I want to harden the ssh security on my router. What is the most recommended way?
I currently have a password enabled to access ssh but I want to switch to an ssh key instead. Are there any instructions for the AR750? I can see in LuCI a field to add a public key, but can someone help me with some clear instructions specific to the AR750S (OpenWrt) on how to generate the private/public key? If you can forward me to a documentation page, that would be helpful as well.
Once this is done, I will disable password access and root login from LuCI and possibly change the default port as well. Is it recommended to create a new user and add that user to the sudo group?
FWIW, I will be accessing ssh from my iOS and Windows (SCP) clients.
Some believe that OpenSSH is more robust than dropbear. OpenSSH can be installed as a package.
While OK to replace dropbear post-facto, don’t build firmware without dropbear in the ROM itself without making custom accommodation for running OpenSSH under failsafe.
Thanks. I just realized that I can maybe use my WireGuard server instead and that would be secure enough? In that case, how can I whitelist just that IP for SSH access and deny everything else? Thanks.
- Generated ssh keys
- I have removed SSH password authentication altogether.
- I have disabled root login with password.
- Changed the port
I created a new user as well but I am just using root with ssh keys for now. If I want to log in with the new user, I need to copy the keys to his home directory /home/.ssh/. Am I correct?
Also, your last line “Disable Root SSH access” disables root access to SSH with a password. Am I correct?
PS. Is there a good script for our AR750S against brute attack? How do you cope with an ever growing log file?
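The steps listed above, together with the earlier question about allowing SSH only from the WireGuard server, written out as OpenWrt UCI configuration. This is an added example, not taken from any post in the thread; it assumes the WireGuard interface is the network section named `wg0`, that it sits in a firewall zone named `wg`, and that 2222 is an arbitrarily chosen port.

```uci
# /etc/config/dropbear  (added example; not from the thread)
# Stock OpenWrt values, shown only for comparison with the hardened ones:
#   option PasswordAuth 'on'
#   option RootPasswordAuth 'on'
#   option Port '22'
config dropbear
	option enable '1'
	# Client public keys (OpenSSH authorized_keys format, one per line) go in
	# /etc/dropbear/authorized_keys with mode 0600. RSA keys are accepted by
	# every dropbear release; check your dropbear version before relying on
	# ed25519, as the post above reports trouble with one.
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	# A non-default port hides nothing from a scanner, but it does thin out
	# the log noise the post above asks about.
	option Port '2222'
	# Listen only on the WireGuard interface (network section 'wg0', an
	# assumption). Dropbear then never binds the WAN or LAN addresses, so a
	# later firewall mistake cannot expose it.
	option Interface 'wg0'

# /etc/config/firewall  (rule to append; zone name 'wg' is an assumption)
# Only needed if the 'wg' zone's input policy is REJECT. The wan zone keeps
# its default input REJECT, so nothing allows SSH from the internet.
config rule
	option name 'Allow-SSH-from-WireGuard'
	option src 'wg'
	option proto 'tcp'
	option dest_port '2222'
	option target 'ACCEPT'

# Apply with:  /etc/init.d/dropbear restart && /etc/init.d/firewall restart
```

Test the new login from the WireGuard client before closing the session you applied it from: once dropbear is bound to wg0 only, a broken tunnel leaves just the serial console or OpenWrt failsafe mode as a way back in.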
FWIW, it doesn’t look like dropbear supports ed25519 keys (edit: or at least didn’t support my OpenSSL-generated one)
Personally, I’d not enable ALL ALL=(ALL) ALL but always require a password for use of sudo. Though this may be related to the suggestion around targetpw (which I don’t use on my non-OpenWrt boxes, as I need to take actions as a user without a login, such as www).