The pfSense Store

Author Topic: New Feature, Seamless upconversion of Telnet to SSH via pfSense, For SCADA  (Read 639 times)

0 Members and 1 Guest are viewing this topic.

Offline MasterX-BKC-

  • Jr. Member
  • **
  • Posts: 59
  • Karma: +20/-9
  • FBI Infragard Member
    • View Profile
    • PFMonitor
Ever run into a telnet device you just cannot eliminate yet, because it does some important function, controls something, drives a PLC, monitors a motor, whatever the case.

Many such devices only support telnet, and have little to no security built into them.

It is now possible to use your pfsense to upconvert the telnet sessions to SSH, and use user/password auth or SSH keys.

A single pfsense unit acting as the internet gateway can handle this for a nearly unlimited number of devices, or for added security, you could affix a SG-1000 to each of your most critical devices, inline to protect them from even other devices on the local network as well.

Im developing this as a simple cmdlet, that can be run from the pfsense console screen, or from the command line option in the web interface, either way works.

And i do have this working, just putting finishing touches on the cmdlet parts.

Tested working on my own SG-1000.
51 x pfSense Devices
Member of FBIs Infragard Program
Certified Information Systems Security Officer
Certified Vulnerability Assessor

Online johnpoz

  • Hero Member
  • *****
  • Posts: 14299
  • Karma: +1330/-193
  • Not a pfSense employee, they cannot fire me...
    • View Profile
"or for added security, you could affix a SG-1000 to each of your most critical devices, inline to protect them from even other devices on the local network as well."

Huh??  Why would such devices be on a network with other devices.. Wouldn't such devices be isolated on their own segment?

Having a really hard time working out an actual use case.... I hear you that there are some old devices that still use telnet, that can not be upgraded in a work setup sure.. But how is your so called conversation not just running telnet via a ssh tunnel??
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)

Offline MasterX-BKC-

  • Jr. Member
  • **
  • Posts: 59
  • Karma: +20/-9
  • FBI Infragard Member
    • View Profile
    • PFMonitor
You do realize there are a great number of such telnet devices out in the field, in little boxes on camera or light poles, or an un-manned pump station, or any number of other places, where segregated networks simply dont exist because their initial installers couldnt justify the cost for a simple little un-manned or remote accessed device.  And thought to themselves, Oh noone would ever think to hack this little thing.

Ive seen it as simple as a DSL modem crammed into a electrical breaker box, with the telnet based controller shoved in the same box, plugged into the DSL modem, and port forwarded out so they could remotely administer it.  All setup by basic level engineers with a few drops of networking experience, who didnt even know what a hacker was.
51 x pfSense Devices
Member of FBIs Infragard Program
Certified Information Systems Security Officer
Certified Vulnerability Assessor

Online johnpoz

  • Hero Member
  • *****
  • Posts: 14299
  • Karma: +1330/-193
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Ah so your talking about a device out on the public internet... So placing $149 device in front of it the sg-1000 seems like a pretty heavy price tag..  If that device doesn't support ssh..  Would it just be cheaper to just use a pi3 or something.

But now it makes more sense..   But if your going to put a box in front of such devices like a camera or something at a pump station, etc.  Even at say 50$ each - you prob better off screaming at the maker to update their device..

But thanks for clarification..  Sure if I have some shitty device out on the public internet, then yeah I agree something like a sg1000 could be handy to place in front of it.  So now I ssh to the device, and then through this tunnel I could telnet to the device behind it.

So what is your system going to be that is better/different than that?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)

Offline MasterX-BKC-

  • Jr. Member
  • **
  • Posts: 59
  • Karma: +20/-9
  • FBI Infragard Member
    • View Profile
    • PFMonitor
My method is automated, Even the people who connect to these remote devices in many cases dont know anything about linux, or security.  So with a bit or code i wrote, When you SSH to the SG-1000 it automatically redirects you into telnet to the proper device, no need to issue any telnet commands, etc.  You SSH, and its as if you have gone directly to the telnet device in question.

The SG-1000 would also take the place of the firewalling of the crappy DSL Modems, as they could be put in transparent mode, and the pfsense then utilized for a much better firewalling solution and access control.

It would be a simultaneous upgrade to the firewall, and the telnet device at the same time, as well as facilitating better security for any other devices connected in that location.

My code supports tunneling each user account to a different telnet device, not just 1 telnet device.  So its flexible in its usage, and works on bigger models as well, such as SG-2220, and 2440.
51 x pfSense Devices
Member of FBIs Infragard Program
Certified Information Systems Security Officer
Certified Vulnerability Assessor