Netgate Discussion Forum

    Cannot ssh into pfSense at WAN interface

      kwangmien

      Hi,

      I installed pfSense version 2.7.2.

      I did the following:

      a. Go to System -> Advanced -> Admin access
      b. Enabled Secure Shell
      c. For the SSHd Key only option, it is "Password or Public Key"
      d. The Allow Agent Forwarding is unchecked
      e. SSH port is 22

      I used PuTTY to access the WAN IP address at port 22. However, nothing appears in PuTTY. Based on the Wireshark capture, there is no response from pfSense to the TCP SYN packets.

      Are there other settings that I need to set in order to SSH? Or are there any firewall rules to disable to access TCP port 22 on the WAN interface?

      Thanks

      Regards
      Kwang Mien

        viragomann @kwangmien

        @kwangmien
        Did you add a firewall rule to allow SSH to the WAN address?

          elvisimprsntr @kwangmien

          @kwangmien

          Allowing SSH port 22 access via the WAN side is a recipe to be hacked.

          Don't be a potential victim. Use a VPN instead.

            Troutpocket @elvisimprsntr

            @elvisimprsntr Very good advice...

            Alternatively, you can source limit to a single IP or hostname to prevent random IPs filling your secure logs with ssh login attempts.

            But definitely don't expose SSH (or any admin interface) to the internet at large. We don't even allow it on the corp/guest VLANs. 22, 80, 443 on "this firewall" is only accessible via the management LAN.

              kwangmien @viragomann

              @viragomann After setting a rule to allow SSH, I can now SSH in.

                kwangmien @elvisimprsntr

                @elvisimprsntr Thanks for the advice. I am actually new to pfSense and testing the SSH at WAN interface.

                  kwangmien @Troutpocket

                  @Troutpocket Thanks for the advice.

                    viragomann @elvisimprsntr

                    @elvisimprsntr
                    I use SSH with password + public key authorization. I don't think that this is really less secure than a VPN.
                    VPN just provides an additional authorization layer.

                      Troutpocket @viragomann

                      @viragomann I'd argue it's better. I still recommend source-restricting SSH just to keep your log file size down. In any case, if you're going to use a VPN then seriously consider adding MFA. There's good integration with Google Auth, DUO, and MS Entra via RADIUS auth. If (when?) OpenVPN is compromised like some of the commercial SSL VPNs then hopefully MFA will save you.

                        elvisimprsntr @viragomann

                        @viragomann said in Cannot ssh into pfSense at WAN interface:

                        @elvisimprsntr
                        I use SSH with password + public key authorization. I don't think that this is really less secure than a VPN.
                        VPN just provides an additional authorization layer.

                        That assumes there is not a vulnerability with which the attacker can bypass authentication.

                        Examples of SSH vulnerabilities which apply to pfSense:

                        https://nvd.nist.gov/vuln/detail/CVE-2024-6387
                        https://terrapin-attack.com

                        It's your decision.

                          stephenw10 Netgate Administrator

                          Yup, I would always set a limited source for that.
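
Added example, not written by any poster in this thread: a small shell audit for the advice above that an SSH pass rule on WAN should have a limited source. It reads rule text in the style printed by `pfctl -sr` and reports whether each matching rule is open to any source; the interface names, addresses and sample rules are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag pass-in rules that admit SSH on the WAN interface.
# Constructed sample rules in the style of `pfctl -sr` output (documentation
# addresses; em0 = WAN and em1 = LAN are assumptions).
sample_rules() {
cat <<'EOF'
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 203.0.113.10 port = ssh flags S/SA keep state label "USER_RULE: SSH from anywhere"
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from 198.51.100.7 to 203.0.113.10 port = ssh flags S/SA keep state label "USER_RULE: SSH from admin host"
pass in quick on em1 inet proto tcp from any to (self) port = ssh flags S/SA keep state label "USER_RULE: SSH on LAN"
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 203.0.113.10 port = https flags S/SA keep state label "USER_RULE: HTTPS to WAN"
EOF
}

# audit_wan_ssh IFACE [PORT]: read rules on stdin and print one line per
# matching rule: "OPEN" when the source is any, "LIMITED" otherwise.
# Rule order, block rules, port ranges and rules without a destination
# port are not evaluated, so treat the output as a list to review.
audit_wan_ssh() {
    awk -v ifc="$1" -v port="${2:-22}" '
    $1 == "pass" && $2 == "in" {
        on = src = dst = dport = ""; tcp = 0; to = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "label") break    # free text follows, stop parsing
            if ($i == "on" && on == "") on = $(i + 1)
            else if ($i == "proto") tcp = ($(i + 1) == "tcp")
            else if ($i == "from" && src == "") src = $(i + 1)
            else if ($i == "to" && !to) { to = i; dst = $(i + 1) }
            else if ($i == "port" && to && dport == "")
                dport = ($(i + 1) == "=") ? $(i + 2) : $(i + 1)
        }
        if (on != ifc || !tcp) next
        # the port may be printed as a service name instead of the number 22
        if (dport != port && !(port == 22 && dport == "ssh")) next
        printf "%s %s -> %s\n", (src == "any" ? "OPEN" : "LIMITED"), src, dst
    }'
}

sample_rules | audit_wan_ssh em0
```

On the firewall itself the function can be fed live rules with `pfctl -sr | audit_wan_ssh <wan-if>`; any `OPEN` line for the WAN interface is a rule to restrict to a known source or replace with VPN access.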

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.