Netgate Discussion Forum

Request - backup/restore related security issue

General pfSense Questions
  • M
    miloman
    last edited by Sep 6, 2012, 9:27 AM

    I currently have a wget script that takes a daily backup of my firewall. You know… Just in case.

    In the wget script I have to enter a username and password in cleartext. Therefore I have created a group with a backup user that only has access to /diag_backup.php

    The problem, as I see it, is if my backup user gets compromised you could log into my firewall, download the configuration, alter the firewall rules, and reupload the configuration. Sure the firewall would reboot, and I would notice it. But it would be a lot better to have a /diag_backup.php and a /diag_restore.php.

    Just my 2 cents.

    :)

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Sep 6, 2012, 7:58 PM

      It's not really a security issue, it has exactly the permissions you gave it.

      So set up a backup with SSH keys or use another mechanism that is more secure than a remote wget call.

      And of course there is always the AutoConfigBackup package if you're a support customer ;-)

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • M
        miloman
        last edited by Sep 7, 2012, 8:39 AM Sep 7, 2012, 8:34 AM

        @jimp:

        It's not really a security issue, it has exactly the permissions you gave it.

        So set up a backup with SSH keys or use another mechanism that is more secure than a remote wget call.

        And of course there is always the AutoConfigBackup package if you're a support customer ;-)

        Let's call it a feature then. A feature you can bypass IF you want to pay for it. ;)

        I might just go ahead and edit the /diag_backup.php file and remove the restore function. If I ever want to use it I can always activate the function again. Might do a writeup. :)

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Sep 7, 2012, 11:33 AM

          Setting it up with ssh and cron would be more secure and require no hacking. Have the firewall push its own config off to a box using an account that does ssh key only auth and upload the config to a write-only directory on the backup system. ACB isn't required, it just makes things easy/automatic.

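The push-style backup described in the last reply, sketched as an added example (not code from the thread or from pfSense). The host, account, key path and directory names are assumptions, as is the OpenSSH setup on the backup box shown in the comments; `/cf/conf/config.xml` is where pfSense keeps its configuration.

```shell
#!/bin/sh
# Firewall side: push the config over SFTP with a dedicated key, run from cron.
# All names below are assumed for illustration.
CONFIG=${CONFIG:-/cf/conf/config.xml}
BACKUP_HOST=${BACKUP_HOST:-backup.example.net}
BACKUP_USER=${BACKUP_USER:-fwdrop}
KEY=${KEY:-/root/.ssh/id_backup}
REMOTE_DIR=${REMOTE_DIR:-incoming}

# Backup-host side (sshd_config), one way to get key-only auth and a
# drop box the account can write to but not read back, delete or rename:
#   Match User fwdrop
#       AuthenticationMethods publickey
#       ChrootDirectory /srv/fwdrop      # root-owned; incoming/ owned by fwdrop
#       ForceCommand internal-sftp -P read,remove,rename,posix-rename
#       AllowTcpForwarding no

# Name each upload by host and UTC time so pushes do not reuse a name.
remote_name() {
    printf '%s/%s-%s.xml' "$REMOTE_DIR" "$1" "$2"
}

# Refuse to ship a missing or truncated file: a complete config
# closes its root element, </pfsense>.
config_is_complete() {
    [ -s "$1" ] && tail -n 5 "$1" | grep -q '</pfsense>'
}

# The whole SFTP session is a single put; nothing is fetched or listed.
sftp_batch() {
    printf 'put %s %s\n' "$1" "$2"
}

# Called from cron, e.g.:  /bin/sh -c '. /root/fw_push.sh; push_config'
push_config() {
    config_is_complete "$CONFIG" || { echo "config incomplete, not pushed" >&2; return 2; }
    dest=$(remote_name "$(hostname -s)" "$(date -u +%Y%m%dT%H%M%SZ)")
    sftp_batch "$CONFIG" "$dest" | sftp -b - -i "$KEY" \
        -o BatchMode=yes -o IdentitiesOnly=yes \
        -o PasswordAuthentication=no -o StrictHostKeyChecking=yes \
        "$BACKUP_USER@$BACKUP_HOST"
}
```

Denying `read` does not stop an upload from overwriting an existing name, so move files out of `incoming/` on the backup host with a local job. If the key on the firewall is stolen, it can only add files to the drop box; it grants nothing on the firewall itself.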
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.