Ssh on port 443… not working



  • Hello,
    I'm running 2.1.5 release on i386 in a transparent setup.

    I realize my question may be rather simplistic but I'm by no means an expert with pfsense or freebsd.  I've been able to get ssh running on my setup just fine on practically any port.  However I'd like to try and run ssh on port 443 and every time I switch to 443 in the setup, I can never get my client to make a connection.  I suspect there is some underlying service within pfsense that is still hanging onto 443, possibly the secure http webconfigurator.  I don't have any need for https in my setup and it is already running by default as standard http on port 80.  Is there some way I can check to see if something else is using that port and if so, disable it?

    Here is some output of what things look like right now:

    $ top
    last pid: 35820;  load averages:  0.47,  0.19,  0.09  up 29+21:50:38    23:00:29
    39 processes:  1 running, 34 sleeping, 4 zombie
    
    Mem: 114M Active, 81M Inact, 140M Wired, 10M Cache, 104M Buf, 577M Free
    Swap: 2048M Total, 2048M Free
    
      PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
    35707 root        1  67    0 81840K 34188K piperd   0:42  4.98% php
    74219 root       10  44    0   218M   104M nanslp 101:37  0.00% ntop
    40183 root        1  76   20  3644K  1464K wait    26:40  0.00% sh
    33736 root        1  44    0  7200K  7220K select   7:24  0.00% ntpd
    76027 root        1  44    0  9260K  4896K bpf      3:53  0.00% bandwidthd
    76325 root        1  44    0  9260K  5028K bpf      3:41  0.00% bandwidthd
    76380 root        1  44    0  9260K  4696K bpf      3:35  0.00% bandwidthd
    76479 root        1  44    0  8236K  4240K bpf      3:34  0.00% bandwidthd
    22410 root        1  44    0  8016K  5156K kqread   3:00  0.00% lighttpd
    15296 root        7  44    0 56472K 15052K ucond    2:40  0.00% filterdns
    10037 root        1  44    0  5864K  2680K bpf      1:28  0.00% tcpdump
    43918 root        1  44    0  3412K  1420K select   0:23  0.00% syslogd
    44458 root        1  76    0  3352K  1336K nanslp   0:16  0.00% cron
    77303 root        1  70    0  3264K  1024K nanslp   0:10  0.00% minicron
    12110 root        1  44    0  3384K  1348K select   0:05  0.00% inetd
    35635 root        1  45    0 78256K 28908K accept   0:04  0.00% php
      260 root        1  76   20  3352K  1216K kqread   0:03  0.00% check_reload_status
    10112 root        1  44    0  3264K   908K piperd   0:03  0.00% logger
    
    
    $ ps
      PID  TT  STAT      TIME COMMAND
    10037  v0- S      1:28.28 /usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog
    10112  v0- I      0:03.26 logger -t pf -p local0.info
    40183  v0- IN    26:40.22 /bin/sh /var/db/rrd/updaterrd.sh
    76027  v0- S      3:52.96 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
    76325  v0- S      3:40.69 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
    76380  v0- S      3:34.53 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
    76479  v0- S      3:34.16 /usr/pbi/bandwidthd-i386/bandwidthd/bandwidthd
    81105  v0  Is     0:00.05 login [pam] (login)
    81639  v0  I      0:00.02 -sh (sh)
    83507  v0  I+     0:00.02 /bin/sh /etc/rc.initial
    
    $ sockstat -4
    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
    root     sockstat   72358 20 udp4   *:40679               *:*
    root     bandwidthd 76479 20 udp4   *:16009               *:*
    root     bandwidthd 76380 20 udp4   *:16009               *:*
    root     bandwidthd 76325 20 udp4   *:16009               *:*
    root     bandwidthd 76027 20 udp4   *:16009               *:*
    root     ntop       74219 2  tcp4   *:3000                *:*
    root     ntop       74219 20 udp4   *:16009               *:*
    root     syslogd    43918 13 udp4   *:514                 *:*
    root     php        35707 10 udp4   *:*                   *:*
    root     php        35707 20 udp4   *:40679               *:*
    root     php        35635 10 udp4   *:*                   *:*
    root     php        35635 20 udp4   *:52556               *:*
    root     ntpd       33736 21 udp4   *:123                 *:*
    root     ntpd       33736 22 udp4   (removed):123      *:*
    root     ntpd       33736 25 udp4   127.0.0.1:123         *:*
    root     php        23667 10 udp4   *:*                   *:*
    root     php        23667 20 udp4   *:40679               *:*
    root     php        22571 10 udp4   *:*                   *:*
    root     php        22571 20 udp4   *:52556               *:*
    root     lighttpd   22410 9  tcp4   *:80                  *:*
    root     lighttpd   22410 11 tcp4   (removed):80       (removed):12332
    root     sshd       16612 5  tcp4   *:22                *:*
    root     inetd      12110 10 udp4   127.0.0.1:6969        *:*
    
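An added example, not from the thread: a small POSIX shell helper that parses `sockstat -4` output in the format shown above and reports which process is listening on a given port, which is the check the post asks for. The sample output below is constructed (addresses are documentation ranges); on the firewall itself you would pipe `sockstat -4l` into the function instead.

```shell
# Constructed sample in the layout of `sockstat -4` (not the poster's real output).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   22410 9  tcp4   *:80                  *:*
root     lighttpd   22410 11 tcp4   192.0.2.10:80         198.51.100.7:12332
root     sshd       16612 5  tcp4   *:22                  *:*
root     ntop       74219 2  tcp4   *:3000                *:*
root     syslogd    43918 13 udp4   *:514                 *:*'

# port_owner PORT [PROTO]: reads sockstat output on stdin and prints
# "COMMAND PID" for every socket of PROTO (default tcp4) that is listening
# on PORT. A listening socket is one whose FOREIGN ADDRESS is "*:*"; the
# established lighttpd connection above is therefore skipped.
port_owner() {
  awk -v p="$1" -v pr="${2:-tcp4}" '
    NR > 1 && $5 == pr && $7 == "*:*" {
      n = split($6, a, ":")      # LOCAL ADDRESS is addr:port; take the last field
      if (a[n] == p) print $2, $3
    }'
}

# port_in_use PORT [PROTO]: exit status 0 when something listens on PORT.
port_in_use() {
  [ -n "$(port_owner "$1" "${2:-tcp4}")" ]
}

# Demo: who holds 80, and is 443 free? (On a real box: sockstat -4l | port_owner 443)
printf '%s\n' "$SAMPLE_SOCKSTAT" | port_owner 80
if printf '%s\n' "$SAMPLE_SOCKSTAT" | port_in_use 443; then
  echo "port 443 is taken"
else
  echo "port 443 is free"
fi
```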

  • Rebel Alliance Developer Netgate

    A service on the firewall cannot affect traffic passing through to other hosts.

    If anything on the firewall is affecting it, it would have to be a NAT rule (Port forward, etc), or possibly a port forward in combination with NAT reflection.


  • Netgate Administrator

    This is traffic to SSH on the pfSense box though, no?

    When you set SSH to run on port 443 do you see anything in the logs? I would expect some error if two services try to claim the same port.

    Steve



  • @jimp:

    A service on the firewall cannot affect traffic passing through to other hosts.

    If anything on the firewall is affecting it, it would have to be a NAT rule (Port forward, etc), or possibly a port forward in combination with NAT reflection.

    I think I understand what you are saying, but when I ssh into pf from the outside, I am not hitting any host on the LAN side.  I am simply establishing ssh onto pf itself.  I don't have access to the console right now, but I'll check what my NAT settings and port forwarding settings are later and post back results.  I can tell you though that pf is not set up to NAT anything;  I have a separate router to handle all of that.

    @stephenw10:

    This is traffic to SSH on the pfSense box though, no?

    When you set SSH to run on port 443 do you see anything in the logs? I would expect some error if two services try to claim the same port.

    Steve

    I'll set it back to 443 this weekend and post back results from system logs (if any).



  • @jimp:

    A service on the firewall cannot affect traffic passing through to other hosts.

    If anything on the firewall is affecting it, it would have to be a NAT rule (Port forward, etc), or possibly a port forward in combination with NAT reflection.

    Under Firewall, NAT, Port Forward has no entries.  1:1 has no entries.  Outbound is set to manual with no mappings listed.  NPt has no entries.



  • @stephenw10:

    This is traffic to SSH on the pfSense box though, no?

    When you set SSH to run on port 443 do you see anything in the logs? I would expect some error if two services try to claim the same port.

    Steve

    Ok when I make a successful ssh into my system, the system log looks like this:

    Nov 10 17:25:24 	sshd[34537]: Received disconnect from x.x.x.x: 11: Closed due to user request.
    Nov 10 17:25:11 	sshd[34537]: Accepted keyboard-interactive/pam for admin from x.x.x.x port 54142 ssh2
    

    I also have it create a log entry every time this event is triggered which shows up in the Firewall log.

    Now when I change the System, Advanced entry to 443, and also my corresponding WAN rule which handles this traffic to 443, my ssh client keeps trying to connect but I don't get anything which prompts me for a login/password, so it times out.  I look in the System Logs and find the change I made in the Advanced settings shows up as this:

    Nov 10 17:29:08 	sshd[14583]: Server listening on 0.0.0.0 port 443.
    Nov 10 17:29:08 	sshd[14583]: Server listening on :: port 443.
    

    Here is some other diagnostic output from the change:

    
    $ sockstat -4
    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
    root     sockstat   68630 20 udp4   *:40679               *:*
    root     sleep      67072 20 udp4   *:35821               *:*
    root     sh         20054 20 udp4   *:35821               *:*
    root     lighttpd   19588 14 tcp4   *:80                  *:*
    root     lighttpd   19588 16 tcp4   (removed):80       (removed):1538
    root     lighttpd   19588 20 udp4   *:35821               *:*
    root     sshd       14583 5  tcp4   *:443                 *:*
    root     bandwidthd 76479 20 udp4   *:16009               *:*
    root     bandwidthd 76380 20 udp4   *:16009               *:*
    root     bandwidthd 76325 20 udp4   *:16009               *:*
    root     bandwidthd 76027 20 udp4   *:16009               *:*
    root     ntop       74219 2  tcp4   *:3000                *:*
    root     ntop       74219 20 udp4   *:16009               *:*
    root     syslogd    43918 13 udp4   *:514                 *:*
    root     php        35707 10 udp4   *:*                   *:*
    root     php        35707 20 udp4   *:40679               *:*
    root     php        35635 10 udp4   *:*                   *:*
    root     php        35635 20 udp4   *:52556               *:*
    root     ntpd       33736 21 udp4   *:123                 *:*
    root     ntpd       33736 22 udp4   (removed):123      *:*
    root     ntpd       33736 25 udp4   127.0.0.1:123         *:*
    root     php        23667 10 udp4   *:*                   *:*
    root     php        23667 20 udp4   *:40679               *:*
    root     php        22571 10 udp4   *:*                   *:*
    root     php        22571 20 udp4   *:52556               *:*
    root     inetd      12110 10 udp4   127.0.0.1:6969        *:*
    

    I don't know why it shows up with the 0.0.0.0 address in the log.  My LAN port is set to 'none' and WAN is a static IP address.  I have the OPT1 interface set up as Bridge0 between the two and there are no VLANs in use.


  • LAYER 8 Netgate

    0.0.0.0 means bind to all addresses on the host.  So you could ssh to your LAN address, WAN address, etc.  Firewall rules permitting, of course.



  • @Derelict:

    0.0.0.0 means bind to all addresses on the host.  So you could ssh to your LAN address, WAN address, etc.  Firewall rules permitting, of course.

    I guess I don't understand what you mean.  My LAN port has no address; my WAN port's address isn't routable.  How would I be able to ssh to the WAN port?


  • Netgate Administrator

    If you're not using the WAN address to SSH to what are you using?

    What address do the logs show sshd is listening on when it's set to use port 22?

    Steve



  • @stephenw10:

    If you're not using the WAN address to SSH to what are you using?

    What address do the logs show sshd is listening on when it's set to use port 22?

    Steve

    Oh I see what you're saying now.  Let me clarify:  I posted this thread because I wasn't able to ssh remotely, as in, via the internet, to my pfsense box on port 443.  I am always able to ssh from any machine on the LAN to the WAN port address.

    And here are the log entries when I change it back to port 22 in the Advanced settings:

    Nov 10 20:51:14 	check_reload_status: webConfigurator restart in progress
    Nov 10 20:51:14 	check_reload_status: starting sshd
    Nov 10 20:51:14 	php: /system_advanced_admin.php: webConfigurator configuration has changed. Restarting webConfigurator.
    Nov 10 20:51:14 	php: /system_advanced_admin.php: secure shell configuration has changed. Restarting sshd.
    Nov 10 20:51:14 	php: /system_advanced_admin.php: secure shell configuration has changed. Stopping sshd.
    Nov 10 20:51:14 	sshd[19816]: Received signal 15; terminating.
    Nov 10 20:51:13 	check_reload_status: Reloading filter
    Nov 10 20:51:13 	check_reload_status: Syncing firewall
    Nov 10 20:50:35 	php: rc.restart_webgui: Creating rrd update script
    Nov 10 20:50:35 	kernel: Bump sched buckets to 256 (was 0)
    Nov 10 20:50:35 	kernel: Bump sched buckets to 256 (was 0)
    Nov 10 20:50:35 	kernel: Bump sched buckets to 256 (was 0)
    Nov 10 20:50:35 	kernel: Bump sched buckets to 256 (was 0)
    Nov 10 20:50:35 	kernel: Bump sched buckets to 256 (was 0)
    Nov 10 20:50:33 	sshd[19816]: Server listening on 0.0.0.0 port 22.
    Nov 10 20:50:33 	sshd[19816]: Server listening on :: port 22.
    

    Edit:  Now that I just posted this, I realize that the problem may in fact not be on pfsense, rather it's probably my router not properly passing traffic on 443.  Let me look into that one for a bit and I'll try to report back soon.


  • Netgate Administrator

    Ah OK. Also do you know that your ISP isn't blocking port 443? I haven't seen that for a while but it used to be quite common.

    Steve



  • When running the pfsense gui on 443 it's possible you may run into problems running something like SSH on 443 also.
    It's so hit and miss with systems that when I run services on 443 or 80 I just put the pfsense gui somewhere else, like 7443.

    But yeah - could also be your modem.



  • Ok well I feel like an idiot now.  Turns out the problem was on the router actually in that there was a nat rule I previously set up to pass traffic from the outside in on set ranges of ports.  I literally have not logged into this device in several years and completely forgot all about this.  Once I modified some of the nat settings, traffic on 443 was passed just fine.  The problem never was on the pfsense side.

    Sorry for wasting everyone's time on this but I do appreciate the help in trying to track down the issue.


  • Netgate Administrator

    No problem. Easily done.  ;)

    Steve

