How to Access pfSense Remotely Using SSH
SSH, also known as Secure Shell, provides an effective method to remotely access a pfSense router. The primary advantage of using SSH instead of another protocol such as Telnet is security. SSH traffic is fully encrypted, which prevents other users from seeing the traffic through sniffers or man-in-the-middle type attacks.
SSH can also provide more than a simple remote shell: you can securely transfer files and forward ports to the remote network.
How to Enable the SSH Service
By default the SSH service is disabled for security purposes. To enable the service, log into the web interface of the pfSense router.
- Access the advanced settings page in the system menu.
- Check the box labeled 'Enable Secure Shell'.
- Change the default port by entering a new port number in the 'SSH Port' box. This step is optional but recommended.
- Click Save at the bottom of the page to apply the changes and start the service.
I strongly recommend changing the default port for the service. There are thousands of bots on the internet that search out active SSH servers and attempt to brute force the root password. You can avoid being an easy target by selecting a random port number above 1024.
Another way to add protection against brute force attacks is to set up the Denyhosts service.
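As an added example (not code from the original article or from the Denyhosts project), here is a small Python script that does the kind of counting Denyhosts automates. It parses authentication messages in the format OpenSSH's sshd writes to the system log, tallies failed password attempts per source address, and also lists successful logins that used a password rather than a key. The sample log lines, the function names and the threshold of five failures are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of OpenSSH sshd log messages.
# They are not taken from a real pfSense system; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:01:12 pfsense sshd[4121]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  3 10:01:15 pfsense sshd[4121]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar  3 10:01:19 pfsense sshd[4123]: Failed password for invalid user oracle from 198.51.100.23 port 51031 ssh2
Mar  3 10:01:22 pfsense sshd[4125]: Failed password for invalid user test from 198.51.100.23 port 51040 ssh2
Mar  3 10:01:30 pfsense sshd[4127]: Failed password for admin from 198.51.100.23 port 51055 ssh2
Mar  3 10:05:02 pfsense sshd[4130]: Failed password for admin from 192.168.1.50 port 60211 ssh2
Mar  3 10:05:10 pfsense sshd[4130]: Accepted publickey for admin from 192.168.1.50 port 60211 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINTxxxxxxxxxxxxxxxxxxxx
Mar  3 10:09:41 pfsense sshd[4140]: Accepted password for admin from 203.0.113.9 port 40012 ssh2
"""

# "invalid user" appears when the name does not exist on the box; the regex
# tolerates both forms and captures the username and the source address.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")


def failed_attempts_by_source(log_text):
    """Count failed password attempts per source IP and collect the usernames tried."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            counts[ip] += 1
            users[ip].add(user)
    return counts, users


def brute_force_sources(log_text, threshold=5):
    """Return (ip, failures, usernames) for every source at or above the threshold.

    This is the same idea Denyhosts applies before adding a host to its deny list.
    """
    counts, users = failed_attempts_by_source(log_text)
    return sorted((ip, n, sorted(users[ip]))
                  for ip, n in counts.items() if n >= threshold)


def password_logins(log_text):
    """Successful logins that used a password rather than a public key.

    Once password login is disabled for SSH this list should stay empty.
    """
    found = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) == "password":
            found.append((m.group(2), m.group(3)))
    return found


if __name__ == "__main__":
    for ip, n, names in brute_force_sources(SAMPLE_LOG):
        print(f"{ip}: {n} failed attempts, usernames tried: {', '.join(names)}")
    for user, ip in password_logins(SAMPLE_LOG):
        print(f"password login: {user} from {ip}")
```

With the constructed log, one address trips the threshold after trying four different names, while the single typo from the LAN host followed by a key login does not. Tune the threshold to your own traffic before acting on the output.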
Testing the Service Locally
At this point the service should be running. To test it out you can attempt to connect with a client such as PuTTY.
PuTTY is a very popular (and free) SSH client that is simple to use. The program consists of a single file, putty.exe.
After you run PuTTY, enter the LAN IP address or hostname of the pfSense router in the Host box at the top. If you have configured the service to run on a different port, change the port to the one you entered in the settings.
Click 'Open' at the bottom of the program to connect to the server.
The Console Menu
If the connection was successful you will be prompted for a username; enter root. The server will also prompt you for a password. The password is the same one you use to access the web interface as the admin user.
To access the shell, select option number 8.
Changing the Admin / Root Password
To change the root password for the system open the user manager in the system menu. Click the edit button next to the admin user to assign a new password.
You can also set up additional user accounts here.
Enabling Access From The Internet
In order to access the SSH service from outside of the local network you must create a firewall rule to permit the traffic to pass. Without a firewall rule to permit the traffic the packets would simply be dropped by the firewall.
To allow the traffic click on 'Rules' in the firewall menu.
Creating a Firewall Rule
Create a new firewall rule by clicking the plus symbol on the lower right-hand side of the firewall rules page. This will open the firewall rule editor page.
The default action for a new rule is 'pass' which will allow the traffic.
- Set the interface to WAN.
- Make sure the protocol is set to TCP, which is the protocol SSH runs on.
- In the destination settings select a type of 'WAN address'.
- In the destination port range enter 22, or the port you configured SSH to run on, in the from box. You can leave the 'to' port blank.
- Enter a description for the rule such as 'Allow SSH to WAN'.
- Click save to finish the creation of the firewall rule.
Applying the Changes
The new firewall rule will not be activated until the changes have been applied. Click on the 'Apply Changes' button to enable the new rule in the system.
After applying the new rule you should be able to access the SSH service by pointing the client to the WAN IP address of the pfSense box. I like to set up dynamic DNS instead of having to keep track of IP addresses.
Setting Up Key Based Authentication
Even if you've changed the listening port for SSH the service can still be discovered by port scanning. Once discovered bots can launch brute force attacks against the server to try to find accounts with weak passwords.
To make the service much more secure you can enable key based authentication. With key authentication enabled hackers can attempt to guess passwords all day long but without the private key they will never be granted access.
To turn off password authentication and require a secure RSA key, enable the checkbox 'Disable password login for Secure Shell'. You can find this setting on the advanced system settings page in the Secure Shell section.
Generating a Public / Private Key Pair
To take advantage of key based logins we must create a pair of keys. The public key will be entered into pfSense and the private key will be stored on the client.
The easiest way to generate a key pair is to use the PuTTYgen program. Click the Generate button, then move the mouse around to create some randomness for the key.
Adding the Public Key to the Server
After generating the key pair the public key needs to be added to the user account on pfSense.
- Open the user manager in the system menu.
- Click the 'E' button next to the user you want to add the key for. The root user is called admin in the user manager.
- Click the checkbox in the authorized keys section labeled 'click to paste an authorized key'.
- Paste the public key that was generated by PuTTYgen into the box.
- Click save.
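One thing that trips people up at this step is which text to paste. PuTTYgen shows the key in the one-line OpenSSH authorized_keys format in its top text box (labeled for pasting into an authorized_keys file), whereas its 'Save public key' button writes a multi-line file in RFC 4716 format, which sshd does not accept in authorized_keys. The following Python script is an added example, not code from the article or from pfSense: it builds a constructed authorized_keys entry (the 32-byte key value is arbitrary filler, not a real key) and then validates pasted entries by decoding the base64 blob and confirming that the key type embedded in the blob matches the prefix, so a mangled or wrong-format paste is caught before you lock yourself out by disabling password login. All function names and sample values are this example's own.

```python
import base64
import struct

# Key type prefixes OpenSSH accepts in authorized_keys (the common ones are enough here).
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def read_ssh_string(blob, offset=0):
    """Read one SSH wire-format string: a big-endian uint32 length, then that many bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def make_entry(key_type, key_bytes, comment):
    """Build an authorized_keys line: '<type> <base64 blob> <comment>'.

    The blob starts with the key type string again, followed by the key material
    (for ssh-ed25519 a single 32-byte string; RSA keys carry e and n instead).
    """
    blob = (struct.pack(">I", len(key_type)) + key_type.encode("ascii")
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


def check_authorized_key(text):
    """Classify a pasted key. Returns (status, key_type, detail)."""
    text = text.strip()
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        return ("rfc4716", None,
                "this is PuTTYgen's 'Save public key' file; paste the one-line "
                "text from PuTTYgen's top box instead")
    parts = text.split(None, 2)
    if len(parts) < 2:
        return ("malformed", None, "expected '<type> <base64> [comment]' on one line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in KEY_TYPES:
        return ("unknown-type", key_type, "prefix is not a known OpenSSH key type")
    try:
        blob = base64.b64decode(b64, validate=True)
        embedded, _ = read_ssh_string(blob)
    except (ValueError, struct.error):
        return ("bad-base64", key_type, "blob is not valid base64 or is truncated")
    if embedded != key_type.encode("ascii"):
        return ("mismatch", key_type,
                f"prefix says {key_type} but the blob says "
                f"{embedded.decode('ascii', 'replace')}")
    return ("ok", key_type, comment)


# Constructed sample entry: the 32-byte "key" is arbitrary filler, not a real key.
SAMPLE_ENTRY = make_entry("ssh-ed25519", bytes(range(32)), "sam@laptop")

# Constructed text in the shape of a PuTTYgen 'Save public key' file (RFC 4716 format);
# the base64 body is filler and is never decoded.
SAMPLE_RFC4716 = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20120301"
AAAAB3NzaC1yc2EAAAABJQAAAIEAconstructedfiller
---- END SSH2 PUBLIC KEY ----
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ENTRY, SAMPLE_RFC4716, "ssh-rsa " + SAMPLE_ENTRY.split()[1]):
        print(check_authorized_key(sample))
```

Run it before clicking Save with your own pasted text in place of SAMPLE_ENTRY; anything other than an 'ok' status means the key will not work and password login should stay enabled until it is fixed.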
Saving the Private Key
The final step is to save the corresponding private key and configure the PuTTY client to use it. For additional security I recommend setting a passphrase for the private key.
Without a passphrase anyone with a copy of the private key file can connect to the server. By adding a passphrase the key cannot be used without first knowing what the phrase is.
To store the private key on the local computer, click the 'Save private key' button in PuTTYgen.
To load the key into PuTTY, go to the Auth settings page found under Connection\SSH. Click the Browse button and locate where you saved the private key file.
Testing the Key
After the key is loaded into the client you can attempt to connect to the SSH server. You should see a message like the one in the screenshot below indicating the public key is being used for authentication.
If you assigned a passphrase to the private key you will be prompted to enter it at this time.
Transferring Files Over SSH with WinSCP
SSH can also be used for transferring files to or from pfSense using SCP (Secure Copy Protocol). With SCP you can transfer files securely to or from the remote system while using the existing SSH authentication.
For Windows users there is a great SCP client called WinSCP. The WinSCP program provides an easy to use interface for transferring files over SSH.
When WinSCP starts, the login screen is displayed. Enter the IP address of the pfSense box in the host name field. If you're not running SSH on the default port (22), change the port number accordingly.
Log in using the same credentials you use when connecting with SSH.
After the connection is established you will be presented with a directory listing of the remote system on the right-hand side. The left side of the screen displays the local file system.
The WinSCP interface is essentially identical to Windows Explorer: you can drag and drop files and directories between the remote and local computer.
The Many Uses of SSH
As you can see SSH is incredibly versatile! There are many more things you can do with the protocol to make system administration easier. You can even set up scripts to run commands on remote systems at predetermined times. Best of all everything done over SSH is fully secure thanks to the encryption it uses.
If you know of any more great uses for secure shell please leave a comment below.
© 2012 Sam Kear