To make your router even more secure and protected against new attacks, follow these steps:
Why a non-standard port? Because the standard SSH port (22) is targeted by script kiddies these days, using simple brute-force attacks to gain access to your box. Usually you'll only notice a bunch of login attempts in your system log, so no real harm done. But better safe than sorry, so by moving Dropbear/OpenSSH to a non-standard port, your logs will not be cluttered with these attempts. Of course a full port scan will still reveal the port, but it is now harder to find, and that's what we need.
Log in as root and go into the FREESCO setup by typing :
setup
and <enter>, then choose advanced settings (a), and Option #47.
Advanced settings (x - exit) []? 47
type <enter>, then at this prompt :
Enable SSHD to allow remote access to Freesco. You can use SSH and perform any console commands including this setup script.
WARNING:
y - Enable service worldwide, insecure!
s - Enable service locally, secure (recommended)
n - Disable service
NOTE: If you are going to export this service from a local computer using standard port (22), you must not answer s.
47 Enable SSH server y/s/n [y]?
type “y” and <enter>; when asked :
471 SSH port [22]? 222
type the port number you would like SSH to use (for instance 222) followed by <enter>
472 Allow root to login with SSH (y/n) [y]?
Dropbear sshd v0.44-p10
Usage: dropbear [options]
Options are:
-s Disable password logins
-g Disable password logins for root
-j Disable local port forwarding
-p port Listen on specified tcp port, up to 10 can be specified (default 22 if none specified)
472 Extra command line options. None are required. []?
You can leave this empty.
Exit the setup with “x”, <enter>, and save the settings with “s”, <enter>.
Then back at the prompt you should restart the firewall with :
rc_masq restart
The FREESCO default SSH server (Dropbear) is now reachable on the port you configured. Try connecting to the router with PuTTY or another SSH client; it should work.
If you run the OpenSSH package instead, go to /rc/rcuser :
cd /rc/rcuser
Then edit the startup script for opensshd :
edit rc_opensshd
In this file find the lines that say :
# Port to listen for connections on.
PORT=22
if [ "$1" = firewall ]; then
#comment out the next lines to make sshd worldwide accessible
#echo -n "Block opensshd connection from inet...I"
Change it to read :
# Port to listen for connections on.
PORT=xxxx
if [ "$1" = firewall ]; then
#comment out the next lines to make sshd worldwide accessible
#echo -n "Block opensshd connection from inet...I"
Where xxxx is the number of the port you wish to give to OpenSSH. To finish, type :
rc_opensshd restart
rc_masq restart
Next, go to /pkg/etc/ :
cd /pkg/etc/
Then edit the config file for OpenSSH :
edit sshd_config
In this file find the lines that say :
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
and change them to read :
Port xxxx
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
Where xxxx is the number of the port you wish to give to OpenSSH. To finish, type :
rc_opensshd restart
rc_masq restart
To disable root login over SSH (Dropbear or OpenSSH), follow these steps :
Add a new user who will be the admin on FREESCO with
useradd your_admin
Choose (N)ormal user, with a home directory.
Go to /etc
cd /etc
Edit the password file :
edit passwd
In this file locate the following line :
your_admin:xxxxxxxxxx:100x:100:your_admin:/home/your_admin:/bin/sh
change it to :
your_admin:xxxxxxxxxx:0:0:your_admin:/home/your_admin:/bin/sh
Save the file with ALT+x
Copy it into the boot directory :
cp passwd /boot/etc/
Try to log in over SSH as the user your_admin with the corresponding password.
IF, AND ONLY IF, that works, you can then go to /etc and edit the password file again :
cd /etc
edit passwd
Find the line that says :
root:xxxxxxxxxx:0:0:root:/home/root:/bin/sh
and change it to read :
root:xxxxxxxxxx:0:0:root:/home/root:/bin/false
Save the changes and copy the file into /boot/etc/ :
cp passwd /boot/etc/
That's it!
The root user can no longer log in, and only your_admin can log in over SSH, with root (UID 0) rights.
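Before you close your root session, it is worth checking the edited passwd file mechanically. The shell script below is an added example, not part of this page or of FREESCO; it assumes the standard seven-field passwd format and treats only /bin/false as a disabled shell, and the sample passwd lines it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not FREESCO code. Checks a passwd-format file after the
# edits above: root's shell must be /bin/false and at least one other
# UID-0 account (your_admin) must keep a login shell, otherwise you lock
# yourself out. Assumption: only /bin/false is treated as "no login".

# check_root_disabled FILE -> exit 0 when the file is in the safe state
check_root_disabled() {
    ok_root=1      # becomes 0 once root is seen with /bin/false
    admins=0       # UID-0 accounts other than root that can still log in
    # passwd fields: name:hash:uid:gid:gecos:home:shell
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$uid" = 0 ] || continue
        echo "UID 0 account: $name shell=${shell:-/bin/sh}"
        if [ "$name" = root ]; then
            [ "$shell" = /bin/false ] && ok_root=0
        elif [ "$shell" != /bin/false ]; then
            admins=$((admins + 1))
        fi
    done < "$1"
    [ "$ok_root" -eq 0 ] && [ "$admins" -ge 1 ]
}

# check_boot_copy FILE BOOTFILE -> exit 0 when both files have the same
# content; the page has you copy passwd to /boot/etc so the edit
# survives a reboot, and a forgotten "cp passwd /boot/etc/" undoes it.
check_boot_copy() {
    cmp -s "$1" "$2"
}

# make_sample PATH ROOTSHELL writes a constructed passwd file for testing
make_sample() {
    cat > "$1" <<EOF
root:xxxxxxxxxx:0:0:root:/home/root:$2
your_admin:xxxxxxxxxx:0:0:your_admin:/home/your_admin:/bin/sh
nobody:*:65534:65534:nobody:/:/bin/false
EOF
}

# Demo on a constructed file, never on the real /etc/passwd
t=$(mktemp)
make_sample "$t" /bin/false
check_root_disabled "$t" && echo "safe: root disabled, your_admin still has a shell"
rm -f "$t"
```

On the router itself you would run check_root_disabled /etc/passwd and check_boot_copy /etc/passwd /boot/etc/passwd after the last cp.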