dropbear 2013.58-1 security status?

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project

Moderator: Moderators

Post Reply
monikas
Posts: 2
Joined: Sun Apr 20, 2014 5:50 am
Location: Spain - Canary Islands

dropbear 2013.58-1 security status?

Post by monikas »

Hello,

I would like to access Gargoyle via WAN and ssh. At present I have not dared to open the SSH port of dropbear on the WAN side. Instead I forward a TCP port to an OpenSSH server behind Gargoyle running on a Raspberry Pi.

I would like to hear: Are my concerns about the vulnerabilities CVE-2013-4421 and CVE-2013-4434 of dropbear 2013.58-1 in Gargoyle 1.6.1 reasonless?

Thank you.
Gargoyle 1.6.1: NETGEAR WNDR3800, ADSL Modem: Comtrend CT-3565; ADSL connection: fixed rate 3008/320 MBit/s

ispyisail
Moderator
Posts: 4809
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: dropbear 2013.58-1 security status?

Post by ispyisail »

I don't know the answer to your question but regardless opening SSH on the WAN side is very bad practice

Use openVPN

throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

Re: dropbear 2013.58-1 security status?

Post by throughwalls »

OpenVPN is an option for large routers, but most have just 4MB of Flash. For those routers the safe option is using SSH (instead of SSL to the web GUI).

You always have a risk with any internet services. OpenVPN had a problem because it uses OpenSSL. Dropbear likely has problems. The only way to avoid problems is to prevent connections. If you do allow connections, be very careful and conservative about how you configure things.

For SSH, use very complex passwords, and allow 1 failed connection per 5 minutes.

monikas
Posts: 2
Joined: Sun Apr 20, 2014 5:50 am
Location: Spain - Canary Islands

Re: dropbear 2013.58-1 security status?

Post by monikas »

I will use OpenVPN on the WAN side, as this is the offical way to perform remote access with Gargoyle.

Furthermore I initially had not realized how amazing simple it is to setup an OpenVPN server with the web based GUI of Gargoyle.

@ ispyisail: Assuming that ssh public-key and not password authentication is used, I disagree that opening ssh on the WAN side is very bad practice.

@ throughwalls: The NETGEAR WNDR3800 has 128 MiB RAM.

Thank you both for the helpfull replies.
Gargoyle 1.6.1: NETGEAR WNDR3800, ADSL Modem: Comtrend CT-3565; ADSL connection: fixed rate 3008/320 MBit/s

ispyisail
Moderator
Posts: 4809
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: dropbear 2013.58-1 security status?

Post by ispyisail »

@ ispyisail: Assuming that ssh public-key and not password authentication is used, I disagree that opening ssh on the WAN side is very bad practice.


I'm not disagreeing with anything said

I just wonder if this apply s to the average gargoyle user who just wants to use the GUI only

With a few simple key strokes through the GUI you can SSH through OpenVPN.

If your router is up to it I don't know why you wouldn't do this as best practice?

anyway.................

throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

Re: dropbear 2013.58-1 security status?

Post by throughwalls »

Both SSH and OpenVPN configuration take technical knowledge and sophistication to do right. Neither is for beginners, at least not if you want to keep the scanning hords out.

Going back to the original question: Is the choice of this version of dropbear done by OpenWRT team, or by Gargoyle team? It does seem like it would be worth upgrading the package, both because of the two fixed CVEs and also because of the other security related changes made ( https://matt.ucc.asn.au/dropbear/CHANGES )

ispyisail
Moderator
Posts: 4809
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: dropbear 2013.58-1 security status?

Post by ispyisail »

As a rule of thumb Gargoyle is the GUI and OpenWRT is the backend.

Eric only builds against stable OpenWRT branches and at this time it is AA.

https://dev.openwrt.org/browser/branche ... adjustment

I'm not sure if this answers your question?

Post Reply