)
  • Serial access (which can be password protected; there are also other ways to alter the serial port in the booted system) - keep in mind, this isn't available in all makes/models

:spiral_notepad: You're unwittingly creating a logical chicken-or-the-egg configuration scenario where you're eventually locked out of your own device. Unfortunately this security paradigm is strong in n00b users (no clue why).*

SSH access. :smiley: *

:+1:

*-(I was gonna suggest the delete button too and :warning: provide another warning.)

Let's be sure to clarify that remote access will typically mean the ability to connect to your router/network for administration from outside your network (i.e. from somewhere else via the internet). This is not enabled by default, and we do not recommend exposing those to the internet.

Regarding the rest of the 'default' administrative access -- you should generally leave it alone unless you have specific reasons to adjust things. Typically, your lan is considered trusted. As long as that is true and you leave the device in the default state with respect to the lan's ability to access the router, any device on your network can be used to administer the router. If you don't trust your lan, you can limit the hosts that can access the router and/or create multiple networks such that you have one that is fully trusted and the untrusted devices sit on another network that doesn't have the ability to access the router itself.


Thanks. I misunderstood and didn't realize it is not enabled by default. I researched online and read that one should disable the remote router access. So, I thought I needed to change some settings to accomplish this.

I am confused by what you are saying. I simply initially searched online on how to protect the router. One suggestion was to prevent remote access, which I thought involved changing some settings as I could not find anywhere in the GUI to simply click and disable it.

Since above suggestions were to not change anything, I thought I would just leave as defaults. But then, I saw your question, "are you gonna disable the web GUI too?". So, I replied "How would I disable, if needed?" which means that if there was a way to simply disable, maybe I can just do that as well.

"I hate to mention this...but you understand in order to actually access, configure, or otherwise administratively manipulate your device - that you need management access." I for sure do not understand as much as you. I just understand that I needed to log in, change the password, set the APN name and set up the wi-fi password. Most of the other topics in the router settings I am researching online and trying to ask questions here to get a better understanding.


Where did you search? OpenWrt forums? Other sites? Was it referring to routers in general, or OpenWrt specifically?

Remote access is not enabled by default, and there's no "remote access" checkbox -- it's a matter of changing the firewall rules to allow ssh/web access to the router, or the installation and configuration of a VPN.

I just did some google searches on how to prevent a router from hacking. Here are some examples of them mentioning to disable remote access.

I think they are just referring to routers in general. I don't recall exactly which other sites 'cause I think I landed on so many sites and read a lot and didn't keep track of everything. But then I saw this forum (from google search results) and saw some information/images posted by others that looked similar to my router and decided to post to get more advice. Thanks for the clear explanation and follow-up. :sweat_smile:

Yeah, and they give entirely generic advice that probably doesn't apply to many routers. Certainly not OpenWrt.


Thanks again. Sorry, by the way, I think I messed up earlier with a reply to someone else that wasn't supposed to be directed to you. I tried to delete it but I think I made things worse.