Blocking SSH - Firewall Rule Troubles - SOLVED
-
I'm glad someone agrees that something isn't right here. Thanks. I only have one rule in my OpenVPN tab - allow local net to any.
For the allow any any rule for the Public net, I assumed for the subnet that is routed to us via BGP that I would need to allow that net through the WAN interfaces. I have ~600 residential WiSP customer NATed behind 1-10, and about 180 commercial customers directly on that network (20 and up).
-
I'm baffled with this situation as well and certainly agree that something isn't right. I too would like to block inbound ssh requests from the WAN (while leaving LAN connectivity enabled) and nothing I'm trying is working properly. When I scan my port 22 and the server is off, it obviously won't respond. When I enable the ssh server and scan, it responds without any rules defined (as expected). So then I decided to attempt a rule to allow LAN access but block all WAN requests. I clicked on my WAN tab and my 3rd entry was entered as follows:
block IPv4 TCP/UDP * 22 (SSH) WAN address 22 (SSH) * none
I enabled the server again, with the rule in place, and I was still seeing that the port was open from the WAN. I googled around and figured I might try a floating reject rule as well. I left the previous entry in the WAN rules but added the same as above to my Floating rules. I put this in as the 1st entry. I saved the config, bounced the SSH server (checkbox from System > Advanced), scanned again and sure enough it was still seeing port 22 as open.
I should also point out that I do have OpenVPN enabled as well. I'm at a loss as to what I could try next.
-
Here is the thing.. By default pfsense blocks all inbound traffic to wan.. So unless you create a rule to allow it - its going to be blocked.. Do you have firewall off?
He clearly has a rule that is any any to "public net" My my guess that is what is being hit for him.
I have ssh enabled on my lan, I hit it every day to be honest.. But from public its denied.. I see hits to it all the time, see previous pic.. If its not being blocked you got something wrong in your rules.. Please post your floating rules and wan rules..
-
An interesting article by Fireeye about recent SSH brute force attacks. Almost makes you want to open ssh on the WAN ;D
https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html
-
If you want to have fun with ssh, run a honeypot and see the IPs from china light you up like a xmas tree ;)
To be honest anyone that would run a ssh server that allows passwords is asking for trouble, whenever I bring up something that has ssh enabled - first thing I do is enable public key and turn off password auth.
-
block IPv4 TCP/UDP * 22 (SSH) WAN address 22 (SSH) * none
Don't use a source port. Source ports are random. That rule will never match.
Those block ssh rules do nothing because you never pass ssh below them.
What do PUBLIC address and PUBLIC net expand to? You are probably passing the TCP/22 traffic with that last pass any to PUBLIC net rule.
This would be a lot easier to diagnose without all the obfuscation of IP addresses.
 -
So, I did mention it in the original post, but the "Public" net is the one that is advertised by us via BGP. Consider it a DMZ of hosts - 64.141.y.x. To permit routing to those hosts via the two WAN interfaces, do I not need to implicitly allow traffic to them, to avoid the default block rule???
-
Yes.
Please post all applicable interfaces, subnets, and rules. Trying to help you with everything obfuscated is nearly impossible. PM if you must. They're just IP addresses.
-
You would need to allow the services you want to run on those IP.. that sure and the hell wouldn't be a any any ;)
-
So if I am serving Internet to multiple commercial/industrial customers on that network, shouldn't I be passing everything to them and letting them control their own firewalling? I will take new screenshots of all rules and post them in a minute…
-
Okay, soooo….
Shaw WAN (WAN1) - 64.141.127.248/29
Telus WAN (WAN2) - 204.191.241.0/29
Public (~DMZ) - 64.141.125.0/24 - advertised on both WANs via BGPShaw WAN Rules:
Telus WAN Rules:
Pubic Interface Rules:
All of these are for VoIP devices - companies host POTS lines here and we connect them to VoIP adapters and transport to their remote facilities via our microwave network.
Also, there are no rules in the floating tab.
-
To be honest anyone that would run a ssh server that allows passwords is asking for trouble, whenever I bring up something that has ssh enabled - first thing I do is enable public key and turn off password auth.
I'm all for more security. What do you mean? Do you use a hardware credential? On these two systems I am the only one that ever uses SSH for access (but limited access).
-
public key auth - look it up. Takes 2 seconds to implement.
So your routing traffic to this segment behind pfsense. So pfsense has an IP in this network, and it listens on ssh because you enable ssh. So block ssh to that interface IP.
So this segment
Public (~DMZ) - 64.141.125.0/24Pfsense is what 64.141.125.1 ?? Block traffic to pfsense IP from the public internet - I agree your customers need to do their own firewall if not using your services for that.
-
That's what I had done originally - I had rules to block SSH to the interface's real IP and the CARP IP. I will add them again right now.
-
And you mention you see stuff in the logs for attempted auth.. And what IP are they authing too?
If that is the IP I can validate if ssh is open to the public.
-
That's what I had done originally…
I did the same. My rules don't seem to work after I enable the SSH server via the checkbox.
Floating:
block IPv4 TCP/UDP * 22 (SSH) WAN address 22 (SSH) * noneWAN:
block IPv4 TCP/UDP * 22 (SSH) WAN address 22 (SSH) * none -
I just added the rules again and changed the port back to default 22. You can try to SSH to 64.141.125.250, .251 or .254 (CARP).
-
I just added the rules again and changed the port back to default 22. You can try to SSH to 64.141.125.250, .251 or .254 (CARP).
They are all open. Sounds like your rules aren't working either.
-
Source is not going to be 22 source could be ANY, and ssh is not UDP..
And yes that is open!! on the 250, 251 and 254
login as:
Password for admin@router1.morad:
251 shows
steve.morad -
Ah, yep. Good point. I'll make the change and try again.
