
Thibor - denying ssh access to router for wireless clients

Discussion in 'HyperWRT Firmware' started by SirDracula, Feb 22, 2006.

  1. SirDracula

    SirDracula Network Guru Member

    http admin interface and telnet admin can be disabled for wireless clients. Is it possible to do the same for sshd? If not, could you please add this feature in a future firmware version? I do not want the wireless clients to have any access to any services in the router, for security reasons.

    Thank you.
     
  2. Thibor

    Thibor Super Moderator Staff Member Member

    add it in and i'll include it
     
  3. SirDracula

    SirDracula Network Guru Member

  4. Thibor

    Thibor Super Moderator Staff Member Member

    hmm, you could always write it. i'll have a look at it if you're not capable. the code should be very similar to "Wireless Access Web" and shouldn't take long, but to be honest i would just remove password access to sshd and set a pubkey. why would it matter if wireless clients could access the ssh server if they couldn't get to the file system?
     
  5. SirDracula

    SirDracula Network Guru Member

    From what I read there are occasional bugs and vulnerabilities in sshd that may allow (wireless) clients to break in even if I use only a pubkey. I would like to keep temptation to hammer my router trying to get in at a minimum.

    Is the access to http and telnet disabled via an iptables rule?

    thank you
     
  6. Thibor

    Thibor Super Moderator Staff Member Member

    access to the web interface can be disabled via the management page. access to sshd and telnet from wireless connections can be disallowed via the firewall_script
     
  7. SirDracula

    SirDracula Network Guru Member

    Would it be possible to add a rule to the firewall (and maybe an option in the web interface) in general that says "do not allow any connection to the router from any of the wireless clients"? Of course, this should not break the NAT functionality for the wireless clients, just disable access to the router's services.

    For example a hotspot may want to allow public access to the wireless clients but it doesn't want them to attempt to mess with the router's settings or try and break into the router's possibly vulnerable services.
     
  8. Thibor

    Thibor Super Moderator Staff Member Member

    i will look at adding these things, no promises though as they can EASILY be done via the startup script. Adding checkboxes for users that can't be arsed using the firewall script isn't exactly what i had in mind
     
  9. SirDracula

    SirDracula Network Guru Member

    I understand that in general you don't want to add such boxes in the interface, but security should be a priority and should be easy to configure. Entering firewall scripts may be error-prone and provide a false sense of security.

    What would the iptables command look like to block all wireless client connections to the router so that I can use that in the firewall script for now?

    thank you for your help.
     
  10. Thibor

    Thibor Super Moderator Staff Member Member

    off the top of my head i don't know, but i can find out soon enough,
    it would be something like:
    iptables -t mangle -A PREROUTING -i eth1 -p tcp --destination-port 22 -j DROP
    this is probably incorrect, but you get the gist, wireless interface is eth1
    i think i'll change the "Wireless Access Web" button to deny ALL access to the router itself from the Wireless interface
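    The rule Thibor sketches above, taken a step further as an added example (not code from this thread or from the HyperWRT/Thibor firmware): a firewall_script fragment that keeps wireless clients away from the router's own services, either all at once or per port as SirDracula asks, without touching NAT for those clients. It assumes the wireless interface is eth1 (as in Thibor's reply) and that wireless clients get DHCP and DNS from the router.

```shell
#!/bin/sh
# Added example, not code from Thibor's firmware: firewall_script rules that
# stop wireless clients from reaching the router's own services while
# leaving NAT/forwarding for those clients untouched.
# Assumptions: the wireless interface is eth1 (as in Thibor's reply) and
# wireless clients get DHCP and DNS from the router itself.

WIFI_IF="${WIFI_IF:-eth1}"

# Print the iptables arguments (one rule per line, without the "iptables"
# word) for the given mode: "all" drops every router-bound packet from the
# wireless interface except DHCP/DNS and replies to the router's own
# connections; any other value is a space-separated list of TCP ports
# (e.g. "22 23") to block individually, mirroring the per-service options.
wifi_block_rules() {
    mode="$1"
    ifc="${2:-$WIFI_IF}"
    # Dedicated chain, flushed each run, so the script is safe to re-apply.
    printf '%s\n' "-N wifi_in" "-F wifi_in"
    if [ "$mode" = "all" ]; then
        printf '%s\n' "-A wifi_in -p udp --dport 67 -j RETURN"   # DHCP
        printf '%s\n' "-A wifi_in -p udp --dport 53 -j RETURN"   # DNS
        printf '%s\n' "-A wifi_in -p tcp --dport 53 -j RETURN"
        printf '%s\n' "-A wifi_in -m state --state ESTABLISHED,RELATED -j RETURN"
        printf '%s\n' "-A wifi_in -j DROP"
    else
        for port in $mode; do
            printf '%s\n' "-A wifi_in -p tcp --dport $port -j DROP"
        done
    fi
    # INPUT, not mangle/PREROUTING, is where packets addressed to the router
    # itself are filtered; FORWARD (and so NAT for the clients) is untouched.
    # If eth1 is bridged into br0 on your build, iptables sees br0 and the
    # match must become "-m physdev --physdev-in eth1" instead of "-i eth1".
    printf '%s\n' "-D INPUT -i $ifc -j wifi_in" "-I INPUT 1 -i $ifc -j wifi_in"
}

# Apply the rules with the real iptables binary (run this on the router).
# -N fails harmlessly if the chain exists and -D if the jump is absent.
wifi_block_apply() {
    wifi_block_rules "$@" | while read -r rule; do
        case "$rule" in
            -N*|-D*) iptables $rule 2>/dev/null ;;
            *)       iptables $rule || echo "failed: iptables $rule" >&2 ;;
        esac
    done
}
```

    Put `wifi_block_apply all` (or `wifi_block_apply "22 23"`) at the end of the firewall_script; `wifi_block_rules all` prints the rules so they can be reviewed before anything is applied.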
     
  11. SirDracula

    SirDracula Network Guru Member

    Not sure you may want to do that, then others will complain that they want to turn off http access but allow ssh for example.

    I think it's better to have a global option "disable all access from wireless clients" and if that's checked, the other individual options for http, telnet, ssh don't do anything. But if it's not checked, users could still enable/disable access on a per service basis. It seems that doing an all or nothing option is moving backwards.

    I'm fine with it either way, but others may have a different need.
     
  12. Thibor

    Thibor Super Moderator Staff Member Member

    i'll add it in tonight
     
  13. SirDracula

    SirDracula Network Guru Member

    Cool. Thanks.

    Do you think this option should go in the Firewall tab or the Advanced options?
     
  14. Thibor

    Thibor Super Moderator Staff Member Member

    it will be placed in Management.asp directly beneath Remote Access:
     
  15. Thibor

    Thibor Super Moderator Staff Member Member

    i've looked at the sources and the bottom line is: i'm not going to do it, i'm afraid. it will require a lot of effort just to restrict wireless users' access to dropbear. sorry
     
  16. SirDracula

    SirDracula Network Guru Member

    Oh well, it was worth looking into it at least. Thanks for the effort.
     
  17. Thibor

    Thibor Super Moderator Staff Member Member

    no problem, on the plus side you can probably expect to see Thibor14 today :) if final testing goes well
     