How to prevent someone from logging in the opnsense router?

[newman87]

Hi,
I would like to ask, how is this possible to prevent someone to logging in the opnsense router,even better using a tool for 2 factor authentication.for even better protection.
Thanks

[phoenix]

How about an internet search and then read the Documentation Page? :)

https://docs.opnsense.org/manual/how-tos/two_factor.html

[newman87]

Hi,thanks for the answer.
Actually what you mention is for the Web UI of Opnsense,I have already used it.
My question has to do with the network part,how to prevent someone using the command line to log in router,so as NOT to continue to the rest of the network.I hope this is clear

[cookiemonster]

The logging in is by ssh. So you can and should exercise some basics. Create an account for each user and disable root. You need at least one account in the Admin group.
Any user with the /nologin shell will be prevented from logging in.
Everybody else is bruteforcing and usual methods to mitigate should apply.
I'm sorry but your question is still vage.

[meyergru]

1. You do not have to open ssh at all.
2. Two factor applies also to ssh user logins.
3. You can control which interfaces or networks ssh access you want to open in the first place - matter-of-fact that is essentially what a firewall does, isn't it?

[Vexz]

My question has to do with the network part,how to prevent someone using the command line to log in router,so as NOT to continue to the rest of the network.I hope this is clear

I haven't tested it but if that setting does what it sounds like, that should be what you're looking for:
On the web UI navigate to System > Access > Users and click on the edit button of the specific user. Scroll down to the part that says "Login shell" and in the drop down menu select "/sbin/nologin".

[Patrick M. Hausen]

My question has to do with the network part,how to prevent someone using the command line to log in router

Disable SSH - nobody will be able to log in.