How to SSH into pfSense
In this post, I will show you how to log in to your pfSense device using SSH. If you are not familiar with the term SSH, it is a secure network protocol that allows text-based access and communication between two different systems. In order for an SSH session to take place, both computers must support the protocol and have their ports open.
What is SSH?
SSH is a network protocol that provides secure access to the command-line interface of your pfSense box. It also allows you to transfer files between two different systems without having them exposed over the internet or LAN for everyone else to see.
How to Enable SSH?
Before you can log in via SSH, the service needs to be enabled. This is a simple two-step process:
- Log in to your pfSense admin webpage
- Navigate over to System -> Advanced and scroll down until you find the option for SSH. Simply check the box and click Save to save the changes.
How to SSH into pfSense?
Now that SSH is enabled, you can log in to your pfSense device using the following steps. This process must be completed on a system (laptop/PC) other than the one running pfSense:
- Open up your favorite terminal program, such as HyperTerminal on Windows or the built-in Terminal application for Mac OS X
- In order to log in with a username and password combination, you will need to know what these are. If you have not changed them from their default values, then they are most likely admin and pfsense. This can be confirmed by logging into pfSense via its web interface and checking System -> General
- The username is pfsense and the password is what you set it to
- Once logged in, you should be presented with a terminal prompt such as: PFSENSE_CONSOLE login:. This means that we have successfully connected via SSH! Now we can begin running commands on this device.
How do I Exit my SSH Session?
If you are done with your pfSense box, then it is best practice to simply log out. If that does not seem appropriate at the moment, or you get lost in this process, then there are three ways to end an SSH session:
- Type Exit into the terminal application and press enter to close out of any commands/processes started during this session. This will also terminate all active connections (SOCKS proxy etc…) if active on this client computer
- When logged in via PuTTY, click on XTerm in the top left corner and select Restart session to end this PuTTY connection without closing your pfSense login
- If you are logged in via Windows Command Prompt, pressing Ctrl+C will terminate that SSH session. This is also true for Mac OS X Terminal by pressing Cmd+C
The SSH service in pfSense is extremely powerful, and can be customized to meet many different needs. Some options that you may want to configure are:
- Allow root login with password instead of public key authentication (WARNING! This option should only be used when the admin console has good physical security controls in place)
- Disable weak encryption algorithms such as MD516, RC4045, ZLIB etc…
- Configure SSH access using firewall rules (allows specific IPs or networks to login)
- Limit the number of users logged in at any given time (this helps prevent brute force attacks and resource starvation problems with weak authentication methods such as password only).
- Limit the number of login sessions (helps prevent brute force attacks, someone could still use a command such as top to view your system resources)
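As an added example (not from the original post and not pfSense's own code), the sketch below audits an sshd_config for three of the options listed above: root login by password, RC4/MD5 algorithms, and session or login limits left at their defaults. It assumes the SSH daemon is OpenSSH and uses standard sshd_config keywords; the sample configuration and the finding labels are constructed for illustration.

```python
import fnmatch

# Patterns for the weak algorithm families the article names (RC4, MD5).
WEAK = {"ciphers": "arcfour*", "macs": "hmac-md5*"}
# Limits the article suggests setting, with OpenSSH's built-in defaults.
LIMITS = {"maxauthtries": "6", "maxsessions": "10", "maxstartups": "10:30:100"}

def parse_global(text):
    """Global options only: keywords are case-insensitive, first one wins."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        if parts[0].lower() == "match":  # Match blocks apply conditionally
            break
        opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit(text):
    opts, findings = parse_global(text), []
    # Defaults when unset: PermitRootLogin prohibit-password, PasswordAuthentication yes.
    root = opts.get("permitrootlogin", "prohibit-password").lower()
    if root == "yes" and opts.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("root-password-login")
    for key, pattern in WEAK.items():
        value = opts.get(key, "").lower()
        if value.startswith("-"):  # "-list" removes algorithms from the defaults
            continue
        for alg in value.lstrip("+^").split(","):
            if fnmatch.fnmatchcase(alg.strip(), pattern):
                findings.append(f"weak-{key}:{alg.strip()}")
    for key, default in LIMITS.items():
        if key not in opts:
            findings.append(f"default-{key}={default}")
    return findings

# Constructed sample input, not a real pfSense configuration.
SAMPLE = """\
PermitRootLogin yes
Ciphers aes256-gcm@openssh.com,arcfour128
MACs hmac-sha2-256,hmac-md5-96
MaxSessions 2
PermitRootLogin no
Match Address 192.0.2.0/24
    MaxAuthTries 1
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The second PermitRootLogin line in the sample is ignored because sshd uses the first value it reads for each keyword, and the MaxAuthTries inside the Match block does not count as a global limit.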
pfSense SSH Connection Refused: How to Fix?
When trying to connect via SSH, you may get a message like this: Connection Refused. This means that your device is not accepting connections on port 22. There are several reasons why this could be occurring:
- The most common cause for this error is if pfSense’s built-in firewall service has blocked the incoming traffic from reaching the SSH daemon. You can check what rule might be blocking it by navigating over to Firewall -> Rules and checking the built-in “WAN” tab. If you are unable to find where it is being blocked, try temporarily disabling all rules and see if that fixes your issue
- You may have accidentally configured pfSense to only allow connections from certain IPs/networks using SSH. This can be checked by navigating over to System -> Advanced and looking for a section called Local SSH. Make sure that this box is not checked! By default, anyone should be able to connect via SSH without having any restrictions enabled.
- Another reason could be related to how DNS works on your network. To make things simple, let’s assume your router obtains its WAN address via DHCP (most do). This means that every time your router connects to the internet it receives a new IP. If pfSense gets assigned an address that is not within the same subnet then it won’t be able to talk with any other devices on its local network (this includes SSH access).