dropbear 2013.58-1 security status?

monikas
Posts: 2
Joined: Sun Apr 20, 2014 5:50 am
Location: Spain - Canary Islands

dropbear 2013.58-1 security status?

Post by monikas »

Hello,

I would like to access Gargoyle via WAN and ssh. At present I have not dared to open the SSH port of dropbear on the WAN side. Instead I forward a TCP port to an OpenSSH server behind Gargoyle running on a Raspberry Pi.

I would like to hear: Are my concerns about the vulnerabilities CVE-2013-4421 and CVE-2013-4434 of dropbear 2013.58-1 in Gargoyle 1.6.1 unfounded?

Thank you.
Gargoyle 1.6.1: NETGEAR WNDR3800, ADSL Modem: Comtrend CT-3565; ADSL connection: fixed rate 3008/320 MBit/s

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: dropbear 2013.58-1 security status?

Post by ispyisail »

I don't know the answer to your question but regardless opening SSH on the WAN side is very bad practice

Use openVPN

throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

Re: dropbear 2013.58-1 security status?

Post by throughwalls »

OpenVPN is an option for large routers, but most have just 4MB of Flash. For those routers the safe option is using SSH (instead of SSL to the web GUI).

You always have a risk with any internet services. OpenVPN had a problem because it uses OpenSSL. Dropbear likely has problems. The only way to avoid problems is to prevent connections. If you do allow connections, be very careful and conservative about how you configure things.

For SSH, use very complex passwords, and allow 1 failed connection per 5 minutes.
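As an added illustration of the "1 failed connection per 5 minutes" budget suggested above (this is example code, not from the thread or from Gargoyle/OpenWrt): a small scanner that reads dropbear log lines of the kind `logread` prints and reports sources that exceeded the limit. The log line format, hostname and sample entries are assumed and constructed for the example.

```python
"""Added example: flag sources exceeding one failed SSH login per five
minutes in dropbear log lines. Log format and samples are assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog prefix followed by dropbear's two auth-failure messages.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"(?:Bad password attempt for '[^']*'|Login attempt for nonexistent user) "
    r"from (?P<ip>[\d.]+):\d+"
)

WINDOW_SECONDS = 300   # the thread's "per 5 minutes"
MAX_FAILURES = 1       # the thread's "1 failed connection"


def parse_failures(lines, year=2014):
    """Return [(timestamp, source_ip)] for every failed-auth line (syslog
    lines carry no year, so one is supplied)."""
    found = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((ts, m["ip"]))
    return found


def offending_sources(lines, window=WINDOW_SECONDS, limit=MAX_FAILURES):
    """Sliding window per source: map ip -> most failures seen inside any
    `window`-second span, for sources that went above `limit`."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, worst = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > limit:
            flagged[ip] = worst
    return flagged


# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = [
    "Apr 20 05:50:01 Gargoyle dropbear[1337]: Bad password attempt for 'root' from 203.0.113.7:51234",
    "Apr 20 05:50:09 Gargoyle dropbear[1338]: Bad password attempt for 'root' from 203.0.113.7:51240",
    "Apr 20 05:51:30 Gargoyle dropbear[1339]: Login attempt for nonexistent user from 203.0.113.7:51250",
    "Apr 20 05:52:00 Gargoyle dropbear[1340]: Bad password attempt for 'admin' from 198.51.100.9:40000",
    "Apr 20 06:10:00 Gargoyle dropbear[1341]: Bad password attempt for 'admin' from 198.51.100.9:40001",
    "Apr 20 06:12:00 Gargoyle dropbear[1342]: Password auth succeeded for 'root' from 192.0.2.4:33000",
]

if __name__ == "__main__":
    print(offending_sources(SAMPLE_LOG))  # only 203.0.113.7 exceeds the budget
```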

monikas
Posts: 2
Joined: Sun Apr 20, 2014 5:50 am
Location: Spain - Canary Islands

Re: dropbear 2013.58-1 security status?

Post by monikas »

I will use OpenVPN on the WAN side, as this is the official way to perform remote access with Gargoyle.

Furthermore, I initially had not realized how amazingly simple it is to set up an OpenVPN server with the web-based GUI of Gargoyle.

@ ispyisail: Assuming that ssh public-key and not password authentication is used, I disagree that opening ssh on the WAN side is very bad practice.

@ throughwalls: The NETGEAR WNDR3800 has 128 MiB RAM.

Thank you both for the helpful replies.
Gargoyle 1.6.1: NETGEAR WNDR3800, ADSL Modem: Comtrend CT-3565; ADSL connection: fixed rate 3008/320 MBit/s

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: dropbear 2013.58-1 security status?

Post by ispyisail »

> @ ispyisail: Assuming that ssh public-key and not password authentication is used, I disagree that opening ssh on the WAN side is very bad practice.
I'm not disagreeing with anything said

I just wonder if this applies to the average Gargoyle user who just wants to use the GUI only

With a few simple key strokes through the GUI you can SSH through OpenVPN.

If your router is up to it I don't know why you wouldn't do this as best practice?

anyway.................

throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

Re: dropbear 2013.58-1 security status?

Post by throughwalls »

Both SSH and OpenVPN configuration take technical knowledge and sophistication to do right. Neither is for beginners, at least not if you want to keep the scanning hordes out.

Going back to the original question: Is the choice of this version of dropbear made by the OpenWRT team, or by the Gargoyle team? It does seem like it would be worth upgrading the package, both because of the two fixed CVEs and also because of the other security-related changes made ( https://matt.ucc.asn.au/dropbear/CHANGES )

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: dropbear 2013.58-1 security status?

Post by ispyisail »

As a rule of thumb Gargoyle is the GUI and OpenWRT is the backend.

Eric only builds against stable OpenWRT branches and at this time it is AA.

https://dev.openwrt.org/browser/branche ... adjustment

I'm not sure if this answers your question?
