[Sophos XG] How to execute command by ssh in firewall ?

In addition to Ian, you can log in to SSH.  select #7 on the option for shutdown

My previous answer was flagged as abuse because of empty command as example...

"  select #7 on the option for shutdown"

I dont want manually CLICK/Select. I would like to pass command through ssh command - directly.
#ssh adress + shutdown command (or any other command). Thats all - How to do that when this menu is active after being logged?

In my case - the convenience. Very often i have to turn off firewall gracefully (as it should be). Im tired doing it by webpage while it could be done by one click.  I can also imagine many administrators would welcome this (fw maintenance).

I do this all the time our devices in the lab and it works fine.  However I don't know if customer boxes are deployed differently.

Note that when doing this you don't have a bash shell (which in SFOS is busybox), so you also don't have things like a path.

ssh admin@10.0.0.1 '/bin/ls /etc/'

ssh admin@10.0.0.1 '/bin/poweroff'


You can add your ssh key for passwordless access in Administraton > Device access.

EDIT: Seems this is not possible on customer devices.  Internal sophos labs works differently.

It looks like the ability to do this was deliberately removed in order to harden Sophos Firewall boxes from external attacks, likely in the 19.0 timeframe.  Sorry to get your hopes up.

"in order to harden Sophos Firewall boxes from external attacks"
Im wondering also what was point to remove that (if i remember well on Sophos UTM i used ssh normally just like on every other linux - hardened-server).

I dont get point with hardening in this way. If unprivileged person can login as admin - this is over and  text menu dont stop him :p. Its problem on security network level and how he/she got privilege and private key - not problem with hardnening of sophos in such odd manner.

@emmosophos could you explain why you voted me down when i wrote its much more convenient to reboot/shutdown firewall by one click  sending ssh command and managing firewall (any set of commands, automation etc.) in such way would be welcomed by many administrators? Such text menu is an obstacle in many situations.

It makes me sad, because if you are part of sophos team and have time to vote down, you could also write why Sophos make ssh things unnecessary more difficult.

https://www.bleepingcomputer.com/news/security/sophos-reveals-5-year-battle-with-chinese-hackers-attacking-network-devices/

Sophos has been in a multi year battle with hacker groups who were attempting to gain and leverage access.  We did a lot of hardening, some of it was due to specific ways we were being attacked and some of it was more generic best practices.  No Sophos feature required this access, so it was safe to disable it.  I do not know the specifics.

I think emmosophos simply did not want to downvote here. 

Additionally to the part of Michael Dunn - Our general approach towards SSH is, we want to harden SSH and move in a midterm goal the configuration towards APIs instead. 

As API are more adapted than SSH commands and more secure, this is our next goal, to work towards refined APIs and make it more accessible. 

We started and enhance the Central APIs every month and will work on Firewall APIs as well.  
Central: https://developer.sophos.com/docs/firewall-v1/1/overview

Firewall direct:  Management APIs 

Hello,

Actually, I didn't mean to downvote; I accidentally downvoted your answer while I was scrolling down. Thank you for noticing. If you click upvote, that would remove my downvote.

Regards,

"we want to harden SSH"

Thats great, but I still dont understand what ssh hardening have to do with this text menu AFTER being logged!!

If someone is able to login as admin  its over - potential hacker only what have to do is pressing two numbers keys on keyboard   to get full access to console! DO YOU CALL THIS "HARDENING" ? Are you kidding me ? :p

Do you also suggest that thousands of heavily hardened linux servers but which dont have such text menu after being logged are LESS secure? Your solution only makes management of firewall more difficult  -  please dont decide what is better for admins and how they manage their devices when ssh is still in many cases best option to do common task. Give at least option to turn this text menu off or on. Eventually after logging into firewall by ssh there can be visible  typical text info how to run text menu.

Nobody claims this is the only thing Sophos is doing to harden a system. 

Again: The context menu is there since V15.0 (since the beginning). We simply removed the capabilities to run directly scripts / commands within one command, after the pacific Rim situation - See above. Also: At that time, after removal of the this command, a LOT of users had SSH open to the Internet. By now, most is restricted by the changes Sophos did. Open SSH, you could potentially run a command directly on the system was a big thing, which we removed by not letting somebody directly run it. Yes - People could do workarounds, but this was an easy "improvement" for a lot of customers to secure them.

By now, we could potentially think about other ways: An approach would be to allow direct advanced shell access via SSH Key only.  

Lets get back on track here: I am assuming, you as a power user are doing a lot on the Shell: Could you give us some context "what you are doing" on the advanced Shell? 

Nobody claims this is the only thing Sophos is doing to harden a system. 

Again: The context menu is there since V15.0 (since the beginning). We simply removed the capabilities to run directly scripts / commands within one command, after the pacific Rim situation - See above. Also: At that time, after removal of the this command, a LOT of users had SSH open to the Internet. By now, most is restricted by the changes Sophos did. Open SSH, you could potentially run a command directly on the system was a big thing, which we removed by not letting somebody directly run it. Yes - People could do workarounds, but this was an easy "improvement" for a lot of customers to secure them.

By now, we could potentially think about other ways: An approach would be to allow direct advanced shell access via SSH Key only.  

Lets get back on track here: I am assuming, you as a power user are doing a lot on the Shell: Could you give us some context "what you are doing" on the advanced Shell?