Level Up Your Firewall Security: Implementing MFA on OPNsense

Captions
One of the great security features of OPNsense is the fact that it supports multi-factor authentication for the web interface directly out of the box, and in this video I'm going to walk through and show you exactly how to set it up from start to finish. Now there are a couple of caveats that you need to consider, because when you enable TOTP for the web interface it will also affect the console, so you need to make sure you don't lock yourself out of the console as well, and I'm going to walk through and show you exactly how to do that right now.

So log in. Okay, so before we can enable one-time passwords we basically need to set the server up. In order to do that, go into System > Access > Servers and you'll notice that we only have Local Database. So what we need to do is to add a new server for the TOTP authentication, so we're going to go Add, give it a name, so TOTP. The type, we need to set this to local time-based one-time password. The token length: if I recall correctly, if you're using Google Authenticator it only supports six characters; now you can use eight if you're using a different type of authenticator. I'm going to do this demo with Google, so we're going to leave it at 6. The other option you might be interested in is the Reverse token order. Typically TOTP works on any system where you log in, put your username in, your password in, and then you're prompted for the TOTP password, or the code from your authenticator. Now on OPNsense it doesn't work that way. How it does work is when you put your username in, the code and your password are combined, so you'll put your six-digit code in and then you'll put your password in. If this box is ticked, you'll put your password in and then you'll put your six-digit code in, or eight, whichever you've got it set to, and it does tell you that under the help. We're just going to leave this as default and click Save.

With that, let's go and create the user. So for security reasons I normally don't use the root user, I usually disable it. We'll go ahead and we'll create a new user, so Add: username YT user, password, "password" will do for now, name YouTube demo. Don't need email or comment or any of this stuff. Now the login shell, this is important: if you're creating a replacement user for root, if it's set to no login and you try and log in through the console it won't let you in, so you need to actually set an active shell, so we'll set this to csh. Leave the expiration date. Admins, want to be a member of. I'm going to leave the certificate for the user, I'll cover that in something else. The one-time seed, we need to generate that, so let's go ahead and hit Save. Now with that we have our one-time password seed generated, so we can copy that and paste it into our app, or we can click Unhide and then scan this QR code with the app. Just while we're in the user section, it's generally a good idea to paste your public SSH key in here so that you can SSH into the system without any password requirements. We're just going to leave that, but for now I'm going to go ahead and scan this with the app. So if I go into the app, delete that, that's the previous one, trash that, remove account. So I'm going to add a new account, I'm going to scan a QR code, and I want that. So now we've got the account added, we can go ahead and do that, so that works.

Once we've done that, the next stage obviously is we need to make sure that the OTP code actually works, so we're going to go into Servers, sorry, Tester, and we're going to test the TOTP. Now if you do Local Database and I put YT user and then I stick the password of "password" in, that will obviously pass, but we're not going to be using the local database, we're going to change it to our TOTP server, and now if I try that it fails because we need the TOTP code. So in order to do this we're going to do 409930 followed by password, hit Test, and now that's successful, and that's really important because we really don't want to lock ourselves out at this stage.

Okay, with that set, let me just change it back to this. With that set we can now set our system to authenticate against a TOTP database. So in order to do that we're going to Settings > Administration, look for Authentication, and it's set to Local Database. So what we're going to do is change that to TOTP and disable the local database. Now with that we can click Save, and if we log out and then try and log back in, if I try and log back in as the root user it's not going to let me in because there's no TOTP set up for it, so it fails. So we need to log in as our YouTube user, and again we need to put our one-time password in, and just let that one time out, so 665532, sorry, followed by password and log in. We're now back in the system.

Something to keep in mind when you're doing this is the console access; obviously you don't want to lock yourself out. So if we go to the console, and now we try and log in, if we try and log in as YT user with our password it's not going to work, so yeah, we need to go ahead and enter our authentication code, which we're going to do with YT user followed by 834853 password, and now we're in. The problem you may have at this stage is that if we try and access anything we're not going to be able to, even sticking the code and password in. YT user is not in the sudoers file, so that could be an issue. So to fix that we're going to make a couple of changes under System > Administration again. What we're going to want to do is enable Secure Shell, which allows you to SSH into the system if you want; you'll need to do that if you're going to SSH into it as opposed to accessing the console. Login group: wheel and admins, that's fine, so both wheel and admins can log in. Root login: you can leave that disabled if you're not using the root user; if you are using it, obviously tick it. Authentication method: I generally don't suggest that you use passwords, use SSH keys, which was the field that I mentioned earlier. I'm not going to go into this right now, but if there is a need leave a comment below and, you know, I might consider looking at it. So obviously you've got your SSH port. Now back down here under, oh sorry, Password protect the console menu: if you trust the device and no one's going to jump on the console from the device itself you can obviously untick that, there's another measure not to lock you out; I generally tend to leave it protected anyway. So this was the section that we're looking at, Sudo. So sudo is Disallowed, and the options we have are Ask for password; if you set it to Ask for password, again it's going to take into consideration the one-time password, so you'd put your code in and then the password; or you can do No password. So if I set it to No password and then I click Save, now if we go back to the console, I do sudo ls, we now have root access to the system.

But what if you want the menu that appears when you log in as root? Well, if we, let me just switch this back again, we go under Access > Users > root and just look at the root user, we can see the shell is set to opnsense-shell, so you can refer to that if you ever forget. So we can do sudo opnsense-shell and now we've got the menu up as we'd expect. If we get off that, you can always do sudo su and that'll do the same thing, so there's a couple of ways of getting back to the menu. I just wanted you to keep in mind that activating TOTP will also affect the console settings, so you really need to make sure you don't lock yourself out at this stage. If you do lock yourself out, unfortunately the only recourse is going to be to completely wipe the system and reinstall OPNsense and start all over again.

I hope that you found this video useful if you were looking to enable multi-factor authentication for the web interface of OPNsense. If you did, please give it a thumbs up to allow other people to find the same video, consider subscribing to the channel, and hit the notifications icon to receive notifications of any new videos that are released. If you'd like to hire us for any commercial projects, feel free, head across to our website and click on that Hire us button.
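As an added illustration (not part of the video or of OPNsense's own code), here is a small Python model of the combined login described above: a TOTP generator matching what the authenticator app shows, the code+password string you type (or password+code when Reverse token order is ticked), and the server-side split-and-check. DEMO_SEED is the RFC 6238 reference key rather than a real OPNsense seed, and the one-step grace window is an assumption for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed seed: the RFC 6238 reference key "12345678901234567890" in base32,
# the same form OPNsense shows in a user's OTP seed field. Not a real seed.
DEMO_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, digits: int = 6, period: int = 30, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as computed by Google Authenticator."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_password(code: str, password: str, reverse_token_order: bool = False) -> str:
    """What goes in the password box: code+password by default, or
    password+code when 'Reverse token order' is ticked on the TOTP server."""
    return password + code if reverse_token_order else code + password


def verify_login(submitted: str, password: str, seed_b32: str, digits: int = 6,
                 reverse_token_order: bool = False, at: Optional[int] = None,
                 window: int = 1) -> bool:
    """Server-side check: split the submitted string by the configured token
    length and order, then compare password and code. The +/-1 step window
    is an assumption for this demo, not OPNsense's exact tolerance."""
    if len(submitted) <= digits:                 # nothing left for a password
        return False
    if reverse_token_order:
        pw, code = submitted[:-digits], submitted[-digits:]
    else:
        code, pw = submitted[:digits], submitted[digits:]
    if not hmac.compare_digest(pw.encode(), password.encode()):
        return False
    now = int(time.time() if at is None else at)
    return any(hmac.compare_digest(code.encode(), totp(seed_b32, digits, 30, now + k * 30).encode())
               for k in range(-window, window + 1))
```

The test values at time 59 are the published RFC 6238 vectors for this key, so you can check the generator against the RFC before trusting it with a real seed.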
Info
Channel: Sheridan Computers
Views: 2,370
Keywords: Sheridan computers, hardening opnsense, home lab, homelab, how to, network security, opnsense, opnsense config, opnsense configuration, opnsense configuration guide, opnsense firewall, opnsense firewall configuration step by step, opnsense firewall setup, opnsense firewall tutorial, opnsense guide, opnsense install guide, opnsense mfa, opnsense mfa google authenticator, opnsense multi factor authentication, opnsense security, opnsense setup, opnsense totp, opnsense tutorial
Id: ZXiip_-6a9o
Length: 11min 44sec (704 seconds)
Published: Thu Nov 23 2023