Inadvertently Opened SSH Remote Access

Be careful when using aliases because you could expose unnecessary services to the world...

Photo by KRiemer from Pixabay

Introduction

In my network, I created an alias for all of the ports I have open on my server so that I can create firewall rules to allow several of my VLANs to access the services hosted on my server. The benefit of creating an alias is that I do not need to create 4 separate firewall rules to open 4 different ports to my server and then repeat this process for each VLAN I need to allow access (yes, you could use floating rules or rule groups depending on the order you need rules to be processed). The convenience of writing a single rule using an alias can also be dangerous if you are not careful. This is a cautionary tale of what happens when you are not being careful…

Inadvertent Exposure

When I was accessing my server from the outside world via SSH, I changed the default port from 22 to another port number to reduce the scanning and attacks that hit the default port far more often. I had included that non-default port number in the alias that I used both for internal VLAN access to my server and for my external NAT port forward rule.

Later, I set up an OpenVPN server in OPNsense which I use to access my home network. I removed the SSH server port from the alias so that it was no longer reachable from the outside world. I now only use the SSH server internally between VLANs to access my server (you should not assume your internal network is secure). Because of this change, I had to add an additional rule to the VLANs to allow SSH access, since I did not want to include it in the alias that is also used for external access.

Fast forward again – I decided to switch back to the default SSH port on my server since it is no longer being accessed from the outside. It is nice having a slightly shorter command that does not need to specify the port number every time. When I changed back to port 22, I had to update the firewall rules. At the time, I thought it would be a good idea to add port 22 to the alias used both internally and externally so that I could get rid of some extra firewall rules. I had forgotten about the external use of that alias… When I was writing the review about the Sensei plugin, I noticed external access to port 22 on my server, so I immediately looked further into it and realized my mistake. The port was getting a lot of attention from IP addresses associated with nations known to commit cyber espionage.

Since I use keys that are password protected and have disabled password and root logins, I was not too concerned, but I still wanted to close down access to that port. The nice thing about looking at the logs in Sensei is that I could see that the amount of data transmitted was zero or very small (perhaps responses to failed login attempts), and I could see the session time was not longer than a split second. Fortunately, in this case no harm was likely done, but it is a good reminder not to expose anything sensitive. It is also a good reminder to keep things locked down even in your internal network because if it does get exposed somehow, you should still be relatively safe. I say ‘relatively safe’ because zero-day vulnerabilities do occur frequently.
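The triage I did by hand in Sensei (which external sources hit the port, how much data moved, how long each session lasted) is easy to script. The following is an added example and not code from the post or from Sensei: the log format is a constructed, simplified CSV with only the fields the reasoning above uses, not the Sensei export format, and the sample rows are made up, including one longer session that would merit a closer look. The thresholds for "worth investigating" are assumptions.

```python
"""Triage inbound connection records for ports that should not be reachable from WAN.

The log format here is a constructed, simplified CSV and is NOT the Sensei
(Zenarmor) export format; it only carries the fields the post reasons about:
where the connection came from, which port it hit, how much data moved and
how long it lasted.
"""
import csv
import io
from collections import Counter

# Constructed sample: scanner hits on port 22 from the WAN, one longer WAN
# session on port 22 that deserves a look, a legitimate HTTPS session from
# the WAN, and an internal VLAN SSH session that is expected.
SAMPLE_LOG = """\
ts,iface,src,dst_port,bytes_in,bytes_out,duration_ms
2020-05-01T10:00:01Z,WAN,198.51.100.7,22,0,0,12
2020-05-01T10:00:03Z,WAN,198.51.100.7,22,0,0,9
2020-05-01T10:01:17Z,WAN,203.0.113.44,22,96,280,240
2020-05-01T10:02:00Z,WAN,203.0.113.9,443,1500,48000,5300
2020-05-01T10:03:30Z,VLAN20,10.20.0.15,22,12000,9000,600000
2020-05-01T10:05:00Z,WAN,203.0.113.44,22,3200,18000,45000
"""

WAN_ALLOWED_PORTS = {80, 443}   # what the WAN alias is supposed to contain

# Assumed thresholds: a banner exchange or a rejected login moves a few
# hundred bytes and lasts well under a second; anything larger stands out.
SUSPICIOUS_BYTES = 4096
SUSPICIOUS_DURATION_MS = 5000


def parse_log(text):
    """Parse the constructed CSV into dicts with numeric fields converted."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        for key in ("bytes_in", "bytes_out", "duration_ms"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def unexpected_wan_hits(rows, allowed=WAN_ALLOWED_PORTS):
    """Inbound WAN connections to ports outside the intended allowlist."""
    return [r for r in rows if r["iface"] == "WAN" and r["dst_port"] not in allowed]


def triage(rows, allowed=WAN_ALLOWED_PORTS):
    """Summarise the unexpected hits: ports, sources, data moved, longest session,
    and which sources exceeded the byte or duration thresholds."""
    hits = unexpected_wan_hits(rows, allowed)
    suspicious = sorted({
        r["src"] for r in hits
        if r["bytes_in"] + r["bytes_out"] > SUSPICIOUS_BYTES
        or r["duration_ms"] > SUSPICIOUS_DURATION_MS
    })
    return {
        "ports": sorted({r["dst_port"] for r in hits}),
        "sources": Counter(r["src"] for r in hits),
        "total_bytes": sum(r["bytes_in"] + r["bytes_out"] for r in hits),
        "max_duration_ms": max((r["duration_ms"] for r in hits), default=0),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Zero-byte, millisecond sessions are what a port scan or a rejected key-only login looks like; the source that shows up with tens of kilobytes over 45 seconds is the one to check against the sshd auth log before deciding no harm was done.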

A Recommendation

My recommendation would be to create a separate alias for the ports you wish to have accessed externally and not reuse it internally, even if the two aliases contain exactly the same port numbers, because if you change one of them in the future you will not inadvertently expose ports. When I created a separate alias, I added a "WAN" prefix to the name so that I know it is for external use only. Now, I will have to intentionally change the WAN alias whenever I want to open or close access to any ports on my server.
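The mistake above is a config-time one, so it can be caught with a config-time check: flag any alias that is referenced by both a WAN rule and an internal interface rule, and before editing an alias, compute which ports would newly become reachable from the WAN. The script below is an added example, not code from the post or from OPNsense; it uses a hypothetical in-memory rule model (interface, alias, rule kind) rather than OPNsense's config.xml, and the aliases and rules are constructed to mirror the story, including a "fixed" rule set that follows the WAN-prefix recommendation.

```python
"""Lint firewall rules for aliases shared between the WAN and internal interfaces.

Hypothetical rule model, NOT OPNsense's config.xml: each rule is
(interface, alias, kind). An alias referenced from a WAN rule and also from
any internal interface is flagged, and exposure_diff() shows which ports an
alias edit would newly open to the WAN before the edit is made.
"""
from collections import defaultdict

EXTERNAL_IFACES = {"WAN"}

# Constructed aliases, as they stood before port 22 was added back.
ALIASES = {
    "Server_Ports": {80, 443},        # shared alias from the post
    "WAN_Server_Ports": {80, 443},    # WAN-only copy per the recommendation
    "SSH_Internal": {22},
}

# Constructed rules in the risky layout: one alias on the WAN and the VLANs.
RULES = [
    ("WAN",    "Server_Ports", "portforward"),
    ("VLAN10", "Server_Ports", "pass"),
    ("VLAN20", "Server_Ports", "pass"),
    ("VLAN20", "SSH_Internal", "pass"),
]

# Same policy with a dedicated WAN alias: the VLAN alias can change freely.
RULES_FIXED = [
    ("WAN",    "WAN_Server_Ports", "portforward"),
    ("VLAN10", "Server_Ports",     "pass"),
    ("VLAN20", "Server_Ports",     "pass"),
    ("VLAN20", "SSH_Internal",     "pass"),
]


def alias_usage(rules):
    """Map alias name -> set of interfaces whose rules reference it."""
    usage = defaultdict(set)
    for iface, alias, _kind in rules:
        usage[alias].add(iface)
    return usage


def shared_aliases(rules, external=EXTERNAL_IFACES):
    """Aliases referenced by an external interface AND at least one internal one."""
    usage = alias_usage(rules)
    return sorted(alias for alias, ifaces in usage.items()
                  if ifaces & external and ifaces - external)


def externally_exposed_ports(rules, aliases, external=EXTERNAL_IFACES):
    """Union of the ports every external-interface rule opens, via its alias."""
    ports = set()
    for iface, alias, _kind in rules:
        if iface in external:
            ports |= aliases[alias]
    return ports


def exposure_diff(rules, aliases, alias_name, new_ports, external=EXTERNAL_IFACES):
    """Ports that would newly be reachable from outside if alias_name became new_ports.

    Run this before saving an alias edit; a non-empty result means the edit
    is an external change, whatever the reason for making it.
    """
    before = externally_exposed_ports(rules, aliases, external)
    changed = {**aliases, alias_name: set(new_ports)}
    after = externally_exposed_ports(rules, changed, external)
    return after - before


def report(rules, aliases):
    """Human-readable warnings for every shared alias."""
    usage = alias_usage(rules)
    return [
        f"WARNING: alias {alias} is used on {sorted(usage[alias])}; "
        f"ports {sorted(aliases[alias])} are reachable from the WAN"
        for alias in shared_aliases(rules)
    ]


if __name__ == "__main__":
    for line in report(RULES, ALIASES):
        print(line)
    print("adding 22 to Server_Ports would newly expose:",
          exposure_diff(RULES, ALIASES, "Server_Ports", {80, 443, 22}))
    print("same edit with the WAN-prefixed layout would newly expose:",
          exposure_diff(RULES_FIXED, ALIASES, "Server_Ports", {80, 443, 22}))
```

With the shared layout, adding 22 to Server_Ports reports port 22 as newly exposed; with the WAN_ prefixed alias on the port forward, the same edit exposes nothing, which is exactly the property the recommendation is after.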