Configuring pfSense on a non-standard SSH port with keys

In this post I will guide you through enabling SSH access to pfSense on a non-standard port with key-based authentication, to further harden the connection to your firewall.

First I will open pfSense in the web browser, then from the System menu I will click on Advanced.
[Screenshot: pfSense System menu with the Advanced entry]
I will scroll down to Secure Shell, enable the secure shell server, set a different SSH port rather than the standard 22, and also disable password login for secure shell so that only the configured keys can be used by the user I want to allow to connect over SSH.
[Screenshot: Secure Shell section: Enable Secure Shell, Disable password login for Secure Shell (RSA/DSA key needs to be configured for each user), SSH port (leave blank for the default of 22)]
After this option is enabled I will go to User Manager and create a new user by pressing the + button at the far right.
[Screenshot: System: User Manager, Users tab, showing the admin account]
Then I will want this user to be part of the admins group so that it has the privileges required to configure anything from the SSH session without any issue.
[Screenshot: User properties: Username sshuser, Full name SSH user, Group Memberships]
Then, before I save this user, I will scroll down and enable the Authorized Keys option.
[Screenshot: Authorized Keys: Click to paste an authorized key]
In order to configure a key, I will need a free tool to generate a public/private key pair for authenticating the user.
In my case I will use PuTTYgen, which is free and available to download anywhere on the internet; I will also attach the tool at the bottom of this page for anyone to use.
I will run PuTTY Key Generator and change the number of bits to make the key harder to crack, so I will use 2048 bits instead of 1024.
[Screenshot: PuTTY Key Generator, Parameters: Type of key to generate SSH-2 RSA, Number of bits in a generated key]
I will click on Generate and move my mouse within the PuTTY Key Generator window until the key is generated.
[Screenshot: PuTTY Key Generator: Please generate some randomness by moving the mouse over the blank area]
You will have to keep moving your mouse cursor within this window until the progress bar completes and your key is generated.
As you can see below, the public and private keys are generated, but you will have to type your own “Key passphrase”, as you will need it when you connect to the SSH session.
[Screenshot: PuTTY Key Generator showing the generated public key, key fingerprint, key comment key-20141231, and the Key passphrase fields]
I will copy the public key from where it says “Public key for pasting into OpenSSH authorized_keys file” and paste it into the Authorized Keys box in pfSense.
[Screenshot: copying the public key text from PuTTY Key Generator]
[Screenshot: the key pasted into the pfSense Authorized Keys box]
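Before pasting the public key into the pfSense Authorized Keys box, it is worth checking that the copied line is well-formed and that the modulus really has the 2048 bits chosen in PuTTYgen. The following Python checker is an added example, not code from the post or from pfSense; the key line it builds for testing uses a placeholder modulus (not a real key) and the key-20141231 comment from the screenshot.

```python
import base64

MIN_RSA_BITS = 2048  # the post picks 2048 bits instead of PuTTYgen's 1024 default

def _read_string(blob, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    length = int.from_bytes(blob[off:off + 4], "big")
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def parse_authorized_key(line):
    """Parse '<type> <base64 blob> [comment]' into (type, rsa_bits, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    embedded, off = _read_string(blob, 0)  # blob starts with its own type name
    if embedded.decode() != key_type:
        raise ValueError("prefix %r does not match blob type %r" % (key_type, embedded))
    bits = None
    if key_type == "ssh-rsa":  # fields are exponent e then modulus n, as mpints
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    if off != len(blob):
        raise ValueError("trailing bytes after key fields")
    return key_type, bits, comment

def check_key_policy(line):
    """True only for an ssh-rsa key whose modulus has at least MIN_RSA_BITS."""
    key_type, bits, _ = parse_authorized_key(line)
    return key_type == "ssh-rsa" and bits is not None and bits >= MIN_RSA_BITS

def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (big-endian, sign byte if needed)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b""
    return len(raw).to_bytes(4, "big") + raw

def make_rsa_line(modulus_bits, comment="key-20141231"):
    """Build a constructed ssh-rsa line; the modulus is a placeholder number, not a real key."""
    n = (1 << (modulus_bits - 1)) | 1
    blob = (7).to_bytes(4, "big") + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
```

Run `check_key_policy()` on the exact text copied from PuTTYgen; a key generated with the 1024-bit default, or a line whose type prefix does not match the blob, is rejected.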
Now I will save both the public and private key in a folder for my own use. Let’s create a folder called Pfsense_SSH_Key and save both keys in it.
[Screenshot: Save public key as: D:\Pfsense_SSH_Key, containing private key.ppk and the public key]
Both keys are saved in this folder, but I will only need the private key with an SSH client such as PuTTY to connect to pfSense.
Now I will go back to the user and add the effective privileges that will allow the user to connect over SSH; I will click on the + button.
[Screenshot: Effective Privileges, inherited from admins: WebCfg - All pages]
And from the system privileges I will add User – System – Shell account access and SSH tunneling.
[Screenshot: Add privileges list, including User – System – SSH tunneling]
Then save these settings, and then save the user settings.
[Screenshot: System: User Manager showing the admin and sshuser accounts]
Then I will configure a firewall rule for the new SSH port that I set in the Advanced window: I will go to Firewall -> Rules and create a new rule that allows my public IP address (my work IP address) to reach my pfSense WAN address (my home IP address) on port 2222.
[Screenshot: Firewall: Rules, WAN tab: rule with destination WAN address, port 2222]
Once this is configured, I can test the SSH connection using PuTTY (not PuTTY Key Generator).
Type the IP address in the Host Name field, then the port that I configured for SSH, and select SSH under Connection type.
[Screenshot: PuTTY Configuration, Session: Host Name (or IP address), Port, Connection type SSH]
Before clicking on Open to open the connection, I have to load the private key from SSH -> Auth.
[Screenshot: PuTTY Configuration, SSH > Auth: Private key file for authentication set to D:\Pfsense_SSH_Key\private key.ppk]
Now I will click on Open; it should give you a warning when the connection opens.
[Screenshot: PuTTY Security Alert: the server's host key is not cached in the registry; it shows the server's rsa2 key fingerprint and asks whether to trust this host]
Click Yes and continue, then type the username that I set up and the passphrase that you set.
[Screenshot: login as: sshuser, Authenticating with public key, Passphrase for key]
After a successful login it will show the following, and from here you can start.
[Screenshot: FreeBSD copyright banner and the shell prompt in /home/sshuser]
I am going to try to show the network configuration by typing ifconfig …
[Screenshot: ifconfig output listing the interfaces with their addresses and status]
So everything seems to be working as expected. If you want to give this particular user more admin privileges, you will have to log in as admin and add more system privileges from the user’s “Effective Privileges” section.
Hope this helps.
