Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Ssh secure?

    General pfSense Questions
    7
    17
    3052
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      shuhdonk last edited by

      Hello, I just setup a pfsense box (used old core 2 duo pc) for a remote location (it will be a few hours away).  I will be accessing this location from home.  Is it secure to have ssh open in case I need to get into the pfsense server?  Are there precautions built into the pfsense server to stop or make it difficult for people trying to access my box via ssh?

      thanks all!

      1 Reply Last reply Reply Quote 0
      • awebster
        awebster last edited by

        Simple, set SSH to use RSA/DSA key only login.

        –A.

        1 Reply Last reply Reply Quote 0
        • H
          heper last edited by

          use vpn to remotely manage.

          1 Reply Last reply Reply Quote 0
          • S
            shuhdonk last edited by

            @awebster:

            Simple, set SSH to use RSA/DSA key only login.

            actually I was just looking up how to do that, found a tutorial on creating key using putty and puttygen.  I have the keys created.. followed these steps on the pfsense server

            6 Save The Public Key On The Server

            Then log in to your SSH server (if you have closed the previous SSH session already), still with the username and password, and paste the public key into the file

            ~/.ssh/authorized_keys2 (in one line!) like this:
            mkdir ~/.ssh
            chmod 700 ~/.ssh

            vi ~/.ssh/authorized_keys2

            ssh-rsa AAAAB3NzaC1yc2EA[…]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com

            That file must be write/readable only by that user, so we run

            chmod 600 ~/.ssh/authorized_keys2

            –--------------

            I have done this so far... and selected to use the key in putty.  When I logon with putty I get this now.


            Using username "admin".
            Server refused our key
            Using keyboard-interactive authentication.

            –------

            So following these steps so far, will it work if I change ssh to not use username/pw, will it start using the key I created in authorized_keys2?

            I am quite new to all this.

            thanks all

            1 Reply Last reply Reply Quote 0
            • awebster
              awebster last edited by

              Not sure what doc you're following, but this is all you need to do:

              Generate key in openssh format, if using putty, you'll need to convert it to openssh format first.

              System -> User Manager
              Edit admin user
              Paste authorized key(s) (should look like ssh-dss AAAA…..== user@host)
              Save

              Test that you can login with the key

              System -> Advanced -> Admin Access tab (default)
              Check Enable Secure shell (if you've not already done so)
              Check Disable password login for Secure Shell
              Save

              Test that you can still login with the key

              Web access isn't affected by this, so if you bork it, you can fix it.

              –A.

              1 Reply Last reply Reply Quote 0
              • S
                shuhdonk last edited by

                Ahh! I figured it out.. the gui let me paste in my created key from puttygen.. working now with a key! :)

                1 Reply Last reply Reply Quote 0
                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  While public key auth is good idea, don't forget to disable password auth once you have public key setup and working.

                  To be honest in the long run its prob better to just setup vpn into your remote pfsense box.  While 22 is common to block - running openvpn on say 443 tcp is prob open no matter where your at.  And can even be bounced off a proxy.  And would make it much easier to get to things behind pfsense via the vpn if that is ever required.

                  If wanting to really lock it down be it ssh or vpn and you know your always going to be accessing it from the same spot - lock down the rule to only allow access from that specific source IP.  Only concern is if that IP changes or you will need access from other locations your not sure what the IP will be.  Use of a fqdn as source could be ways around issues of IP changing, if you have a way to edit the IP the fqdn resolves too.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                  1 Reply Last reply Reply Quote 0
                  • awebster
                    awebster last edited by

                    @johnpoz:

                    While public key auth is good idea, don't forget to disable password auth once you have public key setup and working.

                    To be honest in the long run its prob better to just setup vpn into your remote pfsense box.  While 22 is common to block - running openvpn on say 443 tcp is prob open no matter where your at.  And can even be bounced off a proxy.  And would make it much easier to get to things behind pfsense via the vpn if that is ever required.

                    If wanting to really lock it down be it ssh or vpn and you know your always going to be accessing it from the same spot - lock down the rule to only allow access from that specific source IP.  Only concern is if that IP changes or you will need access from other locations your not sure what the IP will be.  Use of a fqdn as source could be ways around issues of IP changing, if you have a way to edit the IP the fqdn resolves too.

                    Why not use the ssh port forwarding facility to locally forward 127.0.0.1:444 to remote side:443?  That makes a nice ssh-tunnel vpn solution without having to go thru the hassle of setting up openVPN.
                    That way you only leave port 22 (or whatever port you want to map it to) open, and only with public key login.  Sounds as good as a VPN in my book.

                    –A.

