Ssh secure?
-
While public key auth is good idea, don't forget to disable password auth once you have public key setup and working.
To be honest in the long run its prob better to just setup vpn into your remote pfsense box. While 22 is common to block - running openvpn on say 443 tcp is prob open no matter where your at. And can even be bounced off a proxy. And would make it much easier to get to things behind pfsense via the vpn if that is ever required.
If wanting to really lock it down be it ssh or vpn and you know your always going to be accessing it from the same spot - lock down the rule to only allow access from that specific source IP. Only concern is if that IP changes or you will need access from other locations your not sure what the IP will be. Use of a fqdn as source could be ways around issues of IP changing, if you have a way to edit the IP the fqdn resolves too.
-
While public key auth is good idea, don't forget to disable password auth once you have public key setup and working.
To be honest in the long run its prob better to just setup vpn into your remote pfsense box. While 22 is common to block - running openvpn on say 443 tcp is prob open no matter where your at. And can even be bounced off a proxy. And would make it much easier to get to things behind pfsense via the vpn if that is ever required.
If wanting to really lock it down be it ssh or vpn and you know your always going to be accessing it from the same spot - lock down the rule to only allow access from that specific source IP. Only concern is if that IP changes or you will need access from other locations your not sure what the IP will be. Use of a fqdn as source could be ways around issues of IP changing, if you have a way to edit the IP the fqdn resolves too.
Why not use the ssh port forwarding facility to locally forward 127.0.0.1:444 to remote side:443? That makes a nice ssh-tunnel vpn solution without having to go thru the hassle of setting up openVPN.
That way you only leave port 22 (or whatever port you want to map it to) open, and only with public key login. Sounds as good as a VPN in my book. -
While public key auth is good idea, don't forget to disable password auth once you have public key setup and working.
To be honest in the long run its prob better to just setup vpn into your remote pfsense box. While 22 is common to block - running openvpn on say 443 tcp is prob open no matter where your at. And can even be bounced off a proxy. And would make it much easier to get to things behind pfsense via the vpn if that is ever required.
If wanting to really lock it down be it ssh or vpn and you know your always going to be accessing it from the same spot - lock down the rule to only allow access from that specific source IP. Only concern is if that IP changes or you will need access from other locations your not sure what the IP will be. Use of a fqdn as source could be ways around issues of IP changing, if you have a way to edit the IP the fqdn resolves too.
My ip changes from home, I do have noip setup so I have a x.ddns.net setup for my home ip.. problem is looks like devices that restrict access to all but specified ips will not accept a domain name, just an ip address or ip range. The remote location will also have a dynamic ip, static ip is not available.
I do not have sensitive data at the remote location.. just want the pfsense box secure so it cannot be hacked.. but need remote access to it.. I think ssh with the key authentication is probably sufficient to accomplish this, yes?
-
While sure you can tunnel whatever you want through a ssh connection.. You have to setup those tunnels.. But sure ssh can be a poor mans vpn.
Can ssh bounce off a proxy? There are many advantages to vpn over ssh to be honest.. While yes some aspects of the vpn can be done via ssh and tunnels. Not sure what hassle there is to setting up a vpn - it can be done in like 2 minutes. The one advantage I would say to ssh over vpn is ssh can normally be done from a client without admin, while running openvpn on a client normally takes admin rights.
ssh can be easy to carry with you with say putty and your key on your usb stick. There are openvpn clients for your phone and or tablet running ios or android so that can be handy - while for example ssh from a tablet or phone while it can be done is a bit more of a pain point than installing app and importing config that was exported from pfsense export wizard.
-
Worth also getting some notifications, otherwise how would you know if someone has got into your system?
https://forum.pfsense.org/index.php?topic=52532.0
-
You may also be interested in rate limiting the new connections so somebody doesn't just stand there pounding on the door.
In the SSH firewall rule Advanced features - Advanced Options:
Maximum new connections per host / per second(s) (TCP only)
3 / 60 -
Is there a Fail2Ban in pfsense or freebsd?
-
Is there a Fail2Ban in pfsense or freebsd?
It's enabled by default for webgui and SSH.
https://doc.pfsense.org/index.php/Sshlockout
https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI#Locked_Out_by_Too_Many_Failed_Login_Attempts -
Thanks all for the help and suggestions, I appreciate it. I have another non related issue. How do I determine why occasionally lose internet connection for just a brief moment a few times a day since putting this pfsense box up, no issues at all with my connection before the pfserver. What should I look into to see if anythings shows up anywhere? I assume logs, but which logs, how? what am I looking for?
thanks again!
-
-
Suggest starting a new thread for this non related topic.
Edit / Update: Oh I see you did that already.
Thanks all for the help and suggestions, I appreciate it. I have another non related issue. How do I determine why occasionally lose internet connection for just a brief moment a few times a day since putting this pfsense box up, no issues at all with my connection before the pfserver. What should I look into to see if anythings shows up anywhere? I assume logs, but which logs, how? what am I looking for?
thanks again!
