FEATURE REQUEST: SSH password guessing handling

Comments

5 comments

  • Angel Wash

    I would like to request the same feature. How can we block SSH access to Firewalla Gold from a specific network segment or specific devices?

    1
  • Firewalla

    First, SSH password guessing can also be people typing in the wrong password ... Anyway, the best way to resolve this is to not expose SSH directly to the internet and to use a VPN.

    You can turn off firewalla SSH settings->advanced->configurations->ssh

    And if you want to block, then use rules to block the local network; see https://help.firewalla.com/hc/en-us/articles/4408644783123-Building-Network-Segments

    0
  • Angel Wash

    You can turn off firewalla SSH settings->advanced->configurations->ssh

    There is no ssh section. There is an "SSH Console" section, and in that section there is no turn-off option. The comment in that section says that the SSH service is always on and can't be turned off. I never generated a password so far. But there are people who are trying to guess the password on the local network.

    I have a segmented network already: 2 separate LANs. I just want to block SSH access to the Firewalla router on a specific network/LAN only.

    The network is 192.168.50.1/24 but I can't block "192.168.50.1:22"

    I get an error message saying I can't block the Firewalla box.

    What is the right way to do this?

    0
  • Angel Wash

    @Firewalla

    I found that the turn-off buttons/switches appear in the SSH Console section when you create a password, which is great.

    I have two requests:

    1. Can you please let users decide the length of the password? For example: Min 10, max: 30 etc.

    2. Can you please enable one of the following use cases for users? Ideally both of them would be great!

    • Users can use the turn-off switches in the non-password-created state as well.
    • Users can add a rule manually to block port 22 for the router IP address, in case we decide to use that port for something else.

    I believe these are reasonable requests.

    0
  • Mark W Abbott

    This is important. I have a flow set up that allows me to manually block the IPs that the router identifies as guessing the SSH password. I add a couple every day. Firewalla would benefit from an automatic routine to block these, rather than making me manually block them every 8 or 10 hours.

    0
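
What the automatic routine requested in the last comment could check, as an added example that is not part of the thread and not Firewalla code: it counts failed sshd logins per source within a time window and treats many distinct usernames as stronger evidence than repeated failures on one account, since a few failures can simply be a mistyped password. The log lines, the thresholds and the trusted subnet `192.168.10.0/24` are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd log lines (sample data; host name and addresses are made up).
SAMPLE_LOG = (
    "Mar  3 10:15:01 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2\n"
    "Mar  3 10:15:04 gw sshd[811]: Failed password for root from 203.0.113.7 port 50113 ssh2\n"
    "Mar  3 10:15:09 gw sshd[812]: Failed password for invalid user test from 203.0.113.7 port 50114 ssh2\n"
    "Mar  3 10:20:00 gw sshd[820]: Failed password for pi from 198.51.100.4 port 40000 ssh2\n"
    "Mar  3 10:20:30 gw sshd[820]: Failed password for pi from 198.51.100.4 port 40000 ssh2\n"
    "Mar  3 10:20:41 gw sshd[820]: Accepted password for pi from 198.51.100.4 port 40000 ssh2\n"
) + "".join(
    f"Mar  3 11:0{i}:00 gw sshd[830]: Failed password for pi from 192.168.50.23 port 41000 ssh2\n"
    for i in range(5))

FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from ([0-9A-Fa-f:.]+) port \d+")

# Thresholds and the trusted admin subnet are assumed values for this example.
def find_guessers(log_text, year=2024, window=timedelta(minutes=10),
                  max_failures=5, max_users=3, trusted=("192.168.10.0/24",)):
    """Return {source_ip: reason} for sources that look like password guessing."""
    trusted_nets = [ip_network(n) for n in trusted]
    recent = defaultdict(deque)  # ip -> (time, user) failures inside the window
    flagged = {}
    for line in log_text.splitlines():  # lines are assumed chronological
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated messages
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        user, ip = m.group(2), m.group(3)
        try:
            if any(ip_address(ip) in net for net in trusted_nets):
                continue  # never propose blocking the admin subnet
        except ValueError:
            continue  # source field was not a valid address
        q = recent[ip]
        q.append((when, user))
        while when - q[0][0] > window:
            q.popleft()  # forget failures older than the window
        users = {u for _, u in q}
        if len(users) >= max_users:  # many account names: not a typo
            flagged.setdefault(ip, f"{len(users)} usernames tried")
        elif len(q) >= max_failures:
            flagged.setdefault(ip, f"{len(q)} failures in window")
    return flagged
```

The returned addresses are candidates for a block rule; how a rule is created on the box is outside this example.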