Netgate Discussion Forum

How to prevent root login with ssh and yet allow other users to login?

General pfSense Questions
9 Posts 4 Posters 1.5k Views
deddric
last edited by Aug 30, 2017, 9:56 AM

Don't feel like having root login open, sshd_config just gets overwritten, any ideas?

/d

johnpoz LAYER 8 Global Moderator
last edited by Aug 30, 2017, 10:45 AM Aug 30, 2017, 10:38 AM

Hmmm.. You could do public key auth only, and don't install a key for the admin account, which is the root account.

Really do not understand your logic though.. This is a firewall, not some server open to the public internet with different users etc. You don't have your ssh login open to the public internet do you? And set to use passwords? And not locked at least to specific source IPs?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07 | Lab VMs 2.8, 25.07

deddric
last edited by Aug 30, 2017, 10:55 AM Aug 30, 2017, 10:49 AM

@johnpoz:

Hmmm.. You could do public key auth only, and don't install a key for the admin account, which is the root account.

Really do not understand your logic though.. This is a firewall, not some server open to the public internet with different users etc. You don't have your ssh login open to the public internet do you? And set to use passwords? And not locked at least to specific source IPs?

I'm not running the default ssh port and blocking from most IP ranges; it would be nice to have a user "sshuser1" allowed to login and set up the ssh tunneling.

So it's not possible to disable root login and have it open for "sshuser1" to login?

EDIT
Similar to this
https://forum.pfsense.org/index.php?topic=2473.0

doktornotor Banned
last edited by Aug 30, 2017, 11:42 AM

@deddric:

blocking from most ip ranges

You are doing it upside down. You should whitelist a bunch of allowed IPs or use a VPN. Not blacklist billions of them.

deddric
last edited by Aug 30, 2017, 12:34 PM Aug 30, 2017, 12:29 PM

@doktornotor:

@deddric:

blocking from most ip ranges

You are doing it upside down. You should whitelist a bunch of allowed IPs or use a VPN. Not blacklist billions of them.

Well, that's not really my setup, and it's not what I requested help with either; back to topic plz.

EDIT: why login with root even if you have IP lists? It would still be better to do that with a lower-permission user.

johnpoz LAYER 8 Global Moderator
last edited by Aug 30, 2017, 1:08 PM

Because what would you be doing when logging in, other than root functions? It's your firewall.. not some box to use for applications. It's pointless to come in with some other account, just to change over to root/admin to admin the firewall.

If you give some other account the required permissions to do the admin functions, it's really no different than root ;)

I really would not suggest that ssh even be open to the outside unless you could lock it down to specific source IPs that are in your control. No matter what account you're accessing it with. And even so, password auth is not a good idea. Limit to public key auth.

The solution to your question has been given. Change to public key, and do not give the admin/root (same thing in pfSense) account a public key.. Only set up keys on other accounts you create.

To remotely access your firewall you really should VPN in..

BTW nice to see you back Dok! Haven't seen any posts from you in some time here. Always good to see you posting!

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07 | Lab VMs 2.8, 25.07

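As an added example (not code from the thread, nor from pfSense itself), a Python script that audits an OpenSSH host against the advice above: key-only authentication, and no authorized key installed for the root/admin account. It reads `sshd -T` style output plus each account's authorized_keys text; the samples are constructed, and the account names are assumptions.

```python
# Added example, not from the thread or pfSense: audit an OpenSSH host against the
# advice above (key-only auth, no key on root/admin). Samples are constructed.
SAMPLE_SSHD_T = """\
port 2222
permitrootlogin yes
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
"""
# Constructed authorized_keys contents per account (empty string = no file);
# "admin" being the same account as root is assumed, as on pfSense.
SAMPLE_KEYS = {
    "root": "",
    "admin": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForTheExample0 admin@laptop\n",
    "sshuser1": "# tunnel-only key\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForTheExample1 sshuser1@laptop\n",
}

def parse_sshd_t(text):
    """Map option -> value from `sshd -T` output (one 'name value' per line)."""
    opts = {}
    for line in text.splitlines():
        name, _, value = line.strip().partition(" ")
        if name:
            opts[name.lower()] = value.strip().lower()
    return opts

def count_keys(authorized_keys_text):
    """Number of key lines, ignoring blanks and comments."""
    return sum(1 for ln in authorized_keys_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#"))

def audit(opts, keys_by_user, privileged=("root", "admin")):
    """Return findings; an empty list means the host follows the advice."""
    findings = []
    if opts.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # OpenSSH before 8.7 reports this option as challengeresponseauthentication
    kbd = opts.get("kbdinteractiveauthentication", opts.get("challengeresponseauthentication"))
    if kbd != "no":
        findings.append("keyboard-interactive auth is not 'no' (PAM password prompts still work)")
    if opts.get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    for user in privileged:
        n = count_keys(keys_by_user.get(user, ""))
        if n:
            findings.append(f"{user} has {n} authorized key(s); remove them")
    if not any(count_keys(k) for u, k in keys_by_user.items() if u not in privileged):
        findings.append("no unprivileged account holds a key; nobody could log in")
    return findings
```

On a real host, run `sshd -T` as root and pass its output to parse_sshd_t; on the sample data the only finding is the key still installed for admin.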
deddric
last edited by Aug 30, 2017, 1:54 PM

So what's the opinion on exposing the webgui (other port than default) to the internet?

/d

NogBadTheBad
last edited by Aug 30, 2017, 2:20 PM Aug 30, 2017, 2:11 PM

@deddric:

So what's the opinion on exposing the webgui (other port than default) to the internet?

/d

What The Doktor prescribed :-

@doktornotor:

or use a VPN.

I NAT SSH / SFTP to a Raspberry PI running FreeBSD sat in my DMZ; on the PI I'm using pf to block brute force SSH / SFTP attacks and also whitelist people that can connect on the WAN router.

https://www.cyberciti.biz/faq/freebsd-openbsd-pf-stop-ftp-bruteforce-attacks/

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

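An added example of the pf approach Andy describes (not his configuration, nor the linked article's): only whitelisted sources may reach SSH at all, they are rate-limited, and any address that exceeds the rate is parked in a table and blocked. The interface name, addresses and port are assumptions.

```pf
# Added example pf.conf fragment for a FreeBSD host exposing SSH; values assumed.
ext_if = "vtnet0"
ssh_port = "22"

# Sources allowed to reach SSH (constructed addresses); everything else is dropped
table <ssh_allowed> { 203.0.113.10, 198.51.100.0/24 }
# Addresses that exceeded the connection rate land here (persist = survives reloads)
table <ssh_bruteforce> persist

set skip on lo0
block in log on $ext_if all

# Anyone already flagged as a brute-forcer is dropped before any other rule
block in quick on $ext_if from <ssh_bruteforce>

# Whitelisted sources may connect, but at most 10 concurrent connections and
# 5 new connections per 30 seconds per address; exceeding that adds the address
# to <ssh_bruteforce> and flushes all of its existing states
pass in quick on $ext_if proto tcp from <ssh_allowed> to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <ssh_bruteforce> flush global)

pass out on $ext_if all keep state

# Age out flagged addresses after a day, e.g. from cron:
#   pfctl -t ssh_bruteforce -T expire 86400
```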
johnpoz LAYER 8 Global Moderator
last edited by Aug 30, 2017, 3:12 PM

@deddric:

So what's the opinion on exposing the webgui (other port than default) to the internet?

Never in a million years would I do that or suggest that to anyone.. If you "must" do it then it would need to be locked to a specific source IP that is in your control.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07 | Lab VMs 2.8, 25.07

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.