User Management and Privileges
pfSense 2.4
January 2018 Hangout
Jim Pingle
About this Hangout
● Project News
● Why use multiple users?
● pfSense Privilege System
● Working with Privileges
● Privilege Gotchas
● Group Management
● Add Privileges Screen
● User Management
● User Management Demo
● SSH Access
● SSH Authentication
● Sudo Package
● SSH Access Demo
● Remote GUI Access
● Remote SSH Access
● Security Best Practices
● External Authentication Servers
● RADIUS and LDAP will be covered next month
Project News
● 2.4.3 will be coming soon
– Fixes for Meltdown/Spectre
● For pfSense in its appliance role, these are largely irrelevant as the firewall is not hosting virtual machines or running arbitrary untrusted code
● Do not give untrusted users shell access or allow them to run untrusted binaries
– Other bug fixes/features
● QNAP to offer pfSense as a paid virtualized guest on their NAS products
– https://www.netgate.com/blog/qnap-to-add-pfsense-to-its-products.html
– https://www.qnap.com/en/news/2018/qnap-and-netgate-showcase-nas-with-pfsense-joint-solution-for-network-security-at-ces-2018
● pfSense is gaining support for ESPRESSObin ARM boards
– aarch64 (Armada 3720)
– Three gigabit ports, two in a switch setup
● 2018 Training Calendar is up
– https://www.netgate.com/training/
● 349 registered translators and 16 languages complete!
Why utilize multiple users?
● Security
– Keeps the number of people with the root/admin password low
● Default admin account cannot be deleted, but may be disabled
– Easier to lock out someone if they leave or only need temporary access
– User access can be limited to specific pages they need to see
– Users can be denied configuration write privileges
● Accountability
– Configuration history shows users who made changes
– Firewall and NAT rules are tagged with the creator and last person to change
● Non-Administrative Access
– OpenVPN, IPsec, Captive Portal, SSH Tunneling, etc.
● Personalization
– Users can have different themes, a personalized dashboard, and other GUI behavior settings
● Integration with existing authentication structure
pfSense Privilege System
● Privileges can be set per-user or inherited from a group
● Privileges exist for almost every page
● Special privileges for …
– Special pages such as the Dashboard, Notices, Help, and Crash Reporter
– Captive Portal access (optional)
– VPN Dial-in access (IPsec, L2TP, PPPoE)
– XMLRPC Synchronization
– Various types of SSH access
– Deny Configuration Write
– “WebCfg - System: User Password Manager page” allows user to change password
● Most packages do not hook in or are not compatible with privileges, but some do
Working with Privileges
● Using groups speeds up and simplifies the process
● Save a user or group first, then edit to add individual permissions
● If a user does not have Dashboard access, after login they are redirected to the first page in their privilege list
– Be wary of the permission order!
● Do not add the “Deny Config Write” privilege to the “All” or “Admins” group (for obvious reasons)
● Do not “select all” on the privilege list, be specific!
– If you want to grant all GUI privileges, only give “WebCfg – All Pages” or add to Admins group!
– If you select all in the list, you’ll also end up denying write access, which will make changes appear to silently fail
● Menus will change to only show pages a user may access
Privilege Gotchas
● Despite the privilege system, pfSense is not intended to be a general purpose unix shell server and should not be treated as such
● Some privileges effectively give the user full administrator access due to the nature of how pfSense works
– User - System: Copy files (scp)
● The user could copy or edit files on the firewall, and some files outside of their control have permissions that let all shell users read them, some of which may contain sensitive information
– User - System: Shell account access
● In addition to the concerns for scp, the user could also copy and run their own executable code
– WebCfg - All pages
● This is the standard privilege to give access to all pages, which gives the user full access in the GUI
– WebCfg - Diagnostics: Backup & Restore
● A user could download a backup which contains sensitive information, or upload a new configuration enacting any settings they want
– WebCfg - Diagnostics: Command
● A user could run arbitrary commands, make arbitrary changes to the system or configuration, or download any file on the firewall
Privilege Gotchas
● Full access privileges (cont’d)
– WebCfg - Diagnostics: Edit File
● A user could read/write any file on the firewall, including the configuration and GUI source code
– WebCfg - Diagnostics: Factory defaults
● A user could reset the configuration, leading to a denial of service or permissive outbound access
– WebCfg - System: Authentication Servers
● A user could alter authentication parameters for a remote auth server to gain additional privileges
– WebCfg - System: Group Manager / WebCfg - System: Group Manager: Add Privileges
● A user can alter groups to gain additional privileges
– WebCfg - System: User Manager / WebCfg - System: User Manager: Add Privileges
● A user can alter users to gain additional privileges, add a new administrator user, etc
– WebCfg - System: User Manager: Settings
● A user could change where the GUI obtains its authentication to gain additional access
Privilege Gotchas
● Be careful of pages that can execute commands or apply changes
– Denying configuration write access does not prevent these actions, which can make changes!
● By default, SSH users do not get the menu because they do not have access to the commands
– Using sudo can help delegate
– Shell users still may have access to files and other parts of the system that are sensitive even if they cannot run commands as root
Group Management
● Groups are the easiest way to manage privileges for multiple users
● Great for single privileges that many, but not all, will have, such as IPsec Xauth Dialin or Captive Portal
● System > User Manager, Groups tab
● Click + Add to create a group, give it a name
● Scope is local for groups that exist on this firewall, remote for groups used with LDAP/RADIUS
– Primary difference is that remote scope groups can have longer names and the name may contain spaces
● Users may be assigned here for batch changes, or the group may be added to a user directly for individual changes
– Ctrl/shift/cmd to select multiple users depending on operating system/browser
– Click Move to “Member of” list to add a user to this group, and the Move to “Not member of” list button to remove them
● Click Save
● Click the pencil icon to edit the group
● Click + Add to add privileges to the group
Add Privileges Screen
● Editing privileges for users and groups works identically
● The user or group being edited is printed at the top of the page
● The Assigned Privileges box lists all privileges the user does not yet have
– Privileges already granted to the user/group must be edited on the user/group edit screen
– Use shift/ctrl/cmd select to select multiple entries depending on your OS
● The Filter box searches for privileges matching a given string, and the filtered list is shown in the Assigned Privileges box
– Type some text and press Enter or click Filter at the bottom of the page to search
● When a privilege is selected, the info box at the bottom of the page shows a description of the privilege
● Click Save when finished and the list of privileges will appear on the group or user
User Management
● System > User Manager, Users tab
● Click + Add to create a new user
● Username, password, confirm password are only required fields
● Account can be disabled or have a set expiration date
– Account will be disabled on that day (e.g. expire tomorrow will expire at midnight tonight)
– If expired, remember to fix date before re-enabling the account
● Custom Settings allow users to have a different theme, dashboard preferences, and other GUI behavior controls specific to their login
● Group membership can be managed for the user by moving groups over to the Member of side
User Management
● User Certificate can be created if there is a suitable CA+Key available
– Process is different during account creation: check the box, enter a name, choose options
– Later when editing account, click + Add and then a cert can be created, imported, etc.
● Authorized keys are keys for SSH access: check the box, paste in one or more ssh public keys for the user
– Make sure the user also gets a privilege which grants them access to ssh!
● IPsec Pre-Shared Key
– Used for PSK-based mobile IPsec access (not xauth, IKEv2, etc)
● Click Save
● Privileges can be added by editing the user again after save
User Management Demo
● Group List, Add/Edit Group, Privileges
● User List, Add/Edit User, Privileges
● User login / logout
– Show “default” landing page behavior (Users: sue, alice, bill)
– Show what happens when a user has no GUI permissions (User: norm)
● Show menu changes
● Deny Config Write demo
● Show system log entries for redirects and other access info
SSH Access
● Enable under System > Advanced, Admin Access tab
● Several levels of access:
– User – System – SSH Tunneling
● Allows user to connect and create SSH forwards, but no shell or SCP
– User – System – Copy Files
● Allows user to connect with an SCP client such as scp, Filezilla, WinSCP, etc. to transfer files
– User – System – Shell Account Access
● Access to the shell, tunneling, and SCP
SSH Access
● Passwords are set in config.xml only, do not use “passwd” in shell!
● Admin and Root share credentials
● Admin is locked to menu for shell and cannot use SCP, only SSH
● Root user works for SCP or SSH access
● Other users may access the shell or SCP, depending on privileges
● Other users who SCP files need to be aware of file and directory permissions
● Other users do not get the menu at login because they do not have sufficient privileges to run all commands on the menu
● Users may be granted more privileges in the shell by using the sudo package
● Just because a user can't run a command doesn't mean they can't see sensitive files; remember this is a firewall, not a multi-user UNIX shell server, so only give SSH access to trusted administrators!
SSH Authentication
● SSH has several authentication modes, including
– Password – least secure
– Keyboard-Interactive – Still password-based, extensible
– Key-based authentication – Best and most secure, but more complicated to set up
● Password-based modes are susceptible to brute force attacks
● Client must create their own public/private key pair using a utility such as ssh-keygen
● Public key is copied to “authorized keys” list for their account on the server
● Private key should be protected with a passphrase and other security measures
● SSH agent/forwarding makes this more convenient
Sudo Package
● Rhymes with voodoo!
● Installed from System > Packages, Available Packages tab
● Once installed, appears as System > sudo
● Default permissions grant full sudo access to members of the admins group, as well as root and admin users
● User/Group column selects who receives the permission
● Run As column selects the user the command will run under, typically root
● No Password checkbox allows the user to run the specified command(s) without supplying their password. Convenient, but potentially dangerous!
Sudo Package
● Command list specifies what commands and parameters may be used by the user or group
– Special “ALL” keyword means all commands with any parameters
– A command with no parameters set after will allow any parameters:
● /sbin/pfctl
– A command with a specific parameter set limits the user to only that one parameter:
● /sbin/pfctl -ss
– To restrict a user to run a command without any parameters, use "" after the command name:
● /sbin/ifconfig ""
– Separate commands in the list using a comma:
● /sbin/ifconfig, /sbin/pfctl, /sbin/ping, /sbin/ping6
● Commands run using sudo are logged to the main system log
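The four Command list cases above, as an added Python model written for this page (not the sudo package's or pfSense's own code): it parses a Command list string into rules, answers whether a given command line would be accepted, and flags entries that hand out unrestricted access. Exact path matching is an assumption of the model.

```python
"""Added model of the pfSense sudo package's Command list rules (not pfSense code).

Each entry is matched the way the slide describes:
  ALL                -> any command, any parameters
  /sbin/pfctl        -> this command with any parameters
  /sbin/pfctl -ss    -> this command with exactly this parameter set
  /sbin/ifconfig ""  -> this command with no parameters at all
Entries are separated by commas. Exact path matching is an assumption of this model.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class CommandRule:
    path: str
    # None: any parameters; (): no parameters; otherwise the exact parameter set
    args: Optional[Tuple[str, ...]]


def parse_command_list(spec: str) -> List[CommandRule]:
    """Parse a comma-separated Command list string into rules."""
    # Slides and word processors turn "" into curly quotes; accept both forms.
    spec = spec.replace("\u201c", '"').replace("\u201d", '"')
    rules: List[CommandRule] = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry == "ALL":
            rules.append(CommandRule("ALL", None))
            continue
        tokens = shlex.split(entry)        # '""' becomes a single empty token
        path, params = tokens[0], tokens[1:]
        if params == [""]:
            rules.append(CommandRule(path, ()))              # no parameters allowed
        elif params:
            rules.append(CommandRule(path, tuple(params)))   # only this parameter set
        else:
            rules.append(CommandRule(path, None))            # any parameters
    return rules


def is_permitted(rules: Sequence[CommandRule], command: str,
                 args: Sequence[str] = ()) -> bool:
    """Would sudo accept `command args...` under these rules?"""
    wanted = tuple(args)
    for rule in rules:
        if rule.path == "ALL":
            return True
        if rule.path != command:
            continue
        if rule.args is None or rule.args == wanted:
            return True
    return False


def review_command_list(spec: str, no_password: bool = False) -> List[str]:
    """Warnings an administrator should read before saving the entry."""
    warnings = []
    for rule in parse_command_list(spec):
        if rule.path == "ALL":
            warnings.append("ALL grants every command with any parameters (effectively root)")
        elif rule.args is None:
            warnings.append(f"{rule.path} has no parameters listed, so any parameters are allowed")
    if no_password and warnings:
        warnings.append("No Password is set on an entry that is not tightly restricted")
    return warnings


if __name__ == "__main__":
    # Constructed example list: one entry per rule type from the slide.
    spec = '/sbin/ifconfig "", /sbin/pfctl -ss, /sbin/ping, /sbin/ping6'
    rules = parse_command_list(spec)
    checks = [
        ("/sbin/pfctl", ["-ss"]),                 # allowed: exact parameter set
        ("/sbin/pfctl", ["-sr"]),                 # refused: different parameters
        ("/sbin/ifconfig", []),                   # allowed: "" permits the bare command
        ("/sbin/ifconfig", ["em0"]),              # refused: "" forbids parameters
        ("/sbin/ping", ["-c", "3", "10.0.0.1"]),  # allowed: any parameters
        ("/bin/sh", []),                          # refused: not listed
    ]
    for cmd, args in checks:
        verdict = "allow" if is_permitted(rules, cmd, args) else "deny "
        print(f"{verdict} {cmd} {' '.join(args)}")
    for w in review_command_list(spec + ", ALL", no_password=True):
        print("warning:", w)
```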
SSH Access Demo
● SSH as root/admin
● SCP as root
● Login as unprivileged user
● Use of sudo
Remote GUI Access
● Unforgivable: HTTP GUI on WAN
● Worse: HTTPS GUI port open to the world (any port)
● Good: HTTPS GUI port open to select hosts
– Can use an alias with dyndns FQDN entries!
● Better: HTTPS GUI on non-standard port open to select hosts
● Best: GUI port closed to the world, access by VPN only
Remote SSH Access
● Worst: SSH port open to the world
– Constant brute force attacks
● Meh: SSH port open to the world on an alternate port
– Security by obscurity, may protect against some casual scans but not all
● OK: SSH port open to select hosts
● Good: SSH (any port) with key-based authentication
● Better: Key-based authentication, open to only select hosts
● Best: No direct access. Key-based auth + VPN
Security Best Practices
● Only use encrypted protocols (HTTPS, SSH, no HTTP!)
– Refer to the ACME/Let’s Encrypt hangout to get a trusted HTTPS GUI Certificate
● Reduce or eliminate use of the “admin” account
● Never leave system passwords at their default value
● Give each person their own account, no sharing or role-based accounts!
● Encourage use of long passwords (bcrypt supports up to 72 character passwords)
● Set an expiration date and/or disable accounts that only need temporary access
● Remove accounts promptly when a user leaves the company
● Do not expose GUI or SSH services to the world
● Use key-based authentication for SSH
● Use remote access VPNs for management where possible
● Don't ignore physical security!
– Disabling console access is OK, but not perfect; it can be reset/bypassed by someone with physical access to and control of the hardware
External Authentication Servers
● LDAP and RADIUS can be used for GUI access
– Must have local groups defined to match the user's groups in LDAP/RADIUS
● If a group has a space in it or a long name, set the group scope to “Remote” on pfSense
– If the auth server is down, falls back to local auth
● Accessing pages will be slow because each page load must wait for the auth server to time out
● RADIUS and LDAP can be used for OpenVPN
● RADIUS can be used for IKEv2 IPsec
● Some areas like Captive Portal and L2TP are not connected to these Authentication Servers (yet)
● More detail on LDAP and RADIUS in next hangout!
Other Notes
● XMLRPC Sync on 2.4 can use any user, but that user must have the “System – HA node sync” privilege
● Resetting the LAN IP address via the console or SSH will offer to reset the authentication source back to Local, if remote authentication is not functional
● Password reset function on the console menu will also re-enable the admin account
● Reset a password for other accounts via shell:
– pfSsh.php playback changepassword <username>
– Will also optionally re-enable and remove expiration
Conclusion
● Questions?
● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.

More Related Content

What's hot

Intro to Project Calico: a pure layer 3 approach to scale-out networking
Intro to Project Calico: a pure layer 3 approach to scale-out networkingIntro to Project Calico: a pure layer 3 approach to scale-out networking
Intro to Project Calico: a pure layer 3 approach to scale-out networking
Packet
 
How To Monetise & Bill CloudStack - A Practical Open Approach
How To Monetise & Bill CloudStack - A Practical Open ApproachHow To Monetise & Bill CloudStack - A Practical Open Approach
How To Monetise & Bill CloudStack - A Practical Open Approach
ShapeBlue
 

What's hot (20)

OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016
 
Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015
 
ALU 7360 5520_gpon_basic_configuration
ALU  7360 5520_gpon_basic_configurationALU  7360 5520_gpon_basic_configuration
ALU 7360 5520_gpon_basic_configuration
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
 
Tunnel vs VPN on Mikrotik
Tunnel vs VPN on MikrotikTunnel vs VPN on Mikrotik
Tunnel vs VPN on Mikrotik
 
VyOS Users Meeting #2, VyOSのVXLANの話
VyOS Users Meeting #2, VyOSのVXLANの話VyOS Users Meeting #2, VyOSのVXLANの話
VyOS Users Meeting #2, VyOSのVXLANの話
 
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
 
Intro to Project Calico: a pure layer 3 approach to scale-out networking
Intro to Project Calico: a pure layer 3 approach to scale-out networkingIntro to Project Calico: a pure layer 3 approach to scale-out networking
Intro to Project Calico: a pure layer 3 approach to scale-out networking
 
Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016
 
9534715
95347159534715
9534715
 
Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016
 
VXLAN and FRRouting
VXLAN and FRRoutingVXLAN and FRRouting
VXLAN and FRRouting
 
Routing fundamentals with mikrotik
Routing fundamentals with mikrotikRouting fundamentals with mikrotik
Routing fundamentals with mikrotik
 
Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016
 
How To Monetise & Bill CloudStack - A Practical Open Approach
How To Monetise & Bill CloudStack - A Practical Open ApproachHow To Monetise & Bill CloudStack - A Practical Open Approach
How To Monetise & Bill CloudStack - A Practical Open Approach
 
Mikro tik advanced training
Mikro tik advanced trainingMikro tik advanced training
Mikro tik advanced training
 
Cumulus networks conversion guide
Cumulus networks conversion guideCumulus networks conversion guide
Cumulus networks conversion guide
 
CloudInit Introduction
CloudInit IntroductionCloudInit Introduction
CloudInit Introduction
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
 
EOIP Deep Dive
EOIP Deep DiveEOIP Deep Dive
EOIP Deep Dive
 

Similar to User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018

access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3
jemtallon
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9
APSU
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9
APSU
 
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
scorlosquet
 

Similar to User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018 (20)

User Management and Privileges - pfSense Hangout February 2015
User Management and Privileges - pfSense Hangout February 2015User Management and Privileges - pfSense Hangout February 2015
User Management and Privileges - pfSense Hangout February 2015
 
Unit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+securityUnit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+security
 
Unit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+securityUnit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+security
 
Intro to Exploitation
Intro to ExploitationIntro to Exploitation
Intro to Exploitation
 
Linux Security Crash Course
Linux Security Crash CourseLinux Security Crash Course
Linux Security Crash Course
 
Users and groups in Linux
Users and groups in LinuxUsers and groups in Linux
Users and groups in Linux
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
006.itsecurity bcp v1
006.itsecurity bcp v1006.itsecurity bcp v1
006.itsecurity bcp v1
 
access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3
 
Pluggable authentication modules
Pluggable authentication modulesPluggable authentication modules
Pluggable authentication modules
 
Group policy preferences
Group policy preferencesGroup policy preferences
Group policy preferences
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!
 
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
 
Ch11
Ch11Ch11
Ch11
 
e-DMZ Products Overview
e-DMZ Products Overviewe-DMZ Products Overview
e-DMZ Products Overview
 
(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
 
Lecture_02_System_Structures.ppt.pdf
Lecture_02_System_Structures.ppt.pdfLecture_02_System_Structures.ppt.pdf
Lecture_02_System_Structures.ppt.pdf
 
Primavera unifier in action - Oracle Primavera Collaborate 14
Primavera unifier in action - Oracle Primavera Collaborate 14Primavera unifier in action - Oracle Primavera Collaborate 14
Primavera unifier in action - Oracle Primavera Collaborate 14
 

More from Netgate

More from Netgate (19)

Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
 
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
 
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
 
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
 
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
 
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
 
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
 
Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017
 
Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017
 
High Availability on pfSense 2.4 - pfSense Hangout March 2017
High Availability on pfSense 2.4 - pfSense Hangout March 2017High Availability on pfSense 2.4 - pfSense Hangout March 2017
High Availability on pfSense 2.4 - pfSense Hangout March 2017
 
DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016
 
High Availability Part 2 - pfSense Hangout July 2016
High Availability Part 2 - pfSense Hangout July 2016High Availability Part 2 - pfSense Hangout July 2016
High Availability Part 2 - pfSense Hangout July 2016
 
Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016
 
NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016
 
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
 
pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015
 
Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015
 

Recently uploaded

Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 

Recently uploaded (20)

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ  «Професійне зростання QA спеціаліста»НАДІЯ ФЕДЮШКО БАЦ  «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018

4. Why utilize multiple users?
● Security
– Keeps the number of people with the root/admin password low
● Default admin account cannot be deleted, but may be disabled
– Easier to lock out someone if they leave or only need temporary access
– User access can be limited to specific pages they need to see
– Users can be denied configuration write privileges
● Accountability
– Configuration history shows users who made changes
– Firewall and NAT rules are tagged with the creator and last person to change
● Non-Administrative Access
– OpenVPN, IPsec, Captive Portal, SSH Tunneling, etc.
● Personalization
– Users can have different themes, a personalized dashboard, and other GUI behavior settings
● Integration with existing authentication structure
5. pfSense Privilege System
● Privileges can be set per-user or inherited from a group
● Privileges exist for almost every page
● Special privileges for …
– Special pages such as the Dashboard, Notices, Help, and Crash Reporter
– Captive Portal access (optional)
– VPN Dial-in access (IPsec, L2TP, PPPoE)
– XMLRPC Synchronization
– Various types of SSH access
– Deny Configuration Write
– “WebCfg - System: User Password Manager page” allows the user to change their own password
● Most packages do not hook in or are not compatible with privileges, but some do

6. Working with Privileges
● Using groups speeds up and simplifies the process
● Save a user or group first, then edit it to add individual permissions
● If a user does not have Dashboard access, after login they are redirected to the first page in their privilege list
– Be wary of the permission order!
● Do not add the “Deny Config Write” privilege to the “All” or “Admins” group (for obvious reasons)
● Do not “select all” on the privilege list, be specific!
– If you want to grant all GUI privileges, only give “WebCfg – All Pages” or add the user to the Admins group!
– If you select all in the list, you’ll also end up denying write access, which will make changes appear to silently fail
● Menus will change to only show pages a user may access
7. Privilege Gotchas
● Despite the privilege system, pfSense is not intended to be a general purpose UNIX shell server and should not be treated as such
● Some privileges effectively give the user full administrator access due to the nature of how pfSense works
– User - System: Copy files (scp)
● The user could copy or edit files on the firewall, and some files outside of their control have permissions that let all shell users read them, some of which may contain sensitive information
– User - System: Shell account access
● In addition to the concerns for scp, the user could also copy and run their own executable code
– WebCfg - All pages
● This is the standard privilege to give access to all pages, which gives the user full access in the GUI
– WebCfg - Diagnostics: Backup & Restore
● A user could download a backup which contains sensitive information, or upload a new configuration enacting any settings they want
– WebCfg - Diagnostics: Command
● A user could run arbitrary commands, make arbitrary changes to the system or configuration, or download any file on the firewall

8. Privilege Gotchas
● Full access privileges (cont’d)
– WebCfg - Diagnostics: Edit File
● A user could read/write any file on the firewall, including the configuration and GUI source code
– WebCfg - Diagnostics: Factory defaults
● A user could reset the configuration, leading to a denial of service or permissive outbound access
– WebCfg - System: Authentication Servers
● A user could alter authentication parameters for a remote auth server to gain additional privileges
– WebCfg - System: Group Manager / WebCfg - System: Group Manager: Add Privileges
● A user can alter groups to gain additional privileges
– WebCfg - System: User Manager / WebCfg - System: User Manager: Add Privileges
● A user can alter users to gain additional privileges, add a new administrator user, etc.
– WebCfg - System: User Manager: Settings
● A user could change where the GUI obtains its authentication to gain additional access

9. Privilege Gotchas
● Be careful of pages that can execute commands or apply changes
– Denying configuration write access does not prevent these actions, which can still make changes!
● By default, SSH users do not get the menu because they do not have access to the commands
– Using sudo can help delegate
– Shell users may still have access to files and other parts of the system that are sensitive, even if they cannot run commands as root
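An added example (not pfSense code) that audits the gotchas from slides 6 through 8 over a config.xml fragment: it resolves each user's effective privileges (own plus inherited group privileges), lists the admin-equivalent ones, flags Deny Config Write combined with them, and reports the landing page. The XML is constructed in the shape of the config.xml user/group section, and the privilege ids are assumed to be pfSense's internal names for the privileges the slides give by display name.

```python
"""Audit effective pfSense privileges from a config.xml fragment. Added example, not
pfSense code; SAMPLE_CONFIG is constructed and the privilege ids are assumed internal names."""
import xml.etree.ElementTree as ET

# Privileges the slides list as equivalent to full administrator access
# (assumed internal ids for the "WebCfg - ..." and "User - ..." display names).
FULL_ACCESS = {
    "page-all", "user-copy-files", "user-shell-access",
    "page-diagnostics-backup-restore", "page-diagnostics-command",
    "page-diagnostics-edit", "page-diagnostics-factorydefaults",
    "page-system-authservers", "page-system-groupmanager",
    "page-system-groupmanager-addprivs", "page-system-usermanager",
    "page-system-usermanager-addprivs", "page-system-usermanager-settings",
}
DENY_WRITE = "user-config-readonly"  # "Deny Config Write" (assumed id)
DASHBOARD = "page-dashboard-all"     # Dashboard access (assumed id)

SAMPLE_CONFIG = """<pfsense><system>
  <user><name>admin</name><uid>0</uid><priv>page-all</priv></user>
  <user><name>sue</name><uid>2000</uid><priv>page-status-systemlogs</priv></user>
  <user><name>bill</name><uid>2001</uid><priv>page-diagnostics-command</priv></user>
  <user><name>norm</name><uid>2002</uid></user>
  <group><name>admins</name><member>0</member><member>2001</member>
         <priv>page-all</priv><priv>user-config-readonly</priv></group>
  <group><name>readers</name><member>2000</member><priv>user-config-readonly</priv></group>
</system></pfsense>"""


def effective_privs(xml_text):
    """Map each user to an ordered privilege list: own privs first, then inherited group privs."""
    root = ET.fromstring(xml_text)
    by_uid = {}
    for g in root.iter("group"):
        gprivs = [p.text for p in g.findall("priv")]
        for m in g.findall("member"):
            by_uid.setdefault(m.text, []).extend(gprivs)
    users = {}
    for u in root.iter("user"):
        own = [p.text for p in u.findall("priv")]
        # dict.fromkeys keeps the order and drops privileges granted twice
        users[u.findtext("name")] = list(dict.fromkeys(own + by_uid.get(u.findtext("uid"), [])))
    return users


def audit(xml_text):
    """Per-user findings for the gotchas described on the slides."""
    report = {}
    for name, privs in effective_privs(xml_text).items():
        held = FULL_ACCESS & set(privs)
        pages = [p for p in privs if p.startswith("page-")]
        report[name] = {
            "full_admin": sorted(held),                                   # admin-equivalent privs
            "admin_with_deny_write": DENY_WRITE in privs and bool(held),  # saves silently fail
            # Dashboard (All Pages assumed to include it) lands there; else first page privilege
            "landing": DASHBOARD if {DASHBOARD, "page-all"} & set(privs) else (pages[0] if pages else None),
        }
    return report
```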
10. Group Management
● Groups are the easiest way to manage privileges for multiple users
● Great for single privileges that many, but not all, users will have, such as IPsec Xauth Dialin or Captive Portal
● System > User Manager, Groups tab
● Click + Add to create a group, give it a name
● Scope is local for groups that exist on this firewall, remote for groups used with LDAP/RADIUS
– Primary difference is that remote scope groups can have longer names and the name may contain spaces
● Users may be assigned here for batch changes, or the group may be added to a user directly for individual changes
– Ctrl/shift/cmd to select multiple users, depending on operating system/browser
– Click Move to “Member of” list to add a user to this group, and the Move to “Not member of” list button to remove them
● Click Save
● Click the pencil icon to edit the group
● Click + Add to add privileges to the group

11. Add Privileges Screen
● Editing privileges for users and groups works identically
● The user or group being edited is printed at the top of the page
● The Assigned Privileges box lists all privileges the user does not yet have
– Privileges already granted to the user/group must be edited on the user/group edit screen
– Use shift/ctrl/cmd select to select multiple entries, depending on your OS
● The Filter box searches for privileges matching a given string, and the filtered list is shown in the Assigned Privileges box
– Type some text and press Enter or click Filter at the bottom of the page to search
● When a privilege is selected, the info box at the bottom of the page shows a description of the privilege
● Click Save when finished and the list of privileges will appear on the group or user

12. User Management
● System > User Manager, Users tab
● Click + Add to create a new user
● Username, password, confirm password are the only required fields
● Account can be disabled or have a set expiration date
– Account will be disabled on that day (e.g. an expiration date of tomorrow will expire at midnight tonight)
– If expired, remember to fix the date before re-enabling the account
● Custom Settings allow users to have a different theme, dashboard preferences, and other GUI behavior controls specific to their login
● Group membership can be managed for the user by moving groups over to the Member of side

13. User Management
● User Certificate can be created if there is a suitable CA+Key available
– Process is different during account creation: check the box, enter a name, choose options
– Later, when editing the account, click + Add and then a cert can be created, imported, etc.
● Authorized keys are keys for SSH access: check the box, paste in one or more SSH public keys for the user
– Make sure the user also gets a privilege which grants them access to SSH!
● IPsec Pre-Shared Key
– Used for PSK-based mobile IPsec access (not xauth, IKEv2, etc.)
● Click Save
● Privileges can be added by editing the user again after save

14. User Management Demo
● Group List, Add/Edit Group, Privileges
● User List, Add/Edit User, Privileges
● User login / logout
– Show “default” landing page behavior (Users: sue, alice, bill)
– Show what happens when a user has no GUI permissions (User: norm)
● Show menu changes
● Deny Config Write demo
● Show system log entries for redirects and other access info
15. SSH Access
● Enable under System > Advanced, Admin Access tab
● Several levels of access:
– User – System – SSH Tunneling
● Allows user to connect and create SSH forwards, but no shell or SCP
– User – System – Copy Files
● Allows user to connect with an SCP client such as scp, FileZilla, WinSCP, etc. to transfer files
– User – System – Shell Account Access
● Access to the shell, tunneling, and SCP

16. SSH Access
● Passwords are set in config.xml only, do not use “passwd” in the shell!
● Admin and Root share credentials
● Admin is locked to the menu for shell access and cannot use SCP, only SSH
● Root user works for SCP or SSH access
● Other users may access the shell or SCP, depending on privileges
● Other users who SCP files need to be aware of file and directory permissions
● Other users do not get the menu at login because they do not have sufficient privileges to run all commands on the menu
● Users may be granted more privileges in the shell by using the sudo package
● Just because a user can't run a command doesn't necessarily mean they can't see sensitive files; remember this is a firewall and not intended to be a multi-user UNIX shell server, only give SSH access to trusted administrators!

17. SSH Authentication
● SSH has several authentication modes, including
– Password – least secure
– Keyboard-Interactive – still password-based, extensible
– Key-based authentication – best and most secure, but complicated to set up
● Password-based modes are susceptible to brute force attacks
● Client must create their own public/private key pair using a utility such as ssh-keygen
● Public key is copied to the “authorized keys” list for their account on the server
● Private key should be protected with a passphrase and other security measures
● SSH agent/forwarding makes this more convenient

18. Sudo Package
● Rhymes with voodoo!
● Installed from System > Packages, Available Packages tab
● Once installed, appears as System > sudo
● Default permissions grant full sudo access to members of the admins group, as well as the root and admin users
● User/Group column selects who receives the permission
● Run As column selects the user the command will run under, typically root
● No Password checkbox allows the user to run the specified command(s) without supplying their password. Convenient, but potentially dangerous!

19. Sudo Package
● Command list specifies what commands and parameters may be used by the user or group
– Special “ALL” keyword means all commands with any parameters
– A command with no parameters set after it will allow any parameters:
● /sbin/pfctl
– A command with a specific parameter set limits the user to only that one parameter:
● /sbin/pfctl -ss
– To restrict a user to running a command without any parameters, use “” after the command name:
● /sbin/ifconfig “”
– Separate commands in the list using a comma:
● /sbin/ifconfig, /sbin/pfctl, /sbin/ping, /sbin/ping6
● Commands run using sudo are logged to the main system log
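An added example (not the sudo package's or sudo's own code) that models the command-list rules on this slide as a simplified matcher: ALL, a bare command allowing any parameters, a command with an exact parameter set, and the “” marker for no parameters, separated by commas. The rule strings are constructed; a helper also lists the entries that grant any parameters, which are the ones worth a second look when reviewing a sudo configuration.

```python
"""Simplified model of how the pfSense sudo package's command list is matched.
Added example, not the package's or sudo's code; the rule lists here are constructed."""
import shlex


def parse_command_list(spec):
    """Split a comma-separated command list into (command, params) entries.
    params is None for "any parameters", [] for "no parameters" (the "" marker),
    or the exact parameter list that is allowed."""
    entries = []
    # the slide shows curly quotes; the real field uses straight ones
    for item in spec.replace("\u201c", '"').replace("\u201d", '"').split(","):
        item = item.strip()
        if not item:
            continue
        if item == "ALL":                 # special keyword: all commands, any parameters
            entries.append(("ALL", None))
            continue
        parts = shlex.split(item)         # shlex turns the "" marker into one empty token
        cmd, params = parts[0], parts[1:]
        if params == [""]:                # /sbin/ifconfig ""  -> command only, no parameters
            entries.append((cmd, []))
        elif not params:                  # /sbin/pfctl        -> any parameters
            entries.append((cmd, None))
        else:                             # /sbin/pfctl -ss    -> exactly these parameters
            entries.append((cmd, params))
    return entries


def is_allowed(spec, command, params):
    """True if `command params` is permitted by this command list."""
    for cmd, allowed in parse_command_list(spec):
        if cmd == "ALL":
            return True
        if cmd == command and (allowed is None or list(params) == allowed):
            return True
    return False


def unrestricted_entries(spec):
    """Entries that allow any parameters (or ALL): the ones to review most carefully."""
    return [cmd for cmd, allowed in parse_command_list(spec) if allowed is None]


# Constructed rule list in the form the slide shows.
EXAMPLE_RULES = '/sbin/ifconfig "", /sbin/pfctl -ss, /sbin/ping, /sbin/ping6'
```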
20. SSH Access Demo
● SSH as root/admin
● SCP as root
● Login as unprivileged user
● Use of sudo

21. Remote GUI Access
● Unforgivable: HTTP GUI on WAN
● Worse: HTTPS GUI port open to the world (any port)
● Good: HTTPS GUI port open to select hosts
– Can use an alias with dyndns FQDN entries!
● Better: HTTPS GUI on non-standard port open to select hosts
● Best: GUI port closed to the world, access by VPN only

22. Remote SSH Access
● Worst: SSH port open to the world
– Constant brute force attacks
● Meh: SSH port open to the world on an alternate port
– Security by obscurity, may protect against some casual scans but not all
● OK: SSH port open to select hosts
● Good: SSH (any port) with key-based authentication
● Better: Key-based authentication, open to only select hosts
● Best: No direct access. Key-based auth + VPN

23. Security Best Practices
● Only use encrypted protocols (HTTPS, SSH, no HTTP!)
– Refer to the ACME/Let’s Encrypt hangout to get a trusted HTTPS GUI certificate
● Reduce or eliminate use of the “admin” account
● Never leave system passwords at their default value
● Give each person their own account, no sharing or role-based accounts!
● Encourage use of long passwords (bcrypt supports up to 72 character passwords)
● Set an expiration date and/or disable accounts that only need temporary access
● Remove accounts promptly when a user leaves the company
● Do not expose GUI or SSH services to the world
● Use key-based authentication for SSH
● Use remote access VPNs for management where possible
● Don't ignore physical security!
– Disabling console access is OK, but not perfect; it can be reset/bypassed by someone with physical access to and control of the hardware

24. External Authentication Servers
● LDAP and RADIUS can be used for GUI access
– Must have local groups defined to match the user's group in LDAP/RADIUS
● If a group has a space in it or a long name, set the group scope to “Remote” on pfSense
– If the auth server is down, falls back to local auth
● Accessing pages will be slow because each page load must wait for the auth server to time out
● RADIUS and LDAP can be used for OpenVPN
● RADIUS can be used for IKEv2 IPsec
● Some areas like Captive Portal and L2TP are not connected to these Authentication Servers (yet)
● More detail on LDAP and RADIUS in the next hangout!

25. Other Notes
● XMLRPC Sync on 2.4 can use any user, but that user must have the System – HA node sync privilege
● Resetting the LAN IP address via the console or SSH will offer to reset the authentication source back to Local, if remote authentication is not functional
● Password reset function on the console menu will also re-enable the admin account
● Reset a password for other accounts via the shell:
– pfSsh.php playback changepassword <username>
– Will also optionally re-enable the account and remove its expiration

26. Conclusion
● Questions?
● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.