Improve router remote administration security

Many home routers, like the Asus RT-AC68U, offer a web remote administration interface.  This interface is useful when you need to manage the router away from home.  However, frequently the only authentication mechanism is a single password.  The router is thus vulnerable to password guessing on the internet facing administration interface.

The Asus router also offers an SSH interface that allows direct access to the router OS.  SSH is a well tested secure interface that offers password and certificate based authentication.  While most router settings can be configured by the SSH interface it is not as user friendly as the web administration interface.

Using SSH’s tunneling capability the router can be configured to provide the security of SSH and the user friendliness of the web administration interface over the Internet.

SSH’s tunneling protocol can establish a local end point and proxy that local end point to a securely connected remote end point.  We can use this capability to securely tunnel from the Internet via SSH to the routers web administration interface.

Prerequisites

  • This tutorial assumes basic familiarity with SSH and use of public and private keys for SSH authentication.
  • The router is configured to use a dynamic DNS provider to allocate a DNS name to the external interface of the router.

Configure the router

Configure the router to enable the SSH interface.  Ensure that only certificate based authentication is enabled.  (If password authentication is enabled then the system is vulnerable to password guessing.)  Add in the public keys of any SSH accounts permitted to access the router.

Disable the internet administration interface.

Configure the SSH interface and disable the Internet access to the administration interface.
Configure the SSH interface and disable the Internet access to the administration interface.

Establish an SSH Tunnel

On a remote machine in a command shell (MacOS, Linux, Unix, Windows with Cygwin, …) setup the SSH tunnel using -L option.

ssh -N -L 9000:192.168.0.1:8443 admin@myrouter1234.dyndns-home.com

The above command will establish a connection from port 9000 on the localhost to port 8443 on 192.168.0.1 (substitute with the LAN address of your router) via myrouter1234.dyndns-home.com.  Where myrouter1234.dyndns-home.com is the internet facing name of your router provided by a Dynamic DNS provider.  The -N option instructs ssh to not send any remote commands to the SSH server on the router.

Connect to the Admin Interface

In a browser go to https://localhost:9000 to access the routers admin interface.

Admin Interface

To terminate the session simply Ctrl-C to kill SSH in the command shell.