QUESTION/SUGGESTION
Hi, I notice that by default the SSH service (port 22) is enabled in the external Zone in FreedomBox’s firewall (Firewalld) configuration. I have done a bit of testing and it seems that this means that by default SSH access is available from the big bad internet, rather than just from machines on the local/home network. Is this an unnecessary security risk?
I have configured my home modem/router to set FreedomBox in the DMZ, so I suppose my set-up might not be a typical one. I guess, typically, FreedomBox might be set up behind a home modem/router’s firewall, and this would require that the user explicitly forward port 22 in the home router’s admin settings, thus mitigating the fact that port 22 on the FreedomBox is open to the internet by default.
However, SSH is a possible vector of attack for port-scanning crackers on the internet, and because SSH access to FreedomBox is typically only required for admin purposes, usually from the local/home network, from a security point of view would it make sense to have external access to the SSH service disabled by default in Firewalld? Possibly with an explicit option in Plinth to enable external SSH access if required?
BACKGROUND
The following are the steps that I took to change FreedomBox’s firewall, Firewalld, configuration and test SSH access…
To view Firewalld’s Zones and associated enabled Services:
sudo firewall-cmd --list-all-zones
The command above reveals that FreedomBox’s default Firewalld setup has the SSH service enabled in the following Zones: dmz, external and internal.
I was able to gain SSH access via my public IP running the following command and then entering my password:
ssh -p 22 username@my-public-IP
Having disabled SSH access for the external and dmz Zones with the following commands, attempts to establish an SSH connection using the previous command now fail with the message “no route to host”:
sudo firewall-cmd --permanent --zone=external --remove-service=ssh
sudo firewall-cmd --permanent --zone=dmz --remove-service=ssh
sudo systemctl restart firewalld
After disabling SSH access in the external and dmz Zones I can still establish an SSH connection to the FreedomBox from the local/home network by connecting to its local IP.
I feel more comfortable knowing that I have to explicitly enable external SSH access if I require it.
Should this be the default set up?
My setup: Raspbian Buster on a Raspberry Pi 3B+ with FreedomBox v2.7 installed from the repos.
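As an added example (not part of the original post, and not FreedomBox or Firewalld project code), the following POSIX shell script turns the manual audit above into something repeatable: it parses the text that `firewall-cmd --list-all-zones` prints, lists every zone whose `services:` line includes a given service, and then prints, for review, the `firewall-cmd` commands that would remove that service from every zone except an allow-list (here only `internal`). The `SAMPLE_ZONES` text is a constructed, trimmed imitation of that command's output shaped like the default the post describes (ssh in dmz, external and internal); on a real box you would pipe the live output in instead. It finishes with `firewall-cmd --reload` rather than restarting the service, which applies the permanent configuration without dropping existing connections.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all-zones` output (trimmed).
# Zone headers start at column 0 and may carry an "(active)" suffix;
# the per-zone attributes are indented by two spaces.
SAMPLE_ZONES='dmz
  target: default
  interfaces:
  services: ssh
  ports:

external (active)
  target: default
  interfaces: eth0
  services: ssh
  ports:

internal
  target: default
  interfaces:
  services: ssh mdns samba-client dhcpv6-client
  ports:

public
  target: default
  interfaces:
  services: dhcpv6-client
  ports:
'

# zones_with_service SERVICE
# Reads list-all-zones text on stdin; prints each zone whose "services:"
# line lists SERVICE, one zone per line.
zones_with_service() {
    awk -v want="$1" '
        /^[^ ]/ { zone = $1 }          # zone header, e.g. "external (active)"
        /^  services:/ {
            for (i = 2; i <= NF; i++)
                if ($i == want) print zone
        }'
}

# external_exposure SERVICE ALLOWED_ZONES
# Prints (space separated) the zones that expose SERVICE and are NOT in
# the space-separated ALLOWED_ZONES list, i.e. the ones worth reviewing.
external_exposure() {
    service="$1"; allowed=" $2 "
    out=""
    for z in $(zones_with_service "$service"); do
        case "$allowed" in
            *" $z "*) ;;                         # trusted zone, leave it
            *) out="${out:+$out }$z" ;;
        esac
    done
    printf '%s' "$out"
}

# remediation_commands SERVICE ALLOWED_ZONES
# Prints the firewall-cmd commands that would remove SERVICE from every
# zone outside ALLOWED_ZONES. Nothing is executed here; review, then run.
remediation_commands() {
    for z in $(external_exposure "$1" "$2"); do
        printf 'sudo firewall-cmd --permanent --zone=%s --remove-service=%s\n' "$z" "$1"
    done
    printf 'sudo firewall-cmd --reload\n'
}

# Demonstration on the constructed sample: only "internal" may keep ssh.
printf '%s\n' "$SAMPLE_ZONES" | remediation_commands ssh internal
```

To audit a live system, replace the sample with the real output: `sudo firewall-cmd --list-all-zones | external_exposure ssh internal` prints the zones that still expose SSH beyond the LAN; an empty result means the change from the post is in place.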