Todo #11779

closed

Feedback on Configuration — Advanced Configuration Options — Admin Access Tab

Added by Louis B about 3 years ago. Updated about 3 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: General
Target version: -
Start date: 04/05/2021
Due date:
% Done: 0%
Estimated time:

Description

Page: https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html

Feedback:
When trying to access my own SSH-server from my internal network, I detected unexpected behavior when the secure shell option was activated. I did expect the pfSense shell server to listen to the gateway address, but it was listening to the external IPV4-address. My points:
1) I would expect an option to have the server listen to a) the internal gateway address and/or the external IPV4-address and/or a to-be-defined IPV6-address
2) As it is now, calls intended for some local SSH-server / SFTP-server are "trapped" by the pfSense internal server unless an alternative IP-port is specified
3) The option to access the pfSense shell based on password only is "not so secure". Certainly not from the outside. I would never allow that.

Advice:
- make sure that the SSH-server is only listening to explicitly defined IPV4 and/or IPV6 addresses
- advise to use a non-standard IP-port in order not to block some local SSH-/SFTP server
- advise not to use the standard IP-port for security reasons
- advise not to use password only if the server is accessible from the internet

Sincerely,

Louis

Actions #1

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Rejected

- make sure that the SSH-server is only listening to explicitly defined IPV4 and/or IPV6 addresses

Not possible yet, feature request is open for it: #628

- advise to use a non-standard IP-port in order not to block some local SSH-/SFTP server
- advise not to use the standard IP-port for security reasons

That's already covered on the page: https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html#ssh-port

- advise not to use password only if the server is accessible from the internet

Already covered on the page: https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html#best-practices-for-ssh
