I have a lot of
echo: system,error,critical login failure for user root from xx.yyy.zz.foo via ssh
messages when logged in via ssh.
How can I disable that message from logging at all?
Or at least popping up in ssh console?
You shouldn’t be happy with people trying to brute force your router. Secure it by source IP or connect via VPN, or at the very least set up port knocking.
Generally, public access for any router management service is not recommended.
Allow VPN connections to the router (from the public internet)?
Why would it be safer than secured ssh access?
I need some kind of management access to router.
An additional layer of security?
Bit worried you're asking this question.
In theory, SSH is as secure as SSTP, which in turn is as secure as IPsec, as long as all of them use the same encryption and authentication algorithms.
In practical use, it’s all software written mostly by humans so it contains mistakes that can be misused to gain unauthorized access. So there is the concept of a “security onion”, which says you should protect access to the device using multiple layers of security. Like VPN and SSH with different passwords and ideally also usernames.
If VPN software on the router gets cracked, other layers of security do not matter.
I consider ssh safer, more reviewed and tested than VPN software, so I prefer to expose ssh rather than VPN to the public.
If by “reviewed” you mean 3rd party review of source code, it will probably disappoint you that the gentlemen in Riga have repeatedly stated here on the forum, in response to concerns regarding CVEs related to openssh, that they use their own implementation of SSH.
Leaving aside that whilst everyone can (as in “is allowed to”) review the source, only a few can (as in “are capable to”) understand it to such a depth that they are able to actually spot a weakness.
Please have a good and thorough read here https://medium.com/@im0nk3yar0und/securing-your-mikrotik-49cb28161f9e
and reconsider the decision to expose SSH to the internet … by not even changing the default port tcp/22 to something else!
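As an added example (not part of any post in this thread), the following Python script treats the login-failure lines as a signal instead of noise: it counts failed SSH logins per source address from log text in the format quoted in the question. The sample lines, addresses, threshold and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the message body quoted in the question. Everything before
# "login failure" (timestamp, "echo:", topics) is ignored, so no particular
# prefix format is assumed.
FAILURE_RE = re.compile(
    r"login failure for user (?P<user>.*?) from (?P<src>\S+) via (?P<svc>\S+)\s*$"
)

# Constructed sample lines using documentation address ranges, not real data.
SAMPLE_LOG = """\
echo: system,error,critical login failure for user root from 203.0.113.7 via ssh
echo: system,error,critical login failure for user root from 203.0.113.7 via ssh
echo: system,error,critical login failure for user admin from 203.0.113.7 via ssh
echo: system,error,critical login failure for user root from 198.51.100.23 via ssh
echo: system,error,critical login failure for user admin from 192.0.2.50 via winbox
system,info,account user admin logged in from 192.0.2.10 via ssh
echo: system,error,critical login failure for user root from 203.0.113.7 via ssh
"""


def summarize(log_text, service="ssh"):
    """Return (attempts per source, usernames tried per source) for one service."""
    attempts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m is None or m["svc"] != service:
            continue  # not a login failure, or a different service
        attempts[m["src"]] += 1
        users[m["src"]].add(m["user"])
    return attempts, users


def noisy_sources(log_text, threshold=3, service="ssh"):
    """Sources with at least `threshold` failures, busiest first."""
    attempts, users = summarize(log_text, service)
    return [
        (src, count, sorted(users[src]))
        for src, count in attempts.most_common()
        if count >= threshold
    ]


if __name__ == "__main__":
    for src, count, names in noisy_sources(SAMPLE_LOG):
        print(f"{src}: {count} failed ssh logins, users tried: {', '.join(names)}")
```
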