RT-N66u - 3.0.0.4.270.25b Merlin - Web & SSH works from WAN despite being disabled

[workfromphone]

Hi,
I am running 3.0.0.4.270.25b merlin on my RT-N66u. I have "Allow SSH access from WAN" and "Enable Web Access from WAN" both set to No. However, I can still access both SSH and the Web GUI (port 80) from the public internet. I noticed this because I saw multiple connection attempts from random IPs in the log. Looks like someone is trying to hack into my router/network.

Are these settings only enforced if the Firewall is enabled? I have it disabled because I work from home and some customer VPNs give issues with the firewall enabled.

Has anyone else noticed this?

Thanks

 

[TeHashX]

I disabled Allow "SSH access from WAN" and "Enable Web Access from WAN" for curiosity and I can't connect from wan to ssh or http, I only managed to connect to ssh from lan with wan address
It's not such a good idea to disable builtin firewall.

 

[workfromphone]

Looks like those features are dependent on the firewall as the Webserver and SSH daemon are listening on all interfaces (instead of just the LAN IP).

admin@RT-N66U:/tmp/home/root# netstat -an | egrep -e':22|:80'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

After enabling the firewall, the access to SSH and the Web GUI from the Internet were denied. Does anyone know where the sshd or httpd config files are so I can configure them to only listen on the LAN interface?

Thanks