Disallowing SSH from Wifi

Hi all.

I just installed my new Turris Omnia and I want to ssh into it (which right now I can’t since I don’t know which user I should ssh to).

But, at least for now, I don’t want anybody to be able to ssh into it from the WAN (which by default is already impossible if I understand correctly) nor from the Wifi (which by default is possible, again if I understand correctly), only through the LAN RJ45 ports.

How to achieve that?
(and yes I know that I should allow connection only through a public key, that’s for when I’ll find a way to not lose that key)

Your ssh user on new install will be root and you need to set the password, which will be identical to the LuCi login / password: Passwords - Turris Documentation

The other part of your question can be achieved in multiple ways, maybe the easiest would be a configuration of the firewall rules + firewall zones inside LuCi (this won’t be possible via reForis).

If you are not familiar with this topic, learn first how to make snapshots and reverts; it can happen that you mis-configure a firewall zone and lose access.

Using snapshots: Schnapps - Turris Documentation
Rolling back: Omnia - Turris Documentation


If you enable the HaaS proxy honeypot, no one will log in from the WAN to your SSH. They log in to the HaaS proxy.

Did I understand the question correctly?

SSH from WAN is not allowed by the default Turris firewall rules (it works only from LAN). Why? Because there is no specific rule to handle any incoming connection from WAN (not only SSH), so it ends up at the default target, which rejects. So there is no need to complicate things by installing HaaS if you don't need the HaaS honeypot.

The best way is to prove it yourself from the internet, e.g. turn off wifi on your mobile and try to ssh to the router from the mobile data network, such as: ssh root@yourWanIP

If that is still not enough, you can configure sshd to listen only on a specific local subnet, e.g.:
# bind to the router's own LAN address (sshd binds to a host address, not to a subnet/network address)
ListenAddress 192.168.1.1
which means no WAN.

If still not enough you can add extra firewall rules to accept only from specific subnet and reject the rest.

I did activate some honeypot application that was proposed in the initial setup, but I don't know more about it yet (I do know what a honeypot is though, but I never used one).

As I wrote, I know that ssh is already disallowed from the WAN, I want to also disable it from Wifi.

I haven’t configured any subnet (that I know of) yet.

To prevent it from wifi, I think you need to modify the network settings: first create a new subnet for wifi and add a firewall rule to allow access only from LAN.

It might be necessary to create a duplicate LAN interface only for wifi and add a firewall rule for port 22 on this new interface.

I think you need something like this:

# /etc/config/network (UCI). Note: Wi-Fi radios are attached to a bridge from
# /etc/config/wireless (option network 'wlan' on each wifi-iface); if that still
# says 'lan', the radios land in the lan bridge regardless of the ifname lists below.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option bridge_empty '1'
	list ifname 'lan0'
	list ifname 'lan1'
	list ifname 'lan2'
	list ifname 'lan3'
	list ifname 'lan4'

config interface 'wlan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option bridge_empty '1'
	list ifname 'wlan0'
	list ifname 'wlan1'

It is just a proposal, not tried.
And set up DHCP/DNS + firewall rules for this new wlan subnet, then create a new zone + forwarding (for internet access) for this wlan subnet.
And finally set another firewall rule to enable ssh only from the LAN subnet.
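Added example (mine, not from anyone in this thread and not Turris project code): a constructed /etc/config/firewall fragment for the proposed separate 'wlan' network, plus a small Python checker that evaluates the fw3 INPUT path the way the zone firewall does (config rule entries for the source zone in file order, first match wins, then the zone's own input policy). The zone and network names 'lan', 'wan' and 'wlan' are assumptions matching the interface proposal above; the checker only models proto and dest_port (not src_ip, family or ICMP types), so it is a sanity check of the policy before you apply it, not a replacement for testing from a wifi client.

```python
"""Check what the OpenWrt/Turris zone firewall does with traffic aimed at the
router itself (the INPUT path), using the fw3 ordering: 'config rule' entries
with a matching src zone and no dest zone are tried in file order (first match
wins); if none matches, the src zone's own 'input' policy decides."""

import shlex

# Constructed /etc/config/firewall fragment (assumption: a 'wlan' network
# exists, as in the interface proposal above). The wlan zone may reach the
# internet and the router's DHCP/DNS, but there is no rule admitting tcp/22,
# so the zone's input policy (REJECT) applies to ssh.
FIREWALL_CONFIG = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'wlan'
    list network 'wlan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'wlan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-DNS-wlan'
    option src 'wlan'
    option proto 'tcp udp'
    option dest_port '53 67'
    option target 'ACCEPT'
"""


def parse_uci(text):
    """Minimal UCI parser: a list of sections, each a dict of option -> str
    and list -> [str], with '.type' holding the section type."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == 'config':
            sections.append({'.type': parts[1]})
        elif parts[0] == 'option':
            sections[-1][parts[1]] = parts[2]
        elif parts[0] == 'list':
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections


def port_matches(spec, port):
    """fw3 dest_port syntax: space separated ports and 'lo-hi' ranges."""
    for item in spec.split():
        lo, _, hi = item.partition('-')
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, zone, proto, dport):
    # Only rules for this zone's INPUT path: src set, dest absent, not disabled.
    if rule.get('src') != zone or 'dest' in rule or rule.get('enabled', '1') == '0':
        return False
    protos = rule.get('proto', 'tcp udp').split()   # fw3 default proto: tcp and udp
    if 'all' not in protos and proto not in protos:
        return False
    spec = rule.get('dest_port')
    return spec is None or port_matches(spec, dport)


def input_verdict(sections, zone, proto, dport):
    """Verdict for a packet arriving from `zone` and addressed to the router."""
    for sec in sections:
        if sec['.type'] == 'rule' and rule_matches(sec, zone, proto, dport):
            return sec.get('target', 'DROP')         # fw3 default rule target
    for sec in sections:
        if sec['.type'] == 'zone' and sec.get('name') == zone:
            return sec.get('input', 'DROP')          # fw3 default zone policy
    raise ValueError(f'no zone named {zone!r}')


def ssh_policy(config_text=FIREWALL_CONFIG):
    """Map every zone to the verdict sshd (tcp/22) on the router gets from it."""
    sections = parse_uci(config_text)
    zones = [s['name'] for s in sections if s['.type'] == 'zone']
    return {z: input_verdict(sections, z, 'tcp', 22) for z in zones}


if __name__ == '__main__':
    for zone, verdict in ssh_policy().items():
        print(f'ssh from {zone:4s}: {verdict}')
    print('dns from wlan:', input_verdict(parse_uci(FIREWALL_CONFIG), 'wlan', 'udp', 53))
```

Running it reports ACCEPT for lan and REJECT for wan and wlan, while DNS/DHCP from wlan is still accepted. The design choice here is the safer of the two shapes mentioned in this thread: the wlan zone's input policy is REJECT and only the services the wifi clients need are opened, rather than input ACCEPT with a single rule rejecting port 22 (which would leave LuCI and every other router service reachable from wifi).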

This sort of approach would make the firewall configuration straightforward. However, routing rather than bridging between LAN and WLAN could cause issues with seeing zeroconf/bonjour services. If this happens, perhaps try some sort of mDNS forwarding or other L7 bridge (avahi perhaps?). Like @iron-maiden, I have not tried any of this, just giving a pointer in case you see issues like this.

Another option I just realized is to do this at the sshd level. Assign LAN IPs statically and just allow those:

https://docs.rackspace.com/support/how-to/restrict-ssh-login-to-a-specific-ip-or-host/