
Secure remote firewall administration via SSH

Most firewall systems contain a Web-based component that allows you to configure the firewall, but it's not very secure. Vincent Danen shows you a method via SSH that has the advantage of authentication and strong encryption.

Most firewall systems contain a Web-based component that allows you to configure the firewall. This holds true for most entry-level firewall systems (Linksys, D-Link, etc.) and also open source firewall systems such as pfSense. These systems tend to provide ways to access the Web interface remotely via the Internet; however, this should not be considered secure at all.

Instead, if there is a system on the inside of the network that you can forward a port to for SSH, you can then SSH into the box and use TCP forwarding to get to the firewall via the inside of the network. This has the advantage of authentication and strong encryption. If the remote firewall has SSH running on it, you do not even need another internal system to SSH into; just SSH into the firewall itself.

On the remote system, edit ~/.ssh/config and add an entry similar to the following:

Host remotefw
  Hostname remotefw.remote.com
  User admin
  Port 522
  LocalForward 8888 192.168.10.1:80

This allows you to execute ssh remotefw on the command-line to connect to the host remotefw.remote.com as the user "admin," on port 522. It will also forward connections on the local system's port 8888 to port 80 on the remote system 192.168.10.1 (the firewall). Note that the user to connect as (admin) is not for the firewall; this is the SSH, or local, user on the remote system.

Now point your browser to connect to http://127.0.0.1:8888 (use https if the firewall requires it). You should be prompted for the credentials to get into the Web-based configuration utility.

Once you are finished working with the firewall configuration, simply close the browser window and exit the SSH session.

If this does not work, chances are the remote SSH server has TCP forwarding disabled. You will need to connect to the remote system and, as root, set AllowTcpForwarding to yes in the sshd configuration file (/etc/ssh/sshd_config on most systems) and restart sshd.
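As an added example (not code from the article), a small POSIX shell script that covers the troubleshooting step above and the config entry: it reports the global AllowTcpForwarding value from an sshd_config file (sshd honours the first occurrence, ignores comments and defaults to yes) and prints the one-shot ssh command equivalent to the ~/.ssh/config entry, using the article's host, port and address values. The sample sshd_config it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: values below are the ones used in the article.
FW_HOST="remotefw.remote.com"; FW_PORT=522; FW_USER="admin"
LOCAL_PORT=8888; FW_INSIDE="192.168.10.1:80"

# Effective global AllowTcpForwarding in an sshd_config file: sshd takes
# the first occurrence (keywords are case-insensitive), skips '#' comments,
# and settings inside a Match block apply only to matching connections,
# so they are not evaluated here. When unset, the default is "yes".
effective_tcp_forwarding() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }
        tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# The ssh(1) invocation equivalent to the ~/.ssh/config entry: background
# the session (-f), run no remote command (-N) and exit instead of
# continuing silently when the server refuses the forward
# (ExitOnForwardFailure), which is the symptom of AllowTcpForwarding no.
tunnel_command() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -p %s -L %s:%s %s@%s\n' \
        "$FW_PORT" "$LOCAL_PORT" "$FW_INSIDE" "$FW_USER" "$FW_HOST"
}

# Constructed sample: a commented-out default, forwarding disabled
# globally, and a Match block that must not change the global result.
sample_sshd_config() {
    cat <<'EOF'
# AllowTcpForwarding yes
Port 522
AllowTcpForwarding no
Match Address 10.0.0.0/8
    AllowTcpForwarding yes
EOF
}

main() {
    tmp=$(mktemp); sample_sshd_config > "$tmp"
    echo "AllowTcpForwarding (global): $(effective_tcp_forwarding "$tmp")"
    echo "Tunnel: $(tunnel_command)"
    rm -f "$tmp"
}
main "$@"
```

When enabling forwarding on the remote system, PermitOpen in sshd_config can limit the destinations a forwarded connection may reach, so the SSH account can reach only the firewall's admin port rather than the whole internal network.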

The advantages of using TCP forwarding over SSH to reach remote firewalls, instead of enabling and using the firewall's own remote administration feature, are clear. With SSH you can restrict access to the users who are allowed to SSH in, and with key-based authentication, brute-force password guessing is eliminated. It also adds the protection of SSH's encryption.

I use this method of remote firewall configuration quite often. It allows me to configure remote pfSense firewalls for clients, and even the remote Linksys firewall at my mother's house (of course, she is also using Fedora at home, and I can remotely SSH in to access the firewall). The only prerequisites are that the firewall forwards a port for SSH to a system on the remote network and that you have appropriate credentials to log in.

It also cuts down on unnecessary trips to remote offices or homes to do firewall tweaking or diagnostics, which is always welcome.


About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

4 comments

ianh

every firewall i've seen recently (i.e. within the last 3 years) utilised https, so this discussion is moot. and if it doesn't provide https? don't touch it...

vdanen

Why worry about https when you can do it all over ssh (encryption _and_ authorization)? And in light of recent SSL issues, I'd rather use ssh with keys (no passwords to brute force), perhaps a non-standard port (again, to prevent ssh brute forcing), and then redirect back to the firewall (use https there if you want and don't trust the remote network). SSL doesn't hold a candle to the benefits of SSH, and doing it this way you don't have to worry about anyone even thinking of or attempting brute forcing passwords on the firewall (and why would you want to expose the admin interface to the WAN side of the firewall to begin with?!?)