                    1 Reply Last reply Reply Quote 0
                    • S
                      shuhdonk last edited by

                      @johnpoz:

                      While public key auth is good idea, don't forget to disable password auth once you have public key setup and working.

                      To be honest in the long run its prob better to just setup vpn into your remote pfsense box.  While 22 is common to block - running openvpn on say 443 tcp is prob open no matter where your at.  And can even be bounced off a proxy.  And would make it much easier to get to things behind pfsense via the vpn if that is ever required.

                      If wanting to really lock it down be it ssh or vpn and you know your always going to be accessing it from the same spot - lock down the rule to only allow access from that specific source IP.  Only concern is if that IP changes or you will need access from other locations your not sure what the IP will be.  Use of a fqdn as source could be ways around issues of IP changing, if you have a way to edit the IP the fqdn resolves too.

                      My ip changes from home, I do have noip setup so I have a x.ddns.net setup for my home ip.. problem is looks like devices that restrict access to all but specified ips will not accept a domain name, just an ip address or ip range.  The remote location will also have a dynamic ip, static ip is not available.

                      I do not have sensitive data at the remote location.. just want the pfsense box secure so it cannot be hacked.. but need remote access to it.. I think ssh with the key authentication is probably sufficient to accomplish this, yes?

                      1 Reply Last reply Reply Quote 0
                      • johnpoz
                        johnpoz LAYER 8 Global Moderator last edited by

                        While sure you can tunnel whatever you want through a ssh connection..  You have to setup those tunnels.. But sure ssh can be a poor mans vpn.

                        Can ssh bounce off a proxy?  There are many advantages to vpn over ssh to be honest..  While yes some aspects of the vpn can be done via ssh and tunnels.  Not sure what hassle there is to setting up a vpn - it can be done in like 2 minutes.  The one advantage I would say to ssh over vpn is ssh can normally be done from a client without admin, while running openvpn on a client normally takes admin rights.

                        ssh can be easy to carry with you with say putty and your key on your usb stick.  There are openvpn clients for your phone and or tablet running ios or android so that can be handy - while for example ssh from a tablet or phone while it can be done is a bit more of a pain point than installing app and importing config that was exported from pfsense export wizard.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                        1 Reply Last reply Reply Quote 0
                        • F
                          firewalluser last edited by

                          Worth also getting some notifications, otherwise how would you know if someone has got into your system?

                          https://forum.pfsense.org/index.php?topic=52532.0

                          Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                          Asch Conformity, mainly the blind leading the blind.

                          1 Reply Last reply Reply Quote 0
                          • N
                            NOYB last edited by

                            You may also be interested in rate limiting the new connections so somebody doesn't just stand there pounding on the door.

                            In the SSH firewall rule Advanced features - Advanced Options:
                            Maximum new connections per host / per second(s) (TCP only)
                            3 / 60

                            1 Reply Last reply Reply Quote 0
                            • F
                              firewalluser last edited by

                              Is there a Fail2Ban in pfsense or freebsd?

                              Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                              Asch Conformity, mainly the blind leading the blind.

                              1 Reply Last reply Reply Quote 0
                              • D
                                doktornotor Banned last edited by

                                @firewalluser:

                                Is there a Fail2Ban in pfsense or freebsd?

                                It's enabled by default for webgui and SSH.

                                https://doc.pfsense.org/index.php/Sshlockout
                                https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI#Locked_Out_by_Too_Many_Failed_Login_Attempts

                                1 Reply Last reply Reply Quote 0
                                • S
                                  shuhdonk last edited by

                                  Thanks all for the help and suggestions, I appreciate it.  I have another non related issue. How do I determine why occasionally lose internet connection for just a brief moment a few times a day since putting this pfsense box up, no issues at all with my connection before the pfserver.  What should I look into to see if anythings shows up anywhere?  I assume logs, but which logs, how?  what am I looking for?

                                  thanks again!

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    doktornotor Banned last edited by

                                    @shuhdonk:

                                    I have another non related issue.

                                    Then please start a new thread.

                                    1 Reply Last reply Reply Quote 0
                                    • N
                                      NOYB last edited by

                                      Suggest starting a new thread for this non related topic.

                                      Edit / Update: Oh I see you did that already.

                                      @shuhdonk:

                                      Thanks all for the help and suggestions, I appreciate it.  I have another non related issue. How do I determine why occasionally lose internet connection for just a brief moment a few times a day since putting this pfsense box up, no issues at all with my connection before the pfserver.  What should I look into to see if anythings shows up anywhere?  I assume logs, but which logs, how?  what am I looking for?

                                      thanks again!

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post