diff --git a/package/base-files/files/bin/login.sh b/package/base-files/files/bin/login.sh
index 25627b66b2..754d290857 100755
--- a/package/base-files/files/bin/login.sh
+++ b/package/base-files/files/bin/login.sh
@@ -10,8 +10,7 @@ then
 else
 cat << EOF
  === IMPORTANT ============================
-  Use 'passwd' to set your login password
-  this will disable telnet and enable SSH
+  Use 'passwd' to set your login password!
  ------------------------------------------
 EOF
 fi
diff --git a/package/base-files/files/lib/preinit/99_10_failsafe_login b/package/base-files/files/lib/preinit/99_10_failsafe_login
index 15dcbd884f..b12e31702a 100644
--- a/package/base-files/files/lib/preinit/99_10_failsafe_login
+++ b/package/base-files/files/lib/preinit/99_10_failsafe_login
@@ -1,9 +1,10 @@
 #!/bin/sh
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
 # Copyright (C) 2010 Vertical Communications
 
 failsafe_netlogin () {
-	telnetd -l /bin/login.sh <> /dev/null 2>&1
+	dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+	dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
 }
 
 failsafe_shell() {
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 8988e0db12..f140f36dcc 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2015.68
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
index f3931b0ccc..805a0964ab 100644
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -18,6 +18,17 @@
  
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
+@@ -95,8 +95,8 @@ much traffic. */
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
 @@ -131,9 +131,9 @@ If you test it please contact the Dropbe
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
new file mode 100644
index 0000000000..7c67b086bb
--- /dev/null
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+ 				AUTH_METHOD_NONE_LEN) == 0) {
+ 		TRACE(("recv_msg_userauth_request: 'none' request"))
+ 		if (valid_user
+-				&& svr_opts.allowblankpass
++				&& (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+ 				&& !svr_opts.noauthpass
+ 				&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
+ 				&& ses.authstate.pw_passwd[0] == '\0') 
diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
new file mode 100644
index 0000000000..ee6d273344
--- /dev/null
+++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -475,6 +475,7 @@ void load_all_hostkeys() {
+ 		m_free(hostkey_file);
+ 	}
+ 
++	if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+ 	loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -486,6 +487,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+ 	loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++	}
+ 
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+ 	if (svr_opts.delay_hostkey) {
diff --git a/package/utils/busybox/Config-defaults.in b/package/utils/busybox/Config-defaults.in
index 7b4cd99a5d..d961bfaaee 100644
--- a/package/utils/busybox/Config-defaults.in
+++ b/package/utils/busybox/Config-defaults.in
@@ -2187,19 +2187,19 @@ config BUSYBOX_DEFAULT_TCPSVD
 	default n
 config BUSYBOX_DEFAULT_TELNET
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_TTYPE
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNET_AUTOLOGIN
 	bool
 	default n
 config BUSYBOX_DEFAULT_TELNETD
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_STANDALONE
 	bool
-	default y
+	default n
 config BUSYBOX_DEFAULT_FEATURE_TELNETD_INETD_WAIT
 	bool
 	default n
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index 9571d48bec..a65f44f8fe 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -110,7 +110,6 @@ define Package/busybox/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(CP) $(PKG_INSTALL_DIR)/* $(1)/
 	$(INSTALL_BIN) ./files/cron $(1)/etc/init.d/cron
-	$(INSTALL_BIN) ./files/telnet $(1)/etc/init.d/telnet
 	$(INSTALL_BIN) ./files/sysntpd $(1)/etc/init.d/sysntpd
 	$(INSTALL_BIN) ./files/ntpd-hotplug $(1)/usr/sbin/ntpd-hotplug
 	-rm -rf $(1)/lib64
diff --git a/package/utils/busybox/files/telnet b/package/utils/busybox/files/telnet
deleted file mode 100755
index a1d1cdf9b1..0000000000
--- a/package/utils/busybox/files/telnet
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2011 OpenWrt.org
-
-START=50
-
-USE_PROCD=1
-PROG=/usr/sbin/telnetd
-
-has_root_pwd() {
-	local pwd=$([ -f "$1" ] && cat "$1")
-	      pwd="${pwd#*root:}"
-	      pwd="${pwd%%:*}"
-
-	test -n "${pwd#[\!x]}"
-}
-
-get_root_home() {
-	local homedir=$([ -f "$1" ] && cat "$1")
-	homedir="${homedir#*:*:0:0:*:}"
-
-	echo "${homedir%%:*}"
-}
-
-has_ssh_pubkey() {
-	( /etc/init.d/dropbear enabled 2> /dev/null && grep -qs "^ssh-" /etc/dropbear/authorized_keys ) || \
-	( /etc/init.d/sshd enabled 2> /dev/null && grep -qs "^ssh-" "$(get_root_home /etc/passwd)"/.ssh/authorized_keys )
-}
-
-start_service() {
-	if ( ! has_ssh_pubkey && \
-	     ! has_root_pwd /etc/passwd && ! has_root_pwd /etc/shadow ) || \
-	   ( ! /etc/init.d/dropbear enabled 2> /dev/null && ! /etc/init.d/sshd enabled 2> /dev/null );
-	then
-		procd_open_instance
-		procd_set_param command "$PROG" -F -l /bin/login.sh
-		procd_close_instance
-	fi
-}