Remote management with pfSense. This question pops up all the time: what's an easy way to manage pfSense remotely? You may have noticed right away that it says down here at the bottom, "no OpenVPN instances defined." I know someone's gonna say, "Well, you could just manage them all with OpenVPN." That's true, but that also becomes a lot more work to keep on file, so to speak: a lot of different VPNs and stuff like that. The easier way to manage it is opening up the web interface right to the world, right? I've seen a lot of people do this. I don't think this is always the best idea, and let me tell you why. There was an update recently because there was a flaw found in Nginx that may have allowed a potential vulnerability, getting in by hammering away at Nginx with a couple of well-crafted packets. There's a patch for it and things like that, and I made a video about this. But one of the things I mentioned as well was, as long as you don't have your management interface wide open, exposed to the world, you should be fine. Now, there's a few ways you can help mitigate that, and we'll talk about that real quick here. We're gonna go here to the rules. We have the management port of this particular pfSense instance in my lab set to 5555. That is the management interface change we made; you just make that really simply under here. Here's the port we chose for it: 5555, four fives, sorry. So leaving it at the default port is bad for a couple of reasons. One, it's at 443, which means lots of things look there, and security through obscurity is never great. Second, you may have to forward something through the firewall that has a web server on it, so you don't wanna have to deal with any conflicts if you do have to open this up. Moving it to a different port number will also reduce the number of entries in the logs if you ever wanna look at those to see who's hammering at the system, because they don't hammer odd port numbers as much. So the logs are a little quieter.
So we have this firewall opened, but we have it filter-opened. What I mean by that is we have filtered it so it only accepts connections from my IP address. This is the IP address of the local computer we're doing this from, which means it allows me to access it. This could just as easily be a public IP address, or a list of public IP addresses created in an alias, to say only these computers are allowed to access this management interface. Now, this is still good, because you're filtering it and it's reasonable on security, but there's another way you can manage it. So if you wanna go a step further and a little more secure, there is SSH management. We go over here to Advanced and scroll down to SSH. Now, by default it's not enabled; Secure Shell is not turned on. So just check the box. It'll pause; it's gotta generate some new keys. Depending on the speed of your machine it takes a few seconds, no big deal there. "Public key or password": that's bad. You do not want it so people can just hammer away guessing usernames and passwords on your server, because there are bots out there that will spend a lot of time doing that. "Public key only": pretty secure. Public key encryption's been around for a long time, and if they find a flaw in public key encryption, we're all in trouble. We'll just say your firewall will be the least of the worries, because so many things are managed simply by public key encryption. So it's a pretty safe way to set this up, with public key only. Now, I'm not gonna get in depth in this particular video, as it goes out of scope, but I will leave you a couple of links here. There is a great write-up on DigitalOcean on how to set up your public keys. You could do this with PuTTY. I prefer to do this inside of a bash shell, and I'm running Linux, which means it's really easy. But don't worry if you're running Windows: you still don't have to use PuTTY unless you feel like it, because Windows 10 has something I really like that they included, the Windows Subsystem for Linux.
We have tested this methodology because a couple of my staff do run Windows 10. It works; you can SSH-manage things with the port forwarding that I'm gonna show you how to do. It works perfectly fine inside of Windows as well. Now, public key authentication means having a public key. Actually, this is my public key: if you go to github.com/flipsidecreations.keys, that is my public RSA key. The important part is always keeping your private key secret. So that's my key, and let me show you where that is on the computer when you generate keys. When you go through key generation, you'll kind of get the gist of this while it works. This is my private key, id_rsa, and id_rsa.pub. So we're gonna go ahead and cat the .pub, dump it to the screen here, and you'll see it's a short key just like this. So we can actually take this right here, copy it, and we're gonna go back over to pfSense. Got this all set up. See, it's on "public key only," which means you can't type a password in. You could change it to "public key and password," which requires both a password and a public key. For now, for the demonstration here, we'll just do it with a public key. Let's save. With that enabled, we go over here to the User Manager. Now, root on pfSense is the same username as admin; they're tied together, essentially. When you use admin on the interface, it's the same as root. I don't recommend, though, leaving that enabled ever. The first thing we do is create management accounts on the system, and then we disable the admin one. It's one less thing, because whoever's trying to get in always has to have the username and the password. We're gonna go ahead and edit this user. I already had the key in there, but you get the idea: I just pasted the key in like this. It's okay that it wraps. Go ahead and hit save. Now that SSH key is in there, and now we can log into pfSense, which is the first step: making sure we can log into it.
So we're gonna SSH to port 222, because we changed the default port from 22 to 222, and just to reiterate that real quick, you can see where we changed the port there. Then we went over here to Firewall Rules. We'll add the rule and walk through it real quick. We allow source "any"; probably you should filter it for at least your IP addresses, if they're public and static. If not, opening it to "any" is not the hugest risk; SSH is, like I said, a well-vetted, solid protocol. Port 222, and the destination is this firewall, so it's not forwarding to anything behind it. You're saying allow access to the SSH server on this firewall, and hit save. So that rule is applied. Then we just log in: ssh -p 222 <username>@172.16.69.112. Oh, typed that wrong. 172.16.69.112. "We're in," as they say in every hacker movie. That's it. It used public key authentication to get in. So let me walk you through a little bit of what's going on here and give you an idea with -v. You can just see it ran down the list, found the key, known hosts, found the key, da da da da da, to give you an idea of what's going on here. Once it's all done, it's logged in. That's it: we are logged into the system. But then how do you manage it from here? Well, that's what we're gonna talk about. That's the stuff that's actually pretty easy, and it's only one more command from this. We're gonna add a -L to this, and we're gonna say colon. Now, that's all we have to do, add this: 5555:localhost:5555. I've got one too many fives now; there's only four fives. What this allows us to do is wrap the port from localhost of the pfSense, so the management interface on the pfSense, to localhost on my computer. Now, if I were to do this and try to use a port below 1024, I would have to put sudo in front of it. As long as the ports are non-privileged, above 1024, then I can simply wrap the ports like this. Done. I'm in, but it didn't seem to do anything different. Well, that's where it gets kinda cool.
We're gonna go over here: https://localhost:5555. Spell localhost properly and make sure you have the L in there, and we're in. That's it. That one-liner is all I needed to get in. It's really simple. You're just taking localhost, as in the localhost of the machine you're connecting to, and you're taking that port, and I could make it a different port. Actually, I'll show you here. So log out, close that, exit. Let's just make this 10443. So -L 10443:localhost:5555; we're wrapping that to mine, and we'll go here. You can see I've used that port before. Did it auto-complete? Simple passwords, because it's a demo machine, and we're in. It's really that easy. There's not much else to it. You just wrap: the first part is where the destination is on your computer, the second part is the destination on the other one, -p 222, user at host, and away we go. We're into the system, and now we're able to remotely manage it. But I will note something. If you go over here to Advanced and change it to "require both password and public key," I'll actually show you what happens here. So we're logged in. We'll scroll down to the bottom, hit save. It actually saves it, but wait a second here: "Connection closed," and of course it fails. No worries; we can up-arrow and just reconnect again. Now, because I changed it this time, I'll show you the change we made. System, Advanced: we said require both password and public key. So now when I log in, as you noticed, exit out, log back in, it's now requiring a password from me instead of just logging back in. But you get the idea here: this is the easiest way to manage it, at least in my opinion. And like I said, this is cross-platform; it works in both Windows and Linux, though of course I'm using Linux here. It's just ssh -L, capital L; capitalization matters, not just in grammar, but especially in commands. 10443:localhost:5555, choosing the port number you used if you didn't use the default port number, and there.
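One way to script the tunnel described above, as an added example that is not from the video: a POSIX shell function that validates the three ports, prefixes sudo only when the local port is privileged (below 1024, the case mentioned above), and prints the ssh -L command plus the browser URL. SSH port 222, GUI port 5555, local port 10443, and the user/host "admin@172.16.69.112" are stand-in values from the walkthrough; the -N and PasswordAuthentication=no flags are my additions.

```shell
#!/bin/sh
# Added example (not from the video): build the pfSense SSH tunnel command.
# Stand-in values from the walkthrough: SSH on 222, web GUI on 5555,
# local port 10443, user "admin", host 172.16.69.112.

# is_port N -> success if N is an integer in 1..65535
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# needs_sudo LOCAL_PORT -> success when binding the local end needs root (< 1024).
# sudo makes ssh read root's ~/.ssh keys, so a port above 1024 is the better choice.
needs_sudo() {
  [ "$1" -lt 1024 ]
}

# build_tunnel_cmd LOCAL_PORT GUI_PORT SSH_PORT USER HOST
# -L maps localhost:LOCAL_PORT on this machine to localhost:GUI_PORT on the
# firewall; -N opens the tunnel without a remote shell; ExitOnForwardFailure
# makes ssh quit if the local port is already taken; PasswordAuthentication=no
# keeps the client key-only so a password prompt never appears.
build_tunnel_cmd() {
  local_port=$1; gui_port=$2; ssh_port=$3; user=$4; host=$5
  for p in "$local_port" "$gui_port" "$ssh_port"; do
    is_port "$p" || { echo "bad port: $p" >&2; return 1; }
  done
  prefix=""
  if needs_sudo "$local_port"; then prefix="sudo "; fi
  printf '%sssh -N -o ExitOnForwardFailure=yes -o PasswordAuthentication=no -L %s:localhost:%s -p %s %s@%s\n' \
    "$prefix" "$local_port" "$gui_port" "$ssh_port" "$user" "$host"
}

# gui_url LOCAL_PORT -> the address to open in the browser once the tunnel is up
gui_url() {
  printf 'https://localhost:%s/\n' "$1"
}

# Usage: print the command and URL for the walkthrough's setup (does not connect).
build_tunnel_cmd 10443 5555 222 admin 172.16.69.112
gui_url 10443
```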
You can learn about SSH port forwarding, which is the function I'm using here. You could actually log into other machines on the network by bridging and proxying through this. So there's a lot more expanded things you could do with this, but this is an easy way to get started with it. The scope of this talk is just how to get into pfSense remotely and be able to go into the system. I'll show you real quick that it works across the internet perfectly fine. I'm gonna SSH to my house. And yes, I had to blur that out. So I'm logging into my home computer. Not that if you had my public IP for home you'd be able to do much other than probably annoy me with some type of denial of service, but whatever, I'm gonna blur it. But now I'm logged into my home, and I can probably guess that, well, there's not much traffic. Maybe no one's watching Netflix at my house right now. But you get the idea. And yes, I am running an SG-1100 at home. That's one of the places that these landed; actually, I got one for all of my staff as well. Anyways, hopefully this helps. It's an easy way to remotely manage pfSense via SSH: just wrap the management port and tunnel it, and you're done. It's that easy to do. I will do some further videos on what else you can do with SSH forwarding, including doing it with pfSense to remotely access networks via proxy over SSH. But that's a future video. Look for that coming soon. Thanks for watching. If you liked this video, give it a thumbs up. If you wanna subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you wanna hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you wanna throw at us.
Also, if you wanna carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you wanna help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. Once again, thanks again for watching this video, and see you next time.