User Management and Privileges
pfSense 2.4
January 2018 Hangout
Jim Pingle
About this Hangout
● Project News
● Why use multiple users?
● pfSense Privilege System
● Working with Privileges
● Privilege Gotchas
● Group Management
● Add Privileges Screen
● User Management
● User Management Demo
● SSH Access
● SSH Authentication
● Sudo Package
● SSH Access Demo
● Remote GUI Access
● Remote SSH Access
● Security Best Practices
● External Authentication Servers
● RADIUS and LDAP will be covered next month
Project News
● 2.4.3 will be coming soon
– Fixes for Meltdown/Spectre
● For pfSense in its appliance role, these are largely irrelevant as the firewall is not hosting virtual machines or running arbitrary untrusted code
● Do not give untrusted users shell access or allow them to run untrusted binaries
– Other bug fixes/features
● QNAP to offer pfSense as a paid virtualized guest on their NAS products
– https://www.netgate.com/blog/qnap-to-add-pfsense-to-its-products.html
– https://www.qnap.com/en/news/2018/qnap-and-netgate-showcase-nas-with-pfsense-joint-solution-for-network-security-at-ces-2018
● pfSense is gaining support for ESPRESSObin ARM boards
– aarch64 (Armada 3720)
– Three gigabit ports, two in a switch setup
● 2018 Training Calendar is up
– https://www.netgate.com/training/
● 349 registered translators and 16 languages complete!
Why utilize multiple users?
● Security
– Keeps the number of people with the root/admin password low
● Default admin account cannot be deleted, but may be disabled
– Easier to lock out someone if they leave or only need temporary access
– User access can be limited to specific pages they need to see
– Users can be denied configuration write privileges
● Accountability
– Configuration history shows users who made changes
– Firewall and NAT rules are tagged with the creator and last person to change
● Non-Administrative Access
– OpenVPN, IPsec, Captive Portal, SSH Tunneling, etc.
● Personalization
– Users can have different themes, a personalized dashboard, and other GUI behavior settings
● Integration with existing authentication structure
pfSense Privilege System
● Privileges can be set per-user or inherited from a group
● Privileges exist for almost every page
● Special privileges for …
– Special pages such as the Dashboard, Notices, Help, and Crash Reporter
– Captive Portal access (optional)
– VPN Dial-in access (IPsec, L2TP, PPPoE)
– XMLRPC Synchronization
– Various types of SSH access
– Deny Configuration Write
– “WebCfg - System: User Password Manager page” allows user to change password
● Most packages do not hook in or are not compatible with privileges, but some do
Working with Privileges
● Using groups speeds up and simplifies the process
● Save a user or group first, then edit to add individual permissions
● If a user does not have Dashboard access, after login they are redirected to the first page in their privilege list
– Be wary of the permission order!
● Do not add the “Deny Config Write” privilege to the “All” or “Admins” group (every member, administrators included, would lose the ability to save changes)
● Do not “select all” on the privilege list, be specific!
– If you want to grant all GUI privileges, only give “WebCfg – All Pages” or add to Admins group!
– If you select all in the list, you’ll also end up denying write access, which makes changes appear to silently fail
● Menus will change to only show pages a user may access
Privilege Gotchas
● Despite the privilege system, pfSense is not intended to be a general purpose UNIX shell server and should not be treated as such
● Some privileges effectively give the user full administrator access due to the nature of how pfSense works
– User - System: Copy files (scp)
● The user could copy or edit files on the firewall, and some files outside of their control have permissions that let all shell users read them, some of which may contain sensitive information
– User - System: Shell account access
● In addition to the concerns for scp, the user could also copy and run their own executable code
– WebCfg - All pages
● This is the standard privilege to give access to all pages, which gives the user full access in the GUI
– WebCfg - Diagnostics: Backup & Restore
● A user could download a backup which contains sensitive information, or upload a new configuration enacting any settings they want
– WebCfg - Diagnostics: Command
● A user could run arbitrary commands, make arbitrary changes to the system or configuration, or download any file on the firewall
Privilege Gotchas
● Full access privileges (cont’d)
– WebCfg - Diagnostics: Edit File
● A user could read/write any file on the firewall, including the configuration and GUI source code
– WebCfg - Diagnostics: Factory defaults
● A user could reset the configuration, leading to a denial of service or permissive outbound access
– WebCfg - System: Authentication Servers
● A user could alter authentication parameters for a remote auth server to gain additional privileges
– WebCfg - System: Group Manager / WebCfg - System: Group Manager: Add Privileges
● A user can alter groups to gain additional privileges
– WebCfg - System: User Manager / WebCfg - System: User Manager: Add Privileges
● A user can alter users to gain additional privileges, add a new administrator user, etc.
– WebCfg - System: User Manager: Settings
● A user could change where the GUI obtains its authentication to gain additional access
Privilege Gotchas
● Be careful of pages that can execute commands or apply changes
– Denying configuration write access does not prevent these actions, which can make changes!
● By default, SSH users do not get the menu because they do not have access to the commands
– Using sudo can help delegate
– Shell users still may have access to files and other parts of the system that are sensitive even if they cannot run commands as root
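As an added example (not from the deck and not pfSense's own code), a small audit that applies the warnings from the Working with Privileges and Privilege Gotchas slides to a constructed set of users and groups. The user/group model and the exact privilege spellings are assumptions for illustration, not pfSense's config.xml format.

```python
"""Audit a pfSense-style user/group privilege assignment for the pitfalls the
deck warns about. Constructed data model: a simplified stand-in for the User
Manager's users and groups, not pfSense's own code or config.xml schema."""
from dataclasses import dataclass, field

# Privileges the deck lists as effectively granting full administrator access.
FULL_ACCESS_PRIVS = {
    "User - System: Copy files (scp)",
    "User - System: Shell account access",
    "WebCfg - All pages",
    "WebCfg - Diagnostics: Backup & Restore",
    "WebCfg - Diagnostics: Command",
    "WebCfg - Diagnostics: Edit File",
    "WebCfg - Diagnostics: Factory defaults",
    "WebCfg - System: Authentication Servers",
    "WebCfg - System: Group Manager",
    "WebCfg - System: Group Manager: Add Privileges",
    "WebCfg - System: User Manager",
    "WebCfg - System: User Manager: Add Privileges",
    "WebCfg - System: User Manager: Settings",
}
# Pages that execute commands or apply changes regardless of Deny Config Write.
EXEC_PRIVS = {"WebCfg - Diagnostics: Command", "WebCfg - Diagnostics: Edit File"}
# Any one of these lets the user's Authorized Keys actually log in over SSH.
SSH_PRIVS = {
    "User - System: SSH Tunneling",
    "User - System: Copy files (scp)",
    "User - System: Shell account access",
}
DENY_WRITE = "Deny Config Write"   # privilege name as the deck refers to it
CORE_GROUPS = {"all", "admins"}    # groups that must never carry DENY_WRITE


@dataclass
class Group:
    name: str
    privs: set = field(default_factory=set)
    members: set = field(default_factory=set)   # usernames


@dataclass
class User:
    name: str
    privs: set = field(default_factory=set)
    has_ssh_keys: bool = False                  # Authorized Keys box filled in


def effective_privs(user, groups):
    """Own privileges plus those inherited from every group the user belongs to."""
    privs = set(user.privs)
    for g in groups:
        if user.name in g.members:
            privs |= g.privs
    return privs


def audit(users, groups):
    """Return (subject, code, detail) findings for the pitfalls the deck describes."""
    findings = []
    for g in groups:
        if DENY_WRITE in g.privs and g.name.lower() in CORE_GROUPS:
            findings.append((g.name, "deny-write-on-core-group",
                             f"'{DENY_WRITE}' on '{g.name}' blocks every member from saving changes"))
    for u in users:
        eff = effective_privs(u, groups)
        full = sorted(eff & FULL_ACCESS_PRIVS)
        if full:
            findings.append((u.name, "full-admin-equivalent",
                             "effectively a full administrator via: " + ", ".join(full)))
        if DENY_WRITE in eff and "WebCfg - All pages" in eff:
            findings.append((u.name, "deny-write-masks-all-pages",
                             "'select all' pattern: every save will appear to silently fail"))
        if DENY_WRITE in eff and eff & EXEC_PRIVS:
            findings.append((u.name, "exec-bypasses-deny-write",
                             "Deny Config Write does not stop Diagnostics > Command / Edit File"))
        if u.has_ssh_keys and not eff & SSH_PRIVS:
            findings.append((u.name, "keys-without-ssh-privilege",
                             "Authorized Keys set but no SSH privilege, so the keys grant nothing"))
    return findings


def sample_findings():
    """Constructed users and groups that trigger each finding once."""
    groups = [
        Group("admins", {"WebCfg - All pages"}, {"sue"}),
        Group("all", {DENY_WRITE}, {"sue", "alice", "bill", "norm"}),   # the mistake
        Group("vpnusers", {"IPsec Xauth Dialin"}, {"alice"}),          # name as the deck spells it
    ]
    users = [
        User("sue"),                                     # administrator via group membership only
        User("alice", {"WebCfg - Dashboard (all)"}),     # dashboard-only user (privilege name assumed)
        User("bill", {"WebCfg - Diagnostics: Command"}),  # "read-only" user who can still run commands
        User("norm", set(), has_ssh_keys=True),           # keys pasted, no SSH privilege
    ]
    return audit(users, groups)


if __name__ == "__main__":
    for subject, code, detail in sample_findings():
        print(f"{subject:8} {code:28} {detail}")
```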
Group Management
● Groups are the easiest way to manage privileges for multiple users
● Great for single privileges that many, but not all, will have, such as IPsec Xauth Dialin or Captive Portal
● System > User Manager, Groups tab
● Click + Add to create a group, give it a name
● Scope is local for groups that exist on this firewall, remote for groups used with LDAP/RADIUS
– Primary difference is that remote scope groups can have longer names and the name may contain spaces
● Users may be assigned here for batch changes, or the group may be added to a user directly for individual changes
– Ctrl/shift/cmd to select multiple users depending on operating system/browser
– Click Move to “Member of” list to add a user to this group, and the Move to “Not member of” list button to remove them
● Click Save
● Click the pencil icon to edit the group
● Click + Add to add privileges to the group
Add Privileges Screen
● Editing privileges for users and groups works identically
● The user or group being edited is printed at the top of the page
● The Assigned Privileges box lists all privileges the user does not yet have
– Privileges already granted to the user/group must be edited on the user/group edit screen
– Use shift/ctrl/cmd select to select multiple entries depending on your OS
● The Filter box searches for privileges matching a given string, and the filtered list is shown in the Assigned Privileges box
– Type some text and press Enter or click Filter at the bottom of the page to search
● When a privilege is selected, the info box at the bottom of the page shows a description of the privilege
● Click Save when finished and the list of privileges will appear on the group or user
User Management
● System > User Manager, Users tab
● Click + Add to create a new user
● Username, password, and confirm password are the only required fields
● Account can be disabled or have a set expiration date
– Account will be disabled on that day (e.g. an expiration date of tomorrow takes effect at midnight tonight)
– If expired, remember to fix the date before re-enabling the account
● Custom Settings allow users to have a different theme, dashboard preferences, and other GUI behavior controls specific to their login
● Group membership can be managed for the user by moving groups over to the Member of side
User Management
● User Certificate can be created if there is a suitable CA+Key available
– Process is different during account creation: check the box, enter a name, choose options
– Later when editing account, click + Add and then a cert can be created, imported, etc.
● Authorized keys are keys for SSH access: check the box, paste in one or more ssh public keys for the user
– Make sure the user also gets a privilege which grants them access to ssh!
● IPsec Pre-Shared Key
– Used for PSK-based mobile IPsec access (not xauth, IKEv2, etc)
● Click Save
● Privileges can be added by editing the user again after save
User Management Demo
● Group List, Add/Edit Group, Privileges
● User List, Add/Edit User, Privileges
● User login / logout
– Show “default” landing page behavior (Users: sue, alice, bill)
– Show what happens when a user has no GUI permissions (User: norm)
● Show menu changes
● Deny Config Write demo
● Show system log entries for redirects and other access info
SSH Access
● Enable under System > Advanced, Admin Access tab
● Several levels of access:
– User – System – SSH Tunneling
● Allows user to connect and create SSH forwards, but no shell or SCP
– User – System – Copy Files
● Allows user to connect with an SCP client such as scp, Filezilla, WinSCP, etc. to transfer files
– User – System – Shell Account Access
● Access to the shell, tunneling, and SCP
SSH Access
● Passwords are set in config.xml only, do not use “passwd” in shell!
● Admin and Root share credentials
● Admin is locked to menu for shell and cannot use SCP, only SSH
● Root user works for SCP or SSH access
● Other users may access the shell or SCP, depending on privileges
● Other users who SCP files need to be aware of file and directory permissions
● Other users do not get the menu at login because they do not have sufficient privileges to run all commands on the menu
● Users may be granted more privileges in the shell by using the sudo package
● Just because a user cannot run a command does not mean they cannot see sensitive files; remember this is a firewall and not intended to be a multi-user UNIX shell server, only give SSH access to trusted administrators!
SSH Authentication
● SSH has several authentication modes, including
– Password – least secure
– Keyboard-Interactive – Still password-based, extensible
– Key-based authentication – Best and most secure, but complicated to set up
● Password-based modes are susceptible to brute force attacks
● Client must create their own public/private key pair using a utility such as ssh-keygen
● Public key is copied to “authorized keys” list for their account on the server
● Private key should be protected with a passphrase and other security measures
● SSH agent/forwarding makes this more convenient
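An added example (not pfSense's own validation code) for the Authorized Keys box from the User Management slide and the key-based authentication steps above: it checks that each pasted line is a well-formed OpenSSH public key and reports its SHA256 fingerprint so the administrator can confirm it against the owner's `ssh-keygen -lf` output. The sample key is constructed from arbitrary bytes and is not a real key; authorized_keys option prefixes (such as `from="..."`) are not handled.

```python
"""Check text destined for a user's Authorized Keys box: every line must be a
well-formed OpenSSH public key, and the fingerprint lets the administrator
verify with the key's owner that the right key was pasted. Added example, not
pfSense's own code; the sample key below is constructed, not a real key."""
import base64
import binascii
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(blob, offset=0):
    """Read one length-prefixed string from an SSH wire-format key blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length]


def fingerprint(blob):
    """Same SHA256 fingerprint format that ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_public_key_line(line):
    """Return (True, info) for a valid '<type> <base64> [comment]' line, else (False, reason).
    Assumption: option prefixes such as from="..." are not supported by this checker."""
    text = line.strip()
    if "PRIVATE KEY" in text:
        return False, "private key material pasted; only the public (.pub) key belongs here"
    fields = text.split(None, 2)
    if len(fields) < 2:
        return False, "expected '<type> <base64> [comment]'"
    ktype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if ktype not in KEY_TYPES:
        return False, f"unsupported or misspelled key type {ktype!r}"
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False, "key body is not valid base64"
    try:
        embedded = _ssh_string(blob).decode("ascii")
    except (struct.error, UnicodeDecodeError):
        return False, "key body too short or corrupt"
    if embedded != ktype:
        return False, f"type field {ktype!r} does not match key body {embedded!r}"
    return True, {"type": ktype, "fingerprint": fingerprint(blob), "comment": comment}


def check_authorized_keys(text):
    """Check every non-blank line; returns [(line_number, ok, info_or_reason), ...]."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip():
            results.append((number, *check_public_key_line(line)))
    return results


def _constructed_ed25519_pub(raw32, comment):
    """Build a syntactically valid ssh-ed25519 public key line from 32 arbitrary bytes."""
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(raw32)) + raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed paste-box contents: one good key, one garbled line, one private key.
SAMPLE_PASTE = "\n".join([
    _constructed_ed25519_pub(bytes(range(32)), "alice@laptop"),
    "ssh-rsa not-base64!! bob@desk",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
])

if __name__ == "__main__":
    for number, ok, info in check_authorized_keys(SAMPLE_PASTE):
        print(number, "OK" if ok else "REJECT", info)
```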
Sudo Package
● Rhymes with voodoo!
● Installed from System > Packages, Available Packages tab
● Once installed, appears as System > sudo
● Default permissions grant full sudo access to members of the admins group, as well as root and admin users
● User/Group column selects who receives the permission
● Run As column selects the user the command will run under, typically root
● No Password checkbox allows the user to run the specified command(s) without supplying their password. Convenient, but potentially dangerous!
Sudo Package
● Command list specifies what commands and parameters may be used by the user or group
– Special “ALL” keyword means all commands with any parameters
– A command with no parameters set after it will allow any parameters:
● /sbin/pfctl
– A command with a specific parameter set limits the user to only that one parameter set:
● /sbin/pfctl -ss
– To restrict a user to run a command without any parameters, use “” after the command name:
● /sbin/ifconfig “”
– Separate commands in the list using a comma:
● /sbin/ifconfig, /sbin/pfctl, /sbin/ping, /sbin/ping6
● Commands run using sudo are logged to the main system log
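An added example modelling the Command list rules above, not the sudo package's own code: `is_permitted` decides whether a requested command line matches a list, and `render_sudoers` shows the standard sudoers line that one row of the package's table (User/Group, Run As, No Password, Command list) corresponds to. The file layout the package writes is assumed, and real sudo adds glob matching and path resolution that this exact-match model leaves out.

```python
"""Model of the sudo package's Command list rules described in the deck, plus
the standard sudoers line one row of its table corresponds to. Added example,
not the package's own code: exact-match only, no sudoers globbing."""
import shlex

ANY_ARGS = None   # a bare command: any parameters allowed
NO_ARGS = ()      # command followed by "": no parameters allowed


def parse_command_list(spec):
    """Turn '/sbin/ifconfig "", /sbin/pfctl -ss, /sbin/ping' into (command, args) entries."""
    entries = []
    # The slides show curly quotes; sudoers expects plain double quotes.
    spec = spec.replace("\u201c", '"').replace("\u201d", '"')
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item == "ALL":
            entries.append(("ALL", ANY_ARGS))
            continue
        parts = shlex.split(item)          # '/sbin/ifconfig ""' -> ['/sbin/ifconfig', '']
        cmd, rest = parts[0], parts[1:]
        if rest == [""]:
            args = NO_ARGS                 # "" after the command: no parameters
        elif not rest:
            args = ANY_ARGS                # nothing after the command: any parameters
        else:
            args = tuple(rest)             # exactly this parameter set
        entries.append((cmd, args))
    return entries


def is_permitted(spec, requested):
    """requested is the argv the user tries to run via sudo, e.g. ['/sbin/pfctl', '-ss'].
    Assumption: the command is given by the same full path as in the list."""
    cmd, args = requested[0], tuple(requested[1:])
    for allowed_cmd, allowed_args in parse_command_list(spec):
        if allowed_cmd == "ALL":
            return True
        if allowed_cmd != cmd:
            continue
        if allowed_args is ANY_ARGS or allowed_args == args:
            return True
    return False


def render_sudoers(subject, run_as, no_password, spec, is_group=False):
    """Standard sudoers syntax for one table row; the package's real file layout is assumed."""
    rendered = []
    for cmd, args in parse_command_list(spec):
        if cmd == "ALL" or args is ANY_ARGS:
            rendered.append(cmd)
        elif args == NO_ARGS:
            rendered.append(f'{cmd} ""')
        else:
            rendered.append(cmd + " " + " ".join(args))
    who = ("%" if is_group else "") + subject   # sudoers names groups with a % prefix
    tag = "NOPASSWD: " if no_password else ""
    return f"{who} ALL=({run_as}) {tag}{', '.join(rendered)}"


if __name__ == "__main__":
    spec = "/sbin/ifconfig \u201c\u201d, /sbin/pfctl -ss, /sbin/ping, /sbin/ping6"
    print(render_sudoers("netadmins", "root", False, spec, is_group=True))
    for argv in (["/sbin/pfctl", "-ss"], ["/sbin/pfctl", "-sr"], ["/sbin/ifconfig", "em0"]):
        print(argv, "allowed" if is_permitted(spec, argv) else "denied")
```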
SSH Access Demo
● SSH as root/admin
● SCP as root
● Login as unprivileged user
● Use of sudo
Remote GUI Access
● Unforgivable: HTTP GUI on WAN
● Worse: HTTPS GUI port open to the world (any port)
● Good: HTTPS GUI port open to select hosts
– Can use an alias with dyndns FQDN entries!
● Better: HTTPS GUI on non-standard port open to select hosts
● Best: GUI port closed to the world, access by VPN only
Remote SSH Access
● Worst: SSH port open to the world
– Constant brute force attacks
● Meh: SSH port open to the world on an alternate port
– Security by obscurity, may protect against some casual scans but not all
● OK: SSH port open to select hosts
● Good: SSH (any port) with key-based authentication
● Better: Key-based authentication, open to only select hosts
● Best: No direct access. Key-based auth + VPN
Security Best Practices
● Only use encrypted protocols (HTTPS, SSH, no HTTP!)
– Refer to the ACME/Let’s Encrypt hangout to get a trusted HTTPS GUI Certificate
● Reduce or eliminate use of the “admin” account
● Never leave system passwords at their default value
● Give each person their own account, no sharing or role-based accounts!
● Encourage use of long passwords (bcrypt supports up to 72 character passwords)
● Set an expiration date and/or disable accounts that only need temporary access
● Remove accounts promptly when a user leaves the company
● Do not expose GUI or SSH services to the world
● Use key-based authentication for SSH
● Use remote access VPNs for management where possible
● Don't ignore physical security!
– Disabling console access is OK, but not perfect; it can be reset/bypassed by someone with physical access and control of the hardware
External Authentication Servers
● LDAP and RADIUS can be used for GUI access
– Must have local groups defined to match user group in LDAP/RADIUS
● If a group has a space in it or a long name, set the group scope to “Remote” on pfSense
– If the auth server is down, falls back to local auth
● Accessing pages will be slow because each page load must wait for the auth server to timeout
● RADIUS and LDAP can be used for OpenVPN
● RADIUS can be used for IKEv2 IPsec
● Some areas like Captive Portal and L2TP are not connected to these Authentication Servers (yet)
● More detail on LDAP and RADIUS in next hangout!
Other Notes
● XMLRPC Sync on 2.4 can use any user, but that user must have the “System – HA node sync” privilege
● Resetting the LAN IP address via the console or SSH will offer to reset the authentication source back to Local, if remote authentication is not functional
● Password reset function on the console menu will also re-enable admin account
● Reset a password for other accounts via shell:
– pfSsh.php playback changepassword <username>
– Will also optionally re-enable and remove expiration
Conclusion
● Questions?
● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc.

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Bandwidth Monitoring - pfSense Hangout March 2015
Bandwidth Monitoring - pfSense Hangout March 2015Bandwidth Monitoring - pfSense Hangout March 2015
Bandwidth Monitoring - pfSense Hangout March 2015
 
PowerShell Functions
PowerShell FunctionsPowerShell Functions
PowerShell Functions
 
Unidad 14 - SAMBA, NFS y LDAP
Unidad 14 - SAMBA, NFS y LDAPUnidad 14 - SAMBA, NFS y LDAP
Unidad 14 - SAMBA, NFS y LDAP
 
Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017
 
Domino Adminblast
Domino AdminblastDomino Adminblast
Domino Adminblast
 
GRE Tunnel Configuration
GRE Tunnel ConfigurationGRE Tunnel Configuration
GRE Tunnel Configuration
 
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
 
Module 1: ConfD Technical Introduction
Module 1: ConfD Technical IntroductionModule 1: ConfD Technical Introduction
Module 1: ConfD Technical Introduction
 
Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015
 
Next Generation Network Automation
Next Generation Network AutomationNext Generation Network Automation
Next Generation Network Automation
 
High Availability on pfSense 2.4 - pfSense Hangout March 2017
High Availability on pfSense 2.4 - pfSense Hangout March 2017High Availability on pfSense 2.4 - pfSense Hangout March 2017
High Availability on pfSense 2.4 - pfSense Hangout March 2017
 
IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015
 
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
 
Linux Run Level
Linux Run LevelLinux Run Level
Linux Run Level
 
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSH
 
MTCNA
MTCNAMTCNA
MTCNA
 
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
 
Installing & Configuring IBM Domino 9 on CentOS
Installing & Configuring IBM Domino 9 on CentOSInstalling & Configuring IBM Domino 9 on CentOS
Installing & Configuring IBM Domino 9 on CentOS
 
JMP105 - "How Stuff Works" - Domino Style!
JMP105 - "How Stuff Works" - Domino Style!JMP105 - "How Stuff Works" - Domino Style!
JMP105 - "How Stuff Works" - Domino Style!
 

Ähnlich wie User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018

access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3
jemtallon
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9
APSU
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9
APSU
 
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
scorlosquet
 

Ähnlich wie User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018 (20)

User Management and Privileges - pfSense Hangout February 2015
User Management and Privileges - pfSense Hangout February 2015User Management and Privileges - pfSense Hangout February 2015
User Management and Privileges - pfSense Hangout February 2015
 
Unit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+securityUnit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+security
 
Unit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+securityUnit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+security
 
Intro to Exploitation
Intro to ExploitationIntro to Exploitation
Intro to Exploitation
 
Linux Security Crash Course
Linux Security Crash CourseLinux Security Crash Course
Linux Security Crash Course
 
Users and groups in Linux
Users and groups in LinuxUsers and groups in Linux
Users and groups in Linux
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016
 
006.itsecurity bcp v1
006.itsecurity bcp v1006.itsecurity bcp v1
006.itsecurity bcp v1
 
access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3
 
Pluggable authentication modules
Pluggable authentication modulesPluggable authentication modules
Pluggable authentication modules
 
Group policy preferences
Group policy preferencesGroup policy preferences
Group policy preferences
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!
 
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
 
Ch11
Ch11Ch11
Ch11
 
e-DMZ Products Overview
e-DMZ Products Overviewe-DMZ Products Overview
e-DMZ Products Overview
 
(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
(ATS4-PLAT02) Security Enhancements in Accelrys Enterprise Platform 9.0
 
Lecture_02_System_Structures.ppt.pdf
Lecture_02_System_Structures.ppt.pdfLecture_02_System_Structures.ppt.pdf
Lecture_02_System_Structures.ppt.pdf
 

Mehr von Netgate

Mehr von Netgate (18)

Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
 
Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017
 
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
 
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
 
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
 
Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017
 
OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016
 
DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016
 
High Availability Part 2 - pfSense Hangout July 2016
High Availability Part 2 - pfSense Hangout July 2016High Availability Part 2 - pfSense Hangout July 2016
High Availability Part 2 - pfSense Hangout July 2016
 
Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016
 
NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016
 
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
 
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
 
Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016
 
pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015
 
Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015
 

Kürzlich hochgeladen

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Kürzlich hochgeladen (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018

1. User Management and Privileges
pfSense 2.4
January 2018 Hangout
Jim Pingle

2. About this Hangout
● Project News
● Why use multiple users?
● pfSense Privilege System
● Working with Privileges
● Privilege Gotchas
● Group Management
● Add Privileges Screen
● User Management
● User Management Demo
● SSH Access
● SSH Authentication
● Sudo Package
● SSH Access Demo
● Remote GUI Access
● Remote SSH Access
● Security Best Practices
● External Authentication Servers
● RADIUS and LDAP will be covered next month

3. Project News
● 2.4.3 will be coming soon
  – Fixes for Meltdown/Spectre
    ● For pfSense in its appliance role, these are largely irrelevant as the firewall is not hosting virtual machines or running arbitrary untrusted code
    ● Do not give untrusted users shell access or allow them to run untrusted binaries
  – Other bug fixes/features
● QNAP to offer pfSense as a paid virtualized guest on their NAS products
  – https://www.netgate.com/blog/qnap-to-add-pfsense-to-its-products.html
  – https://www.qnap.com/en/news/2018/qnap-and-netgate-showcase-nas-with-pfsense-joint-solution-for-network-security-at-ces-2018
● pfSense is gaining support for ESPRESSObin ARM boards
  – aarch64 (Armada 3720)
  – Three gigabit ports, two in a switch setup
● 2018 Training Calendar is up
  – https://www.netgate.com/training/
● 349 registered translators and 16 languages complete!

4. Why utilize multiple users?
● Security
  – Keeps the number of people with the root/admin password low
    ● Default admin account cannot be deleted, but may be disabled
  – Easier to lock out someone if they leave or only need temporary access
  – User access can be limited to specific pages they need to see
  – Users can be denied configuration write privileges
● Accountability
  – Configuration history shows users who made changes
  – Firewall and NAT rules are tagged with the creator and last person to change
● Non-Administrative Access
  – OpenVPN, IPsec, Captive Portal, SSH Tunneling, etc.
● Personalization
  – Users can have different themes, a personalized dashboard, and other GUI behavior settings
● Integration with existing authentication structure

5. pfSense Privilege System
● Privileges can be set per-user or inherited from a group
● Privileges exist for almost every page
● Special privileges for …
  – Special pages such as the Dashboard, Notices, Help, and Crash Reporter
  – Captive Portal access (optional)
  – VPN Dial-in access (IPsec, L2TP, PPPoE)
  – XMLRPC Synchronization
  – Various types of SSH access
  – Deny Configuration Write
  – “WebCfg - System: User Password Manager page” allows the user to change their password
● Most packages do not hook in or are not compatible with privileges, but some do

6. Working with Privileges
● Using groups speeds up and simplifies the process
● Save a user or group first, then edit to add individual permissions
● If a user does not have Dashboard access, after login they are redirected to the first page in their privilege list
  – Be wary of the permission order!
● Do not add the “Deny Config Write” privilege to the “All” or “Admins” group (for obvious reasons)
● Do not “select all” on the privilege list, be specific!
  – If you want to grant all GUI privileges, only give “WebCfg – All Pages” or add the user to the Admins group!
  – If you select all in the list, you’ll also end up denying write access, which will make changes appear to silently fail
● Menus will change to only show pages a user may access

7. Privilege Gotchas
● Despite the privilege system, pfSense is not intended to be a general purpose unix shell server and should not be treated as such
● Some privileges effectively give the user full administrator access due to the nature of how pfSense works
  – User - System: Copy files (scp)
    ● The user could copy or edit files on the firewall, and some files outside of their control have permissions that let all shell users read them, some of which may contain sensitive information
  – User - System: Shell account access
    ● In addition to the concerns for scp, the user could also copy and run their own executable code
  – WebCfg - All pages
    ● This is the standard privilege to give access to all pages, which gives the user full access in the GUI
  – WebCfg - Diagnostics: Backup & Restore
    ● A user could download a backup which contains sensitive information, or upload a new configuration enacting any settings they want
  – WebCfg - Diagnostics: Command
    ● A user could run arbitrary commands, make arbitrary changes to the system or configuration, or download any file on the firewall

8. Privilege Gotchas
● Full access privileges (cont’d)
  – WebCfg - Diagnostics: Edit File
    ● A user could read/write any file on the firewall, including the configuration and GUI source code
  – WebCfg - Diagnostics: Factory defaults
    ● A user could reset the configuration, leading to a denial of service or permissive outbound access
  – WebCfg - System: Authentication Servers
    ● A user could alter authentication parameters for a remote auth server to gain additional privileges
  – WebCfg - System: Group Manager / WebCfg - System: Group Manager: Add Privileges
    ● A user can alter groups to gain additional privileges
  – WebCfg - System: User Manager / WebCfg - System: User Manager: Add Privileges
    ● A user can alter users to gain additional privileges, add a new administrator user, etc.
  – WebCfg - System: User Manager: Settings
    ● A user could change where the GUI obtains its authentication to gain additional access

9. Privilege Gotchas
● Be careful of pages that can execute commands or apply changes
  – Denying configuration write access does not prevent these actions, which can still make changes!
● By default, SSH users do not get the menu because they do not have access to the commands
  – Using sudo can help delegate
  – Shell users still may have access to files and other parts of the system that are sensitive even if they cannot run commands as root
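The three Privilege Gotchas slides above amount to a checklist of privileges that quietly grant full control. The script below is an added example, not code from pfSense or from the presentation: it applies that checklist to a config.xml by merging group privileges into each user via uid and flagging the full-access privileges, the Deny Config Write caveat from slide 9, and the select-all mistake from slide 6. The privilege identifiers are assumed to be pfSense's internal names from priv.defs.inc, and the config sample is constructed.

```python
"""Audit a pfSense config.xml for users whose effective privileges amount to full admin.
Added example, not pfSense code; SAMPLE_CONFIG is constructed. The privilege identifiers
are the internal names stored in config.xml (assumed from priv.defs.inc; verify for your version)."""
import xml.etree.ElementTree as ET
# Privileges the "Privilege Gotchas" slides list as effectively granting full access.
FULL_ACCESS = {
    "page-all", "page-diagnostics-command", "page-diagnostics-edit",
    "page-diagnostics-backup-restore", "page-diagnostics-factorydefaults",
    "page-system-authservers", "page-system-groupmanager", "page-system-groupmanager-addprivs",
    "page-system-usermanager", "page-system-usermanager-addprivs", "page-system-usermanager-settings",
    "user-shell-access", "user-copy-files",
}
READONLY = "user-config-readonly"  # the "Deny Config Write" privilege

SAMPLE_CONFIG = """<pfsense><system>
<group><name>admins</name><priv>page-all</priv><member>0</member></group>
<group><name>helpdesk</name><priv>page-diagnostics-command</priv><member>2001</member></group>
<user><name>admin</name><uid>0</uid></user>
<user><name>alice</name><uid>2000</uid><priv>page-status-dashboard</priv></user>
<user><name>bill</name><uid>2001</uid><priv>user-config-readonly</priv></user>
<user><name>sue</name><uid>2002</uid><priv>page-all</priv><priv>user-config-readonly</priv></user>
</system></pfsense>"""

def effective_privs(config_xml):
    """Return {username: set(privs)}, merging group privileges in via <member> uids."""
    system = ET.fromstring(config_xml).find("system")
    by_uid = {u.findtext("uid"): (u.findtext("name"), {p.text for p in u.findall("priv")})
              for u in system.findall("user")}
    for group in system.findall("group"):
        gprivs = {p.text for p in group.findall("priv")}
        for member in group.findall("member"):
            if member.text in by_uid:  # ignore stale uids
                by_uid[member.text][1].update(gprivs)
    return {name: privs for name, privs in by_uid.values()}

def audit(config_xml):
    """Return {username: [findings]}; an empty list means nothing to flag."""
    report = {}
    for name, privs in effective_privs(config_xml).items():
        findings = ["full access via " + p for p in sorted(privs & FULL_ACCESS)]
        if READONLY in privs and "page-all" in privs:
            findings.append("select-all mistake: Deny Config Write makes saves fail silently")
        elif READONLY in privs and privs & FULL_ACCESS:
            findings.append("Deny Config Write does not block command-executing pages")
        report[name] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_CONFIG).items():
        print(f"{user}: {'; '.join(findings) or 'ok'}")
```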
10. Group Management
● Groups are the easiest way to manage privileges for multiple users
● Great for single privileges that many, but not all, users will have, such as IPsec Xauth Dial-in or Captive Portal
● System > User Manager, Groups tab
● Click + Add to create a group, give it a name
● Scope is local for groups that exist on this firewall, remote for groups used with LDAP/RADIUS
  – Primary difference is that remote scope groups can have longer names and the name may contain spaces
● Users may be assigned here for batch changes, or the group may be added to a user directly for individual changes
  – Ctrl/shift/cmd to select multiple users, depending on operating system/browser
  – Click Move to “Member of” list to add a user to this group, and the Move to “Not member of” list button to remove them
● Click Save
● Click the pencil icon to edit the group
● Click + Add to add privileges to the group

11. Add Privileges Screen
● Editing privileges for users and groups works identically
● The user or group being edited is printed at the top of the page
● The Assigned Privileges box lists all privileges the user does not yet have
  – Privileges already granted to the user/group must be edited on the user/group edit screen
  – Use shift/ctrl/cmd select to select multiple entries, depending on your OS
● The Filter box searches for privileges matching a given string, and the filtered list is shown in the Assigned Privileges box
  – Type some text and press Enter or click Filter at the bottom of the page to search
● When a privilege is selected, the info box at the bottom of the page shows a description of the privilege
● Click Save when finished and the list of privileges will appear on the group or user

12. User Management
● System > User Manager, Users tab
● Click + Add to create a new user
● Username, password, and confirm password are the only required fields
● Account can be disabled or have a set expiration date
  – Account will be disabled on that day (e.g. expire tomorrow will expire at midnight tonight)
  – If expired, remember to fix the date before re-enabling the account
● Custom Settings allow users to have a different theme, dashboard preferences, and other GUI behavior controls specific to their login
● Group membership can be managed for the user by moving groups over to the Member of side

13. User Management
● User Certificate can be created if there is a suitable CA+Key available
  – Process is different during account creation: check the box, enter a name, choose options
  – Later when editing the account, click + Add and then a cert can be created, imported, etc.
● Authorized keys are keys for SSH access: check the box, paste in one or more ssh public keys for the user
  – Make sure the user also gets a privilege which grants them access to ssh!
● IPsec Pre-Shared Key
  – Used for PSK-based mobile IPsec access (not xauth, IKEv2, etc.)
● Click Save
● Privileges can be added by editing the user again after save

14. User Management Demo
● Group List, Add/Edit Group, Privileges
● User List, Add/Edit User, Privileges
● User login / logout
  – Show “default” landing page behavior (Users: sue, alice, bill)
  – Show what happens when a user has no GUI permissions (User: norm)
● Show menu changes
● Deny Config Write demo
● Show system log entries for redirects and other access info

15. SSH Access
● Enable under System > Advanced, Admin Access tab
● Several levels of access:
  – User – System – SSH Tunneling
    ● Allows user to connect and create SSH forwards, but no shell or SCP
  – User – System – Copy Files
    ● Allows user to connect with an SCP client such as scp, Filezilla, WinSCP, etc. to transfer files
  – User – System – Shell Account Access
    ● Access to the shell, tunneling, and SCP

16. SSH Access
● Passwords are set in config.xml only, do not use “passwd” in the shell!
● Admin and root share credentials
● Admin is locked to the menu for shell and cannot use SCP, only SSH
● Root user works for SCP or SSH access
● Other users may access the shell or SCP, depending on privileges
● Other users who SCP files need to be aware of file and directory permissions
● Other users do not get the menu at login because they do not have sufficient privileges to run all commands on the menu
● Users may be granted more privileges in the shell by using the sudo package
● Just because a user can't run a command doesn't mean they can't necessarily see sensitive files; remember this is a firewall and not intended to be a multi-user UNIX shell server, only give SSH access to trusted administrators!

17. SSH Authentication
● SSH has several authentication modes, including
  – Password – least secure
  – Keyboard-Interactive – still password-based, extensible
  – Key-based authentication – best and most secure, but complicated to set up
● Password-based modes are susceptible to brute force attacks
● Client must create their own public/private key pair using a utility such as ssh-keygen
● Public key is copied to the “authorized keys” list for their account on the server
● Private key should be protected with a passphrase and other security measures
● SSH agent/forwarding makes this more convenient
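Slides 13 and 17 rely on pasting public keys into the user's Authorized keys box, and a malformed paste (a truncated line, or a private key pasted by mistake) simply leaves that user unable to log in. The checker below is an added example, not pfSense code: it validates each line as an OpenSSH public key and confirms that the textual key type matches the type embedded in the key blob. The sample keys are constructed with zeroed key material.

```python
"""Sanity-check OpenSSH public keys before pasting them into a pfSense user's
"Authorized keys" box. Added example, not pfSense code; the sample keys are
constructed (zeroed key material) and are never valid for a real login."""
import base64
import struct

def parse_authorized_key(line):
    """Return (key_type, comment) for a well-formed authorized_keys line, else raise ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 data> [comment]'")
    key_type, blob, comment = (parts + [""])[:3]
    try:
        raw = base64.b64decode(blob, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"key data is not valid base64 ({exc}); was a private key pasted?")
    # OpenSSH wire format: the first field is a length-prefixed string holding the
    # key type, which must agree with the textual type in front of the blob.
    if len(raw) < 4:
        raise ValueError("key data too short")
    (n,) = struct.unpack(">I", raw[:4])
    embedded = raw[4:4 + n]
    if embedded != key_type.encode():
        raise ValueError(f"type mismatch: '{key_type}' vs embedded {embedded!r}")
    return key_type, comment

def check_authorized_keys(text):
    """Validate every non-blank, non-comment line; return [(line_no, ok, detail)]."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            key_type, comment = parse_authorized_key(line)
            results.append((no, True, f"{key_type} {comment}".strip()))
        except ValueError as exc:
            results.append((no, False, str(exc)))
    return results

def constructed_key(text_type, embedded_type):
    """Build a syntactically valid key line with zeroed 32-byte key material (demo only)."""
    raw = (struct.pack(">I", len(embedded_type)) + embedded_type.encode()
           + struct.pack(">I", 32) + bytes(32))
    return f"{text_type} {base64.b64encode(raw).decode()}"

SAMPLE = "\n".join([
    constructed_key("ssh-ed25519", "ssh-ed25519") + " alice@laptop",  # well-formed
    constructed_key("ssh-rsa", "ssh-ed25519") + " bill@desk",         # type mismatch
    "-----BEGIN OPENSSH PRIVATE KEY-----",                             # private key by mistake
])
```

Run `check_authorized_keys(SAMPLE)` to see one accepted line and two rejections with the reason for each.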
18. Sudo Package
● Rhymes with voodoo!
● Installed from System > Packages, Available Packages tab
● Once installed, appears as System > sudo
● Default permissions grant full sudo access to members of the admins group, as well as the root and admin users
● User/Group column selects who receives the permission
● Run As column selects the user the command will run under, typically root
● No Password checkbox allows the user to run the specified command(s) without supplying their password. Convenient, but potentially dangerous!

19. Sudo Package
● Command list specifies what commands and parameters may be used by the user or group
  – Special “ALL” keyword means all commands with any parameters
  – A command with no parameters set after it will allow any parameters:
    ● /sbin/pfctl
  – A command with a specific parameter set limits the user to only that one parameter:
    ● /sbin/pfctl -ss
  – To restrict a user to run a command without any parameters, use “” after the command name:
    ● /sbin/ifconfig “”
  – Separate commands in the list using a comma:
    ● /sbin/ifconfig, /sbin/pfctl, /sbin/ping, /sbin/ping6
● Commands run using sudo are logged to the main system log

20. SSH Access Demo
● SSH as root/admin
● SCP as root
● Login as unprivileged user
● Use of sudo

21. Remote GUI Access
● Unforgivable: HTTP GUI on WAN
● Worse: HTTPS GUI port open to the world (any port)
● Good: HTTPS GUI port open to select hosts
  – Can use an alias with dyndns FQDN entries!
● Better: HTTPS GUI on a non-standard port open to select hosts
● Best: GUI port closed to the world, access by VPN only

22. Remote SSH Access
● Worst: SSH port open to the world
  – Constant brute force attacks
● Meh: SSH port open to the world on an alternate port
  – Security by obscurity, may protect against some casual scans but not all
● OK: SSH port open to select hosts
● Good: SSH (any port) with key-based authentication
● Better: Key-based authentication, open to only select hosts
● Best: No direct access. Key-based auth + VPN

23. Security Best Practices
● Only use encrypted protocols (HTTPS, SSH, no HTTP!)
  – Refer to the ACME/Let’s Encrypt hangout to get a trusted HTTPS GUI certificate
● Reduce or eliminate use of the “admin” account
● Never leave system passwords at their default value
● Give each person their own account, no sharing or role-based accounts!
● Encourage use of long passwords (bcrypt supports up to 72 character passwords)
● Set an expiration date and/or disable accounts that only need temporary access
● Remove accounts promptly when a user leaves the company
● Do not expose GUI or SSH services to the world
● Use key-based authentication for SSH
● Use remote access VPNs for management where possible
● Don't ignore physical security!
  – Disabling console access is OK, but not perfect; it can be reset/bypassed by someone with physical access and control of the hardware

24. External Authentication Servers
● LDAP and RADIUS can be used for GUI access
  – Must have local groups defined to match the user's group in LDAP/RADIUS
    ● If a group has a space in it or a long name, set the group scope to “Remote” on pfSense
  – If the auth server is down, falls back to local auth
    ● Accessing pages will be slow because each page load must wait for the auth server to time out
● RADIUS and LDAP can be used for OpenVPN
● RADIUS can be used for IKEv2 IPsec
● Some areas like Captive Portal and L2TP are not connected to these Authentication Servers (yet)
● More detail on LDAP and RADIUS in the next hangout!

25. Other Notes
● XMLRPC Sync on 2.4 can use any user, but that user must have the System – HA node sync privilege
● Resetting the LAN IP address via the console or SSH will offer to reset the authentication source back to Local, if remote authentication is not functional
● Password reset function on the console menu will also re-enable the admin account
● Reset a password for other accounts via the shell:
  – pfSsh.php playback changepassword <username>
  – Will also optionally re-enable the account and remove its expiration

26. Conclusion
● Questions?
● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.