Your aptness for seeing the possible attack vectors warrants your judgement ...
> On 10 Feb 2018, at 17:07, Philip Prindeville <philipp_s...@redfish-solutions.com> wrote:
>
>
>> On Feb 10, 2018, at 3:28 AM, Paul Oranje <p...@oranjevos.nl> wrote:
>>
>> Wouldn't it be appropriate to disallow password authentication on wan only
>> and allow it on all networks "behind" the router?
>
> Not necessarily.
>
> That’s why UPnP is such an issue. A machine inside a firewall gets infected
> by a virus through a download or email... then the first thing the virus does
> is punch holes in the firewall to allow outside scans of the remaining hosts.
>
> Allowing password logins from an infected host just means that the virus has
> to do slightly more work before it owns the router (i.e. run a password attack).
>
> Not substantially more secure...
>
> -Philip
>
>>
>>> On 9 Feb 2018, at 01:28, Philip Prindeville <phil...@redfish-solutions.com> wrote:
>>>
>>> From: Philip Prindeville <phil...@redfish-solutions.com>
>>>
>>> Allowing password logins leaves you vulnerable to dictionary
>>> attacks. We disable password-based authentication, limiting
>>> authentication to keys only which are more secure.
>>>
>>> Note: You'll need to pre-populate your image with some initial
>>> keys. To do this:
>>>
>>> 1. Create the appropriate directory as "mkdir -p files/root/.ssh"
>>> from your top-level directory;
>>> 2. Copy your "~/.ssh/id_rsa.pub" (or as appropriate) into
>>> "files/root/.ssh/authorized_keys" and indeed, you can collect
>>> keys from several sources this way by concatenating them;
>>> 3. Set the permissions on "authorized_keys" to 644 or 640.
>>>
>>> Signed-off-by: Philip Prindeville <phil...@redfish-solutions.com>
>>> ---
>>> net/openssh/Makefile | 7 +++++--
>>> 1 file changed, 5 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/net/openssh/Makefile b/net/openssh/Makefile
>>> index
>>> 3a19387b0d0110fc5c25d7ffccb524a61c0588c4..7ca61f6ce6d5916016a554b4a283a874e950232c
>>> 100644
>>> --- a/net/openssh/Makefile
>>> +++ b/net/openssh/Makefile
>>> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>>>
>>> PKG_NAME:=openssh
>>> PKG_VERSION:=7.6p1
>>> -PKG_RELEASE:=1
>>> +PKG_RELEASE:=2
>>>
>>> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
>>> PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
>>> @@ -248,7 +248,10 @@ define Package/openssh-server/install
>>> $(INSTALL_DIR) $(1)/etc/ssh
>>> chmod 0700 $(1)/etc/ssh
>>> $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/
>>> - sed -r -i 's,^#(HostKey
>>> /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$$$$,\1,' $(1)/etc/ssh/sshd_config
>>> + sed -r -i \
>>> + -e 's,^#(HostKey
>>> /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$$$$,\1,' \
>>> + -e 's,^#PasswordAuthentication yes$$$$,PasswordAuthentication no,'
>>> \
>>> + $(1)/etc/ssh/sshd_config
>>> $(INSTALL_DIR) $(1)/etc/init.d
>>> $(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd
>>> $(INSTALL_DIR) $(1)/usr/sbin
>>> --
>>> 2.7.4
>>>
>>>
>
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev
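Review bot: the added `-e 's,^#PasswordAuthentication yes$$$$,PasswordAuthentication no,'` expression in the `Package/openssh-server/install` hunk only has an effect if the stock sshd_config still contains exactly the line `#PasswordAuthentication yes`; sed does not report a substitution that matched nothing, and sshd treats an absent `PasswordAuthentication` keyword as `yes`, so a later change to that comment upstream would silently ship images with password logins enabled again while the Makefile still reads as if they were off. Consider appending an explicit `PasswordAuthentication no` line after the sed (sshd uses the first value it reads, so this covers the no-match case), or making the recipe fail when `grep -q '^PasswordAuthentication no$$$$'` finds nothing in the installed file. The commit message should also state how a user recovers a device that was flashed without any keys in `files/root/.ssh/authorized_keys`, since the change applies to every interface, not just WAN.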
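The following is an added example and is not code from this thread or from the LEDE openssh package. It implements the three key pre-population steps from the commit message as a POSIX shell function, mirrors the patch's sed as a filter, and shows why checking the effective `PasswordAuthentication` value matters when the substitution's pattern no longer matches. The `files/root/.ssh` path comes from the commit message; the function names, the sample sshd_config fragments and the key strings are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or the LEDE openssh package.
# Helpers for (a) the key pre-population steps in the commit message and
# (b) checking that an sshd_config really ends up with password logins off.
# Sample configs and keys below are constructed; function names are ours.

# Steps 1-3 of the commit message: gather public keys from one or more files
# into <buildroot>/files/root/.ssh/authorized_keys with safe permissions.
# Only lines shaped like "<keytype> <base64> [comment]" are kept, and a key
# that appears in several source files is stored once. Prints the key count.
populate_authorized_keys() {
    root="$1"; shift
    dir="$root/files/root/.ssh"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    awk '$1 ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/ &&
         $2 != "" && !seen[$1 " " $2]++' "$@" > "$dir/authorized_keys"
    chmod 0644 "$dir/authorized_keys"
    wc -l < "$dir/authorized_keys" | tr -d ' '
}

# The patch's substitution as a stdin filter (the patch uses GNU -r; -E is
# the portable spelling). It matches only the exact stock comment line.
apply_patch_sed() {
    sed -E 's,^#PasswordAuthentication yes$,PasswordAuthentication no,'
}

# Effective global PasswordAuthentication value of an sshd_config read from
# stdin: sshd honours the first uncommented setting and defaults to "yes"
# when the keyword is absent. Settings inside Match blocks are conditional
# and are not considered here.
effective_password_auth() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }'
}

# Hardened variant: drop any existing global setting and put the directive
# first, so the result does not depend on what the stock file looked like.
force_password_auth_off() {
    awk 'BEGIN { print "PasswordAuthentication no" }
         tolower($1) == "match" { inmatch = 1 }
         !inmatch && tolower($1) == "passwordauthentication" { next }
         { print }'
}

# Constructed sshd_config fragments.
stock_config() {          # looks like the upstream default: the sed matches
    printf '%s\n' '# stock sshd_config' '#PasswordAuthentication yes' '#PermitEmptyPasswords no'
}
drifted_config() {        # comment text changed upstream: the sed is a silent no-op
    printf '%s\n' '# stock sshd_config' '# PasswordAuthentication yes' 'PubkeyAuthentication yes'
}
explicit_yes_config() {   # an admin already enabled passwords explicitly
    printf '%s\n' 'PasswordAuthentication yes' 'Match User backup' 'PasswordAuthentication no'
}

# Effective value after running only the patch's sed over a sample config.
result_for() {
    "$1" | apply_patch_sed | effective_password_auth
}

printf 'after patch sed: stock=%s drifted=%s explicit=%s\n' \
    "$(result_for stock_config)" "$(result_for drifted_config)" "$(result_for explicit_yes_config)"
printf 'after hardened filter: drifted=%s explicit=%s\n' \
    "$(drifted_config | force_password_auth_off | effective_password_auth)" \
    "$(explicit_yes_config | force_password_auth_off | effective_password_auth)"
```

Running the script shows the point of the thread's patch and its weak spot: the sed turns the stock file into `no`, but on the drifted and explicit variants it changes nothing and password logins stay effectively enabled, whereas the hardened filter yields `no` regardless of the input. The same `effective_password_auth` check can be run against `$(1)/etc/ssh/sshd_config` in the build to catch a silent no-match.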