Ssh secure?
-
Hello, I just setup a pfsense box (used old core 2 duo pc) for a remote location (it will be a few hours away). I will be accessing this location from home. Is it secure to have ssh open in case I need to get into the pfsense server? Are there precautions built into the pfsense server to stop or make it difficult for people trying to access my box via ssh?
thanks all!
-
Simple, set SSH to use RSA/DSA key only login.
-
use vpn to remotely manage.
-
Simple, set SSH to use RSA/DSA key only login.
actually I was just looking up how to do that, found a tutorial on creating key using putty and puttygen. I have the keys created.. followed these steps on the pfsense server
6 Save The Public Key On The Server
Then log in to your SSH server (if you have closed the previous SSH session already), still with the username and password, and paste the public key into the file
~/.ssh/authorized_keys2 (in one line!) like this:
mkdir ~/.ssh
chmod 700 ~/.sshvi ~/.ssh/authorized_keys2
ssh-rsa AAAAB3NzaC1yc2EA[…]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
That file must be write/readable only by that user, so we run
chmod 600 ~/.ssh/authorized_keys2
–--------------
I have done this so far... and selected to use the key in putty. When I logon with putty I get this now.
Using username "admin".
Server refused our key
Using keyboard-interactive authentication.
–------So following these steps so far, will it work if I change ssh to not use username/pw, will it start using the key I created in authorized_keys2?
I am quite new to all this.
thanks all
-
Not sure what doc you're following, but this is all you need to do:
Generate key in openssh format, if using putty, you'll need to convert it to openssh format first.
System -> User Manager
Edit admin user
Paste authorized key(s) (should look like ssh-dss AAAA…..== user@host)
SaveTest that you can login with the key
System -> Advanced -> Admin Access tab (default)
Check Enable Secure shell (if you've not already done so)
Check Disable password login for Secure Shell
SaveTest that you can still login with the key
Web access isn't affected by this, so if you bork it, you can fix it.
-
Ahh! I figured it out.. the gui let me paste in my created key from puttygen.. working now with a key! :)
-
While public key auth is good idea, don't forget to disable password auth once you have public key setup and working.
To be honest in the long run its prob better to just setup vpn into your remote pfsense box. While 22 is common to block - running openvpn on say 443 tcp is prob open no matter where your at. And can even be bounced off a proxy. And would make it much easier to get to things behind pfsense via the vpn if that is ever required.
If wanting to really lock it down be it ssh or vpn and you know your always going to be accessing it from the same spot - lock down the rule to only allow access from that specific source IP. Only concern is if that IP changes or you will need access from other locations your not sure what the IP will be. Use of a fqdn as source could be ways around issues of IP changing, if you have a way to edit the IP the fqdn resolves too.
-
While public key auth is good idea, don't forget to disable password auth once you have public key setup and working.
To be honest in the long run its prob better to just setup vpn into your remote pfsense box. While 22 is common to block - running openvpn on say 443 tcp is prob open no matter where your at. And can even be bounced off a proxy. And would make it much easier to get to things behind pfsense via the vpn if that is ever required.
If wanting to really lock it down be it ssh or vpn and you know your always going to be accessing it from the same spot - lock down the rule to only allow access from that specific source IP. Only concern is if that IP changes or you will need access from other locations your not sure what the IP will be. Use of a fqdn as source could be ways around issues of IP changing, if you have a way to edit the IP the fqdn resolves too.
Why not use the ssh port forwarding facility to locally forward 127.0.0.1:444 to remote side:443? That makes a nice ssh-tunnel vpn solution without having to go thru the hassle of setting up openVPN.
That way you only leave port 22 (or whatever port you want to map it to) open, and only with public key login. Sounds as good as a VPN in my book. -
While public key auth is good idea, don't forget to disable password auth once you have public key setup and working.
To be honest in the long run its prob better to just setup vpn into your remote pfsense box. While 22 is common to block - running openvpn on say 443 tcp is prob open no matter where your at. And can even be bounced off a proxy. And would make it much easier to get to things behind pfsense via the vpn if that is ever required.
If wanting to really lock it down be it ssh or vpn and you know your always going to be accessing it from the same spot - lock down the rule to only allow access from that specific source IP. Only concern is if that IP changes or you will need access from other locations your not sure what the IP will be. Use of a fqdn as source could be ways around issues of IP changing, if you have a way to edit the IP the fqdn resolves too.
My ip changes from home, I do have noip setup so I have a x.ddns.net setup for my home ip.. problem is looks like devices that restrict access to all but specified ips will not accept a domain name, just an ip address or ip range. The remote location will also have a dynamic ip, static ip is not available.
I do not have sensitive data at the remote location.. just want the pfsense box secure so it cannot be hacked.. but need remote access to it.. I think ssh with the key authentication is probably sufficient to accomplish this, yes?
-
While sure you can tunnel whatever you want through a ssh connection.. You have to setup those tunnels.. But sure ssh can be a poor mans vpn.
Can ssh bounce off a proxy? There are many advantages to vpn over ssh to be honest.. While yes some aspects of the vpn can be done via ssh and tunnels. Not sure what hassle there is to setting up a vpn - it can be done in like 2 minutes. The one advantage I would say to ssh over vpn is ssh can normally be done from a client without admin, while running openvpn on a client normally takes admin rights.
ssh can be easy to carry with you with say putty and your key on your usb stick. There are openvpn clients for your phone and or tablet running ios or android so that can be handy - while for example ssh from a tablet or phone while it can be done is a bit more of a pain point than installing app and importing config that was exported from pfsense export wizard.
-
Worth also getting some notifications, otherwise how would you know if someone has got into your system?
https://forum.pfsense.org/index.php?topic=52532.0
-
You may also be interested in rate limiting the new connections so somebody doesn't just stand there pounding on the door.
In the SSH firewall rule Advanced features - Advanced Options:
Maximum new connections per host / per second(s) (TCP only)
3 / 60 -
Is there a Fail2Ban in pfsense or freebsd?
-
Is there a Fail2Ban in pfsense or freebsd?
It's enabled by default for webgui and SSH.
https://doc.pfsense.org/index.php/Sshlockout
https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI#Locked_Out_by_Too_Many_Failed_Login_Attempts -
Thanks all for the help and suggestions, I appreciate it. I have another non related issue. How do I determine why occasionally lose internet connection for just a brief moment a few times a day since putting this pfsense box up, no issues at all with my connection before the pfserver. What should I look into to see if anythings shows up anywhere? I assume logs, but which logs, how? what am I looking for?
thanks again!
-
-
Suggest starting a new thread for this non related topic.
Edit / Update: Oh I see you did that already.
Thanks all for the help and suggestions, I appreciate it. I have another non related issue. How do I determine why occasionally lose internet connection for just a brief moment a few times a day since putting this pfsense box up, no issues at all with my connection before the pfserver. What should I look into to see if anythings shows up anywhere? I assume logs, but which logs, how? what am I looking for?
thanks again!