I have a question on SSH and security. I understand that this may not be specific to OpenWrt, and if this is the wrong venue to ask I apologize in advance.
I am trying to harden my setup as best I can, so I am looking to reduce exposure via SSH. I was reading up on hardening here:
https://openwrt.org/docs/guide-user/security/openwrt_security
Near the end it said:
"OpenWrt devices have 2-4 common services running, which kind of mark high-value targets for malware (even when only available in your LAN-zone): Any harmless looking web site, you have visited in your browser, could use cross site request forgery tricks, abusing an unpatched security flaw in one of these services.
These high-value services in particular are:
-the dropbear SSH server for OpenWrt commandline admin access"
And on this page:
https://openwrt.org/docs/guide-user/security/secure.access
it says:
"Also, as long as an attacker has network access to the console, he can always run a brute-force attack to find out username and password. He does not have to do that himself: he can let his computer(s) do the guessing. To render this option improbable or even impossible you can:
- not offer access from the Internet at all, or restrict it to certain IP addresses or IP address ranges
a. by letting the SSH server dropbear and the web-Server uhttpd not listen on the external/WAN port
b. by blocking incoming connections to those ports (TCP 22, 80 and 443 by default) in your firewall - make it more difficult to guess:
a. don't use the username root
b. don't use a weak password with 8 or less characters
c. don't let the SSH server dropbear listen on the default port (22) - use the combination of
a. username different than root
b. tell dropbear to listen on a random port (should be >1024): System → Administration → Dropbear Instance → Port"
c. public key authentication"
As far as I can tell I've done all of the above except public key authentication (working on it). But I am wondering if I can disable dropbear and prevent any SSH unless I want to use it. I do almost everything via Luci (I am new to all this, weak with CLI, but can do SSH and text editing okay), and so only SSH in when I need to make changes I can't do with Luci. I only SSH in via lan and only when disconnected from the Internet.
So, my question is could I delete dropbear and reinstall when I want in, or should I use the option I found here on the dropbear configuration page:
https://openwrt.org/docs/guide-user/base-system/dropbear
which is:
Set to 0 to disable starting dropbear at system boot.
or something else? I won't need to SSH in that often, and never from the Internet. I am just looking for advice on how to reduce my attack surface even more. Thanks.