SSH Dropbear question

I noticed that there is now an option in Luci in Dropbear to Bind to Interface. My current configuration is to select the interface I only use for local management, change the port, uncheck Allow SSH password authentication, uncheck Allow the root user to log in with password, and set up SSH-Keys. This is the same way I have used this in all previous versions without issue. It works fine in 25.12.0. When I select Bind to Interface, though, I lose all access. I guess I am not sure how this feature works or what I need to do to use it. I can't seem to find any documentation on this. Any suggestions on how to get this to work would be appreciated. TIA.

The "bind to interface" (also known as "listen-on interface") simply changes what address the dropbear instance will use. Specifically, let's say that the router has three local subnets:

  • 192.168.1.0/24 (router address 192.168.1.1)
  • 192.168.2.0/24 (router address 192.168.2.1)
  • 192.168.3.0/24 (router address 192.168.3.1)

By default, dropbear will listen on all 3 addresses. This means that a host can connect to any of the 3 addresses -- they're all referencing the same device after all (the router).

You can limit it to listen to only one of the addresses by binding it to an interface. In that case, the dropbear ssh instance will only be listening to one address (let's say 192.168.3.1) -- you can think of it like ignoring nicknames and only responding to your formal name.

People often mistake the interface binding option with security. It doesn't meaningfully change your security posture, though. The real security element comes from the firewall configuration.

There is a zone-level input rule that governs if the networks contained within can reach the router in general. This is typically set to ACCEPT for trusted networks, and REJECT or DROP for untrusted ones. However, in the case of an untrusted network, usually DHCP and DNS are then specifically allowed by means of adding firewall rules (otherwise hosts may not be able to join the network and/or use DNS).
It is, of course, possible to create more granular firewall rules than just at the zone level -- you could restrict to just specific IP/MAC addresses if you want.

A zone/network that allows input can reach the router's administrative surfaces (ssh, LuCI web interface) on any of the router's addresses unless the services are bound to a specific interface, in which case it would only be on the corresponding address.

It should also be noted that changing the ports for ssh and LuCI is not considered a strong security posture improvement. Security by obscurity only deters casual attackers; anyone determined will be doing a full port scan.

Changing the interface binding and/or the port number typically only increases the annoyance level for the actual admins when they try to connect (remembering the port number and/or address), but there's nothing technically wrong with using these methods. You do need to use care, though, as if you change the firewall rules and/or interfaces after binding to a specific interface, there are situations where you can be locked out.

Using ssh keys and disabling root password access is typically the best bang-for-your-buck to improve security. Since the LuCI web interface doesn't have a key method, it would be common to disable it if you need to harden your system against local attacks. But be aware that once this is in place, if you lose your keys, you'll be locked out and you'll need to use failsafe or serial to regain access.

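As an added example (not part of this thread), here is the UCI configuration that matches the setup described in the reply above: dropbear bound to a dedicated management interface with key-only authentication, a REJECT input policy on that zone, and rules that re-allow DHCP/DNS and narrow SSH to a single admin host. The interface name `mgmt`, port `2222`, and admin address `192.168.3.50` are assumed values; the UCI keys are the ones the OpenWrt dropbear and firewall packages use.

```uci
# /etc/config/dropbear (constructed example; "mgmt" and 2222 are assumed)
config dropbear
	option Port '2222'
	# listen only on the address of the "mgmt" interface
	option Interface 'mgmt'
	# keys only: no password auth at all, and no root password login
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option GatewayPorts 'off'

# /etc/config/firewall (excerpt)
config zone
	option name 'mgmt'
	list network 'mgmt'
	# nothing reaches the router from this zone unless a rule allows it
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# hosts still need DHCP to join the network and DNS to resolve names
config rule
	option name 'Allow-mgmt-DHCP'
	option src 'mgmt'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-mgmt-DNS'
	option src 'mgmt'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# SSH only from the admin workstation (assumed 192.168.3.50), on the bound port
config rule
	option name 'Allow-mgmt-SSH-admin'
	option src 'mgmt'
	option src_ip '192.168.3.50'
	option proto 'tcp'
	option dest_port '2222'
	option target 'ACCEPT'
```

Both the `Interface` binding and the `src 'mgmt'` rule exclude every other network, so the admin host must actually sit on the mgmt subnet; moving it, or renaming that network later, is exactly the lockout case the reply warns about.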

Specifically, this new “Bind to Interface” option helps differentiate the Interface and DirectInterface options in the underlying dropbear init script.


Thanks for all that info. I'm sorry for the lateness of my reply, I had something come up that I needed to attend to. I think I'm clear on this now. My initial issue with losing access when ticking the 'bind' box has disappeared. If that comes back I will post again regarding that specifically. Between the two replies above I have a much better handle on all this.

great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

Thanks dave14305, this reply was helpful. The links answered some of the questions I had.

I am posting this reply so anyone coming to this post will understand how I came to mark this one solved.

I followed the link but didn't have any option to edit. I could choose one of the two posts as the solution. I found both posts helpful. Essentially, I was asking for two things in my original post.

Why was I losing SSH access when I checked the bind to option, and secondly, more clarity on how the bind to interface works. The first issue just 'magically' disappeared, hence I didn't need to continue that line of inquiry. As for the second part of my initial post, the only way for me to mark this solved was to pick a post. I suggest anyone reading this look at both posts, as both are informative for what I was looking for. I hope this clarifies it a little bit...

