How to disable SSH (temporarily!)?

And how to re-enable it when it is needed?

Why do you want to disable SSH?

If you plan to disable SSH, you need another interface to re-enable it. Every 'simple' interface would be more insecure than securing SSH.

The router is not a computer with local monitor and keyboard.
But a router has a very good firewall to orchestrate the allowed, rejected and dropped network flow. Instead of disabling a service, you may want to configure the network.

In theory:
Within Luci -> System -> Startup -> Dropbear.
Behind that click on "Disable" and then "Stop".

Then SSH should be disabled and stopped.

If you disable it and somehow your web interface were not to work... it will be hard to do anything to fix or diagnose that. You can set up SSH to only listen on a specific interface in System -> Administration -> SSH Access -> Interface. That could be used to prevent it from being reachable from unwanted places.

Because I don’t need it. Allowing something that is not used = widening the attack vector.

That’s why I asked advice

Theoretically, I want to BAN it everywhere, and allow only from 10.0.0.9 (my tablet IP)

Re-enable there too?

Disabling dropbear will do the trick.

But be warned: if the GUI fails, there will be no way to "repair" the router - you will need to hard reset it using U-Boot then.

I would not recommend disabling SSH.
Choosing a good password and setting up SSH keys is totally fine.

Or by “reset” button.

How likely is it to happen?

I'm afraid of compromised devices in the LAN.

In my LAN my devices use a VPN (on each device) but some other devices (relatives') do not.

SSH is industry standard and very secure. I wouldn't think so much about it.
A good password (>16 chars) should usually be enough for good protection inside your LAN.

The GUI can fail, and it happens. It happens more often if you play around with your router a lot and try to install software or script something, whatever.

If you don't trust devices (like really don't trust) put them into the guest LAN.

Yes, using the "Enable" and "Start" buttons.

Just disable root logins with password and install an authorized SSH-key on it (which you store password protected on your own device).

These devices need to communicate with the printer (which is not possible in the guest network).

My devices are regularly monitored, but relatives' devices are not. They nearly always download something shady, so I needed to block more than 5000 shady domains via hosts.

Plus the guest LAN is not physically separated, so if their devices get infected by a RAT, for example, an attacker will easily bypass it just by scanning all SSIDs on one BSSID (as the guest and main networks have the same BSSID but different SSIDs).

I don’t have a PC. Only an Android laptop-tablet and many phones.

Several SSH client apps for Android can also use SSH keys. It is a VERY common way to authenticate in SSH.

Which would still not get them the password of that other SSID nor access to the other SSID.

Anyway, if you do not trust devices in your network, do not bother. Having a device connected to a VPN will not protect those devices, because that will still not physically separate them from those apparent hackers that have apparently already got into your LAN.

You have your answer. Your security measures likely are based on bullshit and I highly doubt they make any difference, but if they make you happy do as you wish.

Well, you can use the guest network or make one yourself from LuCI.

From a firewall perspective this can also work, in LuCI -> Network -> Firewall -> Traffic Rules.

You can define a new traffic rule such as:

name: yourname
src: the zone for your safe clients
dest: the zone of unsafe clients
destination ip: the ip of the printer.
destination port: optional, but tightens security even more.

Note you don't need another rule in the reverse direction; only your devices are allowed to talk to the printer, not the printer to the devices.

But since guest isolation is also active on the wireless part in LuCI -> Network -> Wireless -> guest AP (click edit), you may want to disable that if it causes issues in addition to the firewall.

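As an added example (not from any post in this thread), here is how the advice above looks in OpenWrt's UCI config files: dropbear bound to the LAN interface with key-only login, SSH allowed only from the tablet at 10.0.0.9, and the lan-to-guest printer rule. The zone names `lan` and `guest`, the printer address 10.0.0.50 and the printer port 9100 are assumptions; adjust them to your setup.

```ini
# /etc/config/dropbear
# Assumed: the trusted interface is called 'lan'.
# Keys go in /etc/dropbear/authorized_keys; with PasswordAuth off, no password works.
config dropbear
	option Port '22'
	option Interface 'lan'
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'

# /etc/config/firewall
# Rules are evaluated in file order: the ACCEPT for the tablet must come
# before the REJECT that covers the rest of the LAN. Rules without 'dest'
# apply to traffic addressed to the router itself (the SSH port).
config rule
	option name 'Allow-SSH-from-tablet'
	option src 'lan'
	option src_ip '10.0.0.9'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Reject-SSH-from-rest-of-LAN'
	option src 'lan'
	option proto 'tcp'
	option dest_port '22'
	option target 'REJECT'

# Safe clients may reach only the printer in the guest zone (10.0.0.50 is
# a made-up address). Reply packets are matched by connection tracking,
# so no rule from guest back to lan is needed.
config rule
	option name 'Allow-lan-to-guest-printer'
	option src 'lan'
	option dest 'guest'
	option dest_ip '10.0.0.50'
	option proto 'tcp'
	option dest_port '9100'
	option target 'ACCEPT'
```

After editing, apply the changes with `/etc/init.d/dropbear restart` and `/etc/init.d/firewall reload`; note that `uci commit` rewrites these files and drops the comments.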
Many thanks!

This config worked. The printer works. Put them in the guest LAN!
