Please help me change SSH settings in Device Console?

Hello everyone,

I am using Sophos XG (Home) v18.5 MR4. I would like to change my SSH listen address to only 192.168.1.1 and port xx (other than 22). According to Sophos XG's CLI guide, I should be disabling connectivity over SSH first, then re-enabling it with a certain local IP address & port, should I not?

I think the steps will be:

console> disableremote

console> enableremote port xx serverip 192.168.1.1

This will be the 1st time I have ever had to modify something on the terminal, I really want to be cautious when interacting with such fundamental stuff. Hence, I have some questions to ask:

  1. Did I get the syntax right? Please correct me if I was wrong.

  2. Since disabling remote access at first will disconnect all the active SSH sessions, I should not be doing this while on PuTTY, but rather execute these commands via the admin page's Console, should I?

Thank you very much in advance.



  • Hello ,

    Thank you for reaching out to the community. Yes, the syntax is right!

    disableremote
    Disables remote connectivity over SSH, if enabled. By default it is not enabled. The appliance will no longer listen on port 22 for new connections, and existing ones will be terminated. Refer to enableremote to allow remote SSH connections.

    https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/index.html

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for your quick reply, buddy. Please help me with a few more things:

    1. Regarding the enableremote command, did I get it right too?

    2. In addition, prior to re-enabling SSH, it has been disabled. Thus, should I not execute these commands on PuTTY, but rather via the admin webpage's console instead? Does the disableremote command also disable the console command prompt on the webadmin page?

    3. The gateway address 192.168.1.1 belongs to the VLAN 1 interface. If I later modify or delete this interface, will the SSH listen address at 192.168.1.1 be nullified too?

    Thank you again buddy.

  • Hello ,

    Yup, that was right. I even provided you with the command-line guide, which will be useful for confirming as well!

    Sophos Firewall OS uses a graphical user interface (web admin console) to configure and manage Sophos Firewall.

    We support most of the commonly used browsers, such as Chrome, Edge, Firefox, and Safari. We recommend that you use the latest browser version.

    And whether it is the web-based CLI or a third-party CLI client like PuTTY, the protocol remains the same, i.e. SSH on port 22.
    So whichever suits you for ease of access is fine; it does not make any difference!

    Yup, if you remove the 192.168.1.1 address, then you will no longer be able to access that service on that IP.

    See, you provide SSH access to a zone. Any IP interface, whether it is a VLAN, LAG, normal interface or bridge interface, if it is active and falls into the LAN zone, and you have enabled SSH on the LAN zone, then you will be able to access it. But let's say any of these interfaces becomes inactive or you remove it manually; then you will no longer be able to access that service on that IP.

    Hope this clears your doubts!


  • Thanks again buddy.

    The XG v18.5 Console manual here (Device console - Sophos Firewall), it says about enableremote command that 'The appliance will listen for SSH connections on the specified port and will allow connections from the specified addresses.' Does that also mean I can assign the listen address to multiple IP addresses at a time ?

    If so, does the command look something like this ('etc.' just means I have to type in all the IP addresses that I want)?

    console> enableremote port xx serverip 192.168.1.1 192.168.2.1 192.168.3.1 etc.

    Thanks again buddy. Much appreciated for your help.

  • Hey

    Nope, it will not work with that syntax, and multiple addresses cannot be specified in that format!

    The custom port will be opened for the specific IP mentioned; if you add more than one, it will respond with "% Error: Unknown Parameter".


  • Thanks buddy. So I understand that in order to re-enable SSH on as many gateways as I like, I would have to repeat the enableremote command on the same port that number of times, would I not?

    For example, if I would like to re-enable SSH on port xx for 3 gateways, I repeat the enableremote command on port xx three times.

    Thanks again buddy. 

  • Yup, that's right!


  • I have just tried out the console, following the syntax. I attempted to disable SSH first, then re-enable it on 192.168.0.1 at port 33. After that, however, port 22 is still open on other interfaces, whilst port 33 at 192.168.0.1 remains closed for SSH. What have I got wrong, buddy?

    Thanks for your enthusiasm buddy.

  • As far as I know, you cannot change the SSH port. It will stay on port 22.

  • That is a pity then. This feature has been on the wishlist for so long, yet it has still not been implemented. Changing the SSH port also helps a lot in strengthening network security.

  • Does it actually help?

    It will increase the time taken to find the port.

    SSH availability is still something that is present, no matter what port you are using. The only way to increase security is by disabling SSH.

    Please do not enable SSH on WAN, no matter what port.

    Please reduce the exposed zones for SSH.

    Those settings increase security, not changing the port. Port scanners will quickly pick up changed ports.
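
As an added example that is not part of this thread and not Sophos tooling: the check the original poster did by hand (port 22 still answering on other interfaces while the new port stayed closed) and the point in the last reply that a scanner sees whatever port you pick can both be turned into a repeatable audit of where SSH is actually reachable. The script below, added here, assumes hypothetical lab addresses 192.168.0.1, 192.168.1.1 and 192.168.2.1, a moved port of 33, and a constructed observation that reproduces the reported symptom; nothing in it comes from the firewall itself.

```python
"""Check that the firewall's SSH service is reachable only where intended.

Added example, not code from the Sophos thread or from Sophos. It mirrors the
check the original poster did by hand: after `disableremote` and
`enableremote port 33 serverip 192.168.0.1`, port 22 should be closed on
every interface and port 33 should answer only on 192.168.0.1.
The addresses, port and observed results below are constructed for the
example; replace them with your own interface IPs.
"""
import socket
from typing import Callable, Dict, List, Tuple

Endpoint = Tuple[str, int]          # (ip, tcp_port)
Probe = Callable[[str, int], bool]  # returns True if a TCP connect succeeds

DEFAULT_SSH_PORT = 22


def expected_listeners(interface_ips: List[str], ssh_port: int,
                       allowed_ips: List[str]) -> Dict[Endpoint, bool]:
    """Map every (ip, port) we care about to whether it SHOULD accept connections.

    After `disableremote`, the default port must be closed everywhere; after
    `enableremote port <ssh_port> serverip <ip>`, only the listed IPs may answer.
    """
    expected: Dict[Endpoint, bool] = {}
    for ip in interface_ips:
        expected[(ip, DEFAULT_SSH_PORT)] = False
        expected[(ip, ssh_port)] = ip in allowed_ips
    return expected


def tcp_probe(ip: str, port: int, timeout: float = 1.0) -> bool:
    """Real probe: a plain TCP connect, the same thing a port scanner does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((ip, port)) == 0


def audit_ssh_exposure(expected: Dict[Endpoint, bool],
                       probe: Probe = tcp_probe) -> List[str]:
    """Compare the intended state with what actually answers; return the mismatches."""
    findings: List[str] = []
    for (ip, port), should_be_open in sorted(expected.items()):
        is_open = probe(ip, port)
        if is_open and not should_be_open:
            findings.append(f"UNEXPECTED: {ip}:{port} accepts connections")
        elif should_be_open and not is_open:
            findings.append(f"MISSING: {ip}:{port} refuses connections")
    return findings


# Constructed lab scenario (hypothetical addresses, not from the thread):
# three internal gateway addresses, SSH moved to port 33 on 192.168.0.1 only.
LAB_INTERFACES = ["192.168.0.1", "192.168.1.1", "192.168.2.1"]
LAB_NEW_PORT = 33
LAB_ALLOWED = ["192.168.0.1"]

# Constructed observation reproducing the symptom reported in the thread:
# port 22 still answers on the other interfaces and port 33 never opened.
OBSERVED_AFTER_CHANGE: Dict[Endpoint, bool] = {
    ("192.168.1.1", 22): True,
    ("192.168.2.1", 22): True,
}


def offline_probe(ip: str, port: int) -> bool:
    """Stand-in for tcp_probe that replays OBSERVED_AFTER_CHANGE (closed unless listed)."""
    return OBSERVED_AFTER_CHANGE.get((ip, port), False)


def lab_findings() -> List[str]:
    """Run the audit against the constructed observation."""
    expected = expected_listeners(LAB_INTERFACES, LAB_NEW_PORT, LAB_ALLOWED)
    return audit_ssh_exposure(expected, probe=offline_probe)


if __name__ == "__main__":
    for line in lab_findings():
        print(line)
    # To check a real appliance from a LAN host, call
    # audit_ssh_exposure(expected_listeners([...], 33, ["192.168.0.1"]))
    # which uses tcp_probe; an empty list means the exposure matches intent.
```

Run it from a host on the LAN side with the real `tcp_probe` and your own interface list; an empty result means the listener state matches what you typed at the console. Anything flagged UNEXPECTED is exactly what an attacker's scanner would also find, which is the last reply's point: only an SSH service that does not answer at all is invisible, regardless of port.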

