Ssh on port 443… not working
-
Hello,
I'm running 2.1.5 release on i386 in a transparent setup. I realize my question may be rather simplistic but I'm by no means an expert with pfsense or freebsd. I've been able to get ssh running on my setup just fine on practically any port. However I'd like to try and run ssh on port 443 and every time I switch to 443 in the setup, I can never get my client to make a connection. I suspect there is some underlying service within pfsense that is still hanging onto 443, possibly the secure http webconfigurator. I don't have any need for https in my setup and it is already running by default as standard http on port 80. Is there some way I can check to see if something else is using that port and if so, disable it?
Here is some output of what things look like right now:
$ top
last pid: 35820;  load averages:  0.47,  0.19,  0.09    up 29+21:50:38  23:00:29
39 processes:  1 running, 34 sleeping, 4 zombie
Mem: 114M Active, 81M Inact, 140M Wired, 10M Cache, 104M Buf, 577M Free
Swap: 2048M Total, 2048M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
35707 root        1  67    0 81840K 34188K piperd   0:42  4.98% php
74219 root       10  44    0   218M   104M nanslp 101:37  0.00% ntop
40183 root        1  76   20  3644K  1464K wait    26:40  0.00% sh
33736 root        1  44    0  7200K  7220K select   7:24  0.00% ntpd
76027 root        1  44    0  9260K  4896K bpf      3:53  0.00% bandwidthd
76325 root        1  44    0  9260K  5028K bpf      3:41  0.00% bandwidthd
76380 root        1  44    0  9260K  4696K bpf      3:35  0.00% bandwidthd
76479 root        1  44    0  8236K  4240K bpf      3:34  0.00% bandwidthd
22410 root        1  44    0  8016K  5156K kqread   3:00  0.00% lighttpd
15296 root        7  44    0 56472K 15052K ucond    2:40  0.00% filterdns
10037 root        1  44    0  5864K  2680K bpf      1:28  0.00% tcpdump
43918 root        1  44    0  3412K  1420K select   0:23  0.00% syslogd
44458 root        1  76    0  3352K  1336K nanslp   0:16  0.00% cron
77303 root        1  70    0  3264K  1024K nanslp   0:10  0.00% minicron
12110 root        1  44    0  3384K  1348K select   0:05  0.00% inetd
35635 root        1  45    0 78256K 28908K accept   0:04  0.00% php
  260 root        1  76   20  3352K  1216K kqread   0:03  0.00% check_reload_status
10112 root        1  44    0  3264K   908K piperd   0:03  0.00% logger
$ ps
  PID TT  STAT    TIME COMMAND
10037 v0- S    1:28.28 /usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog
10112 v0- I    0:03.26 logger -t pf -p local0.info
40183 v0- IN  26:40.22 /bin/sh /var/db/rrd/updaterrd.sh
76027 v0- S    3:52.96 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
76325 v0- S    3:40.69 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
76380 v0- S    3:34.53 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
76479 v0- S    3:34.16 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
81105 v0  Is   0:00.05 login [pam] (login)
81639 v0  I    0:00.02 -sh (sh)
83507 v0  I+   0:00.02 /bin/sh /etc/rc.initial
$ sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sockstat   72358 20 udp4   *:40679               *:*
root     bandwidthd 76479 20 udp4   *:16009               *:*
root     bandwidthd 76380 20 udp4   *:16009               *:*
root     bandwidthd 76325 20 udp4   *:16009               *:*
root     bandwidthd 76027 20 udp4   *:16009               *:*
root     ntop       74219 2  tcp4   *:3000                *:*
root     ntop       74219 20 udp4   *:16009               *:*
root     syslogd    43918 13 udp4   *:514                 *:*
root     php        35707 10 udp4   *:*                   *:*
root     php        35707 20 udp4   *:40679               *:*
root     php        35635 10 udp4   *:*                   *:*
root     php        35635 20 udp4   *:52556               *:*
root     ntpd       33736 21 udp4   *:123                 *:*
root     ntpd       33736 22 udp4   (removed):123         *:*
root     ntpd       33736 25 udp4   127.0.0.1:123         *:*
root     php        23667 10 udp4   *:*                   *:*
root     php        23667 20 udp4   *:40679               *:*
root     php        22571 10 udp4   *:*                   *:*
root     php        22571 20 udp4   *:52556               *:*
root     lighttpd   22410 9  tcp4   *:80                  *:*
root     lighttpd   22410 11 tcp4   (removed):80          (removed):12332
root     sshd       16612 5  tcp4   *:22                  *:*
root     inetd      12110 10 udp4   127.0.0.1:6969        *:*
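Editor's added example (not part of the original post or of pfSense itself): the question above is "how do I check whether something else is already holding port 443?", and the `sockstat` output the poster pasted is exactly the data needed. On FreeBSD/pfSense the live command is `sockstat -4 -l` (the `-l` flag restricts the listing to listening sockets; `-p 443` would narrow it to one port). The script below reads that output on stdin and reports which processes own a given TCP port. The sockstat sample embedded in it is constructed for offline use and deliberately shows lighttpd (the webConfigurator) and sshd both bound to 443, which is the conflict the poster suspected; the thread's real output never showed that. Note what such a check does and does not prove: it confirms the daemon's bind on the firewall, and says nothing about whether packets from the Internet reach that socket, which in this thread turned out to be the actual problem.

```shell
#!/bin/sh
# Added example: find out what owns a TCP port from `sockstat` output.
# Live use on pfSense/FreeBSD:   sockstat -4 -l | tcp_listeners_on 443
# SAMPLE_SOCKSTAT is constructed for this example and is NOT the thread's
# real output; it shows lighttpd and sshd both on 443 to exercise the
# "conflict" branch.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   22410 9  tcp4   *:80                  *:*
root     lighttpd   22410 10 tcp4   *:443                 *:*
root     sshd       16612 5  tcp4   *:443                 *:*
root     ntop       74219 2  tcp4   *:3000                *:*
root     syslogd    43918 13 udp4   *:514                 *:*
root     inetd      12110 10 udp4   127.0.0.1:6969        *:*'

# tcp_listeners_on PORT
#   Reads sockstat output on stdin and prints "COMMAND PID LOCAL_ADDRESS" for
#   every TCP socket whose local port is PORT. The port is taken from the last
#   colon-separated field, so "*:443", "10.0.0.1:443" and IPv6 literals are
#   all handled the same way. UDP rows and the header line are skipped.
tcp_listeners_on() {
    awk -v port="$1" '
        NR > 1 && $5 ~ /^tcp/ {
            n = split($6, a, ":")
            if (a[n] == port) print $2, $3, $6
        }'
}

# port_owner_pids PORT
#   Distinct PIDs holding TCP PORT, one per line (sockstat output on stdin).
port_owner_pids() {
    tcp_listeners_on "$1" | awk '{ print $2 }' | sort -u
}

# check_port PORT
#   Prints one word: "free" (nobody listens on PORT), "single" (exactly one
#   process owns it) or "conflict" (more than one process claims it, which is
#   what you would see if the webConfigurator and sshd were both on 443).
check_port() {
    n=$(port_owner_pids "$1" | awk 'END { print NR }')
    if [ "$n" -eq 0 ]; then
        echo free
    elif [ "$n" -eq 1 ]; then
        echo single
    else
        echo conflict
    fi
}

# Demo against the constructed sample.
printf '%s\n' "$SAMPLE_SOCKSTAT" | tcp_listeners_on 443
printf '%s\n' "$SAMPLE_SOCKSTAT" | check_port 443
```

Run against the poster's own second `sockstat -4` capture later in the thread (sshd on `*:443`, lighttpd only on port 80) this reports `single` for 443, i.e. no conflict on the pfSense box, which is consistent with the "Server listening on 0.0.0.0 port 443" log line and with the eventual finding that the upstream router's NAT rule was what blocked the connection.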
-
A service on the firewall cannot affect traffic passing through to other hosts.
If anything on the firewall is affecting it, it would have to be a NAT rule (Port forward, etc), or possibly a port forward in combination with NAT reflection.
-
This is traffic to SSH on the pfSense box though, no?
When you set SSH to run on port 443 do you see anything in the logs? I would expect some error if two services try to claim the same port.
Steve
-
A service on the firewall cannot affect traffic passing through to other hosts.
If anything on the firewall is affecting it, it would have to be a NAT rule (Port forward, etc), or possibly a port forward in combination with NAT reflection.
I think I understand what you are saying, but when I ssh into pf from the outside, I am not hitting any host on the LAN side. I am simply establishing ssh onto pf itself. I don't have access to the console right now, but I'll check what my NAT settings and port forwarding settings are later and post back results. I can tell you though that pf is not setup to NAT anything; I have a separate router to handle all of that.
This is traffic to SSH on the pfSense box though, no?
When you set SSH to run on port 443 do you see anything in the logs? I would expect some error if two services try to claim the same port.
Steve
I'll set it back to 443 this weekend and post back results from system logs (if any).
-
A service on the firewall cannot affect traffic passing through to other hosts.
If anything on the firewall is affecting it, it would have to be a NAT rule (Port forward, etc), or possibly a port forward in combination with NAT reflection.
Under Firewall, NAT, Port Forward has no entries. 1:1 has no entries. Outbound is set to manual with no mappings listed. NPt has no entries.
-
This is traffic to SSH on the pfSense box though, no?
When you set SSH to run on port 443 do you see anything in the logs? I would expect some error if two services try to claim the same port.
Steve
Ok when I make a successful ssh into my system, the system log looks like this:
Nov 10 17:25:24 sshd[34537]: Received disconnect from x.x.x.x: 11: Closed due to user request.
Nov 10 17:25:11 sshd[34537]: Accepted keyboard-interactive/pam for admin from x.x.x.x port 54142 ssh2
I also have it create a log entry every time this event is triggered which shows up in the Firewall log.
Now when I change the System, Advanced entry to 443, and also my corresponding WAN rule which handles this traffic to 443, my ssh client keeps trying to connect but I don't get anything which prompts me for a login/password, so it times out. I look in the System Logs and find the change I made in the Advanced settings shows up as this:
Nov 10 17:29:08 sshd[14583]: Server listening on 0.0.0.0 port 443.
Nov 10 17:29:08 sshd[14583]: Server listening on :: port 443.
Here is some other diagnostic output from the change:
$ sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sockstat   68630 20 udp4   *:40679               *:*
root     sleep      67072 20 udp4   *:35821               *:*
root     sh         20054 20 udp4   *:35821               *:*
root     lighttpd   19588 14 tcp4   *:80                  *:*
root     lighttpd   19588 16 tcp4   (removed):80          (removed):1538
root     lighttpd   19588 20 udp4   *:35821               *:*
root     sshd       14583 5  tcp4   *:443                 *:*
root     bandwidthd 76479 20 udp4   *:16009               *:*
root     bandwidthd 76380 20 udp4   *:16009               *:*
root     bandwidthd 76325 20 udp4   *:16009               *:*
root     bandwidthd 76027 20 udp4   *:16009               *:*
root     ntop       74219 2  tcp4   *:3000                *:*
root     ntop       74219 20 udp4   *:16009               *:*
root     syslogd    43918 13 udp4   *:514                 *:*
root     php        35707 10 udp4   *:*                   *:*
root     php        35707 20 udp4   *:40679               *:*
root     php        35635 10 udp4   *:*                   *:*
root     php        35635 20 udp4   *:52556               *:*
root     ntpd       33736 21 udp4   *:123                 *:*
root     ntpd       33736 22 udp4   (removed):123         *:*
root     ntpd       33736 25 udp4   127.0.0.1:123         *:*
root     php        23667 10 udp4   *:*                   *:*
root     php        23667 20 udp4   *:40679               *:*
root     php        22571 10 udp4   *:*                   *:*
root     php        22571 20 udp4   *:52556               *:*
root     inetd      12110 10 udp4   127.0.0.1:6969        *:*
I don't know why it shows up with the 0.0.0.0 address in the log. My LAN port is set to 'none' and WAN is a static IP address. I have the OPT1 interface set up as Bridge0 between the two and there are no VLANs in use.
-
0.0.0.0 means bind to all addresses on the host. So you could ssh to your LAN address, WAN address, etc. Firewall rules permitting, of course.
-
0.0.0.0 means bind to all addresses on the host. So you could ssh to your LAN address, WAN address, etc. Firewall rules permitting, of course.
I guess I don't understand what you mean. My LAN port has no address; my WAN port's address isn't routable. How would I be able to ssh to the WAN port?
-
If you're not using the WAN address to SSH to what are you using?
What address do the logs show sshd is listening on when it's set to use port 22?
Steve
-
If you're not using the WAN address to SSH to what are you using?
What address do the logs show sshd is listening on when it's set to use port 22?
Steve
Oh I see what you're saying now. Let me clarify: I posted this thread because I wasn't able to ssh remotely, as in, via the internet, to my pfsense box on port 443. I am always able to ssh from any machine on the LAN to the WAN port address.
And here are the log entries when I change it back to port 22 in the Advanced settings:
Nov 10 20:51:14 check_reload_status: webConfigurator restart in progress
Nov 10 20:51:14 check_reload_status: starting sshd
Nov 10 20:51:14 php: /system_advanced_admin.php: webConfigurator configuration has changed. Restarting webConfigurator.
Nov 10 20:51:14 php: /system_advanced_admin.php: secure shell configuration has changed. Restarting sshd.
Nov 10 20:51:14 php: /system_advanced_admin.php: secure shell configuration has changed. Stopping sshd.
Nov 10 20:51:14 sshd[19816]: Received signal 15; terminating.
Nov 10 20:51:13 check_reload_status: Reloading filter
Nov 10 20:51:13 check_reload_status: Syncing firewall
Nov 10 20:50:35 php: rc.restart_webgui: Creating rrd update script
Nov 10 20:50:35 kernel: Bump sched buckets to 256 (was 0)
Nov 10 20:50:35 kernel: Bump sched buckets to 256 (was 0)
Nov 10 20:50:35 kernel: Bump sched buckets to 256 (was 0)
Nov 10 20:50:35 kernel: Bump sched buckets to 256 (was 0)
Nov 10 20:50:35 kernel: Bump sched buckets to 256 (was 0)
Nov 10 20:50:33 sshd[19816]: Server listening on 0.0.0.0 port 22.
Nov 10 20:50:33 sshd[19816]: Server listening on :: port 22.
Edit: Now that I just posted this, I realize that the problem may in fact not be on pfsense, rather it's probably my router not properly passing traffic on 443. Let me look into that one for a bit and I'll try to report back soon.
-
Ah OK. Also do you know that your ISP isn't blocking port 443? I haven't seen that for a while but it used to be quite common.
Steve
-
When running the pfsense gui on 443 it's possible you may run into problems running something like SSH on 443 also.
It's so hit and miss with systems that when I run services on 443 or 80 I just put the pfsense gui somewhere else, like 7443. But yeah - could also be your modem.
-
Ok well I feel like an idiot now. Turns out the problem was on the router actually, in that there was a NAT rule I previously set up to pass traffic from the outside in on set ranges of ports. I literally have not logged into this device in several years and completely forgot all about this. Once I modified some of the NAT settings, traffic on 443 was passed just fine. The problem never was on the pfsense side.
Sorry for wasting everyone's time on this but I do appreciate the help in trying to track down the issue.
-
No problem. Easily done. ;)
Steve