SSH security question

I have a question on SSH and security. I understand that this may not be specific to OpenWrt, and if this is the wrong venue to ask I apologize in advance.

I am trying to harden my setup as best I can, so I am looking to reduce exposure via SSH. I was reading up on hardening here:

https://openwrt.org/docs/guide-user/security/openwrt_security

Near the end it said:

"OpenWrt devices have 2-4 common services running, which kind of mark high-value targets for malware (even when only available in your LAN-zone): Any harmless looking web site, you have visited in your browser, could use cross site request forgery tricks, abusing an unpatched security flaw in one of these services.

These high-value services in particular are:

- the dropbear SSH server for OpenWrt commandline admin access"

And on this page:

https://openwrt.org/docs/guide-user/security/secure.access

it says:

"Also, as long as an attacker has network access to the console, he can always run a brute-force attack to find out username and password. He does not have to do that himself: he can let his computer(s) do the guessing. To render this option improbable or even impossible you can:

  1. not offer access from the Internet at all, or restrict it to certain IP addresses or IP address ranges
    a. by letting the SSH server dropbear and the web-Server uhttpd not listen on the external/WAN port
    b. by blocking incoming connections to those ports (TCP 22, 80 and 443 by default) in your firewall
  2. make it more difficult to guess:
    a. don't use the username root
    b. don't use a weak password with 8 or less characters
    c. don't let the SSH server dropbear listen on the default port (22)
  3. use the combination of
    a. username different than root
    b. tell dropbear to listen on a random port (should be >1024): System → Administration → Dropbear Instance → Port
    c. public key authentication"

As far as I can tell I've done all of the above except public key authentication (working on it). But I am wondering if I can disable dropbear and prevent any SSH unless I want to use it. I do almost everything via Luci (I am new to all this, weak with CLI, but can do SSH and text editing okay), and so only SSH in when I need to make changes I can't do with Luci. I only SSH in via lan and only when disconnected from the Internet.

So, my question is could I delete dropbear and reinstall when I want in, or should I use the option I found here on the dropbear configuration page:

https://openwrt.org/docs/guide-user/base-system/dropbear

which is:

Set to 0 to disable starting dropbear at system boot.

or something else? I won't need to SSH in that often, and never from the Internet. I am just looking for advice on how to reduce my attack surface even more. Thanks.
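As an added example (not code from the OpenWrt wiki or from anyone in this thread), here is a small POSIX shell audit of /etc/config/dropbear against the checklist quoted above: it reads the first `config dropbear` section with awk and reports each setting the wiki advises against (no LAN-only Interface, port 22 or below 1024, password authentication left on), and it recognises `option enable '0'`, the boot-disable setting asked about, as a config with nothing further to check. The UCI option names (enable, Interface, Port, PasswordAuth, RootPasswordAuth) are the real dropbear ones; the three sample config files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki or this thread: audit an OpenWrt
# /etc/config/dropbear against the hardening points quoted above.
# Option names are the real dropbear UCI ones; sample files are constructed.

# Print the value of option $2 from the first 'config dropbear' section of
# file $1 (UCI quotes stripped). Prints nothing if the option is unset.
dropbear_opt() {
    awk -v want="$2" '
        /^config[ \t]+dropbear/ { insec = 1; next }
        /^config[ \t]/          { if (insec) exit }
        insec && $1 == "option" && $2 == want { print $3; exit }
    ' "$1" | tr -d "'\""
}

# Audit file $1. Prints one line per finding; return status = finding count
# (0 means the config follows the checklist, or dropbear is disabled at boot).
dropbear_audit() {
    cfg=$1
    findings=0
    if [ "$(dropbear_opt "$cfg" enable)" = "0" ]; then
        echo "INFO: option enable '0': dropbear is not started at boot"
        return 0
    fi
    if [ -z "$(dropbear_opt "$cfg" Interface)" ]; then
        echo "WARN: no Interface set: dropbear listens on every interface, WAN included"
        findings=$((findings + 1))
    fi
    port=$(dropbear_opt "$cfg" Port)
    if [ -z "$port" ] || [ "$port" -le 1024 ]; then
        echo "WARN: Port is ${port:-22 (default)}: wiki suggests a non-default port above 1024"
        findings=$((findings + 1))
    fi
    for opt in PasswordAuth RootPasswordAuth; do
        case "$(dropbear_opt "$cfg" "$opt")" in
            off|0) ;;
            *) echo "WARN: $opt is not 'off': password guessing remains possible"
               findings=$((findings + 1)) ;;
        esac
    done
    echo "$findings finding(s) in $cfg"
    return "$findings"
}

# Constructed sample configs: OpenWrt-like defaults, a hardened one, and
# one with dropbear disabled at boot. Prints the directory they are in.
write_samples() {
    dir=${TMPDIR:-/tmp}/dropbear-audit.$$
    mkdir -p "$dir"
    cat > "$dir/default" <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
EOF
    cat > "$dir/hardened" <<'EOF'
config dropbear
    option enable '1'
    option Interface 'lan'
    option Port '2222'
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
EOF
    cat > "$dir/offboot" <<'EOF'
config dropbear
    option enable '0'
EOF
    echo "$dir"
}

# Stand-alone use: audit the live config when run on a router.
[ -r /etc/config/dropbear ] && dropbear_audit /etc/config/dropbear
```

Copied to the router and run with `sh audit.sh`, the last line audits the live config; the return status is the number of findings, so it can also be used from a cron job or a post-upgrade check. Only the first dropbear section is inspected; a second `config dropbear` instance needs its own run.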

Well, having access to SSH from the outside world has saved me several times. Especially when I'm somewhere that I wouldn't have a key with me.

Meh, pick a strong password, rotate it regularly and you're 90% there.

Create a non-privileged user, install sudo, disable root logins, and you're 99% of the way there.

Edit: I personally prefer OpenSSH over dropbear for both perceived security, as well as the ability to better handle command-bound keys and other advanced SSH techniques.

In my opinion, that last 1% isn't worth the time of either setting it up, or the frustration when you can't get access to your systems when you really need to.

(I also don't believe that using a non-standard port does much more than reducing log spam, if you've followed even the 90% recommendation.)

There are other things that will gain you more in terms of security for that time that, in my opinion, are more valuable.

(that's a link to my recent post on your other thread)

3 Likes

Limit outside access to VPN-only running with dropped privileges.
Use SSH public-key authentication and disable password authentication.

4 Likes

I would not recommend disabling SSH, as it is meant to be the last resort of accessing the device.
You can kind of do something like hiding the SSH port with knockd.

2 Likes

In addition to that, you can easily restrict public access from networks you're known to use, like your mobile provider's netblock etc., and not have it wide open.

2 Likes

Since LuCi is not safer than SSH, it does not make much sense to leave one open as a switch to open the other one...

1 Like

Thanks for the replies. I see a lot in common with the replies on the other topic I started on accessing the router via http(s)://openwrt.lan. It's all about the security approach, and that applies no matter the specific questions. I really appreciate everyone taking the time to help someone new out.

I want to ask one more question before I mark this solved. This one may be tough to answer because I suspect no one is doing what I want to do here. Based on what Jeff said above, I'd like to create a non-privileged user and disable the root login, but being new I do most things right now with Luci. This came up on another topic I started, but no one answered who had done this. It wouldn't even make sense to me if it was possible. If I am running as a non-privileged user I suspect I won't be able to make changes in Luci. If I could, then it seems it's not any better security. If I can't make changes then I can't use Luci. I understand using sudo as a non-privileged user because of my limited experience using terminal on a Linux box, but it seems there would be no way to do that in Luci (obviously).

I am asking if anyone who uses or has used a current version of Luci and disabled the root account what their experience is with this and what happens. There probably won't be anyone to answer this because anyone who knows enough to disable the root account wouldn't be messing with Luci... But, in case there is someone, I'll give this a shot.

This is my setup. Unless you are keeping national security secrets in your network, I doubt anyone will make the effort to break in.

  • Set up a VPN on a non-default port > 1024
  • Stealth the VPN port with the iptables DROP target.
  • Set up knockd to open the VPN port with a 3-knock port sequence. Also set up a sequence to close the doors again when you are done.
  • Set up ssh to listen only on the VPN subnet.
  • Set up ssh to accept only public key auth, and run it on a non-default port > 1024.
  • Set up email notifications for every door opened, just in case.

Someone evil trying to get unauthorized access will need to break port knocking, iptables, openvpn and ssh to get in... I think it is too much effort unless, as I said, you host something really valuable in your network.
Regarding Luci, you could apply the same procedure as with SSH.

1 Like

It's not that simple:

cat << "EOF" >> "${HOME}/.profile"
sudo() { read -s -p "Password: " PASSWD; echo "$PASSWD" | /usr/bin/sudo -S "${@}"; }
EOF

Agreed that there is a lot more to securing a system than securing SSH.

3 Likes
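To turn the point of the snippet above into something a defender can check, here is an added example (not from this thread or from any of its posters): a POSIX shell scanner that looks through a user's shell startup files for function or alias definitions shadowing sudo, su, ssh or doas, plus a check that a command name resolves to a real executable in the current shell rather than to a function or alias. The file list, the command list and the sample .profile are assumptions constructed for the example; the sample contains the sudo wrapper from the post above so the scanner has something to find.

```shell
#!/bin/sh
# Added example, not from this thread: scan shell startup files for function
# or alias definitions that shadow sudo/su/ssh/doas, the trick shown above,
# and check that a command name resolves to a real binary. The sample
# profile below is constructed for this example.

SHADOW_CMDS="sudo su ssh doas"

# Report definitions in startup file $1 that shadow a command in SHADOW_CMDS.
# Prints one line per hit; return status = number of shadowed commands.
find_shadowed() {
    f=$1
    n=0
    for c in $SHADOW_CMDS; do
        # Forms caught: "sudo() {", "function sudo {", "alias sudo=..."
        pat="^[[:space:]]*(function[[:space:]]+$c([[:space:]]|\(|$)|$c[[:space:]]*\(\)|alias[[:space:]]+$c=)"
        if grep -Eq "$pat" "$f"; then
            echo "SHADOWED: $c is redefined in $f"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Scan the usual startup files of the current user (list is an assumption).
scan_startup_files() {
    total=0
    for f in "$HOME/.profile" "$HOME/.bashrc" "$HOME/.bash_profile"; do
        [ -r "$f" ] || continue
        find_shadowed "$f" || total=$((total + $?))
    done
    return "$total"
}

# True when command $1 resolves to an executable path in this shell rather
# than to a function or alias: POSIX 'command -v' prints a path only for a file.
is_real_binary() {
    case "$(command -v "$1" 2>/dev/null)" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample startup file containing the wrapper from the post above.
write_sample_profile() {
    f=${TMPDIR:-/tmp}/sample-profile.$$
    cat > "$f" <<'EOF'
# constructed sample ~/.profile
export EDITOR=vi
alias ll='ls -l'
sudo() { read -s -p "Password: " PASSWD; echo "$PASSWD" | /usr/bin/sudo -S "${@}"; }
EOF
    echo "$f"
}
```

Run as `sh scan.sh` it defines the functions only; `scan_startup_files` reports on the real startup files, and `is_real_binary sudo` typed in the interactive shell itself answers the question the wrapper raises. The scan is a plain grep, so a definition sourced from another file or built at runtime is not caught; the `command -v` check in the live shell is the more reliable of the two.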

Another point is that enabling some feature requires the user to set it up and utilize it properly.
Otherwise it just leads to a false feeling of protection with close to no real effect.
Also, the user should remember that every new feature is a potential security hole.

3 Likes

Thanks for the additional replies. This information is very informative. I'll keep working on building my security using what you've all pointed out.