Obfuscated OpenSSH for remote access? The greatest invention since sliced cheese!
-
Is there any chance in the future of including Obfuscated OpenSSH within pfSense? I think it would be very useful for remote network access and configuration. I have been using it for years on CentOS, Debian and even Slax Linux routers with great success. No one has hacked in since I started using it.
Being the dull light bulb I am, I just gave it a half-baked attempt to compile a patched version of OpenSSH_7.5p1 on FreeBSD 11.2 with the pie-in-the-sky hope of incorporating it within the current version of pfSense. Not surprisingly, I had very little success, because apparently compiling something even as simple as OpenSSH in the FreeBSD environment is a new unholy breed of cat completely outside my knowledge base. I tried their FreeBSD port stuff but that turned into a broken blind alley. I even tried downloading the FreeBSD source code from pfSense but the source code for OpenSSH couldn't even find its own header file. Good grief!
Any advice on the concept of compiling OpenSSH in FreeBSD for pfSense would be greatly appreciated, since I doubt the developer will bite on this concept in spite of my rabid arm-waving enthusiasm.
Using Obfuscated SSH patches allows opening SSH directly to the internet, since throwing it on an odd port and using an obfuscated knock-knock password foils would-be attackers. Even if they find a dead open port, it's hard to attack something if you don't know what it is or what version it is. I wouldn't dare leave ssh open on any port without obfuscating it, since all kinds of brute force attacks are used, and if they don't lock your router up with their persistent futile attempts to hack in, they will fill your log files to the rafters. Guess how I know that one.
My favorite tool to connect to Linux with obf-ssh is the Tunnelier client from Bitvise. The sshd within Linux/BSD doesn't offer the level of security or compatibility that the Bitvise server side offers (it only runs on Windows), but I mostly only use it for technical remote access so it serves my purpose. With port forwarding any device in the network can be accessed, especially anything with RDP. Even the older vSphere client can be forwarded (ports 902, 903, and 443).
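The post above mentions brute-force attempts filling the logs of an internet-exposed sshd. As an added illustration (not the poster's code and not part of pfSense or OpenSSH), the following parses OpenSSH "Failed password" syslog lines, counts failures per source address within a sliding time window, and returns the sources that cross a threshold. The log lines, the threshold and the window size are constructed for the example.

```python
"""Spot SSH password brute-forcing in sshd syslog lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Traditional syslog layout as written by OpenSSH on most Linux/BSD hosts:
# "Mar  3 10:00:01 host sshd[pid]: Failed password for [invalid user ]NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one source hammering with guessed usernames,
# one legitimate operator who mistyped a password twice.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:00:02 gw sshd[1203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 10:00:02 gw sshd[1204]: Accepted publickey for ops from 192.0.2.25 port 40002 ssh2
Mar  3 10:00:03 gw sshd[1206]: Failed password for invalid user oracle from 198.51.100.7 port 51251 ssh2
Mar  3 10:00:04 gw sshd[1208]: Failed password for invalid user test from 198.51.100.7 port 51260 ssh2
Mar  3 10:00:05 gw sshd[1210]: Failed password for invalid user ubuntu from 198.51.100.7 port 51266 ssh2
Mar  3 10:05:00 gw sshd[1290]: Failed password for ops from 192.0.2.25 port 40010 ssh2
Mar  3 10:06:00 gw sshd[1291]: Failed password for ops from 192.0.2.25 port 40011 ssh2
"""


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, username) for every failed password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # Syslog timestamps carry no year; only deltas matter here.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Map source IP -> peak number of failures seen inside any `window_seconds` window,
    for sources that reached `threshold` failures in one window."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for ts, ip, _user in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s")
```

The operator's two typos at 192.0.2.25 stay below the threshold, while the five rapid failures from 198.51.100.7 are flagged; the same per-source window logic is what tools like fail2ban use before adding a firewall block.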
-
If port knocking, because that is what it was called before, was that "good and simple", it would have been implemented in the world's top ten SSH servers (sshd-like) and clients.
I just checked: PuTTY doesn't know what it is....
Port knocking isn't done by the sshd server (normally). Back then, in the good old days, it was a nifty set of "iptables" = firewall rules, some variables to mark the state ("progression in state"), and off you go.
How to compile the source for a package, the preferred way when you use FreeBSD, is documented these days. Just use the stock 12.x kernel and the FreeBSD source package. It's FreeBSD's preferred way to install packages. Up to you to 'patch' the source before compiling.
pfSense uses FreeBSD, but doesn't use the same package integration model. Compiling on pfSense isn't even possible: all the tools are missing. pfSense isn't a dev environment anyway. It's a firewall / router. One doesn't 'dev' on one's firewall ;)
-
If it makes it into OpenSSH sshd in the FreeBSD base system, perhaps. But doubtful.
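The second reply describes port knocking as firewall rules plus state variables that track each source's progression through the knock sequence, outside sshd itself. As an added illustration (not code from any poster, and not the iptables rules themselves), the following models that progression as a small state machine: each packet advances, resets or expires a per-source stage, and the protected port only answers during a short window after the full sequence. The knock ports, windows and sample packets are constructed for the example.

```python
"""Port-knocking state progression, modelled in Python (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

KNOCK_SEQUENCE = (7000, 9000, 8000)  # assumed knock ports, deliberately not ascending
PROTECTED_PORT = 22                  # the service the knock unlocks
KNOCK_WINDOW = 10.0                  # seconds allowed between consecutive knocks (assumed)
OPEN_WINDOW = 30.0                   # seconds the protected port stays reachable (assumed)


@dataclass
class KnockState:
    """Per-source bookkeeping, the role the 'recent' list plays in an iptables ruleset."""
    stage: int = 0                  # correct knocks seen so far
    last_seen: float = 0.0          # time of the last correct knock
    opened_at: Optional[float] = None


class PortKnocker:
    def __init__(self):
        self.state: Dict[str, KnockState] = {}

    def packet(self, now: float, src: str, dport: int) -> bool:
        """Decide one inbound packet: True = accept, False = drop."""
        st = self.state.setdefault(src, KnockState())

        # A half-finished sequence that went quiet too long starts over.
        if st.stage and now - st.last_seen > KNOCK_WINDOW:
            st.stage = 0

        if dport == PROTECTED_PORT:
            # Only reachable inside the window opened by a completed sequence.
            return st.opened_at is not None and now - st.opened_at <= OPEN_WINDOW

        if dport == KNOCK_SEQUENCE[st.stage]:
            st.stage += 1
            st.last_seen = now
            if st.stage == len(KNOCK_SEQUENCE):
                st.opened_at = now   # sequence complete: open the door for this source
                st.stage = 0
        else:
            # Any other port resets progress, so a blind port sweep does not walk the sequence.
            st.stage = 0
        return False  # knock ports themselves never answer


def trace(packets):
    """Run a constructed packet list through a fresh knocker; return the decisions."""
    pk = PortKnocker()
    return [(src, dport, pk.packet(t, src, dport)) for t, src, dport in packets]


# Constructed traffic: a correct knock from 192.0.2.10, then an ascending
# port sweep from 198.51.100.7 that trips over the non-ascending sequence.
SAMPLE_PACKETS = [
    (0.0, "192.0.2.10", 22),      # dropped: nothing knocked yet
    (1.0, "192.0.2.10", 7000),
    (2.0, "192.0.2.10", 9000),
    (3.0, "192.0.2.10", 8000),
    (4.0, "192.0.2.10", 22),      # accepted: inside the open window
    (40.0, "192.0.2.10", 22),     # dropped: open window expired
    (5.0, "198.51.100.7", 7000),
    (6.0, "198.51.100.7", 8000),  # wrong next port -> reset
    (7.0, "198.51.100.7", 9000),
    (8.0, "198.51.100.7", 22),    # dropped
]

if __name__ == "__main__":
    for src, dport, ok in trace(SAMPLE_PACKETS):
        print(f"{src:>14} -> {dport:<5} {'ACCEPT' if ok else 'DROP'}")
```

The sequence is chosen non-monotonic on purpose: a scanner walking ports upward would otherwise hit an ascending sequence in order. Note what the model makes visible: the knock only gates reachability, so whatever sshd exposes after the door opens (version banner, auth methods) is unchanged, and the log-based detection in the first example still applies to any source that gets through.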