OPNsense – Security and Hardening – Episode 1


This article covers the security basics of administrator access on OPNsense: why the default credentials and the root account are the first things an attacker will try, what an attacker who gets administrator access to the firewall can do, and the concrete steps (a non-root administrator account, a disabled root user, and TOTP two-factor authentication) that reduce that risk.

Check out my YouTube channel if you prefer video content over written posts. Here’s the link to the video:

Always Change the Default Password

A study by Comparitech found that roughly one in sixteen home Wi-Fi routers reachable from the Internet can be logged into remotely with the manufacturer's default administrative password. An attacker with that access can eavesdrop on traffic, change DNS and routing settings to hijack connections, and push malware to devices behind the router. The write-up is by Comparitech's Paul Bischoff (@comparitech). A firewall that still uses its shipped credentials is in exactly the same position.

I will not cover how to change the default password for OPNsense since Zenarmor has already provided a step-by-step guide. Check it out: OPNsense Security and Hardening Best Practice Guide

Create a Non-root Administrator Account and Disable the Root User

The same reasoning applies to the root account on a firewall. Root has complete control of the device: an attacker who obtains it can rewrite the rule set, disable logging, redirect or capture traffic, read stored secrets such as VPN keys, and use the firewall as a pivot to attack other hosts on the network. Root is also a username every attacker already knows, so leaving it enabled hands over half of the credential for free. Use a separate administrator account with a non-default username for day-to-day work, and keep root for the rare case where it is genuinely required. Follow the steps below to create a non-root administrator account and disable the root user:

1. Create a Non-root Administrator Account

  • Navigate to System ‣ Access ‣ Users and select the plus icon to add a new user.
  • Create a unique username.
  • Set a strong password: long, random, and not reused anywhere else. Use a password manager such as 1Password to generate and store it rather than picking something memorable.
  • Select a Login shell (only required if you intend to use SSH with this user later).
  • Select admins under Group Memberships, then select Add groups. Note that a member of admins has full access to the web GUI; what you gain is a non-default username and per-user accountability in the logs, not reduced rights. If you want a genuinely limited account for routine tasks, create a group with only the required privileges under System ‣ Access ‣ Groups and use that instead.
  • OTP Seed: optional, but highly recommended; this is the shared secret used with the TOTP server described in step 3.
  • Select Save or Save and go back when done.

2. Disable the Root Account

  • Before disabling root, open a second browser session and confirm that the new account can log in to the web GUI (and over SSH, if you enabled it). If it cannot, do not proceed, or you will lock yourself out and need physical console access to recover.
  • Navigate to System ‣ Access ‣ Users, select the pencil icon to edit the root user.
  • Select Disabled.
  • Select Save or Save and go back when done.

3. Two-Factor Authentication with a Time-based One-Time Password (TOTP) Server

Time-based One-Time Password (TOTP) is a form of two-factor authentication (2FA) that is widely used to protect online accounts. An authenticator app on the user's phone derives a short code from a shared secret key and the current time; the code changes every time step, typically 30 seconds, and is entered alongside the regular password. The TOTP server (here, OPNsense) holds the same secret, recomputes the expected code for the current time step, and accepts the login only if it matches. A stolen password alone is therefore not enough to log in, and a captured code is useless once its time step has passed.

Check out my tutorial on how to enable a TOTP Server on your OPNsense:
