Hello,
I would like to access Gargoyle via WAN and ssh. At present I have not dared to open the SSH port of dropbear on the WAN side. Instead I forward a TCP port to an OpenSSH server behind Gargoyle running on a Raspberry Pi.
I would like to hear: Are my concerns about the vulnerabilities CVE-2013-4421 and CVE-2013-4434 of dropbear 2013.58-1 in Gargoyle 1.6.1 unfounded?
Thank you.
dropbear 2013.58-1 security status?
Gargoyle 1.6.1: NETGEAR WNDR3800, ADSL Modem: Comtrend CT-3565; ADSL connection: fixed rate 3008/320 MBit/s
Re: dropbear 2013.58-1 security status?
I don't know the answer to your question, but regardless, opening SSH on the WAN side is very bad practice.
Use OpenVPN.
- Posts: 89
- Joined: Thu Apr 22, 2010 3:24 pm
Re: dropbear 2013.58-1 security status?
OpenVPN is an option for large routers, but most have just 4 MB of flash. For those routers the safe option is using SSH (instead of SSL to the web GUI).
You always have a risk with any internet service. OpenVPN had a problem because it uses OpenSSL. Dropbear likely has problems. The only way to avoid problems is to prevent connections. If you do allow connections, be very careful and conservative about how you configure things.
For SSH, use very complex passwords, and allow 1 failed connection per 5 minutes.
Re: dropbear 2013.58-1 security status?
I will use OpenVPN on the WAN side, as this is the official way to perform remote access with Gargoyle.
Furthermore, I initially had not realized how amazingly simple it is to set up an OpenVPN server with the web-based GUI of Gargoyle.
@ ispyisail: Assuming that ssh public-key and not password authentication is used, I disagree that opening ssh on the WAN side is very bad practice.
@ throughwalls: The NETGEAR WNDR3800 has 128 MiB RAM.
Thank you both for the helpful replies.
Gargoyle 1.6.1: NETGEAR WNDR3800, ADSL Modem: Comtrend CT-3565; ADSL connection: fixed rate 3008/320 MBit/s
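A worked example added here, not from this thread and not code from the Gargoyle or OpenWrt projects: a small Python script that audits an OpenWrt-style dropbear UCI config against the conservative settings discussed above (throughwalls' advice to configure things carefully, and the point that key-based rather than password authentication changes the risk of a WAN-exposed SSH port), and then applies the "1 failed connection per 5 minutes" rule to dropbear log lines in the form logread prints them. The config text and log lines are constructed samples with documentation-range addresses; the UCI options PasswordAuth, RootPasswordAuth, Port and Interface are the real OpenWrt dropbear options, while the exact wording of the two failure messages matched by the regex is an assumption about dropbear's log output.

```python
"""Added example (not from the Gargoyle forum thread): audit a dropbear UCI
config for password/interface exposure and flag sources that exceed
"1 failed attempt per 5 minutes" in dropbear syslog lines.
All config text and log lines below are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed /etc/config/dropbear as shipped by default: password auth on, no interface restriction.
WEAK_CONFIG = """\
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
"""

# Constructed hardened version: key-only auth, bound to the LAN interface only.
HARDENED_CONFIG = """\
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
    option Interface 'lan'
"""


def parse_dropbear_uci(text):
    """Return {option: value} for a single 'config dropbear' section (simple UCI subset)."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*option\s+(\w+)\s+'([^']*)'", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def audit_dropbear_config(text):
    """Return a list of findings; an empty list means key-only auth bound to LAN."""
    opts = parse_dropbear_uci(text)
    findings = []
    # OpenWrt's defaults for both auth options are 'on', so a missing option counts as 'on'.
    if opts.get("PasswordAuth", "on") != "off":
        findings.append("PasswordAuth is on: password guessing possible; use public keys only")
    if opts.get("RootPasswordAuth", "on") != "off":
        findings.append("RootPasswordAuth is on: root password login allowed")
    if "Interface" not in opts:
        findings.append("no Interface option: dropbear listens on WAN as well as LAN")
    return findings


# Constructed syslog lines in logread's layout (timestamp host facility dropbear[pid]: message).
SAMPLE_LOG = """\
Jan  5 10:00:01 router authpriv.warn dropbear[2311]: Bad password attempt for 'root' from 203.0.113.7:51022
Jan  5 10:01:30 router authpriv.warn dropbear[2315]: Bad password attempt for 'root' from 203.0.113.7:51031
Jan  5 10:03:12 router authpriv.warn dropbear[2320]: Login attempt for nonexistent user from 203.0.113.7:51040
Jan  5 10:02:00 router authpriv.warn dropbear[2318]: Bad password attempt for 'admin' from 198.51.100.4:40110
Jan  5 10:20:00 router authpriv.warn dropbear[2340]: Bad password attempt for 'admin' from 198.51.100.4:40200
Jan  5 10:04:00 router authpriv.info dropbear[2322]: Password auth succeeded for 'root' from 192.168.1.20:55000
"""

# Assumed dropbear failure messages: a bad password, or a login for a user that does not exist.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ dropbear\[\d+\]: "
    r"(?:Bad password attempt for '[^']*'|Login attempt for nonexistent user) from (?P<ip>[\d.]+):\d+$"
)


def parse_failures(log_text, year=2014):
    """Yield (datetime, source_ip) per failed-auth line; syslog omits the year, so one is supplied."""
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")


def offenders(log_text, max_failures=1, window_seconds=300):
    """Return the set of source IPs with more than max_failures failed attempts inside
    any window_seconds span (the thread's '1 failed connection per 5 minutes' rule)."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span is at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_failures:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_dropbear_config(cfg) or "OK")
    print("sources over the limit:", sorted(offenders(SAMPLE_LOG)))
```

Only 203.0.113.7 is flagged: its three failures fall inside one five-minute window, while 198.51.100.4's two failures are eighteen minutes apart. The script only reports; acting on the result (a firewall rule, or simply switching PasswordAuth off so there is nothing to guess) is the part that lives in the router config.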
Re: dropbear 2013.58-1 security status?
I'm not disagreeing with anything said.
"@ ispyisail: Assuming that ssh public-key and not password authentication is used, I disagree that opening ssh on the WAN side is very bad practice."
I just wonder if this applies to the average Gargoyle user who just wants to use the GUI only.
With a few simple keystrokes through the GUI you can SSH through OpenVPN.
If your router is up to it, I don't know why you wouldn't do this as best practice?
anyway...
Re: dropbear 2013.58-1 security status?
Both SSH and OpenVPN configuration take technical knowledge and sophistication to do right. Neither is for beginners, at least not if you want to keep the scanning hordes out.
Going back to the original question: Is the choice of this version of dropbear made by the OpenWRT team, or by the Gargoyle team? It does seem like it would be worth upgrading the package, both because of the two fixed CVEs and also because of the other security-related changes made (https://matt.ucc.asn.au/dropbear/CHANGES).
Re: dropbear 2013.58-1 security status?
As a rule of thumb Gargoyle is the GUI and OpenWRT is the backend.
Eric only builds against stable OpenWRT branches and at this time it is AA.
https://dev.openwrt.org/browser/branche ... adjustment
I'm not sure if this answers your question?