Cannot ssh into pfSense at WAN interface
-
@kwangmien
Did you add a firewall rule to allow SSH to the WAN address?
-
Allowing SSH port 22 access via the WAN side is a recipe to be hacked.
Don't be a potential victim. Use a VPN instead.
-
@elvisimprsntr Very good advice...
Alternatively, you can source limit to a single IP or hostname to prevent random IPs filling your secure logs with ssh login attempts.
But definitely don't expose SSH (or any admin interface) to the internet at large. We don't even allow it on the corp/guest vlans. 22, 80, 443 on "this firewall" is only accessible via the management LAN.
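For readers who want to see what "source limit to a single IP or hostname" looks like underneath the GUI, here is an added example in pf rule syntax (pfSense generates its ruleset for pf). It is not from this thread and not pfSense's own generated ruleset; the interface name em0, the table name ssh_admins and the addresses (RFC 5737 documentation ranges) are assumptions chosen for illustration.

```pf
# Added example (pf syntax), not pfSense's generated ruleset.
# Assumptions: WAN interface is em0; the management sources are the
# constructed documentation addresses below.
wan = "em0"
table <ssh_admins> { 203.0.113.10, 198.51.100.0/28 }

# First match wins because of "quick": only the listed management sources
# may reach the firewall's own SSH daemon on the WAN address.
pass in quick on $wan proto tcp from <ssh_admins> to ($wan) port 22 keep state

# Everyone else is dropped and logged here, so scanners appear once in the
# firewall log instead of filling the sshd auth log with login attempts.
block in log quick on $wan proto tcp from any to ($wan) port 22

# Too permissive: the rule that merely "makes SSH work" from the WAN.
# pass in quick on $wan proto tcp from any to ($wan) port 22 keep state
```

In the pfSense GUI the equivalent is the Source field of the WAN rule set to a single host or to a Host/Network alias (pfSense implements aliases as pf tables), with Destination set to "WAN address" and the destination port set to the SSH port. The default deny on the WAN already drops unmatched traffic; the explicit block rule above only adds logging of what was refused.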
-
@viragomann After setting a rule to allow SSH, I can now ssh in.
-
@elvisimprsntr Thanks for the advice. I am actually new to pfSense and testing the SSH at WAN interface.
-
@Troutpocket Thanks for the advice.
-
@elvisimprsntr
I use SSH with password + public key authorization. I don't think that this is really less secure than a VPN.
VPN just provides an additional authorization layer.
-
@viragomann I'd argue it's better. I still recommend source-restricting SSH just to keep your log file size down. In any case, if you're going to use a VPN then seriously consider adding MFA. There's good integration with Google Auth, DUO, and MS Entra via RADIUS auth. If (when?) OpenVPN is compromised like some of the commercial SSL vpns then hopefully MFA will save you.
-
@viragomann said in Cannot ssh into pfSense at WAN interface:
@elvisimprsntr
I use SSH with password + public key authorization. I don't think that this is really less secure than a VPN.
VPN just provides an additional authorization layer.
That assumes there is not a vulnerability with which the attacker can bypass authentication.
Examples of SSH vulnerabilities which apply to pfSense:
https://nvd.nist.gov/vuln/detail/CVE-2024-6387
https://terrapin-attack.com
It's your decision.
-
Yup I would always set a limited source for that.