Public Key Access to OpenWRT
I allow SSH and only SSH into my router via WAN. I have the web interface and all other ports that don’t have specific forwards blocked for obvious reasons. When you install OpenWRT it automatically blocks everything from the WAN side, so this doesn’t require any configuration. Although if you are like me and you require access to your network from outside then you will need to make some changes.
You don’t want password authentication enabled on the WAN side, or you are open to compromise by a brute-force attack. The solution is to use public key authentication instead.
First open PuTTY Key Generator and from the top menu select Key > SSH-2 RSA key. Then click the Generate button and move your mouse around the window until it has gathered enough random data and creates your key. Now click the Save private key button and save your key somewhere you won’t lose it. If you want to password protect your key, enter a passphrase in the passphrase boxes. You can create one with a passphrase and one without if you want. Copy the text at the top where it says “Public key for pasting into OpenSSH authorized_keys file”. It should look something like this (it is one long line, even where it wraps on screen):
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAqnogKGS3oHTp4nDfLzdwL4NlbZR3i5UXvk+oE9T3oiycPk3r+Nj4WCWjjNnwUN/561S0G891EQNv8I3BkN1wox7ImM0SV33rdKx1md1Aytxfs0rcymT0DS/+3AbyskzoZHmZfs3PWforj0yoEhT9SVdkwPPOq+935aM8cb33tE0= rsa-key-20090701
Now ssh into your router and add it to the authorized_keys file with the following command (the key and its comment must stay on one line, so quote them):
root@router:~# echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAqnogKGS3oHTp4nDfLzdwL4NlbZR3i5UXvk+oE9T3oiycPk3r+Nj4WCWjjNnwUN/561S0G891EQNv8I3BkN1wox7ImM0SV33rdKx1md1Aytxfs0rcymT0DS/+3AbyskzoZHmZfs3PWforj0yoEhT9SVdkwPPOq+935aM8cb33tE0= rsa-key-20090701' >> /etc/dropbear/authorized_keys
You will be pasting your own public key that you copied instead of the one that is in the example.
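Because a key copied from a web page (or from an editor that wraps long lines) often arrives split across several lines, and dropbear reads exactly one key per line of authorized_keys, it is worth checking the entry before appending it. The script below is an added example, not part of the original post: it validates that an entry is a single line of the form "ssh-rsa <base64 blob> [comment]", whose blob really encodes an RSA key, and only then appends it and fixes the file mode. All file paths and the key material are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: validate a public key entry before
# appending it to dropbear's authorized_keys. Paths and key material below are
# constructed for illustration.
set -f    # no pathname expansion while splitting untrusted key text

# is_valid_pubkey_line KEY
# Accept only a single-line OpenSSH-format entry: "<type> <base64-blob> [comment]".
# A key that was wrapped across lines when copied contains newlines and is
# rejected, because dropbear parses one key per line.
is_valid_pubkey_line() {
    key=$1
    nl=$(printf '\nx'); nl=${nl%x}        # a literal newline for the test below
    case "$key" in
        *"$nl"*) return 1 ;;
    esac
    set -- $key                           # split into type, blob, comment
    [ "$#" -ge 2 ] && [ "$#" -le 3 ] || return 1
    type=$1; blob=$2
    case "$blob" in                       # base64 alphabet only
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    # The blob's first bytes encode the key type: "AAAAB3NzaC1yc2E" decodes to
    # "ssh-rsa", so the declared type and the blob must agree.
    case "$type:$blob" in
        ssh-rsa:AAAAB3NzaC1yc2E*) return 0 ;;
        *) return 1 ;;
    esac
}

# add_authorized_key KEY FILE
# Append KEY to FILE only if it validates, then make sure the file is not
# group- or world-writable, since dropbear ignores an authorized_keys file that is.
add_authorized_key() {
    is_valid_pubkey_line "$1" || return 1
    printf '%s\n' "$1" >> "$2" && chmod 600 "$2"
}

# count_keys FILE: number of entries currently in FILE
count_keys() {
    wc -l < "$1" | tr -d ' '
}

# --- demonstration on constructed input in a temporary directory ---
demo_dir=$(mktemp -d)                     # left in place so the result can be inspected
demo_file="$demo_dir/authorized_keys"     # stands in for /etc/dropbear/authorized_keys

# Constructed single-line key (not real key material).
GOOD_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQConstructedKeyMaterial0000000000000000== rsa-key-example'
# The same key as it appears when a web page wraps it onto several lines.
nl=$(printf '\nx'); nl=${nl%x}
WRAPPED_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQConstructed${nl}KeyMaterial0000000000000000==${nl}rsa-key-example"

add_authorized_key "$GOOD_KEY" "$demo_file" && echo "accepted single-line key"
add_authorized_key "$WRAPPED_KEY" "$demo_file" || echo "rejected wrapped key: join it onto one line first"
echo "$(count_keys "$demo_file") entry in $demo_file"
```

On the router itself you would call add_authorized_key with your own key text and /etc/dropbear/authorized_keys as the second argument; the validation step is what prevents a pasted, line-wrapped key from silently producing a file that dropbear cannot use, which otherwise only shows up as a key that is mysteriously refused.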
There are still a few more options to change. You don’t want to leave dropbear on its default port, or it is more likely to be discovered and attacked.
root@router:~# vi /etc/config/dropbear
In that file set option PasswordAuth 'off' and option Port '443'. You can change the port to anything you like, but choose something that is not common. I like port 443 because it is the SSL port, so when I am tunneling through my router from work my traffic looks natural. Also, port 443 is never going to be blocked. PasswordAuth off simply turns off password authentication, which we no longer want because we are using keys.
We still need to open the port dropbear is running on to the WAN, because, as I mentioned earlier, OpenWRT has all inbound WAN ports closed.
root@router:~# vi /etc/config/firewall
You can do this by editing the firewall configuration file and adding:
config 'rule' 'ssh'
	option 'src' 'wan'
	option 'proto' 'tcp'
	option 'src_ip' ''
	option 'dest_ip' ''
	option 'dest_port' '443'
	option 'target' 'ACCEPT'
Or you can do this in the web interface. I have X-WRT and I am not sure what web interface it uses, but for me it is under Network > Firewall > Incoming Ports.
Quick note… Some people mention that you should also run dropbear on a local port with password authentication turned on in case you lose your private key. This is not necessary if you have a web interface, because you can always get into the web interface from the LAN and edit the files to turn password authentication back on until you update the key file. But those without a web interface will want to do the following:
root@router:~# vi /etc/init.d/dropbear
You should see this line, or a line like it that starts dropbear.
/usr/sbin/dropbear $DROPBEAR_ARGS
Just add another line below it.
/usr/sbin/dropbear -p 22
Now you will also have password access from LAN on port 22.
After making all of these changes you will need to reboot, or just run /etc/init.d/dropbear restart.
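Putting the dropbear settings, the firewall rule and the LAN-only password fallback from the steps above together, here is an added example of what the two configuration files can look like in current OpenWrt UCI syntax; it is not from the original post. It assumes a dropbear package whose init script supports several config dropbear sections and the Interface option (which replaces the manual edit of /etc/init.d/dropbear for the LAN fallback), and the 203.0.113.0/24 source range is a placeholder for the network you actually connect from:

```uci
# /etc/config/dropbear
# Instance 1: reachable from the WAN through the firewall rule below; keys only.
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '443'

# Instance 2: password fallback, bound to the LAN interface only, default port.
config dropbear
	option PasswordAuth 'on'
	option Port '22'
	option Interface 'lan'

# /etc/config/firewall
# Allow only the key-only instance from the WAN, and only from the address
# range you connect from (placeholder range; leave src_ip out to allow any source).
config rule
	option name 'Allow-SSH-WAN'
	option src 'wan'
	option src_ip '203.0.113.0/24'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
```

Leaving src_ip empty, as the rule in the post does, accepts connections to the port from anywhere on the WAN, so narrowing it is the first thing to do if your work address range is stable. Keep in mind that the non-standard port only reduces scanner noise; the control that actually defeats brute forcing is PasswordAuth 'off' (and RootPasswordAuth 'off', which covers the root account separately) on the WAN-reachable instance. After editing, run /etc/init.d/dropbear restart and /etc/init.d/firewall restart for the changes to take effect.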
In order to connect, open PuTTY and enter your IP and port. Then under Connection > Data, for Auto-login username enter root. Under Connection > SSH > Auth click Browse and select your private key. I recommend saving the session and then creating a shortcut to it. You can create shortcuts to PuTTY sessions by running putty.exe @session_name.
Thanks for this post, answers a bunch of questions I was having.