LICOMPGUY asked:
pfsense - How can I effectively disable all previous remote admin access

Hey there
It looks like I will be managing a small office with pfSense running on a Dell computer. We need to, without a doubt, lock down remote access, preventing the previous admin from being able to get into the network. Can anyone tell me what I should be looking for or need to do? I don't know pfSense and I am tempted to pull it, unless I can secure it 100%.

My intention is to set it up in a test environment, looks pretty straight forward but can't take the chance.

Thanks all - be safe!!!!
CompProbSolv
Some other things to check:
- System, Advanced, Admin Access, Secure Shell: make sure that Enable Secure Shell is unchecked
- Firewall, Rules, WAN: see if there are any ports opened up to the outside world
- VPN: check all (three?) to see if there are any VPNs set up

If your configuration isn't anything special (no VPNs, no port forwarding, etc.), consider backing up the configuration, resetting to defaults, and reconfiguring from scratch. Then you'll know how it is configured.


"unless I can secure it 100%. "
I don't think you can ensure that with much of anything connected to other devices, though you can get close.
noci

100% digital security CAN be achieved, if you want that: turn ALL devices off, which obviously is a non-starter.
100% secure is impossible, no matter what hardware you set up.
That said:
For any device you set up/inherit/...
- Check user accounts: disable unknown ones, modify passwords, ...
- Check access methods: SSH, VPN tunnels (IPsec, OpenVPN, SSL, WireGuard, ...), GRE tunnels; what is on the other end
- Restrict access methods to where you expect them from
- In case of RADIUS backends, disable accounts there...

In short, do due diligence as on any hardware. Not only the firewall; also verify systems behind it (routers, servers, workstations, ...).
You also need to do such things on new hardware delivered out of the box, by the way. Never assume it is set up in a safe way by any manufacturer.
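As an added example (not from any of the posters, and not a pfSense tool), here is a small Python script that walks a pfSense config.xml backup (Diagnostics > Backup & Restore) for the items both checklists above name: extra user accounts, SSH enabled, WAN pass rules, port forwards and VPN definitions. The element names and the sample XML are my assumptions about the config.xml layout; confirm them against a real backup before relying on the output.

```python
# Added example: audit an inherited pfSense config.xml for remote-access items.
# Element paths are assumptions about the config.xml layout; the sample is constructed.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <user><name>admin</name><scope>system</scope></user>
    <user><name>olduser</name><scope>user</scope></user>
    <ssh><enable>enabled</enable></ssh>
  </system>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><any/><port>443</port></destination><descr>WebGUI from WAN</descr></rule>
  </filter>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol><target>192.168.1.50</target>
      <local-port>3389</local-port><descr>RDP to desktop</descr></rule>
  </nat>
  <openvpn><openvpn-server><vpnid>1</vpnid><description>remote</description></openvpn-server></openvpn>
</pfsense>
"""

def audit_config(xml_text):
    """Return a list of human-readable findings worth reviewing on an inherited box."""
    root = ET.fromstring(xml_text)
    findings = []
    # User accounts: anything beyond the built-in admin that is not disabled needs review.
    for user in root.findall("./system/user"):
        if user.findtext("name") != "admin" and user.find("disabled") is None:
            findings.append(f"enabled non-admin account: {user.findtext('name')}")
    # System > Advanced > Admin Access > Secure Shell (assumed <ssh><enable>enabled</enable>)
    if root.findtext("./system/ssh/enable") == "enabled":
        findings.append("SSH daemon enabled")
    # Firewall > Rules > WAN: pass rules on the WAN interface expose services outward.
    for rule in root.findall("./filter/rule"):
        if rule.findtext("interface") == "wan" and rule.findtext("type") == "pass":
            port = rule.findtext("destination/port") or "any"
            findings.append(f"WAN pass rule to port {port}: {rule.findtext('descr')}")
    # Firewall > NAT > Port Forward: each WAN entry is an inbound path to a LAN host.
    for rule in root.findall("./nat/rule"):
        if rule.findtext("interface") == "wan":
            findings.append(f"port forward {rule.findtext('local-port')} -> {rule.findtext('target')}")
    # VPN: OpenVPN servers and IPsec phase 1 entries mean someone can tunnel in.
    for path, label in (("./openvpn/openvpn-server", "OpenVPN server"),
                        ("./ipsec/phase1", "IPsec phase1")):
        for _ in root.findall(path):
            findings.append(f"{label} configured")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)))
```

An empty result does not prove the box is clean (WireGuard, RADIUS and package-installed services live under other elements), but every line it does print is a setting the previous admin left reachable.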

LICOMPGUY (ASKER)
Hey guys - thanks so very much

I am not clear if there is a way to install this for a test environment, directly to run on a flash drive, on a laptop let's say, with a second USB-to-RJ45 adapter just for testing? Is there a way to do this?

So by checking and disabling any/all user accounts as suggested or resetting all passwords, and if there isn't any port forwarding, basically I should be in the clear? I will also see if VPN is being used at all.

I would think it is, or should be, pretty vanilla. Sure, they have remote accounts such as LogMeIn, but I will reset all those as well.

I would imagine if he enabled ports specifically for RDP I would see that under rules?

Thanks so much CompProbSolv!



Why only RDP? Why not SSH, VNC, telnet (not a secure protocol, but it nevertheless does allow access)... and the dozen other methods?
Why not use a proxy as an intermediate? (netcat is simple to use on a backend system to use an innocuous port...)
Why not connect the SSH daemon to port 443? There is NO requirement to use HTTPS over port 443; it is just the common default.
So ALL access needs to be reviewed, including reverse-access protocols like LogMeIn (the inside system connects to a LogMeIn or other RA service, and the "potential intruder" tries to gain access that way).

So if you distrust an environment you need to audit it, step by step, system by system (documenting everything you find on your way). It also gives you site documentation (maybe) like never before.

Hey
Good point of course, coffee was not kicking in as of yet. I am thinking if it is basically a standard install, which I have to assess, I probably could just redo it with default settings. I have to have access to it first to take a look. Does that make sense? No rules/stealth accounts etc. Out of the box I would think, but shouldn't assume, it would work as a rudimentary firewall.

I would like to see if I can install it to a flash drive, perhaps then put that in place after I do it in test, and boot from that, taking the prior config out of the equation. Just a thought.
Yes, for a firewall that makes complete sense. You can prepare a configuration by rebuilding it in a VM looking like the real deal (IP addresses etc.).
You would need more VMs to simulate other parts of the environment if you want to verify it as well, though.
And make backups...
I am not clear though if I can, or how to, install it on a flash drive with the GUI. I thought you could....

See, then even if I set it up in test and all looks good, I could then move it to the Optiplex, change the boot order to USB, then wouldn't the GUI allow me to change the NICs so I can configure it to work in prod, from the USB? And if any issues, simply go back to prod if I lose my outage window.

That way there is always a way back.
You take a VM solution like VirtualBox (best) or maybe VMware Player,
and create a VM using: https://www.how2shout.com/how-to/install-pfsense-virtualbox-linux-vmware-player.html
Booting from a flash drive might not be the best way (depending on the flash drive obviously and the USB port available).
For reasonable performance you might need USB 3 devices (in case logging gets substantial).

Oh, installing on one system and then moving to another system might not be the best way, unless both systems have identical hardware.
(Then again, in firewalls the hardware MAC address is sometimes used to identify which device has which function.) So replugging the flash drive would yield a non-working device.
"I am thinking if it is basically a standard install, which I have to assess I probably could just redo it with default settings "
That may well be your best option if you really want to know how it is configured.

Noci makes a good point about problems with moving it to a different box.  I've done it before and it did "break" the installation as the names for the NICs were different.  It wasn't too difficult to fix, though.  There are similar issues if you have VLANs set up, but you just recreate or re-point those.

You can do this as a VM as suggested above or on a laptop as you wish.  Rather than use a flash drive, why not get an inexpensive ($20-30) 120G SSD and temporarily install it in the laptop?  Better yet, do you have any PCs around that are not in use?  If you are just experimenting, just about anything will work.  I pick up used i5 computers for $100-150 (TigerDirect is a good source), add a used Intel 4-port NIC (about $20 on eBay), and add a new, small SSD to make a fairly respectable firewall.  Since you don't want this for production (just for testing), just use a PC and an extra NIC.  If you use a USB-Ethernet adapter, you'll want to make sure that there are drivers for it in pfSense.

"I would imagine if he enabled ports specifically for RDP I would see that under rules? "
Yes, you'll see rules for it there.

Though you asked specifically about securing access through the router, noci makes an excellent point about logmein and other remote access programs.  By default, access to the pfSense firewall from the WAN port is blocked, but if someone gets to a computer on the LAN through a remote access program, they now have the ability to try to connect to the firewall locally.  You could set up 2FA to the firewall if you wanted another layer of security.

"I could then move it to the optiplex "
Are you using an Optiplex as the firewall?  If you have the ability to take the WAN down while you experiment, consider getting an SSD for the Optiplex, replacing the existing storage with it, and set up pfSense on the SSD.  That would make it very easy to get back to the original if you just can't get it to work.

Let's start from the beginning, though.  What is it you want the firewall to do?  How many NIC ports do you need (WAN, LAN, and any others)?  Are you doing VLANs?  Do you need any VPNs?  Do you need port forwarding?  Do others need access to management of the firewall?  Do you need to be able to access the firewall remotely?  Are there any other special considerations?

If this is a "vanilla" installation (just WAN and LAN, no VLANs, no VPNs, no port forwarding, etc.) it shouldn't take long at all to set up from scratch.

Gents:

Thank you so much for taking the time you are so incredibly helpful.  I think I was unclear. My intention would have been two fold.
1. Originally on a USB flash drive as a test environment (which I will address in a sec)
2. To set it up fresh on flash. It is currently running on an internal drive in an older Optiplex; my thought was I could just do a fresh build and run it from the USB flash (configured for the office), just so I know it is totally secure.

Based on what you are suggesting Here is how I will proceed, kindly let me know if you agree.

I have a laptop and an SSD, so I can install the drive and install it with the GUI for test, as long as I can use the internal NIC and a USB NIC for the LAN-facing side of the test environment.

Based on what you are telling me, I should be able to change all passwords, see what if any rules are in place,  I doubt there are vlans, I don't think he is using VPN.

What is being used is a cloud based backup solution, such as ibackup, logmein, (which I may change), and I just want to make sure he has no way in.
I think I will proceed with the test on the laptop if it can work with the usb NIC, because it is looking like I won't have access to the prod pfsense for about 8 days.

So based on what you are saying, check rules/change any accounts on passwords, confirm no VPN, no ports open for direct access - and "should" be secure.  Agreed?  Am I missing anything else?

Would you guys use pfSense in prod, even in a small environment? I have to say, I really like (don't pick on me ;-)) SonicWall because of what it can do, and even though it is a small environment (<10 computers), I like the architecture/support etc., but it may be a little costly!

Thanks for all your input. Going to install the SSD tonight/tomorrow if it can see the USB-to-RJ45.


"Based on what you are telling me, I should be able to change all passwords, see what if any rules are in place,  I doubt there are vlans, I don't think he is using VPN. "
Yes, you should be able to do that, but it would be on the existing installation, not the new "test" one.  The new one will only have Admin as a user.

Are you able to log in to the GUI (through the LAN) now?  If not, can you get to the screen on the Optiplex?  You can reset the Admin password from the Optiplex if that isn't also password protected.

"So based on what you are saying, check rules/change any accounts on passwords, confirm no VPN, no ports open for direct access - and "should" be secure.  Agreed?  Am I missing anything else? "
Again... you would do this on the production system.  If you install from scratch (as you are proposing on your laptop), there will be none of this unless you add it.

"Would you guys use Pfsense in Prod - even in an small environment? "
I deal with small networks (typically 30 users or less) and use pfSense whenever someone wants something better than what the ISP provides.  I put together hardware for under $200 and it works very well.  I've had some dealings with SonicWall, Watchguard, Cisco, and Fortinet and find the pfSense much easier to deal with and it has done whatever I've wanted.  I've gotten by without paid support, so the cost is much less than the other solutions.

No objection to the path you're proposing with the laptop, but unless your budget is really tight, I'd recommend putting together a different box for pfSense as a test and then you can just use it as the production device. What CPU does the Optiplex have? If you ever intend to do VPNs, it would be very useful to have one that supports AES-NI as it will greatly reduce CPU load during VPN usage. i5s support that as well as a number of other processors. If you throw in a quad-port NIC you can have one or two other physical LANs for other uses (such as internet access only).

That's huge really.
Thanks so very much. I realize there wouldn't be any accounts in the test environment. Basic ports open for internet connectivity out of the box with pfSense?
What about protection against ransomware, or DPI (deep packet inspection), how SonicWall handles it? VPN solutions: is there a particular client I could/should use? Cross-platform support?

SonicWall offers a ton of services: AV, VPN, deep packet inspection, sandboxing if you want it, other services (not using) where you can point your MX records towards them so they can do spam/malicious mail filtering.

Hell, if Pfsense is that robust, that simple, and that secure.  I definitely should use it for other offices.  
Do you have a standard install you like using for it Hardware wise?

Thanks so VERY VERY much!
Basic pfSense will give you basic NAT protection.  There are many add-ons that will give you more.  Snort is a good example.

Default setup is that no incoming connections are allowed.  Connections are allowed when "invited" by a local computer such as browsing to a web site.  That's basic NAT protection.

VPN... look at OpenVPN.  Pretty straightforward.  You can set up a Radius server if you have Active Directory pretty easily.

Hardware wise, my two big standards are something that supports AES-NI (i5 fits the bill) and has a PCIe connector.  I can usually find that for $100-150 from TigerDirect.

And... you're welcome!
You will have to "open up" from WAN->LAN if needed.
pfSense has quite some add-ons; if you need an IDS, Snort is your friend.
VPN solutions:
- Best: IPsec, as that preserves all basic concepts of IP within its tunnels.
- Next: WireGuard (great for tunnels, esp. on lightweight hardware like phones...; it preserves battery time a LOT).
- Next: OpenVPN based on UDP (close to IPsec)
- Worst: SSL-based VPNs (OpenVPN based on TCP), various others using SSL as encapsulation around regular sessions.
The SSL-based TCP tunnels can be a pain if combined with DSL or lines with heavy loss, due to the "no loss" nature of TCP connections.
If timeouts happen on, e.g., DNS, then all requests + retries will eventually still get delivered, killing other connections in the meantime.

Some are combinations: Cisco VPN (OpenConnect standard) uses HTTPS to negotiate tunnel setup, and then mostly IPsec later on.