SSH, LuCI questions

  1. Can I disable SSH? It is not needed for me at all. I am not familiar with CLI, so it is more like an additional attack vector than something useful.
  2. I need to use LuCI. No way to remove it. But is it possible to prevent brute force on LuCI? Any plugins? Any recommendations? Any guidance?

After googling I found this. Will it help? Or too ancient?

Device RPI4

  1. Network/administration/SSH Access->Password authentication; uncheck.

  2. Long password like 'mydoggyrunsawayallthetime'. Since by default, it is only accessible on local network (lan) you should get home and catch them before they crack that.

This will allow Key authentication? I mean disable at all. (Not delete)

If it won't accept an SSH password it won't let anyone in.

But you can test it. Just SSH in and try to log in.

Well, with full disclosure (as I missed this in the first post) if they are bold enough to bring a keyboard and a monitor, there is no terminal protection.

it assumes the router's ssh port is open for access from internet.
if you're stupid enough to do this, there's fail2ban.

You can disable or remove dropbear.

But remember your support here at the forum will be limited without ssh or serial connection.

SSH is also a way in to the router that often works when LuCI fails and before the serial connection is needed.

OP got an RPi, there's always the console, from where ssh can be reenabled.


Like I said:
They can always get into terminal with a keyboard and a monitor; if they want to remove everything.

I want to block access to it from my LAN. And protect LuCI from brute force.

Guest network is not what I need because it will create another network that will work with main network. If main network got brute forced, still an issue.

you can bind LuCI to 127.0.0.1, then you'll have to tunnel the traffic via ssh to reach it.

another option is to add an extra password in front of the webUI.
https://openwrt.org/docs/guide-user/services/webserver/uhttpd#basic_authentication_httpdconf

How will this be visible? I don’t have PC. Only Tablet (with root) and OTG support. And GL router and this device (RPi).

So will Android be able to work with it?

If you

  1. Network/administration/SSH Access->Password authentication; uncheck.

you cannot SSH in from anywhere.

Try it:
Uncheck it, save, save and apply and try to SSH in.

it should be a vanilla user/password browser popup


Ok. So I will need to enter something like:

user:pass

And then default LuCI auth? If so, ok. Good

I've told you how.

Are you asking about the wireless security letting them in Wi-Fi with poor passwords? Because you brought up the guest network.

Because those are separate issues.
I do not care they are different but if I'm thinking "protection from the internet" and you are worried about a weak Wi-Fi password getting them into the lan we would need to get on the same page.

Yes. That’s it. Not “8888888888” but not “5|#<.g.#|i#|%|

Okay, got it.

You can still use words that make a sentence or you can jumble words (runningtreebrooksaddleknightoverwatch) and that would take years to attack, even though they are words subject to a dictionary attack; you could still remember it.

And your browser, on your tablet, will offer to save the password so you do not need to.

Anything over 17 characters will take years.
Or you could get an app that makes up totally random passwords and saves them on your tablet. Use once, and Wi-Fi should save the password after the first successful login.


tried it, and it works,

Thanks! I will set it!
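
As an added example (not code from any poster in this thread), the two settings discussed above can be checked offline with a small auditor that reads the text of `/etc/config/dropbear` and `/etc/config/uhttpd` and reports password-based SSH logins and web UI listeners that are not bound to loopback. The sample configs are constructed, and the function names are hypothetical; `PasswordAuth`, `RootPasswordAuth`, `listen_http` and `listen_https` are the OpenWrt UCI option names.

```python
import shlex

# Constructed sample configs in OpenWrt UCI syntax (not taken from the thread).
DROPBEAR_SAMPLE = """
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
"""
UHTTPD_SAMPLE = """
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_http '[::]:80'
    list listen_https '127.0.0.1:443'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if tokens[:1] == ["config"] and len(tokens) >= 2:
            sections.append((tokens[1], {}))
        elif tokens[:1] in (["option"], ["list"]) and len(tokens) >= 3 and sections:
            sections[-1][1].setdefault(tokens[1], []).append(tokens[2])
    return sections

def is_loopback(listen):
    # "127.0.0.1:80" -> "127.0.0.1"; "[::1]:80" -> "::1"; a bare port binds everywhere.
    host = listen.rsplit(":", 1)[0].strip("[]")
    return host in ("127.0.0.1", "::1", "localhost")

def audit(dropbear_text, uhttpd_text):
    findings = []
    for stype, opts in parse_uci(dropbear_text):
        if stype != "dropbear":
            continue
        # Password logins stay enabled unless the option is explicitly turned off.
        for key in ("PasswordAuth", "RootPasswordAuth"):
            if opts.get(key, ["on"])[-1].lower() not in ("off", "0", "no", "false", "disabled"):
                findings.append(f"dropbear: {key} allows password logins")
    for stype, opts in parse_uci(uhttpd_text):
        if stype != "uhttpd":
            continue
        for key in ("listen_http", "listen_https"):
            for addr in opts.get(key, []):
                if not is_loopback(addr):
                    findings.append(f"uhttpd: {key} {addr} is reachable from the network")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(DROPBEAR_SAMPLE, UHTTPD_SAMPLE)) or "no findings")
```

An empty result for the uhttpd part means the web UI is reachable only from the router itself, so it then needs the SSH tunnel mentioned above.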