
Topic: webConfigurator, SSH

SR190
webConfigurator, SSH
« on: August 09, 2017, 09:00:51 pm »
Is it a correct assumption that someone accessing the webConfigurator via http assumes that their internal network is secure?

Also, if you choose to enable the SSH server for internal network use only, is it best practice to move it to a non-standard port?

Thanks.


PiBa (PiBa-NL on IRC)
Re: webConfigurator, SSH
« Reply #1 on: August 12, 2017, 10:26:36 am »
Passwords should never travel over unencrypted HTTP. That said, assuming no one else is listening on the local network, it might be 'acceptable'.
As for SSH, once you get someone on the network who wants to hack your router, the SSH port will be found pretty fast no matter what port it's running on, assuming firewall rules allow access. Little use for moving it, IMHO.

SR190
Re: webConfigurator, SSH
« Reply #2 on: August 12, 2017, 01:03:38 pm »
Thanks.

If SSH were only available on a management interface (isolated with rules), could it be exploited either externally or from within one's network?

What would be the advantage of enabling SSH for internal management of pfSense if the webConfigurator is primarily used?
« Last Edit: August 12, 2017, 03:04:35 pm by SR190 »

PiBa (PiBa-NL on IRC)
Re: webConfigurator, SSH
« Reply #3 on: August 12, 2017, 02:15:58 pm »
SSH is useful for troubleshooting, transferring files, and restarting the webgui if for some reason it stops responding.

You can block both (webGUI/SSH) to only be accessible from a management network; that would prevent all possible exploits in those services, as to exploit either, someone would need to be able to send it at least some 'malicious' packet.
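Whether the "management network only" rules from Reply #3 actually hold is easiest to check from the firewall's own filter log. The script below is an added example, not code from the thread or from pfSense: it reads filterlog lines, keeps only TCP traffic aimed at the firewall's own management ports, and flags any source outside the management subnet. A blocked attempt is a probe worth watching; a *passed* one is a rule gap. The CSV field positions follow the pfSense 2.x filterlog layout as I understand it and are an assumption, as are the sample addresses and interface names.

```python
import ipaddress

# Constructed sample lines in the form found in /var/log/filter.log
# (syslog prefix, then "filterlog: " and the CSV record). Field layout is
# assumed from the pfSense 2.x filterlog format; verify against your version.
SAMPLE_LOG = """\
Aug 12 10:26:01 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.99.5,10.0.0.1,51234,22,0,S,1,,,
Aug 12 10:26:02 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,udp,60,10.0.99.5,10.0.0.1,51235,53,40
Aug 12 10:26:03 pfSense filterlog: 7,,,1000000110,igb2,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.99.5,10.0.0.1,40000,443,0,S,1,,,
Aug 12 10:26:04 pfSense filterlog: 3,,,1000000101,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.50.40,10.0.0.1,40001,443,0,S,1,,,
Aug 12 10:26:05 pfSense filterlog: 2,,,1000000100,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.50.41,93.184.216.34,40002,443,0,S,1,,,
"""

MGMT_NET = ipaddress.ip_network("10.0.50.0/24")      # assumed management subnet
FIREWALL_IPS = {ipaddress.ip_address("10.0.0.1")}    # assumed firewall interface address
MGMT_PORTS = {22, 443}                               # SSH and HTTPS webGUI (adjust if moved)


def parse_filterlog(line):
    """Return the fields we need from one IPv4 TCP filterlog line, else None."""
    payload = line.split("filterlog: ", 1)[-1].strip()
    f = payload.split(",")
    # index 8 = IP version, 16 = protocol name, 18/19 = src/dst, 21 = dst port
    if len(f) < 22 or f[8] != "4" or f[16] != "tcp":
        return None
    return {"iface": f[4], "action": f[6],
            "src": ipaddress.ip_address(f[18]),
            "dst": ipaddress.ip_address(f[19]),
            "dport": int(f[21])}


def audit_mgmt_access(log_text, mgmt_net=MGMT_NET, fw_ips=FIREWALL_IPS,
                      ports=MGMT_PORTS):
    """List (severity, source, interface, port) for management-port traffic
    that did not originate in the management subnet."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["dst"] not in fw_ips or rec["dport"] not in ports:
            continue                      # not aimed at the firewall's own services
        if rec["src"] in mgmt_net:
            continue                      # allowed by policy
        # "pass" from outside the management net means the rules do not enforce
        # the policy; "block" means the rules held and someone knocked anyway.
        severity = "MISCONFIG" if rec["action"] == "pass" else "PROBE"
        findings.append((severity, str(rec["src"]), rec["iface"], rec["dport"]))
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE_LOG):
        print(*finding)
```

Run it against the real file with `audit_mgmt_access(open("/var/log/filter.log").read())` after setting the subnet and firewall addresses for your deployment; if SSH has been moved to another port, add it to `MGMT_PORTS`, since the rule check is what protects it, not the port number.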