OPNSense – Security and Hardening – Episode 2


In the current age of digital communication, cybersecurity has become a major concern for individuals and organizations alike. OpenSSH, a widely-used tool for remote login and secure file transfer, plays a critical role in securing communication between devices. This article aims to provide a comprehensive understanding of the significance of OpenSSH security. It will cover the key features of OpenSSH, its benefits, and the potential security risks associated with it. Additionally, the article will highlight best practices for configuring and managing OpenSSH to ensure maximum security for user data.

Check out my YouTube channel if you prefer video content over written posts. Here’s the link to the video:

SSH hardening guide for OPNsense 20.7 and newer

This article is based on the SSH Hardening Guides from Positron Security and SSH hardening guide for OPNsense 20.7 and newer by Mathieu Simon. Credit goes to the original authors.

1. Enable Secure Shell (SSH)

  • Navigate to System ‣ Settings ‣ Administration, select Enable Secure Shell.
  • Select wheel, admins from the Login Group
  • Do not permit root user login
  • Do not permit password login
  • The SSH password authentication method is vulnerable to brute force attacks, which involve systematically trying out all combinations of characters until the correct password is found. This attack can be successful if the password is weak or easily guessable. To prevent such attacks, it is recommended to use a strong and complex password and implement additional security measures such as two-factor authentication or public key authentication. Monitoring the system for suspicious activity and regularly updating the software to ensure any known vulnerabilities are patched is also important. By taking these precautions, the system’s security can be greatly improved.
  • Changing the default port number of your system from its default value to a random, unused port like 2222 is a simple yet effective way of improving your system’s security. Hackers often use automated tools to scan networks and identify vulnerable systems. Such tools scan for open ports on a system, and if they find a well-known port like 22 (the default port for SSH), they will try to exploit any vulnerabilities to gain unauthorized access. By changing the default port number to a random, unused port, you can reduce the number of probes and lower the chances of a successful compromise. While this may not make your system completely invulnerable, it will significantly increase the work an attacker requires to compromise your system and may discourage them from attempting. Furthermore, changing the port number reduces the number of log files generated by attempted access on the default port 22. This can make it easier to identify suspicious activity, as you will not have to sift through many log files generated by automated scans. Changing the default port number is a simple yet effective step to improve your system’s security posture.

2. Choose the Strongest Algorithms That Are Supported on Both Ends of the Connection

Matthieu Simon states, “A good starting point is to select the following options for maximum compatibility with the probability that your client won’t use the strongest/fastest option. As the algorithms may differ in computation speed or in the provided level of security, and their applied order in the OPNsense SSH server’s config is nondeterministic (limitation of the current UI kit, it can’t take into account the order of the selection), what you’d preferably want is to choose the strongest algorithms that are supported on both ends of the connection; otherwise, you won’t be able to SSH into OPNsense until you find the middle ground.”

  • Key exchange algorithms
  • Ciphers
  • MACs
  • Host key algorithms
  • Public key signature algorithms
  • Select Save when done.

Matthieu Simon states, “The ordering of the above algorithms represents the best-choice-first mentality, so if you select only the *25519* options for KEX and HostKey, and the first ones for the others, it’s the best trade-off between speed and security while forcing the SSH client only to use these. Otherwise, choose your preferred algorithms depending on your use case or threat model.”

Generating Public/Private Key Pair from the Client side
  • MacOS/Linux
    • Open Terminal and run the below command
    • Change ed25519 to the algorithms that you selected under Public key signature algorithms.
mkdir ssh_keys
cd ssh_keys
ssh-keygen -t ed25519
cat *.pub
  • Windows
    • Open Command Prompt and run the below command
    • Change ed25519 to the algorithms that you selected under Public key signature algorithms.
mkdir ssh_keys
cd ssh_keys
ssh-keygen -t ed25519
type *.pub
Insert the generated Public Key into the Authorized keys for the System Administrator
  • Navigate to System ‣ Access ‣ Users, select Edit.
  • Copy the text from *.pub file and insert it into the Authorized keys section.
  • Select Save or Save and go back when done.
Established SSH connection from the Client side
  • Change the directory where the keys are stored.
  • Run the below command to establish an SSH connection. If you change the SSH default port (port 22), specify the port number using the -p option. Skip the -p if you use the default port.
ssh -i ssh_key_name opnsense_user_name@FQDN/IP -p 2222
  • MacOS
  • Linux
  • Windows
Ways to support my channel

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Translate »