    Protect pfSense: Better security when changing pfSense access-ports

    Firewalling · 7 Posts · 5 Posters · 505 Views
    • louis2

      These days I see an enormous number of attacks coming from the internet.

      At the same time I have a guest VLAN, an IoT VLAN and other VLANs, which could potentially be used to attack my network from inside.

      For these reasons / to protect pfSense, I changed the normal TCP port in System/Advanced to some other value. I did the same for the SSH port.

      This action makes it less likely that those ports are attacked and, as importantly, it makes it possible to block those ports for all VLANs other than your management VLAN. I defined the following floating rules:

      1. floating rule-1 (quick) pass the management ports for vlan-A-net
      2. floating rule-2 (quick) reject the management ports for any

      One disadvantage: when entering <ipaddress>:<new-ip-port> or http://<ipaddress>:<new-ip-port>, the browser will respond with "400 Bad Request", which can be solved by using http"S".

      Note that the measures suggested here are IMHO especially needed because the current pfSense versions do not have the option to define the allowed source addresses for the GUI and for SSH 😧

      I additionally protect my network by rules at the end of each VLAN / interface rule set, to block unintended access from one VLAN to other VLANs of my network. Again, attacks can also come from inside!!

      • AndyRH

        You can also block access to "This Firewall" which will prevent the specified network from being able to access the firewall on any port. This is what I do on most of my networks. Above this rule I allow NTP. DNS is handled by a different system.

        o||||o
        7100-1u

        • the other

          Hey there,
          I don't really believe in "security by obscurity", aka changing ports to another one... but that's just my 2 cents.

          Here no VLAN is allowed to get to pfSense's GUI or else, using the mentioned block for "This Firewall". Only the management VLAN is able to reach pfSense for configuration purposes.
          And even more: not every client in the management VLAN can get access; I use aliases for those machines that must access the GUI or SSH of pfSense.

          Since this is pure home usage I also blocked VPN access to "This Firewall".
          For my purposes it's enough to secure my firewall (besides strong passwords of course).
          Since attacks from the inside are indeed an important issue, I also went to change the native VLAN on my Cisco switches: they use VLAN 1 as default (unused for data traffic of users), then have the used VLANs with rules on the firewall AND a separated management VLAN. My native VLAN is running on another VLAN, yet a client connecting to an uplink between those locked-away switches will end up in this native VLAN... and will go nowhere from there; it does not get any IP, DNS or anything. It is fully separated from the rest. Hope that is ONE stone of my wall protecting my home net...
          :)

          the other

          pure amateur home user, no business or professional background
          please excuse poor english skills and typpoz :)

          • louis2 @the other
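          The rule designs discussed above (louis2's two quick floating rules, the "This Firewall" block with DNS/NTP allowed above it, and alias-restricted admin hosts) differ only in where the decision is made and in what order. The model below is an added example, not pfSense code or anything posted in this thread: it is a small first-match evaluator that mimics how pfSense walks quick floating rules before an interface's own rules, with constructed addresses (10.10.0.0/24 as the management VLAN, 10.20.0.0/24 as guest, 8443 and 2222 as the assumed non-default GUI and SSH ports). It also shows two failure modes a practitioner should check for: the two floating rules in the wrong order lock the management VLAN out too, and a later "pass 8443 for something else" rule placed above the "This Firewall" block quietly exposes the GUI.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed addressing for the model (assumptions, not taken from the thread).
MGMT_NET = ip_network("10.10.0.0/24")      # management VLAN ("vlan-A-net" in the thread)
GUEST_NET = ip_network("10.20.0.0/24")     # a guest VLAN
ANY = ip_network("0.0.0.0/0")
# Addresses pfSense holds on each VLAN; together they stand in for "This Firewall".
THIS_FIREWALL = {ip_address("10.10.0.1"), ip_address("10.20.0.1")}
MGMT_PORTS = frozenset({8443, 2222})       # assumed non-default GUI and SSH ports


def nets(*cidrs: str) -> Tuple[IPv4Network, ...]:
    """Build an alias-like tuple of networks (hosts are /32s)."""
    return tuple(ip_network(c) for c in cidrs)


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass", "block" or "reject"
    src: Tuple[IPv4Network, ...]         # source alias: any of these networks
    dst: object                          # IPv4Network or the string "this_firewall"
    ports: Optional[frozenset] = None    # destination ports, None = any port
    quick: bool = True                   # floating rules only take effect here when quick

    def matches(self, src_ip, dst_ip, port) -> bool:
        if not any(src_ip in n for n in self.src):
            return False
        if self.dst == "this_firewall":
            if dst_ip not in THIS_FIREWALL:
                return False
        elif dst_ip not in self.dst:
            return False
        return self.ports is None or port in self.ports


def evaluate(floating, interface_rules, src, dst, port) -> str:
    """First match wins: quick floating rules, then the ingress interface's rules, then default block."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in floating:
        if rule.quick and rule.matches(src_ip, dst_ip, port):
            return rule.action
    for rule in interface_rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "block"


# louis2's two floating rules, in the order given in the thread
# (destination modelled as the firewall itself; the post does not say).
LOUIS_FLOATING = [
    Rule("pass", (MGMT_NET,), "this_firewall", MGMT_PORTS),
    Rule("reject", (ANY,), "this_firewall", MGMT_PORTS),
]
# Guest VLAN rules in the AndyRH / "the other" style: DNS and NTP to the
# firewall, then block everything else to "This Firewall", then pass out.
GUEST_RULES = [
    Rule("pass", (GUEST_NET,), "this_firewall", frozenset({53, 123})),
    Rule("block", (GUEST_NET,), "this_firewall"),
    Rule("pass", (GUEST_NET,), ANY),
]
# Management VLAN rules restricted to an admin-host alias, as "the other" describes.
ADMIN_HOSTS = nets("10.10.0.5/32", "10.10.0.6/32")
MGMT_RULES = [
    Rule("pass", ADMIN_HOSTS, "this_firewall", MGMT_PORTS),
    Rule("block", (MGMT_NET,), "this_firewall", MGMT_PORTS),
    Rule("pass", (MGMT_NET,), ANY),
]


def floating_design() -> dict:
    """Outcomes with louis2's floating rules in place."""
    return {
        "mgmt_gui": evaluate(LOUIS_FLOATING, MGMT_RULES, "10.10.0.5", "10.10.0.1", 8443),
        "guest_gui": evaluate(LOUIS_FLOATING, GUEST_RULES, "10.20.0.7", "10.20.0.1", 8443),
        "guest_dns": evaluate(LOUIS_FLOATING, GUEST_RULES, "10.20.0.7", "10.20.0.1", 53),
    }


def floating_misordered() -> str:
    """Reject-any placed above pass-management: the admin VLAN is locked out as well."""
    return evaluate(list(reversed(LOUIS_FLOATING)), MGMT_RULES, "10.10.0.5", "10.10.0.1", 8443)


def this_firewall_design() -> dict:
    """Outcomes with no floating rules, relying on per-interface 'This Firewall' blocks."""
    return {
        "guest_gui": evaluate([], GUEST_RULES, "10.20.0.7", "10.20.0.1", 8443),
        "guest_ssh_22": evaluate([], GUEST_RULES, "10.20.0.7", "10.20.0.1", 22),
        "guest_internet": evaluate([], GUEST_RULES, "10.20.0.7", "203.0.113.10", 443),
        "admin_host_gui": evaluate([], MGMT_RULES, "10.10.0.5", "10.10.0.1", 8443),
        "other_mgmt_host_gui": evaluate([], MGMT_RULES, "10.10.0.50", "10.10.0.1", 8443),
    }


def port_reuse_pitfall() -> str:
    """A 'pass 8443 to any' rule for some other service, placed above the block, also exposes the GUI."""
    leaky = [Rule("pass", (GUEST_NET,), ANY, frozenset({8443}))] + GUEST_RULES
    return evaluate([], leaky, "10.20.0.7", "10.20.0.1", 8443)


if __name__ == "__main__":
    print("floating:", floating_design())
    print("floating misordered:", floating_misordered())
    print("this firewall:", this_firewall_design())
    print("port reuse pitfall:", port_reuse_pitfall())
```

The model deliberately does not include states, NAT or the pfSense default anti-lockout rule on LAN; its only purpose is to make the ordering consequences visible before they are committed to a live ruleset.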

            @the-other @AndyRH

            Note that:

            • The main reason to change the port numbers is that it allowed me to treat / filter them differently from the standard port "filtering"
            • Ports 443, 80 and 22 are forwarded to my Apache and SFTP server, whereas the "new" ports are solely reserved for pfSense management
            • I do use pfSense-provided services like DNS and DHCP. Stronger: I refuse connections to external DNS services and log, and eventually block, DNS queries
            • johnpoz (LAYER 8 Global Moderator) @louis2

              @louis2 said in Protect pfSense: Better security when changing pfSense access-ports:

              > The main reason to change the port numbers is that it allowed me to treat / filter them differently from the standard port "filtering"

              I will agree with this reasoning... I run, for example, the GUI on 8443 for this reason; I have other uses for 443 and don't want the GUI listening on it.

              But I also concur that changing it doesn't really add extra security, to be honest; changing it can lower your log entries, I will give you that. It might prevent some low-level scripts or bots or whatever from finding, say, your SSH server, but does that make your SSH more secure? If your service can be exploited/compromised by some means, changing its port isn't going to fix that security issue. There is nothing wrong with doing it if you have a reason to do it, like you want to use port X for something else, etc. But what I wouldn't agree with is changing the port removing the need for actual security measures. Making sure it is up to date, making sure methods of auth are sound; for SSH, for example, using public key auth vs passwords would be a good security measure to take.

              Only allowing trusted IPs to even talk to the service via your firewall would be a good security stance. Limiting what IPs can actually access it would be better than changing the port. For example, if only US IPs would need to access SSH, then on the firewall limit access to only US IPs. Best if you can set this to only specific IPs, but limiting the scope of who can actually talk is better than just trying to hide it from the internet by using a non-standard port. But sure, if you want to limit what IPs can talk to your service, and you want to run that service on a non-standard port for that service, there is nothing wrong with that.

              Nothing wrong with changing ports if you're clear it's not a substitute for valid security practices.

              Changing ports can come with its own issues though: the user has to know what port you changed it to, and non-standard ports might not work from all locations. Changing ports could introduce its own security issues if firewall rules are not correct, and port X is allowed for something else, and it's not known or clear that some service is also running on that port that shouldn't be allowed in the rule, etc.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • the other

                Hey there,
                I completely agree with changing ports being necessary in certain settings, such as different services running on the same default port and such; with a NAS running, it almost isn't avoidable even.
                Just wanted to say, that changing ports to make your firewall more secure against inside/outside attacks is not the main brick in your (fire)wall... ;)

                the other

                pure amateur home user, no business or professional background
                please excuse poor english skills and typpoz :)

                • NollipfSense @johnpoz

                  @johnpoz said in Protect pfSense: Better security when changing pfSense access-ports:

                  > I run for example gui on 8443 for this reason,

                  That's exactly what I do, as well as having a specific browser that's used only to access the GUI.

                  pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                  pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.
