Configuring Secure SSH for Remote Support

**MattyD** · 07-22-2013, 08:38 AM

Hi all,

Love the untangle products!! I have a quick question for the community:

I am working on enabling SSH for remote support in our configuration and have done some research on securing it as for obvious reasons, SSH access from the internet is quite dangerous. I am aware of the ability to create a 'packet filter' rule to allow ssh access only from certain source IP addresses on specified ports.

My question: Does this filter rule work WITH the option to 'allow SSH on all interfaces' or would I need to create multiple allow rules (one for each external interface)? I would like to keep SSH access open and available on the internet side but only allow it from our office IP.

Thanks!

**jcoffin** · 07-22-2013, 08:57 AM

All interfaces have ssh port listening if ssh is started. By default ssh is not running. Just configure one packet rule to allow ssh from your IP and another rule after it to block all ssh on External.

**sky-knight** · 07-22-2013, 09:47 AM

User packet filter rules are processed before system rules, as far as I know. This means any block rules in the user section will override the system rule.

I'm not sure why you'd use that rule. Because if you don't accept in the system rule, you don't have to worry about blocking anything, just turn that rule off and create a limited pass rule for the places you need to allow connectivity. Just don't forget to use some port scans to test your rules, you don't want that service exposed, especially to the public interfaces.

**MattyD** · 07-25-2013, 08:53 AM

Originally Posted by jcoffin

All interfaces have ssh port listening if ssh is started. By default ssh is not running. Just configure one packet rule to allow ssh from your IP and another rule after it to block all ssh on External.

Thanks - That answer my question, wasn't sure if SSH traffic was subject to these rules.

Originally Posted by sky-knight

I'm not sure why you'd use that rule.

The reason being that should we need remote SSH access to this box for logfiles viewing, recovery, etc., it would be remotely and not from internal network. We need to restrict SSH access to our office for administration purposes but didn't want to expose SSH to the WWW. Thanks again!

**sky-knight** · 07-25-2013, 01:29 PM

Yes, but again that doesn't describe why you'd use the blanket "open the door" rule present.

You have two options to do this securely.

1.) Create specific pass rules to only allow SSH from trusted locations.
2.) Use one of the VPN modules to authenticate, and allow connections from the now more trusted VPN linked client.

In neither case are you ever going to use that system packet filter rule to just allow SSH all the time.

Thread: Configuring Secure SSH for Remote Support

LinkBack

Thread Tools

Configuring Secure SSH for Remote Support

Posting Permissions