SSH, LuCi, GL gui security

  1. Can I disable SSH? It is not needed for me at all. I am not familiar with the CLI, so it is more like an additional attack vector than something useful.

  2. I need to use LuCi and GL gui. Both. But is it possible to prevent brute force on LuCi and GL gui? Any plugins? Any recommendations? Any guidance?

@alzhao please take a look :wink:

In luci this is possible :+1:

If you log in and go to the tab System -> Administration -> SSH access (tab), you can delete all entries :+1:

This really depends. From my experience, SSH is not reachable from the outside, and since your router does not have the same standards a typical server has (with open WAN for SSH), you should be mostly fine; the outside is much more dangerous than a local device if you maintain good passwords.

Of course it is arguable, but then you should look into key authentication. PuTTY has a program called PuTTYgen that works perfectly; this way you don't need a password anymore, which makes it a lot more secure against brute-forcing. If you still want a password, you want a long one, and maybe consider installing something like fail2ban, which drops connections from brute-force attacks.

You can also segment/isolate SSH access through LuCI's same menu by limiting the interfaces :+1:, and disable password and root login.

1 Like
  1. Delete the dropbear item (as xize11).
  2. The GL GUI has login-failure protection. If there are too many failures, it will be temporarily locked and logins will not be allowed. For LuCI, you can refer to this shared script (translated to English):
    GitHub - vimers01/deny-ssh-password-attack: OpenWrt itself has no tool to counter SSH password cracking; to make routers exposed to the Internet more secure, a small script was written based on iptables. The script is run on a schedule via crontab,.
1 Like
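As an added example (not part of the thread and not the linked repository's code), this sketches the kind of cron-run check the last reply describes: count failed dropbear password attempts per source address and print, as a dry run, the iptables rule that would drop each offender. The threshold, function names and log lines are assumptions constructed for illustration. Newer OpenWrt releases use nftables, so the rule would need adapting there.

```shell
#!/bin/sh
# Added example: find SSH brute-force sources in dropbear log output.
# Assumption: failures are logged as "Bad password attempt for 'user' from IP:PORT".

THRESHOLD=3   # hypothetical limit: failures allowed before an address is listed

# Constructed sample log; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
Mon Jan  1 10:00:01 2024 authpriv.warn dropbear[2101]: Bad password attempt for 'root' from 203.0.113.7:40112
Mon Jan  1 10:00:03 2024 authpriv.warn dropbear[2101]: Bad password attempt for 'root' from 203.0.113.7:40112
Mon Jan  1 10:00:05 2024 authpriv.warn dropbear[2102]: Bad password attempt for 'admin' from 203.0.113.7:40120
Mon Jan  1 10:00:09 2024 authpriv.warn dropbear[2103]: Bad password attempt for 'root' from 203.0.113.7:40131
Mon Jan  1 10:02:44 2024 authpriv.warn dropbear[2110]: Bad password attempt for 'root' from 198.51.100.23:51877
Mon Jan  1 10:05:10 2024 authpriv.notice dropbear[2115]: Password auth succeeded for 'root' from 192.168.8.10:50122
EOF
}

# offenders LIMIT: read log lines on stdin, print each source IP with
# at least LIMIT failed password attempts, one per line, sorted.
offenders() {
    awk -v limit="$1" '
        /dropbear\[[0-9]+\]: Bad password attempt for / {
            src = $NF                 # last field is IP:PORT
            sub(/:[0-9]+$/, "", src)  # strip the port, keep the address
            fails[src]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' | sort
}

# block_cmds: dry run, prints the rule for each IP on stdin instead of applying it.
block_cmds() {
    while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# On a router the input would be the system log (e.g. the output of logread).
sample_log | offenders "$THRESHOLD" | block_cmds
```

Successful logins from the LAN are never counted, so a legitimate admin who eventually types the right password is only listed if the failures alone reach the threshold.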