OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: Ragai on August 04, 2022, 02:08:58 am

Title: Not port knocking but similar
Post by: Ragai on August 04, 2022, 02:08:58 am
Hi,
   I know that port knocking is not preferable but, at the same time, I don't want a Windows computer I RDP to exposed on the Internet 24x7.
   Is there a way to enable port forwarding to this computer through CLI/SSH, then disable this port forwarding again?
   The idea is to have a script (I'm using a Debian LXQT desktop) that will log in using SSH (or HTTPS), enable the port forward rule, initiate RDP, then disable the port forward.
Thanks,
Title: Re: Not port knocking but similar
Post by: tracerrx on August 04, 2022, 03:13:30 am
Instead of doing this... Please please please look at setting up a VPN...

I would suggest one of the newer de-centralized options like ZeroTier or Tailscale (especially if you do not have a static IP or have CGNAT)... But at minimum use WireGuard or OpenVPN with a dynamic DNS service.  There will be clients for all platforms to connect, and you won't have to worry about having RDP open to the internet.
Title: Re: Not port knocking but similar
Post by: Ragai on August 04, 2022, 04:39:43 am
Instead of doing this... Please please please look at setting up a VPN...

I would suggest one of the newer de-centralized options like ZeroTier or Tailscale (especially if you do not have a static IP or have CGNAT)... But at minimum use WireGuard or OpenVPN with a dynamic DNS service.  There will be clients for all platforms to connect, and you won't have to worry about having RDP open to the internet.

   Here's my setup; I have about 50 OPNsense installations in different locations. I'm very familiar with OpenVPN and have it set up for the users who log in to these Windows computers on a regular basis.
   Some of these networks use the same subnet 192.168.2.x because of a special device whose default subnet I cannot change (pharmacy robot, dentist X-ray, etc...)
   I need to log in infrequently to 3, 4 or 5 of these computers and only to fix something. Using OpenVPN in this scenario is sometimes problematic. Using RDP is easier and causes no conflicts.
Title: Re: Not port knocking but similar
Post by: bunchofreeds on August 04, 2022, 06:23:32 am
Something like TeamViewer sounds like a fit here
Title: Re: Not port knocking but similar
Post by: tracerrx on August 04, 2022, 03:52:46 pm
If you're in healthcare then you know DON'T OPEN RDP to the world... It's a HUGE attack surface... You won't be able to pass any kind of accreditation/HIPAA security audit with an RDP port open, and I doubt you could even pass PCI... There is literally NO NEED FOR IT... Please use a VPN or some sort of de-centralized entry point.
Title: Re: Not port knocking but similar
Post by: Ragai on August 05, 2022, 12:01:27 am
If you're in healthcare then you know DON'T OPEN RDP to the world... It's a HUGE attack surface... You won't be able to pass any kind of accreditation/HIPAA security audit with an RDP port open, and I doubt you could even pass PCI... There is literally NO NEED FOR IT... Please use a VPN or some sort of de-centralized entry point.

   Actually, I sort of am. These computers are mainly in pharmacies and clinics. But that is why I don't have the port forward enabled all the time. What I do is enable port forwarding, RDP, then disable port forwarding. Total time <5 seconds. I was told that this is acceptable because it's just for a few seconds and that these port forwardings are on non-standard ports (I'm not using the standard 3389 port).
   I would have set up a properly protected point of entry if they were all in 1 or 2 locations.
   I guess for now I'll have to work on only one location at a time using OpenVPN. Not efficient but definitely safer.
Title: Re: Not port knocking but similar
Post by: Ragai on August 05, 2022, 12:12:10 am
Something like TeamViewer sounds like a fit here

I prefer to stay under the radar and use my own solutions, especially after many big systems got hacked. The SolarWinds incident is one recent example. For me, no centralized system. More work but less nerve-wracking.
Title: Re: Not port knocking but similar
Post by: fabian on August 08, 2022, 07:40:20 pm
SSH can actually port forward using -L or act as a SOCKS proxy.
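As an added illustration of that last suggestion (this script is not from the thread or from the OPNsense project), here is the `ssh -L` approach applied to the original use case: the client never opens an inbound forward to RDP; it reaches the site's SSH endpoint, forwards a loopback port to the Windows host's 3389, runs the RDP client against loopback, and closes the tunnel on exit. Because the target address is resolved by the SSH server at the site, the overlapping 192.168.2.x subnets mentioned earlier do not collide on the client. The site names, the `xfreerdp` client and key-based SSH access to each site are assumptions.

```shell
#!/bin/sh
# Reach a site's RDP host through an SSH local forward instead of an
# inbound firewall port forward. Hypothetical example; assumes key-based
# SSH access to each site and the xfreerdp client on the desktop.
set -eu

# Arguments for a backgrounded master connection carrying the forward.
# ExitOnForwardFailure makes ssh fail loudly if the local port is taken,
# rather than connecting without the forward; binding to 127.0.0.1 keeps
# the forwarded port off the LAN.
tunnel_args() {
    site="$1"; target="$2"; lport="$3"; sock="$4"
    printf '%s' "-M -S ${sock} -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:${lport}:${target}:3389 ${site}"
}

# One loopback port per site index (constructed scheme: 13389 + index),
# so sessions to two sites with the same 192.168.2.x subnet never clash.
local_port_for() {
    echo $((13389 + $1))
}

# Open tunnel, run RDP against loopback, tear the tunnel down on exit.
rdp_via_ssh() {
    site="$1"; target="$2"; idx="${3:-0}"
    lport=$(local_port_for "$idx")
    sock="${TMPDIR:-/tmp}/rdp-${lport}.sock"
    # shellcheck disable=SC2046  # intentional word splitting of the args
    ssh $(tunnel_args "$site" "$target" "$lport" "$sock")
    # The control socket lets us close exactly this tunnel, no pgrep needed.
    trap 'ssh -S "$sock" -O exit "$site" 2>/dev/null' EXIT INT TERM
    xfreerdp /v:"127.0.0.1:${lport}"
}

# Usage: ./rdp_via_ssh.sh admin@site1.example 192.168.2.10 1
if [ $# -ge 2 ]; then
    rdp_via_ssh "$@"
fi
```

The SSH host can be the OPNsense box itself or any host at the site that can reach the Windows machine; nothing on the firewall is toggled, so there is no window during which the rule could be left open.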