Remotely Managing pfsense via SSH Tunneling

  Views: 29,754

Lawrence Systems

A day ago

Comments: 45
@iHelpUTechEffingham 4 years ago
"If they find an issue with public key encryption, we're all in trouble and your firewall will be the least of your concerns." Something about that made me chuckle in fear lol.
@nreitcheck 5 years ago
Just a note, do not use port 222 or 5555 as given in the example. Both ports are commonly scanned for, as well as many, many others. For the 10 most commonly scanned ports, watch AT&T ThreatTraq Internet Weather Report kzbin.info/aero/PLq4ic8ODT5PfsdQ7XBnKqIa2FBLmwjanL . Also remember to use best security practices for SSH, as it can allow access to any computer on any connected network, not just the localhost.
@clomok 9 months ago
Perfect, this is exactly the answer I needed. Thank you!
@MirkWoot 5 years ago
That's pretty neat, actually had no idea that was possible, the way to get the webconfigurator through ssh.
@anyheck 5 years ago
That seems like a solid idea. I've used openvpn to have a remote router "phone home" and it's stable but certainly a more involved setup. How are you setting up the remote sites to deal with dynamic IPs, and what do you do for your password management as all of the remote sites are at localhost:port? Is there an autossh package on pfsense to get it to phone home to you with a reverse tunnel setup?
@PileofKyle 5 years ago
You’re a great teacher.
@wormchickenwizard 3 years ago
How do you centrally manage and monitor your entire fleet of pfsense devices for outages and other issues? Also, with public/private keys for SSH, how do you keep up with all the keys on each firewall that are specific to each of your technicians? Is there a way you can orchestrate changes? For example, if a technician had their computer stolen, would you have to remote into each firewall individually and revoke the key, or could you do it with a couple of clicks and push that change to every firewall at once?
@ITHowToAsap 4 years ago
If pfSense is in a virtual machine and its WAN IP is a private one, for example 192.168.1.23, you must disable "Block private networks and loopback addresses" under Interfaces/WAN in order for the firewall rules to work.
@marcvanberkel8512 5 years ago
We made a central management system for pfsense, based on SSH port forwarding, to be able to view all kinds of information in one dashboard. Uptime, states, CPU, mem, backups, live ICMP, etc.
@LAWRENCESYSTEMS 5 years ago
We use zabbix for that
@johnhumphreys2755 A year ago
Awesome video. Thank you
@LAWRENCESYSTEMS A year ago
My pleasure!
@someyounggamer 5 years ago
Is his main OS Parrot? Great video, helped a lot with my syslog machine!
@linuxpc4me555 5 years ago
Just saw this video.. what a great tutorial! Thank you so much. One question... how would you use this with putty?
@LAWRENCESYSTEMS 5 years ago
I don't use PuTTY anymore, but it is supported; this site has a write-up: www.akadia.com/services/ssh_putty.html
@jasonperry6046 5 years ago
!!! Ho Li $#! +. There goes any hesitation I had for going all in on pfSense. I obviously don't know what I don't know. Any suggestions for an overview of things past the basics that Linux can do?
@TaRaZ_AST 3 years ago
If you configure a rule that allows access to https, it will allow it anyway, despite the ssh rule. I mean I can connect via browser before (without) connecting via ssh.
@ERolando78 5 years ago
Excellent video. A query: how can I limit the number of digital certificates for client devices on an OpenVPN server from pfSense?
@BradleyHerbst 4 years ago
Great video. Did you end up ever making a video on ssh port forwarding with pfsense?
@LAWRENCESYSTEMS 4 years ago
kzbin.info/www/bejne/aV6nhmdtr6mlh80
@BradleyHerbst 4 years ago
