
How to Access pfSense Remotely Using SSH

Updated on May 8, 2014

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelors Degree in Information Technology from UMKC.

SSH, also known as Secure Shell, provides an effective method to remotely access a pfSense router. The primary advantage of using SSH instead of another protocol such as telnet is security. SSH traffic is fully encrypted, so anyone sniffing the wire sees nothing useful, and the client checks the server's host key, which lets it detect a man in the middle as long as you verify the key fingerprint the first time you connect rather than blindly accepting it.

SSH can also provide more than a simple remote shell: you can securely transfer files and forward ports to the remote network.

How to Enable the SSH Service

By default the SSH service is disabled for security purposes. To enable the service, log into the web interface of the pfSense router.

  1. Access the advanced settings page in the system menu.
  2. Check the box labeled 'Enable Secure Shell'.
  3. Change the default port by entering a new port number in the 'SSH Port' box. This step is optional but recommended.
  4. Click Save at the bottom of the page to apply the changes and start the service.

I strongly recommend changing the default port for the service. There are thousands of bots on the internet that search for active SSH servers and attempt to brute force the root password. Moving the service to a random port number above 1024 keeps most of that automated noise out of your logs, but it is obscurity rather than a security control: a port scan still finds the service, so treat the port change as a supplement to key based authentication and source address restrictions, not a replacement for them.

Another way to add protection against brute force attacks is to set up the DenyHosts service, which watches the sshd log for repeated failed logins and blocks the offending addresses.
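The detection logic behind a DenyHosts-style lockout, as an added example that is not part of this article or of DenyHosts itself: it parses constructed sshd log lines in the syslog format FreeBSD-based systems such as pfSense produce (source addresses are RFC 5737 test addresses), counts failed password attempts per source inside a sliding window, and emits the pfctl commands that would add each offender to a pf table. The threshold, window and table name are assumptions chosen for illustration.

```python
"""Denyhosts-style detection of SSH brute-force sources from sshd log lines.

Added example, not part of the original article or of DenyHosts itself.
The log lines are constructed (RFC 5737 test addresses) in the syslog
format sshd uses on FreeBSD; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what sshd logs on a FreeBSD-based system such as
# pfSense. Classic syslog timestamps carry no year, so one is supplied below.
SAMPLE_LOG = """\
May  8 10:12:01 pfSense sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
May  8 10:12:03 pfSense sshd[1201]: Failed password for root from 203.0.113.5 port 51235 ssh2
May  8 10:12:05 pfSense sshd[1203]: Invalid user admin from 203.0.113.5
May  8 10:12:06 pfSense sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
May  8 10:12:09 pfSense sshd[1205]: Failed password for root from 203.0.113.5 port 51237 ssh2
May  8 10:12:11 pfSense sshd[1207]: Failed password for root from 203.0.113.5 port 51238 ssh2
May  8 10:13:40 pfSense sshd[1210]: Failed password for root from 198.51.100.9 port 40001 ssh2
May  8 10:40:00 pfSense sshd[1220]: Failed password for root from 198.51.100.9 port 40002 ssh2
May  8 11:05:00 pfSense sshd[1230]: Accepted publickey for admin from 192.0.2.10 port 55000 ssh2
"""

# One failed password attempt per matching line. An "Invalid user" line is
# followed by a "Failed password for invalid user" line for the same attempt,
# so only the latter is counted to avoid double counting.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2014):
    """Return a list of (timestamp, source_ip), one per failed password."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def find_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count per source; returns {ip: time the threshold was hit}.

    An address is flagged the first time it accumulates `threshold` failures
    inside any span of length `window`, which is what a DenyHosts-style tool
    does before writing the address to its deny list.
    """
    recent = defaultdict(list)
    offenders = {}
    for ts, ip in sorted(events):
        bucket = recent[ip]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:
            bucket.pop(0)  # forget failures that fell out of the window
        if len(bucket) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def pfctl_commands(offenders, table="sshlockout"):
    """pfctl invocations that would add each flagged address to a pf table.

    pf can block addresses listed in a table referenced by a block rule; the
    table name used here is an assumption for illustration.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(parse_failures(SAMPLE_LOG))
    for ip, when in hits.items():
        print(f"{ip} hit the threshold at {when:%H:%M:%S}")
    print("\n".join(pfctl_commands(hits)))
```

With the sample above only 203.0.113.5 is flagged: it fails five times in ten seconds, while 198.51.100.9 spreads two failures over half an hour and never fills the window. Widening the window to an hour catches the slow scanner too, which is the trade-off every lockout tool makes between catching patient attackers and locking out a colleague who mistyped a password.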

The secure shell service can be enabled in the advanced system settings.

Testing the Service Locally

At this point the service should be running. To test it out you can try connecting with a client such as PuTTY.

PuTTY is a very popular (and free) SSH client that is simple to use. The program consists of a single file, putty.exe.

After you run PuTTY, enter the LAN IP address or hostname of the pfSense router in the host box at the top. If you configured the service to run on a different port, change the port to the one you entered in the settings.

Click 'Open' at the bottom of the program to connect to the server. On the first connection PuTTY shows the server's host key fingerprint and asks whether to trust it; cache it only after confirming it belongs to your router, because this check is what defeats a man in the middle.

I recommend using the PuTTY SSH client.

The Console Menu

If the connection was successful you will be prompted for a username; enter root. The server will then prompt you for a password, which is the same one you use to access the web interface as the admin user.

To access the shell select option number 8.

After logging in the console menu will be displayed.

Changing the Admin / Root Password

To change the root password for the system, open the user manager in the system menu. Click the edit button next to the admin user to assign a new password. The admin and root accounts share this password, so choose a long one; it protects both the web interface and the shell.

You can also set up additional user accounts here. A user needs the shell account access privilege assigned in the user manager before they can log in over SSH.

The root password can be changed through the user manager.

Enabling Access From The Internet

In order to access the SSH service from outside the local network you must create a firewall rule to permit the traffic. Without such a rule the packets are simply dropped by the WAN interface's default deny policy.

To allow the traffic click on 'Rules' in the firewall menu, then select the WAN tab.

A firewall rule must be created to allow access to the SSH service from outside the local network.

Creating a Firewall Rule

Create a new firewall rule by clicking the plus symbol on the lower right hand side of the firewall rules page. This opens the firewall rule editor.

The default action for a new rule is 'pass' which will allow the traffic.

  1. Set the interface to WAN.
  2. Make sure the protocol is set to TCP, which is the protocol SSH runs on.
  3. In the destination settings select a type of 'WAN address'.
  4. In the destination port range enter 22, or the port you configured SSH to run on, in the 'from' box. You can leave the 'to' port blank.
  5. Enter a description for the rule such as 'Allow SSH to WAN'.
  6. Click Save to finish creating the firewall rule.

The source defaults to 'any', which exposes the service to the whole internet. If you only ever connect from a few known addresses, set the source to those addresses (or an alias containing them) so that nobody else can even reach the login prompt.

The firewall rule editor has many settings that allow you to customize the rule for your needs.

Applying the Changes

The new firewall rule will not be activated until the changes have been applied. Click on the 'Apply Changes' button to enable the new rule in the system.

After applying the new rule you should be able to reach the SSH service by pointing the client at the WAN IP address of the pfSense box. I like to set up dynamic DNS instead of having to keep track of IP addresses.

The changes must be applied in order for the new rule to take effect.

Setting Up Key Based Authentication

Even if you've changed the listening port, the service can still be discovered by port scanning: sshd announces itself with an 'SSH-2.0-...' identification string as soon as a client connects. Once discovered, bots can launch brute force attacks against the server to find accounts with weak passwords.
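Why a non-standard port does not hide the service, as an added example that is not part of the original article: a stand-in listener on 127.0.0.1 does nothing but send an SSH identification string (a constructed banner, not a real host), and a scan of the surrounding ports picks it out by that banner, the same way an internet bot would. The banner text and the ephemeral port are assumptions; SSH itself requires the server to send this string before any authentication takes place.

```python
"""Banner grab that finds an SSH daemon regardless of the port it runs on.

Added example, not from the original article. It starts a stand-in
listener on 127.0.0.1 that only sends an SSH identification string, then
scans a port range the way a bot would; the banner text is constructed.
"""
import socket
import threading

FAKE_BANNER = b"SSH-2.0-OpenSSH_6.6\r\n"  # constructed, not a real host


def start_fake_sshd(banner=FAKE_BANNER):
    """Listen on an ephemeral localhost port and send `banner` to each client.

    Returns the port so the scanner has something to find. Port 0 asks the
    kernel for any free port, standing in for the 'random port above 1024'
    the article recommends.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, timeout=0.3):
    """Connect and read the first line; None if nothing is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(255)
    except OSError:
        return None
    if not data:
        return ""
    return data.split(b"\r\n", 1)[0].decode("ascii", "replace")


def find_ssh_services(host, ports):
    """Return [(port, banner)] for every port whose banner starts with 'SSH-'.

    The SSH transport protocol makes the server identify itself first, so the
    daemon gives itself away before the client sends a single credential.
    """
    found = []
    for port in ports:
        banner = grab_banner(host, port)
        if banner and banner.startswith("SSH-"):
            found.append((port, banner))
    return found


def demo():
    """Start the stand-in listener and scan around its port; returns (port, hits)."""
    port = start_fake_sshd()
    return port, find_ssh_services("127.0.0.1", range(port - 2, port + 3))


if __name__ == "__main__":
    port, hits = demo()
    print(f"listener on {port}; scan found {hits}")
```

The scan reports the listener and its banner without ever sending a password, which is exactly why the section below moves on to key based authentication: once the service is found, the only thing standing between a bot and a shell is the strength of the login.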

To make the service much more secure, enable key based authentication. With password login disabled, attackers can guess passwords all day long, but without the private key they will never be granted access.

To turn off password authentication and require a key, enable the checkbox 'Disable password login for Secure Shell'. You can find this setting on the advanced system settings page in the Secure Shell section. Do this only after you have added your public key and confirmed that a key based login works; otherwise you lock yourself out of SSH and will have to use the console or the web interface to recover.

Generating a Public / Private Key Pair

To take advantage of key based logins we must create a pair of keys. The public key is entered into pfSense and the private key stays on the client; it must never be copied to the router or shared.

The easiest way to generate a key pair is to use the PuTTYgen program. Set the number of bits to at least 2048, click the Generate button, then move the mouse around the blank area to provide randomness for the key.

Puttygen can be used to generate a pair of keys for authentication.

Adding the Public Key to the Server

After generating the key pair, the public key needs to be added to the user account on pfSense.

  1. Open the user manager in the system menu.
  2. Click the 'e' (edit) button next to the user you want to add the key for. The root user is called admin in the user manager.
  3. Tick the checkbox in the authorized keys section labeled 'click to paste an authorized key'.
  4. Paste the public key into the box. Copy it from the 'Public key for pasting into OpenSSH authorized_keys file' text area at the top of PuTTYgen, not from a file written with 'Save public key': that button writes the multi-line RFC 4716 format, which sshd does not accept in authorized_keys, so the key login would silently fail.
  5. Click Save.
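What the two public key formats look like and how to move between them, as an added example that is not part of the original article or of PuTTY: the code converts an RFC 4716 file of the kind PuTTYgen's 'Save public key' writes into the single 'type base64 comment' line that pfSense's authorized keys box expects, checks that the type prefix really matches the key blob, and computes the SHA256 and MD5 fingerprints so you can compare them with what PuTTYgen displays. The key is a constructed, format-valid RSA blob with a non-prime toy modulus; it cannot authenticate anything and exists only so the code runs offline.

```python
"""Convert a PuTTYgen-saved public key (RFC 4716) to the one-line OpenSSH
authorized_keys form that pfSense expects, validate it, and fingerprint it.

Added example, not part of the original article or of PuTTY. The key below
is constructed: a format-valid ssh-rsa blob with a toy, non-prime modulus.
"""
import base64
import hashlib
import struct


def _ssh_string(b):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    """SSH mpint: big-endian with a leading 0x00 when the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed sample blob: "ssh-rsa", e = 65537, and a 1024-bit toy modulus
# derived from a hash so the sample is deterministic. Not a usable key.
TOY_MODULUS = int.from_bytes(hashlib.sha512(b"pfsense-example").digest() * 2, "big")
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(TOY_MODULUS)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")

# What PuTTYgen's "Save public key" writes: RFC 4716, base64 wrapped at 64 columns.
SAMPLE_RFC4716 = (
    "---- BEGIN SSH2 PUBLIC KEY ----\n"
    'Comment: "rsa-key-20140508"\n'
    + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
    + "\n---- END SSH2 PUBLIC KEY ----\n"
)


def parse_rfc4716(text):
    """Return (comment, blob) from an RFC 4716 public key file.

    Header lines are 'Name: value' and may continue with a trailing backslash;
    everything after the headers up to the END line is base64 body.
    """
    lines = text.strip().splitlines()
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key file")
    comment, body, i = "", [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:  # header; base64 never contains ':'
            name, value = line.split(":", 1)
            while value.endswith("\\"):
                i += 1
                value = value[:-1] + lines[i]
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line.strip())
        i += 1
    return comment, base64.b64decode("".join(body), validate=True)


def key_type(blob):
    """Algorithm name stored as the first length-prefixed string in the blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + n]
    if len(name) != n:
        raise ValueError("truncated blob")
    return name.decode("ascii")


def to_authorized_keys_line(rfc4716_text):
    """One 'type base64 comment' line, the form pasted into the user manager."""
    comment, blob = parse_rfc4716(rfc4716_text)
    return f"{key_type(blob)} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


def parse_openssh_line(line):
    """Split an authorized_keys line and verify the type prefix matches the blob."""
    parts = line.split(None, 2)
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    if key_type(blob) != ktype:
        raise ValueError(f"type prefix {ktype!r} does not match blob type {key_type(blob)!r}")
    return ktype, blob, comment


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 fingerprint, as older tools display it."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


if __name__ == "__main__":
    line = to_authorized_keys_line(SAMPLE_RFC4716)
    _, blob, _ = parse_openssh_line(line)
    print(line)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
```

The type check matters because sshd silently ignores an authorized_keys line whose prefix and blob disagree, which looks exactly like a wrong key when you are troubleshooting a failed login. The fingerprint is what to compare against PuTTYgen's display and against the key shown on the router, so you know the line you pasted is the one you generated.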

The public key must be added to the user account on pfSense.

Saving the Private Key

The final step is to save the corresponding private key and configure the PuTTY client to use it. For additional security I recommend setting a passphrase for the private key.

Without a passphrase, anyone with a copy of the private key file can connect to the server. With a passphrase, the key cannot be used without first knowing the phrase, so a stolen file alone is not enough.

To store the private key on the local computer click the 'Save private key' button in PuTTYgen. It writes a .ppk file, which is PuTTY's own private key format.

To load the key into PuTTY go to the Auth settings page found under Connection > SSH. Click the Browse button and locate the private key file you saved, then save the session so you don't have to repeat this each time.

Access the auth settings page to load the private key into Putty.

Testing the Key

After the key is loaded into the client you can connect to the SSH server. PuTTY prints a line such as 'Authenticating with public key "..."' followed by your key's comment, which shows that the public key is being used for authentication.

If you assigned a passphrase for the private key you will be prompted to enter it at this time.

Example of a key based login.

Transferring Files Over SSH with WinSCP

SSH can also be used to transfer files to or from pfSense using SCP (secure copy). With SCP you transfer files securely to or from the remote system while reusing the existing SSH authentication, including the key you just set up.

For Windows users there is a great SCP client called WinSCP, which provides an easy to use interface for transferring files over SSH.

When WinSCP starts the login screen is displayed; enter the IP address of the pfSense box in the host name field. If you're not running SSH on the default port (22), change the port number accordingly.

Log in using the same credentials you use when connecting with SSH. If you disabled password login, point WinSCP at the same .ppk private key under its advanced SSH authentication settings.

WinSCP works very well for transferring files over the SSH protocol.

After the connection is established you will be presented with a directory listing of the remote system on the right hand side. The left side of the screen displays the local file system.

The WinSCP interface is very similar to Windows Explorer: you can drag and drop files and directories between the remote and local computer.

The WinSCP interface is very similar to Windows Explorer.

The Many Uses of SSH

As you can see SSH is incredibly versatile! There are many more things you can do with the protocol to make system administration easier; you can even set up scripts to run commands on remote systems at predetermined times. Best of all, everything done over SSH is encrypted and authenticated, provided you verify host keys and keep your private key protected.

If you know of any more great uses for secure shell please leave a comment below.

© 2012 Sam Kear
