Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Question/ security concern with Pfsense 2 and console

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    6 Posts 5 Posters 2.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R Offline
      romainp
      last edited by

      Hi,
      I have just see a thing that really bugs me with pfsense 2 (current release 2.0-BETA4 (i386) built on Wed Dec 15 07:49:38 EST 2010)

      It seems that I juste have to plug a monitor and and keyboard and then at the console press the '8' key to have full root access to the pfsense box…
      I have to fully tested this but assuming I am root without asking any password then I could reconfigure PFsense, change settings, reboot  and so one... it seems to me a major security concern.

      Can you explain this behaviour?
      Thanks

      1 Reply Last reply Reply Quote 0
      • P Offline
        pwnell
        last edited by

        System > Advanced > Password protect the console menu

        1 Reply Last reply Reply Quote 0
        • R Offline
          romainp
          last edited by

          Thanks! I can breath again ;-)
          I have checked the help link to learn more about this option but there are not too much informations. Am I too impatient and the doc will be posted at some time? :-)

          A big thanks for the quick reply

          1 Reply Last reply Reply Quote 0
          • _ Offline
            _igor_
            last edited by

            Due to the beta-status of 2.0 the doc is not complete. But it will be completed. 1.2-release not even has a documentation, there is a book too. So please be patient, it will be cleared all.

            1 Reply Last reply Reply Quote 0
            • jimpJ Offline
              jimp Rebel Alliance Developer Netgate
              last edited by

              There is not much to learn about the option, it does exactly what it says: It password protects the console menu. :)

              Though I would also call your attention to this:
              http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Forgotten_Password_with_Locked_Console

              If you really don't trust users that much you really need some kind of locked cage to hold such equipment in, or keep it in a locked datacenter room.

              Controlling physical access is key if you are really worried that someone would hook up a keyboard and monitor that shouldn't be doing that.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • ? This user is from outside of this forum
                Guest
                last edited by

                jimp is correct.  This feature is more security theater than security.  If the attacker has physical access to your hardware, the fact that the console has a password prompt is entirely trivial to bypass.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.