Hello,

The SSH access setting in OpenWrt sets which interface dropbear will bind to. This means that dropbear will only accept ssh connections that arrive on that specific interface. If all you need to do is connect from inside your network, then binding to LAN is fine. If you want to access ssh from anywhere else, then you need to instruct dropbear to bind to all interfaces. This idea of binding to an interface is different from a firewall, though they do something of the same thing.

What you probably want is to tell dropbear to listen on all interfaces, and then make sure your firewall is configured to drop all incoming connections from the outside. In that case, any SSH connections will be dropped, and your ssh service will be invisible to the outside world. Fwknop comes into play here. It allows you to authenticate, and a temporary rule is added, allowing only your IP address to connect to the ssh service.

So, set dropbear back to unspecified, and then look at your firewall settings. In the web interface, go to Network -> Firewall. Under zones, Input and Forward should be set to reject for the wan network. You might have a rule in the "Traffic Rules" tab that is allowing ssh connections. I suppose one other thing to check is that in Network -> Interfaces, the wan interface is set to use the wan firewall zone.

--Jonathan

On 07/14/2016 04:43 PM, Tomáš Iglo wrote:
> Hi,
> in my OpenWRT (Chaos Calmer), if I've configured SSH Access in Dropbear to
> listen on the WAN interface, SSH access is working and I can log in to the
> router via SSH, but this means that my SSH port is open to the Internet.
>
> If I've configured SSH Access to the LAN interface (as it is by default), fwknop2
> sends an SPA packet, and the system log shows me that the port is open for that
> external IP for some time:
>
> Thu Jul 14 23:05:07 2016 daemon.info fwknopd[7244]: (stanza #1) SPA Packet from IP: 46.XX.XX.XX received with access source match
> Thu Jul 14 23:05:07 2016 daemon.info fwknopd[7244]: Added access rule to FWKNOP_INPUT for 46.XX.XX.XX -> 0.0.0.0/0 tcp/22, expires at 1468530367
> Thu Jul 14 23:06:07 2016 daemon.info fwknopd[7244]: Removed rule 1 from FWKNOP_INPUT with expire time of 1468530367
>
> but my SSH connection fails with "Connection timeout".
>
> SSH Access should be set up to the LAN, right? Is the configuration below
> wrong?
>
> My setup:
> - Using ssh keys, which are mentioned in /etc/dropbear/authorized_keys
>
> - UCI:
>   password - OFF
>   rootLogin - OFF
>
> - OpenWRT - System - Administration - SSH Access - Dropbear instance -
>   Interface: LAN
>
> - Names of interfaces:
>   WAN: eth0.1
>   LAN: br-lan
>
> - access.conf
>   SOURCE ANY
>   keytype Base 64 key
>   hkeytype Base 64 key
>   KEY_BASE64 xxxxxx
>   HMAC_KEY_BASE64 xxxxxxx
>   OPEN_PORTS tcp/22
>
> - fwknopd.conf
>   PCAP_INTF eth0.1
>   ENABLE_IPT_FORWARDING y
>
> Thank you for your help.
>
> Have a nice day,
>
> Tomas
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
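As an added example (not code from the thread or from the fwknop or OpenWrt projects), here is a small POSIX shell audit of the checks Jonathan lists: it parses a firewall file in OpenWrt's UCI syntax, confirms the wan zone's input policy is REJECT or DROP, and reports any traffic rule that explicitly ACCEPTs tcp/22 from wan, which would expose ssh regardless of what fwknopd does. The embedded config and the rule name "Allow-SSH-WAN" are constructed for the demonstration.

```shell
# Added example, not from the thread: audit an OpenWrt /etc/config/firewall for
# the two things Jonathan says to check -- the wan zone rejects input, and no
# traffic rule ACCEPTs tcp/22 from wan (which would bypass fwknop). Sample config:
SAMPLE_FIREWALL=$(cat <<'EOF'
config zone
	option name 'wan'
	option input 'REJECT'

config rule
	option name 'Allow-SSH-WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
EOF
)

# Print the 'input' policy of zone $2 in config $1 (empty if it is not set).
zone_input_policy() {
    printf '%s\n' "$1" | awk -v zone="$2" -v q="'" '
        /^config /             { type = $2; name = ""; input = "" }
        /^[ \t]*option name /  { gsub(q, "", $3); name = $3 }
        /^[ \t]*option input / { gsub(q, "", $3); input = $3 }
        type == "zone" && name == zone && input != "" { print input; exit }'
}

# Print names of rules that explicitly ACCEPT dest_port $3 from zone $2 (space lists ok, ranges not expanded).
rules_allowing_port() {
    printf '%s\n' "$1" | awk -v zone="$2" -v port="$3" -v q="'" '
        function flush(   i, n, p) {
            if (type != "rule" || src != zone || target != "ACCEPT") return
            n = split(dport, p, " ")
            for (i = 1; i <= n; i++) if (p[i] == port) { print rname; return }
        }
        /^config /                 { flush(); type = $2; rname = src = target = dport = "" }
        /^[ \t]*option name /      { sub(/^[ \t]*option name[ \t]*/, ""); gsub(q, ""); rname = $0 }
        /^[ \t]*option src /       { gsub(q, "", $3); src = $3 }
        /^[ \t]*option target /    { gsub(q, "", $3); target = $3 }
        /^[ \t]*option dest_port / { sub(/^[ \t]*option dest_port[ \t]*/, ""); gsub(q, ""); dport = $0 }
        END { flush() }'
}

# Exit 0 when tcp/22 is unreachable from wan (so only an fwknop SPA opens it); else report and exit 1.
audit_ssh_exposure() {
    policy=$(zone_input_policy "$1" wan)
    case "$policy" in REJECT|DROP) ;;
        *) echo "wan zone input policy is '$policy', expected REJECT or DROP"; return 1 ;; esac
    leaks=$(rules_allowing_port "$1" wan 22)
    [ -z "$leaks" ] || { echo "traffic rules exposing tcp/22 on wan: $leaks"; return 1; }
}
if audit_ssh_exposure "$SAMPLE_FIREWALL"; then echo "OK: tcp/22 is unreachable from wan"; fi
```

On a router, replace the sample with `SAMPLE_FIREWALL=$(cat /etc/config/firewall)`; a rule with no explicit target is not reported, so review those by hand.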