On 02/14/2018 10:53 PM, David Woodhouse wrote:
> On Wed, 2018-02-14 at 22:51 +0100, Alberto Bursi wrote:
> > Just change the WAN ssh port number to something in the dynamic port
> > range, pretty much 0 bots scan beyond the few well-known ports
> > range, and you save CPU resources too.
> We're talking about the default config here though. Please let's not
> encourage bogus security-through-obscurity measures in that context.
Your firewall rules weren't about security either but about thwarting
dumb bots doing internet-wide scans.
And for that I think there are better ways that also save CPU resources,
as I said.
The security here still comes from having ssh using a key instead of a
password, or at the very least a very good password. (although I still
think the key is much better)
I quite frankly don't see why the default config should even enable ssh
on WAN at all (apart from special cases on some devices that only have
one port maybe), if the user wants to he should set it up on his own.
Lede-dev mailing list
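The two settings the thread turns on (key-only authentication, and whether the ssh listener is reachable from WAN at all) are both expressed in OpenWrt/LEDE's `/etc/config/dropbear`. The following is an added example, not code from the thread or from the LEDE project: a small POSIX sh audit that reads a dropbear UCI config and reports when `PasswordAuth` is still on or when no `Interface` restricts the listener to `lan`. It deliberately does not treat a non-default `Port` as a mitigation, which matches David's point above. The two embedded configs are constructed samples; the option names `PasswordAuth`, `RootPasswordAuth`, `Port` and `Interface` are the ones the OpenWrt dropbear init script reads.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenWrt/LEDE /etc/config/dropbear
# for password authentication left on and for a listener bound to all interfaces.

# Constructed sample: the kind of default that exposes password ssh on every interface.
weak_cfg() {
cat <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
EOF
}

# Constructed sample: keys only, listener bound to the lan interface.
hardened_cfg() {
cat <<'EOF'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
    option Interface 'lan'
EOF
}

# get_option CONFIG_TEXT NAME -> prints the option's value (quotes stripped) or nothing.
get_option() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*option[[:space:]]$2[[:space:]]*'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" \
    | head -n1
}

# audit_dropbear CONFIG_TEXT -> prints one FINDING line per weakness;
# returns 0 when nothing was found, 1 otherwise.
audit_dropbear() {
  cfg=$1
  rc=0
  pw=$(get_option "$cfg" PasswordAuth)
  rootpw=$(get_option "$cfg" RootPasswordAuth)
  iface=$(get_option "$cfg" Interface)

  # dropbear's init script defaults both password options to 'on' when unset.
  case "${pw:-on}" in
    on|1|yes)
      echo "FINDING: PasswordAuth is on; switch to key-based authentication"
      rc=1 ;;
  esac
  case "${rootpw:-on}" in
    on|1|yes)
      if [ "$rc" -eq 0 ]; then
        # Only meaningful when PasswordAuth itself is off.
        echo "FINDING: RootPasswordAuth is on; disable root password login"
        rc=1
      fi ;;
  esac

  # No Interface means dropbear listens on every interface, WAN included.
  if [ -z "$iface" ]; then
    echo "FINDING: no Interface set; ssh is reachable from WAN, bind it to 'lan'"
    rc=1
  fi
  return "$rc"
}

# Usage: audit.sh /etc/config/dropbear
if [ "$#" -gt 0 ]; then
  audit_dropbear "$(cat "$1")"
fi
```

Run it against a live router's `/etc/config/dropbear` and a non-zero exit means at least one of the two defaults discussed in the thread is still in place; the script only reads the file and changes nothing.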