@LAWRENCESYSTEMS I needed to expose mysql to my friend, but I didn't want to install ssh on the mysql server because I'm going to be moving it to a container eventually, so I'd rather he authenticate through the pfsense box. I came up with this: ssh -L 3306:(ip-of-mysql-server):3306 -p (random-port-for-this) (non-admin-pfsense-username-with-publickey)@(my-public-ip-address). I'm sure this is not the right way to do this, but it does work. I would like to know how to properly set this up so they have to authenticate before they can get access to a port. I was going to set up a second openvpn on pfsense, but I figured that was overkill since I only need to expose one port. Thank you
@abdelhakeljamali4101 5 years ago
Great video as usual. Thank you
@CGW11 5 years ago
Thanks Tom! Great stuff. 👍 Can you share your bash prompt?
@booradlly 4 years ago
YES PLEASE, that was a wicked looking bash, never seen a bash so detailed. PLEASE TELL US
@booradlly 4 years ago
I asked the same question again, and he answered! (see above) github.com/flipsidecreations/dotfiles
@rogan466 5 years ago
This seems like a lot of work. Why not toss an IP on the loopback, create an IPsec tunnel to your network, this way you can manage the device at the far end from anywhere within your own management network. That way you can stay sanitized and not have ports opened etc. I understand the port is only opened from a particular source, but this just seems like a lot of work.
@ronaldvaughan4117 4 years ago
Rogan, interested in your method as well. Any existing reference as to how to actualize it? Tnx!
@marklharmon A month ago
FYI, from the start it's a good idea to temporarily disable SSHGuard/Login Protection before too many failed SSH logins happen. Don't ask me how I know. 🙂
@nurhafizah210 4 years ago
Hello sir, I cannot access my pfsense web GUI. I installed them in VirtualBox. Do you know how to solve this? Thank you.
@rafionroot 5 years ago
Great video. I'm having a bit of a problem hitting the localhost:5555, can't connect at all. Do I need to add another rule besides the ssh allow on the WAN? The admin access and the WAN rule have been configured correctly. Thanks guys
@booradlly 4 years ago
Does anyone know what BASH that is? It is awesome looking, lots of detail.
@LAWRENCESYSTEMS 4 years ago
github.com/flipsidecreations/dotfiles
@mervinmercado4755 4 years ago
Hey Tom, nice and great video, hoping that you also have a video on how to set this up on the Windows command line. I'm following your videos. More power, and I hope sooner or later you read my comment. Keep safe
@josecubas9460 5 years ago
Teacher, I am from Peru. I am a student. I would like it if you could teach us from the beginning Snort OpenAppID + pfBlocker. Excuse me, greetings from Peru and thanks for your videos
@Oswee 3 years ago
It would be nice if pfSense would support SSH Certificates
@jasonperry6046 5 years ago
Okay, I have watched the video again and I have a question. Can I get a Let's Encrypt certificate for a pfSense box? Will the same scripts work that I use on my Debian-based boxes? I do realize it is BSD-based, that's why I ask.
@LAWRENCESYSTEMS 5 years ago
There is a pfsense plugin for the ACME cert system
@mathesonstep 5 years ago
So you do need the private key to log in to the server, correct? Because if someone had your IP and your public key they shouldn't be able to do anything, is that correct?
@LAWRENCESYSTEMS 5 years ago
Correct, keep your private key super locked down
@gorillaau 4 years ago
@LAWRENCESYSTEMS Yes, perhaps even to the point where, if your private key is stolen on a laptop, you should revoke the existing public key from your servers and create a new private key. Paranoid? Perhaps, but nice to know that the servers you are responsible for are not accessible by ill-gotten means.
@takumihikaru6055 5 years ago
Hi Tom, can you help me with how to allow Skype on pfsense? Thanks
@LAWRENCESYSTEMS 5 years ago
It is allowed
@takumihikaru6055 5 years ago
Thanks for your reply. I followed your tutorial on pfBlocker but Skype is blocked, just don't know where it is filtered from.
@LAWRENCESYSTEMS 5 years ago
That varies with what list you are using.
@takumihikaru6055 5 years ago
Found it, thank you.