#1 Untangler (Join Date: Feb 2013, Posts: 78)

    Configuring Secure SSH for Remote Support

    Hi all,

    Love the untangle products!! I have a quick question for the community:

    I am working on enabling SSH for remote support in our configuration and have done some research on securing it, since, for obvious reasons, SSH access from the internet is quite dangerous. I am aware of the ability to create a 'packet filter' rule to allow SSH access only from certain source IP addresses on specified ports.

    My question: Does this filter rule work WITH the option to 'allow SSH on all interfaces' or would I need to create multiple allow rules (one for each external interface)? I would like to keep SSH access open and available on the internet side but only allow it from our office IP.

    Thanks!

#2 jcoffin, Untangler (Join Date: Aug 2008, Location: Lake Tahoe, Posts: 9,655)

    All interfaces have the SSH port listening if SSH is started. By default SSH is not running. Just configure one packet rule to allow SSH from your IP and another rule after it to block all SSH on External.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#3 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,491)

    User packet filter rules are processed before system rules, as far as I know. This means any block rules in the user section will override the system rule.

    I'm not sure why you'd use that rule. If you don't accept in the system rule, you don't have to worry about blocking anything: just turn that rule off and create a limited pass rule for the places you need to allow connectivity. Just don't forget to use some port scans to test your rules; you don't want that service exposed, especially on the public interfaces.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#4 Untangler (Join Date: Feb 2013, Posts: 78)

    Quote Originally Posted by jcoffin:
        All interfaces have the SSH port listening if SSH is started. By default SSH is not running. Just configure one packet rule to allow SSH from your IP and another rule after it to block all SSH on External.
    Thanks, that answers my question; I wasn't sure if SSH traffic was subject to these rules.

    Quote Originally Posted by sky-knight:
        I'm not sure why you'd use that rule.
    The reason being that should we need remote SSH access to this box for viewing log files, recovery, etc., it would be remote and not from the internal network. We need to restrict SSH access to our office for administration purposes but didn't want to expose SSH to the WWW. Thanks again!

#5 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,491)

    Yes, but again that doesn't describe why you'd use the blanket "open the door" rule that is present.

    You have two options to do this securely.

    1.) Create specific pass rules to only allow SSH from trusted locations.
    2.) Use one of the VPN modules to authenticate, and allow connections from the now more trusted VPN linked client.

    In neither case are you ever going to use that system packet filter rule to just allow SSH all the time.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
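The two rule layouts discussed above (jcoffin's "pass from office, then block all SSH on External" with the system rule still on, and sky-knight's "system rule off, limited pass rules only") both rely on first-match ordering with user rules evaluated before system rules. The following is an added model of that evaluation, written for this thread; it is not Untangle's rule engine or any code from the posters. The interface names, the office IP 203.0.113.10, the LAN 192.168.1.0/24, the "attacker" address 198.51.100.7 and the iptables interface mapping are all constructed assumptions, and the model also shows what happens if the pass and block rules are entered in the wrong order.

```python
"""Model of first-match packet-filter evaluation for the SSH rules in this thread.
Illustrative code only: addresses, interface names and the user-before-system
ordering are assumptions, not Untangle internals."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SSH_PORT = 22
OFFICE_IP = "203.0.113.10/32"       # assumed office public IP (documentation range)
LAN = "192.168.1.0/24"              # assumed internal subnet
INTERNET_ATTACKER = "198.51.100.7"  # constructed: arbitrary host on the internet
IFMAP = {"External": "eth0", "Internal": "eth1"}  # assumed interface names


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "pass" or "block"
    interface: Optional[str]  # None matches any interface
    src: Optional[str]        # CIDR; None matches any source
    dport: Optional[int]      # None matches any destination port


@dataclass(frozen=True)
class Packet:
    interface: str
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every field it constrains agrees with the packet."""
    if rule.interface is not None and rule.interface != pkt.interface:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules, pkt: Packet, default: str = "block"):
    """First matching rule wins; anything unmatched falls to the default (block)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "implicit default"


# Modelled system rule that the "allow SSH on all interfaces" option turns on.
SYSTEM_ALLOW_SSH = Rule("system: allow SSH on all interfaces", "pass", None, None, SSH_PORT)

# jcoffin's layout: user pass rule, then user block rule, system rule left on.
JCOFFIN_USER_RULES = [
    Rule("pass SSH from office on External", "pass", "External", OFFICE_IP, SSH_PORT),
    Rule("block all SSH on External", "block", "External", None, SSH_PORT),
]

# sky-knight's layout: system rule off, only limited pass rules.
SKY_KNIGHT_USER_RULES = [
    Rule("pass SSH from office on External", "pass", "External", OFFICE_IP, SSH_PORT),
    Rule("pass SSH from LAN on Internal", "pass", "Internal", LAN, SSH_PORT),
]


def ruleset(user_rules, system_rule_enabled: bool):
    """User rules are evaluated before system rules (assumed, as the thread states)."""
    return list(user_rules) + ([SYSTEM_ALLOW_SSH] if system_rule_enabled else [])


SAMPLE_CONNECTIONS = {  # constructed test traffic
    "office -> External:22":   Packet("External", "203.0.113.10", SSH_PORT),
    "internet -> External:22": Packet("External", INTERNET_ATTACKER, SSH_PORT),
    "lan -> Internal:22":      Packet("Internal", "192.168.1.20", SSH_PORT),
}


def outcomes(rules) -> dict:
    """Verdict for each sample connection under the given ordered ruleset."""
    return {label: evaluate(rules, pkt)[0] for label, pkt in SAMPLE_CONNECTIONS.items()}


def exposed_to_internet(rules) -> bool:
    """True if an arbitrary internet host can reach SSH on the External interface."""
    return evaluate(rules, SAMPLE_CONNECTIONS["internet -> External:22"])[0] == "pass"


def iptables_equivalent(rule: Rule) -> str:
    """Rough iptables rendering of one rule, for comparing with what is on the box."""
    parts = ["-A INPUT", "-p tcp"]
    if rule.interface:
        parts.append(f"-i {IFMAP[rule.interface]}")
    if rule.src:
        parts.append(f"-s {rule.src}")
    if rule.dport:
        parts.append(f"--dport {rule.dport}")
    parts.append("-j ACCEPT" if rule.action == "pass" else "-j DROP")
    return " ".join(parts)


if __name__ == "__main__":
    layouts = {
        "blanket system rule only": ruleset([], True),
        "jcoffin (pass, block, system on)": ruleset(JCOFFIN_USER_RULES, True),
        "sky-knight (system off, limited pass)": ruleset(SKY_KNIGHT_USER_RULES, False),
        "jcoffin with rules reversed": ruleset(reversed(JCOFFIN_USER_RULES), True),
    }
    for name, rules in layouts.items():
        print(f"{name}: {outcomes(rules)} exposed={exposed_to_internet(rules)}")
```

Running the block shows the blanket rule alone passes the internet host, both recommended layouts pass the office and LAN while blocking the internet host, and reversing jcoffin's two user rules blocks the office as well, since the block rule then matches first. Whatever layout is chosen, confirm it from outside the network as sky-knight advises, for example with `nmap -p 22` against the External address from a host that is not the office IP.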
