evoke4908 a day ago

Why would you want 2fa on your router? You really should never expose the management interface to WAN, it should be locked down to only your local network.

If you for some reason absolutely need to manage it remotely, that's why we have VPNs and SSH keys.

actualwitch a day ago | parent [-]

So that infected TV/IoT device doesn't brute-force your router's admin account. I know you could set it up so it stops listening on 0.0.0.0 and a firewall exists, but having 2fa on web ui and removing ssh should bring good enough security without much hassle.

nine_k a day ago | parent [-]

Why remove ssh from the LAN? Brute-forcing a cert-based login is unrealistic, and passwords should of course be disabled. You can add a passphrase to your ssh key to make it useless when stolen.

What am I missing?

actualwitch 20 hours ago | parent [-]

Yes, what you describe (or storing the ssh key on a YubiKey) would be a more secure setup. I like the web ui though, so having that be available from any device including phone in a reasonably secure way would be great IMO. You can do pretty much anything via uci so when using web ui I see no reason to leave ssh running.
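
An added example, not part of any comment in the thread: a small audit of `uci show dropbear; uci show uhttpd` output that flags the settings discussed above (SSH password login left on, management listeners bound to all interfaces). It assumes an OpenWrt router, as the mention of uci suggests; the sample output is constructed and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample of `uci show dropbear; uci show uhttpd` output.
SAMPLE = """\
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].Port='22'
uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='192.168.1.1:443'
"""

FALSE_VALUES = {"off", "0", "no", "false", "disabled"}
# uhttpd listeners that bind every address: "80", "0.0.0.0:80", "[::]:80"
WILDCARD = re.compile(r"^(?:(?:0\.0\.0\.0|\[::\]):)?\d+$")

def parse(text):
    """Map each `uci show` key to its list of values (key='v1' 'v2')."""
    opts = {}
    for line in text.splitlines():
        key, sep, raw = line.partition("=")
        if sep:
            opts[key.strip()] = shlex.split(raw)
    return opts

def audit(text):
    """Return findings for password SSH login and all-interface listeners."""
    opts = parse(text)
    findings = []
    # Section header lines look like dropbear.@dropbear[0]=dropbear
    sections = [k for k, v in opts.items() if k.count(".") == 1 and v == ["dropbear"]]
    for sec in sections:
        for opt in ("PasswordAuth", "RootPasswordAuth"):
            # An unset option counts as enabled, matching dropbear's default on OpenWrt.
            if opts.get(f"{sec}.{opt}", ["on"])[0] not in FALSE_VALUES:
                findings.append(f"{sec}: {opt} enabled, key-only login not enforced")
        if f"{sec}.Interface" not in opts:
            findings.append(f"{sec}: no Interface set, SSH listens on every interface")
    for key, vals in opts.items():
        if key.startswith("uhttpd.") and key.rsplit(".", 1)[-1] in ("listen_http", "listen_https"):
            findings += [f"{key}: listener {v} binds all addresses" for v in vals if WILDCARD.match(v)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```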