Skynet resetting ssh access to LAN only?

Sas

Regular Contributor
I noticed after installing Skynet that my router (RT-AC86U) seemingly had its ssh access changed from "LAN & WAN" to "LAN Only", which I thought was odd. I have reset it a couple of times since to "LAN & WAN", only to have it revert to "LAN Only". A look through the logs found that Skynet was indeed doing this:

Code:
Jul 25 16:25:53 Skynet: [!] Insecure Setting Detected - Disabling WAN SSH Access

Since I am only allowing key login (not password) to this, I am comfortable leaving this port accessible to the outside world. Is there a setting for skynet to leave my settings the way I have purposely set them?
 
I THINK I just found the setting in Menu 11 (settings) then Menu 8 (secure mode) set to Disabled. We will see...
 
Yeah, this is correct. With Secure Mode (which I believe is switched on by default now) Skynet disables SSH and Web GUI access from the WAN interface, amongst other things. I believe the general consensus on this forum is that the safest way to access your router remotely is to have an OpenVPN server running on it with TLS Keys, not just username and password, to create an OpenVPN tunnel into your network, through which you can then SSH into the router. This is pretty easy to do with Merlin's fw.

Technically, from a security standpoint, SSH with keys only and password disabled should be just as secure as OpenVPN, but I believe the idea is that there are more eyes and audits on the OpenVPN codebase than there are Dropbear's (the software running the SSH server on the router). You definitely want Secure Mode to disable WAN access to Web GUI though.
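As an added example (not from the thread and not Skynet's own code), the check below audits a router's remote-access settings for the conditions Secure Mode is described as correcting, over a constructed nvram-style dump; the variable names sshd_enable, sshd_pass, sshd_port and misc_http_x, and the mapping 1 = LAN & WAN / 2 = LAN only, are assumptions. It also flags the reserved-port point raised later in the thread.

```python
"""Audit router remote-access settings (constructed example, not Skynet code).
Assumed nvram keys: sshd_enable (0=off, 1=LAN&WAN, 2=LAN only), sshd_pass
(1=password login allowed), sshd_port, misc_http_x (1=Web GUI reachable from WAN)."""

# Constructed sample in the shape of `nvram show` output, trimmed to the relevant keys.
SAMPLE_NVRAM = """\
sshd_enable=1
sshd_pass=1
sshd_port=22
misc_http_x=1
"""


def parse_nvram(dump: str) -> dict:
    """Parse key=value lines into a dict; lines without '=' are ignored."""
    settings = {}
    for line in dump.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict) -> list:
    """Return a list of findings about WAN-exposed management services."""
    findings = []
    if settings.get("sshd_enable", "0") == "1":          # assumed: 1 = LAN & WAN
        findings.append("WAN SSH access enabled")
        if settings.get("sshd_pass", "1") == "1":         # password auth on a WAN service
            findings.append("SSH password login enabled on a WAN-reachable service")
        port = int(settings.get("sshd_port", "22"))
        if port < 1024:                                   # reserved range, see thread
            findings.append(f"SSH listening on reserved port {port}")
    if settings.get("misc_http_x", "0") == "1":           # assumed: Web GUI open to WAN
        findings.append("WAN access to Web GUI enabled")
    return findings


def secure_mode_remediation(settings: dict) -> dict:
    """Return a copy with WAN SSH set to LAN only and WAN Web GUI disabled,
    mirroring what the thread says Secure Mode does."""
    fixed = dict(settings)
    if fixed.get("sshd_enable") == "1":
        fixed["sshd_enable"] = "2"                        # assumed: 2 = LAN only
    fixed["misc_http_x"] = "0"
    return fixed


if __name__ == "__main__":
    current = parse_nvram(SAMPLE_NVRAM)
    for finding in audit(current):
        print("[!]", finding)
    print("after remediation:", audit(secure_mode_remediation(current)))
```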
 
@Sas, you may be comfortable with the options you've chosen. It doesn't make them any safer though.

Disable WAN access completely and run an OpenVPN server instead (on a port other than the default, and above 50,000), for maximum (and real) security.
 
@Sas, you may be comfortable with the options you've chosen. It doesn't make them any safer though.

Disable WAN access completely and run an OpenVPN server instead (on a port other than the default, and above 50,000), for maximum (and real) security.

Thanks, but I want to make the point that OpenVPN **is also** WAN access. If we wanted to have (real) maximum security, we would unplug from the internet. SSH on a non standard port with key login only (password login disabled) is not less safe than OpenVPN.
 
@Sas, you may be comfortable with the options you've chosen. It doesn't make them any safer though.

Disable WAN access completely and run an OpenVPN server instead (on a port other than the default, and above 50,000), for maximum (and real) security.
I have my ssh always on, on a port lower than 1024, and have not had any problems with that. I have been using an ED25519 ssh key for a while now.
 
SSH on a non standard port with key login only (password login disabled) is not less safe than OpenVPN.

It most definitely is. The point is limiting what services are exposed to the WAN, not exposing multiple, less pen-tested services such as Dropbear.
 
Whilst SSH access using keys is generally viewed as extremely secure, nothing is risk free. Bugs and security flaws can be found, and are more likely to be found and fixed in OpenSSH than in Dropbear, not because Dropbear is the more secure SSH server and has less bugs, but because there are more eyes on the code.

The general idea is to simply reduce your potential attack surface as much as possible. The fewer holes you punch in your WAN interface, the better, even if they are holes that have encrypted authentication built in. Seeing as it's so easy to set up an OpenVPN server using Merlin's firmware, and so easy to just flick the OpenVPN connection on before remotely SSH-ing into the router, that's what I do, and would probably recommend you do too.
 
I have my ssh always on, on a port lower than 1024, and have not had any problems with that. I have been using an ED25519 ssh key for a while now.

I too have ssh always on. But using a port that is reserved is (eventually) asking for trouble/interference. No matter how long it has currently worked for you. :)
