Skip to content.

A Note About Website Navigation

Skip to main menu.

For users of screen readers, depending on the screen resolution, the two checkboxes are for opening and closing the side menus that appear to the left and right side of the screen. This is designed both for large screens and for mobile devices with a touch screen. Checking either the main menu or sidebar checkboxes causes the menu to open from the left or right side of the screen, respectively. Clearing the checkox in either the main menu or sidebar closes the menu. The checkboxes are visible to screen readers such as JAWS and NVDA for Windows, Voiceover for Mac, and Orca screen reader for Linux. When a screen reader says "clickable" for both main menu and sidebar, that is for the respective checkboxes. End of explaination.

Viewing Single Blog Post

How To Create a New User in pfSense and VyOS?

When you setup your new router, it's always a good idea to create a new user other than admin for pfSense and vyos for VyOS in order to reduce the chance that bots and miscreants will gain access to your router.

VyOS

Here's the completed configuration of my VyOS router and I will show you the commands.

Configuration
service {
    # ...
    ssh {
        access-control {
            allow {
                user <username>
                user vyos
            }
        }
        listen-address 10.249.0.1
    }
}
system {
    # ...
    login {
        banner {
            pre-login "Unauthorized access is strictly prohibited."
        }
        user <username> {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "First and last name goes here."
            home-directory /home/<username>
        }
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
# ...
}
Commands
ssh vyos@10.249.0.1
configure
edit system login user <username>
set authentication plaintext-password <your-password-goes-here>
set full-name "First and last name goes here."
set home-directory /home/<username>
exit
edit service ssh access-control
set allow user <username>
set allow user vyos
commit
save

You want to allow vyos access using SSH to make sure it works. Also, there is encrypted-password in VyOS but VyOS gave me an error telling me that the encrypted password is invalid. I did try to discard, but VyOS told me there are not changes to be discarded, so I saved, started a new terminal window, and once I SSH into my VyOS router for 10.249.1.1, everything works fine.

Now don't exit out of VyOS session just yet. You want to make sure SSH is working properly for a user you want to log into. Because otherwise editing and viewing the configuration will have to be done either through the use of a console cable or a monitor and keyboard hooked up to a monitor. SSH using your new username and password you've created. If you can successfully login to VyOS with a different username, you can simply remove the vyos user from the access control list in configuration mode.

delete service ssh access-control allow user vyos

Again, stay logged in to VyOS and use a different terminal to test and make sure you can log into VyOS through SSH. If everything is working as intended, you can safely log out of VyOS from all the terminals you've opened.

Also, you can configure a banner. Examine the configuration above and see if you can add a login banner. The pre-login is for when a user attempts to access the VyOS router using SSH. This will print out a banner before a user gets prompted for a password. After a user logs into VyOS, if the post-login is set, VyOS will print out the banner once the user logs in. This concludes the commands used for securing VyOS.

pfSense

The same can be done for pfSense. Open the web browser, point your browser to pfSense (in my case, http://10.249.2.1), and login to your pfSense web interface. Once you get to the main interface, follow instructions as follows.
  1. In the System menu, open the User Manager.
  2. Click in the + Add button below the list of users.
  3. Enter the Username, Password, and Full Name. No spaces in the username.
  4. In the Group Membership area, select admins and click in Move to "member of" list. This will move the admins group to the "member of" list.
  5. Save the changes, log out, and log back in as the new admin user you have created in step 4.
  6. In the user manager, click in the pencil icon (Edit) to edit the admin user.
  7. Check the checkbox for Disabled. An admin user cannot login once the checkbox is selected.
  8. When done, Save the changes.

Try to login as admin. If successful, you should not be able to log in as an admin user but instead log in as a new user. This concludes the step-by-step instructions for pfSense.

Conclusion

Preventing a root or admin user from logging into a router is one of the security's best practices. You can help ensure that bots and miscreants won't be able to gain access to your router without the correct username and password. Even when bots are performing a brute-force attack. Still, it's important to restrict access to the router through the use of a management subnet and if using pfSense, setup a root and server certificate in the Cert. Manager within the System menu and add a root certificate to your web browser of your choice. Use a management subnet for any devices that have SSH access or a web interface and do not allow managers, sales, web developers, or any other non-IT departments access to the critical network infrastructure.

Update: I just hit "c" twice in my keyboard (ccode instead of code) even though I only typed "c" just once. Ugh... Maybe I just need a different keyboard that prevents double-types regardless of the operating system I'm using... (And yes, I'm using Arch Linux.)


Article published: 2021-02-25 21:04

Categories: The World of Computers, Networking,

About Grayson Peddie

Hello! I am a web developer and I have a passion for the world of Information Technology. I currently hold 4 CompTIA certificates (A+, Network+, Security+, and CySA+) including Cisco's CCNA (Cisco Certified Network Associate) certificate. Speaking of web development, I am a web accessibility enthusiast. I make sure that users of screen readers and keyboard users who cannot use a mouse can be able to access my website with just only the keyboard. Plus, I have learned a whole lot about Web Content Accessibility Guidelines.

So what are my hobbies? Aside from web development, I watch Star Trek: The Next Generation from time to time during the nights. I listen to music from the likes of David Arkenstone, Yanni, Checkfield, Cucso, Looreena McKennitt, Clannad, 2002, Enya, and even soundtrack from EPCOT Center (1982-1994), Tomorrowland, WALL-E, and TRON: Legacy. Oh, yes! Tomorrowland, TRON: Legacy, and WALL-E are the three movies I watch during Friday nights and every Friday night is my pizza night. I'm an optimist who likes to see what kind of future the world would look like. That's why I follow The Venus Project on Twitter (here's the website to The Venus Project. I do have a lot to cover in my introductory article in my website, so if you want to go in-depth and know more about me, that is the article to visit.