How to prevent someone from logging in to the OPNsense router?

Started by newman87, October 25, 2022, 12:19:59 PM

Hi,
I would like to ask how it is possible to prevent someone from logging in to the OPNsense router, even better using a tool for two-factor authentication, for even better protection.
Thanks


Hi, thanks for the answer.
Actually, what you mention is for the Web UI of OPNsense; I have already used it.
My question has to do with the network part: how to prevent someone using the command line to log in to the router, so as NOT to continue to the rest of the network. I hope this is clear.

The logging in is by ssh. So you can and should exercise some basics. Create an account for each user and disable root. You need at least one account in the Admin group.
Any user with the /nologin shell will be prevented from logging in.
Everybody else is brute-forcing, and the usual methods to mitigate should apply.
I'm sorry but your question is still vague.

1. You do not have to open ssh at all.
2. Two factor applies also to ssh user logins.
3. You can control which interfaces or networks you want to open ssh access on in the first place - as a matter of fact, that is essentially what a firewall does, isn't it?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
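
As an added example (not part of any post in this thread, and not OPNsense's own tooling): a read-only sh audit of the points raised above, namely which accounts still have a usable login shell, and whether sshd permits root, accepts passwords, or listens on every address. The function names and sample files are constructed for illustration; the fallback values are OpenSSH's documented defaults.

```shell
#!/bin/sh
# Added example: read-only audit of who can obtain a shell over SSH.

# Accounts in a passwd-format file whose shell is not nologin/false.
login_capable_users() {
    awk -F: '/^#/ || NF < 7 { next }
             $7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Effective global value of an sshd_config keyword: sshd uses the first
# occurrence; Match blocks are ignored here; $3 is the default if unset.
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { val = tolower($2); exit }
        END { print (val == "" ? def : val) }' "$1"
}

# Print findings; the exit status is the number of sshd findings.
audit_ssh() {
    n=0
    for u in $(login_capable_users "$1"); do
        echo "can open a shell: $u"
    done
    v=$(sshd_setting "$2" PermitRootLogin prohibit-password)
    [ "$v" = no ] || { echo "root login over SSH: $v"; n=$((n + 1)); }
    v=$(sshd_setting "$2" PasswordAuthentication yes)
    [ "$v" = no ] || { echo "password logins accepted: $v"; n=$((n + 1)); }
    v=$(sshd_setting "$2" ListenAddress all)
    [ "$v" != all ] || { echo "sshd listens on every address"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample data (not taken from a real system).
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
alice:*:2000:2000:Admin:/home/alice:/bin/csh
bob:*:2001:2001:VPN only:/home/bob:/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF
cat > "$sample_dir/sshd_config" <<'EOF'
# constructed
PermitRootLogin yes
PasswordAuthentication no
ListenAddress 192.168.1.1
EOF
audit_ssh "$sample_dir/passwd" "$sample_dir/sshd_config" || echo "findings: $?"
```

On a real system, pass the machine's own passwd file and sshd_config as the two arguments; the script only reads them.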

Quote from: newman87 on October 25, 2022, 02:09:11 PM
My question has to do with the network part: how to prevent someone using the command line to log in to the router, so as NOT to continue to the rest of the network. I hope this is clear.
I haven't tested it but if that setting does what it sounds like, that should be what you're looking for:
On the web UI navigate to System > Access > Users and click on the edit button of the specific user. Scroll down to the part that says "Login shell" and in the drop down menu select "/sbin/nologin".

Quote from: newman87 on October 25, 2022, 02:09:11 PM
My question has to do with the network part: how to prevent someone using the command line to log in to the router
Disable SSH - nobody will be able to log in.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)