[OpenWrt-Devel] [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

David Woodhouse dwmw2 at infradead.org
Wed Feb 14 16:36:09 EST 2018


On Wed, 2018-02-14 at 12:34 -0700, Philip Prindeville wrote:
> Once I was messing with firewall settings and accidentally disabled
> the firewall.  Within a few minutes, there were all sorts of password
> attacks on the WAN port.  Having a sufficiently complex password
> slowed things down long enough for me to re-secure the box.

Pfft. If you had a half-decent password, the box was always secure.

If you really care, perhaps roll something like this (which I have in
my /etc/firewall.user) into the default configuration:

for PROTO in iptables ip6tables ; do
   for TABLE in forwarding_rule input_rule; do
      # 4 or more SYNs to port 22 from this address within 60 s: log it (LOG does not terminate)
      $PROTO -A $TABLE -p tcp --dport 22 --syn -m recent --name SSH --rcheck --hitcount 4 --seconds 60 -j LOG --log-prefix "SSH_BRUTE "
      # same test, but --update also records this SYN, so every retry keeps the block alive
      $PROTO -A $TABLE -p tcp --dport 22 --syn -m recent --name SSH --update --hitcount 4 --seconds 60 -j REJECT --reject-with tcp-reset
      # below the threshold: record the SYN and hand the packet back to the calling chain
      $PROTO -A $TABLE -p tcp --dport 22 --syn -m recent --name SSH --set -j RETURN
   done
done

You have the same "problem" with external access via HTTPS, surely? Are
you planning to ban password access to that too?
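
The rule set in the message above, as an added example that is not part of David's post or of OpenWrt's own code: a small Python model of the xt_recent bookkeeping behind --set, --rcheck and --update, run over constructed SYN timestamps, to show which SYN gets logged and rejected and why the second rule uses --update rather than --rcheck. The addresses, timings and the list contents are made up; the 20-entry per-address ring size is xt_recent's default ip_pkt_list_tot, and the clock is plain seconds rather than jiffies.

```python
"""Model of the xt_recent ("-m recent") bookkeeping behind the three SSH rules."""
from collections import deque

IP_PKT_LIST_TOT = 20   # xt_recent's default per-address timestamp ring size (module parameter)
SECONDS = 60           # --seconds 60
HITCOUNT = 4           # --hitcount 4


class RecentList:
    """One named list such as /proc/net/xt_recent/SSH: source address -> packet timestamps."""

    def __init__(self, maxstamps=IP_PKT_LIST_TOT):
        self.maxstamps = maxstamps
        self.stamps = {}   # src -> deque of seen-times in seconds (constructed clock, not jiffies)

    def set(self, src, now):
        """--set: add the address if new and record this packet's time (always matches)."""
        self.stamps.setdefault(src, deque(maxlen=self.maxstamps)).append(now)
        return True

    def hits(self, src, now, seconds=SECONDS):
        """Number of recorded packets from src inside the last `seconds`."""
        return sum(1 for t in self.stamps.get(src, ()) if t >= now - seconds)

    def rcheck(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--rcheck: match if src is listed with >= hitcount packets in the window; no update."""
        return src in self.stamps and self.hits(src, now, seconds) >= hitcount

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--update: same test as --rcheck, but a match also records this packet,
        so every blocked retry pushes the quiet period out again."""
        if self.rcheck(src, now, seconds, hitcount):
            self.set(src, now)
            return True
        return False


def ssh_syn(table, src, now, extend_lockout=True):
    """Walk the post's three rules for one SYN to port 22 from src.

    Returns (verdict, logged). LOG is non-terminating, so a logged packet still
    reaches rule 2. extend_lockout=False swaps rule 2's --update for --rcheck,
    which is what a variant without lockout extension would do.
    """
    logged = table.rcheck(src, now)                      # rule 1: -j LOG --log-prefix "SSH_BRUTE "
    blocked = table.update(src, now) if extend_lockout else table.rcheck(src, now)
    if blocked:                                          # rule 2: -j REJECT --reject-with tcp-reset
        return "REJECT", logged
    table.set(src, now)                                  # rule 3: --set -j RETURN (back to INPUT)
    return "RETURN", logged


def run(events, extend_lockout=True):
    """Apply the rules to (src, time) SYNs sharing one fresh list; returns verdicts in order."""
    table = RecentList()
    return [ssh_syn(table, src, t, extend_lockout)[0] for src, t in events]


# Constructed traffic, not captured data: one source sends a SYN every second,
# gets blocked, then keeps retrying every 10 s; an admin logs in three times.
ATTACKER = [("203.0.113.7", t) for t in range(6)] + [("203.0.113.7", t) for t in range(14, 75, 10)]
ADMIN = [("198.51.100.2", t) for t in (0, 5, 300)]

if __name__ == "__main__":
    for label, verdicts in (("--update (as posted)", run(ATTACKER)),
                            ("--rcheck in rule 2", run(ATTACKER, extend_lockout=False))):
        print(label, verdicts)
    print("admin", run(ADMIN))
```

The run shows the 5th SYN within 60 s being logged and reset, and that with --update the retrying source stays blocked for as long as it keeps knocking (it only gets back in after 60 s of silence), whereas with --rcheck in the second rule the block would lapse 60 s after the original burst even though the retries continued. The same list is consulted for anything hitting port 22, so an admin who opens five sessions in quick succession trips it too and has to stay quiet for a minute.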