Inadvertently Opened SSH Remote Access
In my network, I created an alias for all of the ports I have open on my server so that I can create firewall rules to allow several of my VLANs to access the services hosted on my server. The benefit of creating an alias is that I do not need to create 4 separate firewall rules to open 4 different ports to my server and then repeat this process for each VLAN I need to allow access (yes, you could use floating rules or rule groups depending on the order you need rules to be processed). The convenience of writing a single rule using an alias can also be dangerous if you are not careful. This is a cautionary tale of what happens when you are not being careful…
When I was accessing my server from the outside world via SSH, I changed the default port from 22 to another port number to help reduce scanning and attacks that occur more frequently on the default port. I had included that non-default port number included in the alias that I used for internal VLANs to access my server as well as for my external NAT port forward rule.
Later, I set up an OpenVPN server in OPNsense which I use to access my home network. I changed the alias for the firewall rules to remove the SSH server port from being accessed from the outside world. I now only use the SSH server internally between VLANs to access my server (you should not assume your internal network is secure). Because of this change, I had to add an additional rule to the VLANs to allow SSH access since I did not want to include it in the alias that is also used for external access.
Fast forward again – I decided to switch back to the default SSH port on my server since it is no longer being accessed from the outside. It is nice having a slightly shorter command that does not need to specify the port number every time. When I changed back to port 22, I had to update the firewall rules. At the time, I thought it would be a good idea to add port 22 to the alias used both internally and externally so that I can get rid of some extra firewall rules. I had forgotten about the external use of that alias… When I was writing the review about the Zenarmor (formerly Sensei) plugin, I noticed external access to port 22 on my server so I immediate looked further into it and realized my mistake. It was getting a lot of attention by IP addresses associated with other nations that have been known to commit cyber espionage.
Since I use keys that are password protected and have disabled password and root logins, I was not too concerned, but I still wanted to close down access to that port. The nice thing about looking at the logs in Sensei is that I could see that the amount of data transmitted was zero or very small (perhaps responses to failed login attempts), and I could see the session time was not longer than a split second. Fortunately, in this case no harm was likely done, but it is a good reminder not to expose anything sensitive. It is also a good reminder to keep things locked down even in your internal network because if it does get exposed somehow, you should still be relatively safe. I say ‘relatively safe’ because zero-day vulnerabilities do occur frequently.
My recommendation would be to create a separate alias for the ports you wish to have accessed externally and do not reuse them internally – perhaps even if they contain the same exact port numbers because if you happen to change it in the future, you will not inadvertently expose ports. When I created a separate alias, I added a “WAN” prefix to the name so that I know it is for external use only. Now, I will have to intentionally change the WAN alias whenever I want to open or close access to any ports on my server.