From 39187fbf03f61e057e47cd3cd1ebc93a3cba3d87 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Tue, 28 Mar 2023 16:48:45 +0200 Subject: [PATCH] System/Settings/Administration - reorganise settings a bit and add missing options. Also explain the risks of using "listen interfaces" and how to properly use them. Loopbacks are intended to create the environment needed to reliably bind a service in a changing world. --- source/manual/how-tos/user-local.rst | 21 --- source/manual/settingsmenu.rst | 263 +++++++++++++++++---------- 2 files changed, 167 insertions(+), 117 deletions(-) diff --git a/source/manual/how-tos/user-local.rst b/source/manual/how-tos/user-local.rst index ce99cda3..92d600dd 100644 --- a/source/manual/how-tos/user-local.rst +++ b/source/manual/how-tos/user-local.rst 
@@ -34,24 +34,3 @@ corner of the form. Enter a **Group name** and a **Description** and add users to the group. -SSH and console login ---------------------- - -User accounts can be used for logging in to the web frontend, as well as for logging in to the console (via VGA, -serial or SSH). The latter will only work if the user shell is not set to ``/sbin/nologin``. - -In order to access OPNsense via SSH, SSH access will need to be configured via :menuselection:`System --> Settings --> Administration`. -Under the "Secure Shell" heading, the following options are available: - -============================ ========================================================================== - **Enable secure shell** Global on/off switch. - **Login Group** Which user groups can access OPNsense via SSH. - **Permit root user login** Normally, only non-root accounts are allowed for security reasons. - This option enables root login. - **Permit password login** The recommended login method is using SSH keys as it's more secure, - but this option will also enable password logins. - **SSH Port** Defaults to 22, but can be changed to make port scanning less effective. - **Listen interfaces** By default, SSH listens on all interfaces. You can limit this - (to just the LAN, for example) for additional security - at the cost of availability. -============================ ========================================================================== diff --git a/source/manual/settingsmenu.rst b/source/manual/settingsmenu.rst index 99c9c586..e08b3951 100644 --- a/source/manual/settingsmenu.rst +++ b/source/manual/settingsmenu.rst 
@@ -12,87 +12,157 @@ Administration The settings on this page concerns logging into OPNsense. The “Secure Shell” settings are described under :doc:`Creating Users & Groups`. -+----------------------------------------------+-----------------------------------------------------------------------+ -| Setting | Explanation | -+==============================================+=======================================================================+ -| **Web GUI** | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Protocol | It is strongly recommended to leave this on “HTTPS” | -+----------------------------------------------+-----------------------------------------------------------------------+ -| SSL Certificate | By default, a self-signed certificate is used. Certificates can be | -| | added via :menuselection:`System --> Trust --> Certificates`. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| SSL Ciphers | Can be used to limit SSL cipher selection in case the system defaults | -| | are undesired. Note that restrictive use may lead to an inaccessible | -| | web GUI. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Enable HTTP Strict Transport Security | Enforces loading the web GUI over HTTPS, even when the connection | -| | is hijacked (man-in-the-middle attack), and do not allow the user to | -| | trust an invalid certificate for the web GUI. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| TCP port | Can be useful if there are other services that are reachable via port | -| | 80/443 of the external IP, for example. 
| -+----------------------------------------------+-----------------------------------------------------------------------+ -| Disable web GUI redirect rule | If you change the port, a redirect rule from port 80/443 will be | -| | created. Check this to disable creating this rule. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Disable logging of web GUI successful logins | | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Session Timeout | Time in minutes to expire idle management sessions. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Disable DNS Rebinding Checks | OPNsense contains protection against | -| | `DNS rebinding `__ by | -| | filtering out DNS replies with local IPs. Check this box to disable | -| | this protection if it interferes with web GUI access or name | -| | resolution in your environment. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Alternate Hostnames | Alternate, valid hostnames (to avoid false positives in | -| | referrer/DNS rebinding protection). | -+----------------------------------------------+-----------------------------------------------------------------------+ -| HTTP Compression | Reduces size of transfer, at the cost of slightly higher CPU usage. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Enable access log | Log all access to the Web GUI (for debugging/analysis) | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Listen interfaces | Can be used to limit interfaces on which the Web GUI can be accessed. 
| -| | This allows freeing the interface for other services, such as HAProxy.| -+----------------------------------------------+-----------------------------------------------------------------------+ -| Disable HTTP_REFERER enforcement check | The origins of requests are checked in order to provide some | -| | protection against CSRF. You can turn this off of it interferes with | -| | external scripts that interact with the Web GUI. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| **Console** | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Use the virtual terminal driver (vt) | When unchecked, OPNsense will use the older sc driver. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Primary Console | The primary console will show boot script output. All consoles display| -| | OS boot messages, console messages, and the console menu. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Secondary Console | See above. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Serial Speed | Allows adjusting the baud rate. 115200 is the most common. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Use USB-based serial ports | Listen on ``/dev/ttyU0``, ``/dev/ttyU1``, … instead of ``/dev/ttyu0``.| -+----------------------------------------------+-----------------------------------------------------------------------+ -| Password protect the console menu | Can be unchecked to allow physical console access without password. 
| -| | This can avoid lock-out, but at the cost of attackers being able to | -| | do anything if they gain physical access to your system. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| **Authentication** | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Server | Select one or more authentication servers to validate user | -| | credentials against. Multiple servers can make sense with remote | -| | authentication methods to provide a fallback during connectivity | -| | issues. When nothing is specified the default of "Local Database" | -| | is used. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Disable integrated authentication | When set, console login, SSH, and other system services can only use | -| | standard UNIX account authentication. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| Sudo | Permit sudo usage for administrators with shell access. | -+----------------------------------------------+-----------------------------------------------------------------------+ -| User OTP seed | Select groups which are allowed to generate their own OTP seed on the | -| | password page. | -+----------------------------------------------+-----------------------------------------------------------------------+ + +............................... +Listen interfaces +............................... + +.. Warning:: + Before considering the use of manual selected interfaces, make sure to read this chapter so you are aware + of the pitfalls upfront. Misconfigurations likely lead to a non accesible web interface and or missing ssh access. 
+ + +Both the WebUI and the Secure Shell server support the option to only listen on specific interfaces, the use of this option +however comes with clear warnings which you do need to be aware of before deciding to use this option. + +By default (our recommended settings), these services listen on all addresses (interfaces). + +If for whatever reason, you do need to listen only on specific interfaces, the following rules apply: + +* The interface must always be available, so do not try to bind to vpn instances of any kind (OpenVPN, Wireguard, ...) +* The addressing must be fully static, so no IPv6 tracking configured for example + +As the webgui is not able to predict with 100% certainty that these rules do apply, it is possible to select interfaces +that don't support binding for these services. + +.. Note:: + When facing issues with the webgui (and or ssh) and the above rules are not met, please do not bother to open a ticket + as these are unsupported scenario's. + + +.. Tip:: + In case (**for any service**) one would like to prevent binding on all interfaces, it is possible to add a + loopback interface (:menuselection:`Interfaces->Other Types->Loopback`), assign an ip address and bind to that. + If traffic is being routed through the firewall, the "loopback ip" (some private addres, not in the loopback range) + should be directly accessible from the network behind it. For example use an address like :code:`192.192.192.192/32` + to access the web interface while your own network is using :code:`192.168.1.0/24`. + + Technologies like Network Address Translation can also be combined if the other end is not aware of the route to + this single address. + + +............................... +Web GUI +............................... 
+ +============================================== ======================================================================== +Protocol It is strongly recommended to leave this on “HTTPS” +SSL Certificate By default, a self-signed certificate is used. Certificates can be + added via :menuselection:`System --> Trust --> Certificates`. +SSL Ciphers Can be used to limit SSL cipher selection in case the system defaults + are undesired. Note that restrictive use may lead to an inaccessible + web GUI. +HTTP Strict Transport Security Enforces loading the web GUI over HTTPS, even when the connection + is hijacked (man-in-the-middle attack), and do not allow the user to + trust an invalid certificate for the web GUI. +TCP port Can be useful if there are other services that are reachable via port + 80/443 of the external IP, for example. +Disable web GUI redirect rule If you change the port, a redirect rule from port 80/443 will be + created. Check this to disable creating this rule. +Session Timeout Time in minutes to expire idle management sessions. +DNS Rebind Check OPNsense contains protection against + `DNS rebinding `__ by + filtering out DNS replies with local IPs. Check this box to disable + this protection if it interferes with web GUI access or name + resolution in your environment. +Alternate Hostnames Alternate, valid hostnames (to avoid false positives in + referrer/DNS rebinding protection). +HTTP Compression Reduces size of transfer, at the cost of slightly higher CPU usage. +Enable access log Log all access to the Web GUI (for debugging/analysis) +Listen interfaces Can be used to limit interfaces on which the Web GUI can be accessed. + This allows freeing the interface for other services, such as HAProxy. +HTTP_REFERER enforcement check The origins of requests are checked in order to provide some + protection against CSRF. You can turn this off of it interferes with + external scripts that interact with the Web GUI. 
+============================================== ======================================================================== + +............................... +Secure Shell +............................... + +User accounts can be used for logging in to the web frontend, as well as for logging in to the console (via VGA, +serial or SSH). The latter will only work if the user shell is not set to ``/sbin/nologin``. + +In order to access OPNsense via SSH, SSH access will need to be configured via :menuselection:`System --> Settings --> Administration`. +Under the "Secure Shell" heading, the following options are available: + +============================================== ======================================================================== +Secure Shell Server Enable a secure shell service +Login Group Select the allowed groups for remote login. The "wheel" group is + always set for recovery purposes and an additional local group can be + selected at will. Do not yield remote access to non-administrators + as every user can access system files using SSH or SFTP. +Permit Root Login Root login is generally discouraged. It is advised to log in via + another user and switch to root afterwards. +Permit password login When disabled, authorized keys need to be configured for each User + that has been granted secure shell access. +SSH port Port to listen on, default is 22 +Listen Interfaces Only accept connections from the selected interfaces. + Leave empty to listen globally. Use with extreme care. 
+Key exchange algorithms The key exchange methods that are used to generate per-connection + keys +Ciphers The ciphers to encrypt the connection +MACs The message authentication codes used to detect traffic modification +Host key algorithms Specifies the host key algorithms that the server offers +Public key signature algorithms The signature algorithms that are used for public key authentication +============================================== ======================================================================== + + + +............................... +Console +............................... + +In case of an emergency, it's always practical to make sure to configure a console to be able to access the firewall +when network connectivity is not possible. + +.. Tip:: + After initial installation, always make sure to test if the console actually works. When concluding the console + is not functional when you need it can be very unpractical. + + +============================================== ======================================================================== +Use the virtual terminal driver (vt) When unchecked, OPNsense will use the older sc driver. | +Primary Console The primary console will show boot script output. All consoles display| + OS boot messages, console messages, and the console menu. | +Secondary Console See above. | +Serial Speed Allows adjusting the baud rate. 115200 is the most common. | +Use USB-based serial ports Listen on ``/dev/ttyU0``, ``/dev/ttyU1``, … instead of ``/dev/ttyu0``.| +Password protect the console menu Can be unchecked to allow physical console access without password. | + This can avoid lock-out, but at the cost of attackers being able to | + do anything if they gain physical access to your system. | +============================================== ======================================================================== + + +............................... +Authentication +............................... 
+ +The authentication section of the Administrationm settings offers general security settings for users logging into the +firewall. + +============================================== ======================================================================== +Server Select one or more authentication servers to validate user | + credentials against. Multiple servers can make sense with remote | + authentication methods to provide a fallback during connectivity | + issues. When nothing is specified the default of "Local Database" | + is used. | +Disable integrated authentication When set, console login, SSH, and other system services can only use | + standard UNIX account authentication. | +Sudo Permit sudo usage for administrators with shell access. | +User OTP seed Select groups which are allowed to generate their own OTP seed on the | + password page. | +============================================== ======================================================================== ---- 
@@ -119,50 +189,51 @@ of restart and reload is subject to their respective services as not all softwar The most common core commands are as follows: -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ + ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | Command in GUI | Command in shell | Supported parameters | Background information | -+==============================================================================================================================================================+ ++=============================================+========================================+=========================+=============================================+ | Update and reload firewall aliases | configctl filter refresh_aliases | No parameters | Updates IP aliases for DNS entries and MAC | | | | | addresses as well as URL tables. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | Firmware update check | configctl firmware poll | No parameters | Refresh current update status from firmware | | | | | mirror for e.g. remote status check via | | | | | API. Note this utilizes a skew interval of | | | | | 25 minutes. 
| -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | Firmware changelog update | configctl firmware changelog cron | No parameters | Refresh current changelog status from | | | | | authoritative firmware location to preview | | | | | changelogs for new versions. Note this | | | | | utilizes a skew interval of 25 minutes and | | | | | is also performed by the firmware update | | | | | check. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | Automatic firmware update | configctl firmware auto-update | No parameters | Perform a minor update if applicable. 
| -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | Update and reload intrusion detection rules | configctl ids update | No parameters | Fetches remote rules and reloads the IDS | | | | | instance to make use of newly fetched rules.| -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | Periodic interface reset | configctl interface reconfigure | identifier: Internal | Cycle through an interface reset that | | | [identifier] | name of the interface | removes all connectivity and reactivates | | | | as shown in assignments | it cleanly. | | | | or overview page, e.g. | | | | | "lan", "wan", "optX". | | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | Download and reload external proxy ACLs | configctl proxy fetchacls | No parameters | Fetch and activate the external ACL files | | | | | for configured blocklists. 
| -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | Remote backup | configctl system remote backup | No parameters | Trigger the remote backup at the specified | | | | | time as opposed to its nightly default. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | Issue a reboot | configctl system reboot | No parameters | Perform a reboot at the specified time. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | HA update and reconfigure backup | configctl system ha_reconfigure_backup | No parameters | Synchronize the configuration to the backup | | | | | firewall and restart its services to apply | | | | | the changes. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | Update Unbound DNSBLs | configctl unbound dnsbl | No parameters | Update the the DNS blocklists and apply the | | | | | changes to Unbound. 
| -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | ZFS pool trim | configctl zfs trim [pool] | pool: ZFS pool name to | Initiates an immediate on-demand TRIM | | | | perform the action on | operation for all of the free space in a | | | | | pool. This operation informs the underlying | @@ -170,14 +241,14 @@ The most common core commands are as follows: | | | | which are no longer allocated and allows | | | | | thinly provisioned devices to reclaim the | | | | | space. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ | ZFS pool scrub | configctl zfs scrub [pool] | pool: ZFS pool name to | Begins a scrub or resumes a paused scrub. | | | | perform the action on | The scrub examines all data in the specified| | | | | pools to verify that it checksums correctly.| | | | | For replicated (mirror, raidz, or draid) | | | | | devices, ZFS automatically repairs any | | | | | damage discovered during the scrub. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------+----------------------------------------+-------------------------+---------------------------------------------+ ------- General
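Review bot: on the user-local.rst hunk (@@ -34,24 +34,3 @@), deleting the "SSH and console login" section leaves a dangling cross-reference: the unchanged first line of the settingsmenu.rst hunk still reads 'The "Secure Shell" settings are described under :doc:`Creating Users & Groups`', but after this patch that document no longer contains them. Either drop that sentence or point it at the new "Secure Shell" subsection added to settingsmenu.rst in the same patch.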
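Review bot: on the settingsmenu.rst hunk (@@ -12,87 +12,157 @@), the new Console and Authentication tables are simple tables but their cells still carry the trailing `|` of the old grid table, e.g. "+Use the virtual terminal driver (vt)   When unchecked, OPNsense will use the older sc driver. |" and "+Server   Select one or more authentication servers to validate user |"; in a simple table those pipes render as literal characters, so strip them from every row of both tables. Two labels were renamed without updating their text: "DNS Rebind Check" (was "Disable DNS Rebinding Checks") is still explained with "Check this box to disable this protection", and "HTTP_REFERER enforcement check" (was "Disable HTTP_REFERER enforcement check") with "You can turn this off of it interferes" (also "of" should be "if"); make label and explanation agree on what checking the box does. In the loopback Tip, the example :code:`192.192.192.192/32` is not a private address even though the sentence promises "some private addres, not in the loopback range"; it sits in public space, so use an unused RFC 1918 address instead (or say explicitly that any unused address works and why). For the Secure Shell "Listen Interfaces" row, "Only accept connections from the selected interfaces" describes firewall behaviour rather than what the option does; "Listen only on the addresses of the selected interfaces" is more accurate and matches the chapter above it. Spelling and wording in the added text: "manual selected" should be "manually selected", "non accesible" should be "non-accessible", "and or" should be "and/or", "scenario's" should be "scenarios", "addres" should be "address", "Administrationm" should be "Administration", "Wireguard" should be "WireGuard", and "When concluding the console is not functional when you need it can be very unpractical" reads better as "Finding out that the console does not work at the moment you need it is very impractical." Finally, the Note "please do not bother to open a ticket" is unusually blunt for a manual page; "such setups are not supported" carries the same message.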
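Review bot: on the cron-command table hunks (@@ -119,50 +189,51 @@ and @@ -170,14 +241,14 @@), the old border lines had no `+` at the column boundaries, which docutils treats as a malformed grid table, so adding the per-column `+` markers is the right fix; please double check that every replaced border line places its `+` at exactly the same columns as the `|` separators in the rows below it, since a single misaligned border still breaks the whole table. While these rows are being touched, the unchanged context line "Update the the DNS blocklists and apply the" has a doubled "the" worth fixing in the same change.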