2. About this Hangout
● Project News
● Why use multiple users?
● pfSense Privilege System
● Working with Privileges
● Privilege Gotchas
● Group Management
● Add Privileges Screen
● User Management
● User Management Demo
● SSH Access
● SSH Authentication
● Sudo Package
● SSH Access Demo
● Remote GUI Access
● Remote SSH Access
● Security Best Practices
● External Authentication Servers
● RADIUS and LDAP will be covered next month
3. Project News
● 2.4.3 will be coming soon
– Fixes for Meltdown/Spectre
● For pfSense in its appliance role, these are largely irrelevant as the firewall is not hosting virtual machines or running arbitrary untrusted code
● Do not give untrusted users shell access or allow them to run untrusted binaries
– Other bug fixes/features
● QNAP to offer pfSense as a paid virtualized guest on their NAS products
– https://www.netgate.com/blog/qnap-to-add-pfsense-to-its-products.html
– https://www.qnap.com/en/news/2018/qnap-and-netgate-showcase-nas-with-pfsense-joint-solution-for-network-security-at-ces-2018
● pfSense is gaining support for ESPRESSObin ARM boards
– aarch64 (Armada 3720)
– Three gigabit ports, two in a switch setup
● 2018 Training Calendar is up
– https://www.netgate.com/training/
● 349 registered translators and 16 languages complete!
4. Why utilize multiple users?
● Security
– Keeps the number of people with the root/admin password low
● Default admin account cannot be deleted, but may be disabled
– Easier to lock out someone if they leave or only need temporary access
– User access can be limited to specific pages they need to see
– Users can be denied configuration write privileges
● Accountability
– Configuration history shows users who made changes
– Firewall and NAT rules are tagged with the creator and the last person to change them
● Non-Administrative Access
– OpenVPN, IPsec, Captive Portal, SSH Tunneling, etc.
● Personalization
– Users can have different themes, a personalized dashboard, and other GUI behavior settings
● Integration with existing authentication structure
5. pfSense Privilege System
● Privileges can be set per-user or inherited from a group
● Privileges exist for almost every page
● Special privileges for …
– Special pages such as the Dashboard, Notices, Help, and Crash Reporter
– Captive Portal access (optional)
– VPN Dial-in access (IPsec, L2TP, PPPoE)
– XMLRPC Synchronization
– Various types of SSH access
– Deny Configuration Write
– “WebCfg - System: User Password Manager page” allows user to change password
● Most packages do not hook in or are not compatible with privileges, but some do
6. Working with Privileges
● Using groups speeds up and simplifies the process
● Save a user or group first, then edit to add individual permissions
● If a user does not have Dashboard access, after login they are redirected to the first page in their privilege list
– Be wary of the permission order!
● Do not add the “Deny Config Write” privilege to the “All” or “Admins” group (for obvious reasons)
● Do not “select all” on the privilege list, be specific!
– If you want to grant all GUI privileges, only give “WebCfg – All Pages” or add to Admins group!
– If you select all in the list, you’ll also end up denying write access which will make changes appear to silently fail
● Menus will change to only show pages a user may access
7. Privilege Gotchas
● Despite the privilege system, pfSense is not intended to be a general purpose unix shell server and should not be treated as such
● Some privileges effectively give the user full administrator access due to the nature of how pfSense works
– User - System: Copy files (scp)
● The user could copy or edit files on the firewall, and some files outside of their control have permissions that let all shell users read them, some of which may contain sensitive information
– User - System: Shell account access
● In addition to the concerns for scp, the user could also copy and run their own executable code
– WebCfg - All pages
● This is the standard privilege to give access to all pages, which gives the user full access in the GUI
– WebCfg - Diagnostics: Backup & Restore
● A user could download a backup which contains sensitive information, or upload a new configuration enacting any settings they want
– WebCfg - Diagnostics: Command
● A user could run arbitrary commands, make arbitrary changes to the system or configuration, or download any file on the firewall
8. Privilege Gotchas
● Full access privileges (cont’d)
– WebCfg - Diagnostics: Edit File
● A user could read/write any file on the firewall, including the configuration and GUI source code
– WebCfg - Diagnostics: Factory defaults
● A user could reset the configuration, leading to a denial of service or permissive outbound access
– WebCfg - System: Authentication Servers
● A user could alter authentication parameters for a remote auth server to gain additional privileges
– WebCfg - System: Group Manager / WebCfg - System: Group Manager: Add Privileges
● A user can alter groups to gain additional privileges
– WebCfg - System: User Manager / WebCfg - System: User Manager: Add Privileges
● A user can alter users to gain additional privileges, add a new administrator user, etc.
– WebCfg - System: User Manager: Settings
● A user could change where the GUI obtains its authentication to gain additional access
9. Privilege Gotchas
● Be careful of pages that can execute commands or apply changes
– Denying configuration write access does not prevent these actions which can make changes!
● By default, SSH users do not get the menu because they do not have access to the commands
– Using sudo can help delegate
– Shell users still may have access to files and other parts of the system that are sensitive even if they cannot run commands as root
10. Group Management
● Groups are the easiest way to manage privileges for multiple users
● Great for single privileges that many, but not all, will have, such as IPsec Xauth Dialin or Captive Portal
● System > User Manager, Groups tab
● Click + Add to create a group, give it a name
● Scope is local for groups that exist on this firewall, remote for groups used with LDAP/RADIUS
– Primary difference is that remote scope groups can have longer names and the name may contain spaces
● Users may be assigned here for batch changes, or the group may be added to a user directly for individual changes
– Ctrl/shift/cmd to select multiple users depending on operating system/browser
– Click Move to “Member of” list to add a user to this group, and the Move to “Not member of” list button to remove them
● Click Save
● Click the pencil icon to edit the group
● Click + Add to add privileges to the group
11. Add Privileges Screen
● Editing privileges for users and groups works identically
● The user or group being edited is printed at the top of the page
● The Assigned Privileges box lists all privileges the user does not yet have
– Privileges already granted to the user/group must be edited on the user/group edit screen
– Use shift/ctrl/cmd select to select multiple entries depending on your OS
● The Filter box searches for privileges matching a given string, and the filtered list is shown in the Assigned Privileges box
– Type some text and press Enter or click Filter at the bottom of the page to search
● When a privilege is selected, the info box at the bottom of the page shows a description of the privilege
● Click Save when finished and the list of privileges will appear on the group or user
12. User Management
● System > User Manager, Users tab
● Click + Add to create a new user
● Username, password, and confirm password are the only required fields
● Account can be disabled or have a set expiration date
– Account will be disabled on that day (e.g. an expiration date of tomorrow will expire at midnight tonight)
– If expired, remember to fix the date before re-enabling the account
● Custom Settings allow users to have a different theme, dashboard preferences, and other GUI behavior controls specific to their login
● Group membership can be managed for the user by moving groups over to the Member of side
13. User Management
● User Certificate can be created if there is a suitable CA+Key available
– Process is different during account creation: check the box, enter a name, choose options
– Later when editing account, click + Add and then a cert can be created, imported, etc.
● Authorized keys are keys for SSH access: check the box, paste in one or more ssh public keys for the user
– Make sure the user also gets a privilege which grants them access to ssh!
● IPsec Pre-Shared Key
– Used for PSK-based mobile IPsec access (not xauth, IKEv2, etc)
● Click Save
● Privileges can be added by editing the user again after save
14. User Management Demo
● Group List, Add/Edit Group, Privileges
● User List, Add/Edit User, Privileges
● User login / logout
– Show “default” landing page behavior (Users: sue, alice, bill)
– Show what happens when a user has no GUI permissions (User: norm)
● Show menu changes
● Deny Config Write demo
● Show system log entries for redirects and other access info
15. SSH Access
● Enable under System > Advanced, Admin Access tab
● Several levels of access:
– User – System – SSH Tunneling
● Allows user to connect and create SSH forwards, but no shell or SCP
– User – System – Copy Files
● Allows user to connect with an SCP client such as scp, Filezilla, WinSCP, etc. to transfer files
– User – System – Shell Account Access
● Access to the shell, tunneling, and SCP
16. SSH Access
● Passwords are set in config.xml only, do not use “passwd” in shell!
● Admin and Root share credentials
● Admin is locked to menu for shell and cannot use SCP, only SSH
● Root user works for SCP or SSH access
● Other users may access the shell or SCP, depending on privileges
● Other users who SCP files need to be aware of file and directory permissions
● Other users do not get the menu at login because they do not have sufficient privileges to run all commands on the menu
● Users may be granted more privileges in the shell by using the sudo package
● Just because a user can't run a command doesn't mean they can't necessarily see sensitive files; remember this is a firewall and not intended to be a multi-user UNIX shell server, only give SSH access to trusted administrators!
17. SSH Authentication
● SSH has several authentication modes, including
– Password – least secure
– Keyboard-Interactive – Still password-based, extensible
– Key-based authentication – Best and most secure, but complicated to set up
● Password-based modes are susceptible to brute force attacks
● Client must create their own public/private key pair using a utility such as ssh-keygen
● Public key is copied to “authorized keys” list for their account on the server
● Private key should be protected with a passphrase and other security measures
● SSH agent/forwarding makes this more convenient
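The "Authorized keys" box on the user page (slide 13) and the key-based authentication flow above both depend on the user pasting a well-formed public key line. The following is an added example, not code from pfSense or from this hangout: a small checker that parses pasted authorized_keys text the way an administrator might before saving it, accepting entries whose declared key type matches the type embedded in the base64 key blob and flagging the common paste mistakes (a private key, a truncated or mangled blob, a type mismatch). The accepted key-type list and the sample paste are assumptions constructed for the example; the key bytes are dummy values, not real keys.

```python
import base64
import struct

# Key types this checker accepts (assumption: a reasonable subset of what
# OpenSSH recognises; the hangout itself names no list).
KNOWN_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _read_ssh_string(blob, offset):
    """Read one length-prefixed (uint32 big-endian) SSH wire-format string."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_authorized_keys(text):
    """Return (accepted, rejected) for pasted authorized_keys text.

    accepted: list of (key_type, comment) tuples
    rejected: list of (line_number, reason) tuples
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Pasting the private half instead of the public key is the most
        # damaging mistake, so it is checked first.
        if "PRIVATE KEY" in line:
            rejected.append((lineno, "private key material pasted, not a public key"))
            continue
        fields = line.split()
        # Leading options (e.g. "restrict,no-pty") are skipped until a key type is found.
        idx = next((i for i, f in enumerate(fields) if f in KNOWN_KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            rejected.append((lineno, "no recognised key type followed by a key blob"))
            continue
        key_type, b64 = fields[idx], fields[idx + 1]
        comment = " ".join(fields[idx + 2:])
        try:
            blob = base64.b64decode(b64, validate=True)
            embedded_type, _ = _read_ssh_string(blob, 0)
        except (ValueError, struct.error) as exc:  # binascii.Error is a ValueError
            rejected.append((lineno, f"key blob is not valid base64/SSH wire format: {exc}"))
            continue
        # The first string inside the blob repeats the key type; a mismatch
        # means the line was edited or mangled in transit.
        if embedded_type != key_type.encode():
            rejected.append((lineno, "declared key type does not match the key blob"))
            continue
        accepted.append((key_type, comment))
    return accepted, rejected


def _fake_key_line(key_type, comment, key_bytes=b"\x01" * 32):
    """Build a syntactically valid public key line from dummy bytes (constructed, not a real key)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample of what a user might paste into the Authorized Keys box.
SAMPLE_PASTE = "\n".join([
    "# two good keys, then three kinds of bad paste",
    _fake_key_line("ssh-ed25519", "alice@laptop"),
    "restrict,no-pty " + _fake_key_line("ssh-ed25519", "alice@tunnel-only"),
    "ssh-ed25519 " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01A").decode() + " mismatched",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "ssh-ed25519 not-base64!!! broken@paste",
])

if __name__ == "__main__":
    good, bad = parse_authorized_keys(SAMPLE_PASTE)
    for key_type, comment in good:
        print(f"accepted {key_type} {comment}")
    for lineno, reason in bad:
        print(f"line {lineno}: rejected: {reason}")
```

The checker only validates the outer structure (type, blob framing, comment); it does not verify the key material itself, which is the SSH server's job at login. Its value is catching the paste errors that would otherwise surface as an unexplained "permission denied" after the user has already been granted an SSH privilege.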
18. Sudo Package
● Rhymes with voodoo!
● Installed from System > Packages, Available Packages tab
● Once installed, appears as System > sudo
● Default permissions grant full sudo access to members of the admins group, as well as root and admin users
● User/Group column selects who receives the permission
● Run As column selects the user the command will run under, typically root
● No Password checkbox allows the user to run the specified command(s) without supplying their password. Convenient, but potentially dangerous!
19. Sudo Package
● Command list specifies what commands and parameters may be used by the user or group
– Special “ALL” keyword means all commands with any parameters
– A command with no parameters set after it will allow any parameters:
● /sbin/pfctl
– A command with a specific parameter set limits the user to only that one parameter set:
● /sbin/pfctl -ss
– To restrict a user to running a command without any parameters, use "" (two straight double quotes) after the command name:
● /sbin/ifconfig ""
– Separate commands in the list using a comma:
● /sbin/ifconfig, /sbin/pfctl, /sbin/ping, /sbin/ping6
● Commands run using sudo are logged to the main system log
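The four command-list forms on this slide (ALL, bare command, command with fixed parameters, command followed by "") are easy to get backwards, and a bare command is far more permissive than it looks. The following is an added example, not the sudo package's own code and not how sudo itself parses sudoers: a Python evaluator that parses a command-list string in the format the package's form accepts and answers whether a given command and parameter list would be permitted. It models only the four rules stated on the slide (assumption: no wildcards, negation or Run As handling, which real sudo also supports), and the sample command list is constructed for the example.

```python
import shlex


def parse_command_list(spec):
    """Parse a sudo package 'Command list' string into (command, args) rules.

    args is None   -> any parameters allowed (bare command)
    args is ()     -> no parameters allowed (command followed by "")
    args is tuple  -> exactly these parameters, in this order
    The single rule ("ALL", None) matches every command.
    """
    rules = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry == "ALL":
            rules.append(("ALL", None))
            continue
        # shlex keeps the empty quoted string as a token, so
        # '/sbin/ifconfig ""' becomes ['/sbin/ifconfig', ''].
        tokens = shlex.split(entry)
        command, params = tokens[0], tokens[1:]
        # sudoers requires fully qualified command paths; reject anything else early.
        if not command.startswith("/"):
            raise ValueError(f"command must be an absolute path: {command!r}")
        if not params:
            rules.append((command, None))          # any parameters
        elif params == [""]:
            rules.append((command, ()))            # no parameters at all
        else:
            rules.append((command, tuple(params)))  # exactly this parameter set
    return rules


def is_permitted(spec, command, args=()):
    """Return True if running `command` with `args` is allowed by `spec`.

    Every rule is an allow rule, so the first match decides (assumption:
    this mirrors the slide, not the full last-match semantics of sudoers).
    """
    args = tuple(args)
    for rule_cmd, rule_args in parse_command_list(spec):
        if rule_cmd == "ALL":
            return True
        if rule_cmd != command:
            continue
        if rule_args is None:
            return True
        if rule_args == args:   # covers the () case: only an empty args tuple matches
            return True
    return False


# Constructed command list mixing the three per-command forms from the slide:
# ifconfig with no parameters only, pfctl only as "pfctl -ss", ping/ping6 with anything.
SAMPLE_SPEC = '/sbin/ifconfig "", /sbin/pfctl -ss, /sbin/ping, /sbin/ping6'

if __name__ == "__main__":
    checks = [
        ("/sbin/ifconfig", []),
        ("/sbin/ifconfig", ["em0", "down"]),
        ("/sbin/pfctl", ["-ss"]),
        ("/sbin/pfctl", ["-d"]),
        ("/sbin/ping", ["-c", "3", "10.0.0.1"]),
        ("/usr/bin/vi", ["/tmp/notes"]),
    ]
    for cmd, params in checks:
        verdict = "allowed" if is_permitted(SAMPLE_SPEC, cmd, params) else "denied"
        print(f"{verdict:7s} {cmd} {' '.join(params)}")
```

Running the block shows why the slide warns about bare commands: `/sbin/ping` with any arguments is allowed, while `/sbin/pfctl` is confined to the one read-only invocation listed and `/sbin/ifconfig` can only be run to display interfaces. When reviewing a delegation, trace each intended command through a checker like this before trusting the list.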
20. SSH Access Demo
● SSH as root/admin
● SCP as root
● Login as unprivileged user
● Use of sudo
21. Remote GUI Access
● Unforgivable: HTTP GUI on WAN
● Worse: HTTPS GUI port open to the world (any port)
● Good: HTTPS GUI port open to select hosts
– Can use an alias with dyndns FQDN entries!
● Better: HTTPS GUI on non-standard port open to select hosts
● Best: GUI port closed to the world, access by VPN only
22. Remote SSH Access
● Worst: SSH port open to the world
– Constant brute force attacks
● Meh: SSH port open to the world on an alternate port
– Security by obscurity, may protect against some casual scans but not all
● OK: SSH port open to select hosts
● Good: SSH (any port) with key-based authentication
● Better: Key-based authentication, open to only select hosts
● Best: No direct access. Key-based auth + VPN
23. Security Best Practices
● Only use encrypted protocols (HTTPS, SSH, no HTTP!)
– Refer to the ACME/Let’s Encrypt hangout to get a trusted HTTPS GUI Certificate
● Reduce or eliminate use of the “admin” account
● Never leave system passwords at their default value
● Give each person their own account, no sharing or role-based accounts!
● Encourage use of long passwords (bcrypt supports up to 72 character passwords)
● Set an expiration date and/or disable accounts that only need temporary access
● Remove accounts promptly when a user leaves the company
● Do not expose GUI or SSH services to the world
● Use key-based authentication for SSH
● Use remote access VPNs for management where possible
● Don't ignore physical security!
– Disabling console access is OK, but not perfect; it can be reset/bypassed by someone with physical access and control of the hardware
24. External Authentication Servers
● LDAP and RADIUS can be used for GUI access
– Must have local groups defined to match user group in LDAP/RADIUS
● If a group has a space in it or a long name, set the group scope to “Remote” on pfSense
– If the auth server is down, falls back to local auth
● Accessing pages will be slow because each page load must wait for the auth server to timeout
● RADIUS and LDAP can be used for OpenVPN
● RADIUS can be used for IKEv2 IPsec
● Some areas like Captive Portal and L2TP are not connected to these Authentication Servers (yet)
● More detail on LDAP and RADIUS in next hangout!
25. Other Notes
● XMLRPC Sync on 2.4 can use any user, but that user must have the System – HA node sync privilege
● Resetting the LAN IP address via the console or SSH will offer to reset the authentication source back to Local, if remote authentication is not functional
● Password reset function on the console menu will also re-enable admin account
● Reset a password for other accounts via shell:
– pfSsh.php playback changepassword <username>
– Will also optionally re-enable and remove expiration