GUI Lockout?!
-
Hi,
On my freshly reset 2100 I cannot get SSH keys to work on 23.01.
Instead I got 'GUI Lockout' ?? All I did was enable SSH and set a key. After saving I began to lose contact with pfSense. I had to revert through the console. Why please?
-
@furom said in GUI Lockout?!:
Why please?
When setting up access methods, first, access a console (SSH or the classic console) and
tail -f /var/log/system.log
Or look constantly here Status > System Logs > System > General
Normally, on the LAN interface, there should be a rule like this:
Without this rule, and errors during SSH access, the process "sshguard" (which will also scan failed GUI access) will block your LAN IP.
If you suspect that you're locked out: assign temporarily a static IP / mask / Gateway / DNS to the device you use to access pfSense which is different from the previous (DHCP) IP, and don't make the same mistake twice.
-
@gertjan said in GUI Lockout?!:
@furom said in GUI Lockout?!:
Why please?
When setting up access methods, first, access a console (SSH or the classic console) and
tail -f /var/log/system.log
Or look constantly here Status > System Logs > System > General
Normally, on the LAN interface, there should be a rule like this:
Without this rule, and errors during SSH access, the process "sshguard" (which will also scan failed GUI access) will block your LAN IP.
If you suspect that you're locked out: assign temporarily a static IP / mask / Gateway / DNS to the device you use to access pfSense which is different from the previous (DHCP) IP, and don't make the same mistake twice.
Absolutely. But the issue was more that despite having these ports wide open for what I need, I got blocked. I have added such a rule to my main net as well, and topmost. I don't doubt I have done something dumb, but I could not find it. Rules evaluate top down, and according to that I should have had all these ports open already. Thanks for reminding me though. I have it on LAN, but it should really be made available on other ones too, or as a choice...
-
@furom pretty sure even with the anti-lockout you can still have sshguard block your IP.. The rule just makes sure the ports are open.. I don't believe it disables wrong passwords from locking the IP for a specific amount of time
That is why you can add IPs to never lock out
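To make the log watching gertjan describes concrete, and to show what johnpoz's never-lock-out list protects against, here is an added example (not from this thread and not pfSense's own code) that parses constructed system.log lines in the message shape sshguard 2.x writes, counts failed attempts per source, and reports which admin hosts have been blocked. The sample log lines, the admin host list and the exact message wording are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of what system.log looks like while sshguard is scoring
# failures (assumption: wording matches the sshguard build shipped with pfSense).
SAMPLE_LOG = """\
Mar  1 10:00:01 pfSense sshguard[12345]: Attack from "192.168.1.50" on service 100 with danger 10.
Mar  1 10:00:02 pfSense sshguard[12345]: Attack from "192.168.1.50" on service 100 with danger 10.
Mar  1 10:00:03 pfSense sshguard[12345]: Attack from "192.168.1.50" on service 100 with danger 10.
Mar  1 10:00:03 pfSense sshguard[12345]: Blocking "192.168.1.50/32" for 120 secs (3 attacks in 2 secs, after 1 abuses over 2 secs.)
Mar  1 10:00:07 pfSense sshguard[12345]: Attack from "192.168.1.77" on service 100 with danger 10.
Mar  1 10:00:09 pfSense php-fpm[321]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.1.77
"""

ATTACK_RE = re.compile(r'sshguard\[\d+\]: Attack from "([^"]+)" on service (\d+)')
BLOCK_RE = re.compile(r'sshguard\[\d+\]: Blocking "([^"/]+)(?:/\d+)?" for (\d+) secs')
GUI_RE = re.compile(r"webConfigurator authentication error for user '([^']+)' from: (\S+)")


def parse_log(log_text):
    """Return (sshguard attack count per IP, {blocked IP: seconds}, GUI failures per IP)."""
    attacks, blocks, gui = Counter(), {}, Counter()
    for line in log_text.splitlines():
        if m := ATTACK_RE.search(line):
            attacks[m.group(1)] += 1
        elif m := BLOCK_RE.search(line):
            blocks[m.group(1)] = int(m.group(2))
        elif m := GUI_RE.search(line):
            gui[m.group(2)] += 1
    return attacks, blocks, gui


def lockout_report(log_text, admin_hosts):
    """Flag admin hosts (IPs or CIDRs) that are already blocked or are accumulating failures."""
    nets = [ip_network(h, strict=False) for h in admin_hosts]

    def is_admin(ip):
        return any(ip_address(ip) in n for n in nets)

    attacks, blocks, gui = parse_log(log_text)
    failing = set(attacks) | set(gui)
    return {
        "blocked": blocks,
        "admin_blocked": sorted(ip for ip in blocks if is_admin(ip)),
        "admin_failing": sorted(ip for ip in failing if is_admin(ip) and ip not in blocks),
    }


if __name__ == "__main__":
    print(lockout_report(SAMPLE_LOG, ["192.168.1.0/24"]))
```

Run it against the real log with `ssh`/console and `cat /var/log/system.log` piped in, replacing SAMPLE_LOG; an entry under "admin_blocked" is the lockout gertjan describes, and "admin_failing" is the early warning before it happens.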
-
@johnpoz Agreed, that seems good when debugging, but hardly something for a production system?
-
@furom hmmm? What do you mean - I have my IP in there.. Just in case - you're sleepy, or you have caps lock on or something.. I have the password saved, and use publickey to auth so I never send the wrong password anyway. But if you want to make sure you don't lock your IP because of typos, why would you not put in the IP of the box you admin from?
-
@johnpoz I guess you're right, it probably does more good than anything else. I just think a firewall of all things is a place where protection should not be bypassed. I am having my cut of strangeness on mine so perhaps I'm a little too cautious. Not much "just works" on my box. Not even simple SSH keys... :( The console prompt just hangs when trying it, and nothing in the log, so no block...
-
It hangs at the client trying to connect? Times out eventually?
Can you still access the pfSense webgui after that?
-
@stephenw10 said in GUI Lockout?!:
It hangs at the client trying to connect? Times out eventually?
Can you still access the pfSense webgui after that?
Not for minutes at least. I am connected via webgui, so works, yes.
-
Ah, I see this could be the result of the duplicate user groups issue you also hit. I would resolve that first before digging any further here.
-
@stephenw10 said in GUI Lockout?!:
Ah, I see this could be the result of the duplicate user groups issue you also hit. I would resolve that first before digging any further here.
Thanks, I just finished typing in everything manually and somehow got DNS working too.. I hope there will be a limited number of rabbit holes ahead, I need it to "just work" for a while now... :P
I will try adding the SSH key tomorrow, with all that has been, just a tiny bit worried it won't work... :/