wiki.ipfire.org

The community-maintained documentation platform of IPFire


IPFire Security hardening

Introduction

IPFire is designed to be secure by default, however it can be further hardened so that it is even more difficult to attack. Hardening includes;

  • good security practice
  • some additional configuration
  • and reducing the attack surface by disabling features which are not in use.

Implementation Scale

As a guide for new readers, this page uses two scales:

Security benefit (impact):  A. MAJOR  |  B. SIGNIFICANT  |  C. MINOR
Effort to implement:        1. LOW    |  2. MEDIUM       |  3. HIGH

This scale is subjective. It will differ based on the value of your data to an attacker as well as your technical skill or previous experience. It aims to give an indication of both the benefit of doing an item and the approximate effort required.

Scale examples

For example, items which are categorised

Impact: A. MAJOR    Effort: 1. LOW

are highly recommended, as they are both easy to implement and have a high security benefit.

While items which are

Impact: C. MINOR    Effort: 3. HIGH

will be helpful, but need only be done for a high-risk environment or if you are a bit paranoid!


1. Good Security Practice

Strong Passwords, stored securely

Impact: A. MAJOR    Effort: 2. MEDIUM

  • Use strong passwords for the “admin” web user interface (WUI) and “root” console accounts
    • Do not use the same password for “admin” and “root”
    • Do not re-use a password which has been used elsewhere
    • These passwords should be at least 15 characters long, contain all character types (uppercase, lowercase, numbers and symbols) and avoid using words.
  • Store passwords in a Password Manager so that they can be longer and more complex than you can remember
    • Ideally your Password Manager should be Open Source software which has been inspected for security flaws (such as KeePass)
  • Do not save passwords for the IPFire WUI in your browser
  • Avoid creating additional accounts on your IPFire system, unless specifically required

Patch!

Impact: A. MAJOR    Effort: 1. LOW

  • Always use the latest stable version of IPFire. Old versions have known security flaws.
  • When an update is available, the WUI will display a red note at the bottom of each screen. Arrange an outage and apply updates as soon as possible - most updates require a reboot.
  • You might want to subscribe to the IPFire-Announce mailing list. That way, you will receive an e-mail in case of a new available update.
Go with the security experts' advice (source: Google Security Blog).

Check logs regularly

Impact: A. MAJOR    Effort: 1. LOW

Most IPFire features create logs which are visible from the WUI. Without regularly checking logs it can be very difficult to know if your system is under attack, or at worst an intruder already has access to it.

Depending on your preference, you may prefer to configure some logs to be emailed to you. It is best if this is an internal email server and not an internet-based server, as logs can contain sensitive information about your IPFire system and its configuration.

Aim to check at least these logs regularly:

  • The WUI Status > Services page, to ensure services are still running and you don't suddenly have a high number of processes or high memory usage
  • The Log Summary page
  • IDS Logs (if your IDS is configured, otherwise it will be of little value)
  • Firewall log (Country), to note which countries most attacks come from.
    • After you have enabled the GeoIP Block (highly recommended, see below), to see the number of hits against your firewall from countries which you are blocking:
      1. In the WUI open the “Firewall” menu and click “iptables”
      2. In the first “iptables” section, select “GEOIPBLOCK” from the drop down list
      3. Click Update
      4. A list of the countries you block will be displayed along with a packet and byte count for the number of hits those countries have had against your firewall and the volume of traffic blocked

Generous capacity for logs

Impact: B. SIGNIFICANT    Effort: 1. HIGH

When installing IPFire, ensure there is a large amount of space available for logs. Ideally IPFire will allow users to create a separate /var/log filesystem in future, as this will prevent denial of service attacks that fill the disk with thousands of deliberate log entries.

  • When installing IPFire, ensure there is a generous capacity available for logs
  • If possible, create a separate partition and remount /var/log on it

To check space availability go to menu Status > Media. Scroll down to Disk usage and search for Mounted on “/var”.

Use the 64 bit version of IPFire

Impact: B. SIGNIFICANT    Effort: 2. MEDIUM

In the past IPFire only ran on 32 bit systems but now the majority of people use the 64 bit version. The 64 bit version has Linux kernel security mitigations (for "Meltdown", "Spectre" and the like) which are not as well tested in the 32 bit version.

  • Backup a 32 bit IPFire system and reinstall with the 64 bit release

Change default login details

Impact: A. MAJOR    Effort: 3. HIGH

It is ideal to change the login details of accounts used to administer any system. This adds another step for a potential attacker who now has to guess your login as well as attempt to break (or brute-force) your password.

Note: Currently this requires a high amount of effort for an inexperienced user. Hopefully in the future IPFire will ask new users for the accounts they would like during the installation process.

  • Change the default “admin” account in IPFire to a different username which will not be obvious to an attacker
  • Add another account to Linux on your IPFire system with a different username to the one you chose above. Allow this user the ability to start a shell and use it to log in and switch user (su) to root.
  • Then disable root access from SSH by adding an entry to the /etc/ssh/sshd_config configuration file (sshd uses the first value it finds for a keyword, so make sure no earlier PermitRootLogin line in the file overrides it):

      PermitRootLogin no

  • If you have a major outage, use a graphical console to log in directly as root, or remove your storage and mount it on another Linux system

Use a VPN to manage IPFire from the internet

Impact: A. MAJOR    Effort: 3. HIGH

If you really need to manage an IPFire system from the internet (or any “hostile” network), do not open the WUI (TCP port 444) or SSH (TCP port 22) directly to the internet. Instead, research how to configure a secure VPN and use VPN access to administer IPFire through the WUI as if you were connected to the local network.

  • If you need to manage IPFire from the internet, configure and use a VPN to administer IPFire systems over the internet
    • Two different VPNs are supported in IPFire, IPsec and OpenVPN, although you could also use a separate VPN appliance.

2. Additional Configuration

Disable SSH Access - enable only when connecting

Impact: A. MAJOR    Effort: 1. LOW

The main way to manage IPFire is the web user interface (WUI). By default, it is always available on your internal Green network. If you use Secure Shell (SSH) to make changes in a Linux shell, only start the SSH daemon when you connect; do not leave it permanently running. This way an attacker cannot conduct a brute-force attack against IPFire over SSH (although the Guardian addon does also offer some protection).

  • Only enable SSH access in the WUI using the “Stop SSH demon in 15 minutes” button on the occasions you need a secure shell.
    • Any sessions established during those 15 minutes are not disconnected when the time expires, but all new connection attempts after 15 minutes will fail.
  • If you cannot stop IPFire from permanently running SSH (perhaps you use SSH-based monitoring software), then ensure that access is restricted to a specific set of IP addresses allocated to administrators only, by configuring a custom firewall rule.

Use public key authentication for SSH

Impact: B. SIGNIFICANT    Effort: 1. LOW

If you use SSH to administer IPFire, use public key based authentication (with a key protected by a strong passphrase) instead of password based authentication. Key based authentication prevents an attacker performing a man-in-the-middle attack from using your password to impersonate you, as your private key is never sent to the SSH server.

  • Configure IPFire to only allow public key based authentication
  • Use an SSH key with a strong passphrase, so that if somebody gets access to your account (or discovers your password) they cannot connect to IPFire
  1. From a Linux system, run

       ssh-keygen

     to generate an RSA key and enter a strong passphrase. If you cannot remember this passphrase, use a Password Manager to store it.

  2. Then run

       ssh-copy-id <ipfire hostname>
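As an added example (not part of this wiki page), a small POSIX shell script that checks whether the sshd settings recommended here and under “Change default login details” are actually in effect. It takes the path of an sshd_config file; the two sample configurations it embeds are constructed for the demonstration. The ordering trap it catches is real: sshd uses the first value it finds for a keyword, so an entry appended to the end of the file does nothing when an earlier line already sets it.

```shell
# sshd_effective FILE KEYWORD: print the effective value (empty if unset).
# Comments and blank lines are skipped, "Keyword=value" is accepted, and
# the scan stops at the first Match block, exactly as sshd's first-match
# rule requires.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        { gsub(/=/, " ") }                     # "Keyword=value" is also legal
        tolower($1) == "match" { exit }        # stop at conditional blocks
        tolower($1) == key { print $2; exit }  # first match wins
    ' "$1"
}

# sshd_check FILE: return 0 when every setting matches, 1 otherwise.
# Each item is keyword:wanted:OpenSSH-default-when-unset.
sshd_check() {
    rc=0
    for item in permitrootlogin:no:prohibit-password \
                passwordauthentication:no:yes \
                pubkeyauthentication:yes:yes; do
        key=${item%%:*}; rest=${item#*:}
        want=${rest%%:*}; dflt=${rest#*:}
        got=$(sshd_effective "$1" "$key")
        [ -n "$got" ] || got=$dflt
        got=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "WARN: $key is '$got', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample showing the trap: the appended "PermitRootLogin no"
# never takes effect because an earlier line already sets the keyword.
write_bad_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication = yes
PermitRootLogin no
EOF
}

# Constructed sample with the duplicate removed, as this page recommends.
write_good_config() {
    cat > "$1" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}
```

Run `sshd_check /etc/ssh/sshd_config` on the IPFire box after editing; a non-zero exit with a WARN line means the setting you think you enabled is not what sshd will use.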

Send syslogs to another server

Impact: B. SIGNIFICANT    Effort: 2. MEDIUM

Hackers usually aim to be stealthy and conceal that they have gained access to a system. To do this they will often remove evidence of a successful attack by deleting log entries. If you send your logs to another system inside your network, they cannot remove all evidence of their attack.

Use the URL filter

Impact: A. MAJOR    Effort: 1. LOW

If your IPFire system has more resources (free memory, low CPU usage) than are required during times of peak traffic (for example, lunchtime for a business), use the Proxy's URL filter to block advertising (ads) and malware. Malicious advertisements are now a common way for attackers to deliver exploits to users through their browser.

Be careful not to enable more than a few “block categories” in the 'URL filter' or you may significantly slow down your proxy server and give users a poor web browsing experience.

  • Configure the URL filter to block "ads" and "malware"
  • Remember to enable the “URL Filter” check box in the “Number of filter processes” section of the Advanced web proxy configuration page in the WUI.
  • Make sure to filter HTTPS traffic. This is only possible if your clients use the squid proxy directly (and not in transparent mode). However, only the basic server name (e.g. example.com) can be blocked, since paths (e.g. example.com/file1) are encrypted. Filtering contents is also impossible.

Use the Intrusion Detection System

Impact: B. SIGNIFICANT    Effort: 3. HIGH

Although it often takes a large effort to learn and configure, and then some effort to maintain, the Snort Intrusion Detection System (IDS) built into IPFire can provide a significant security benefit, depending on the rules enabled and the kind of traffic your IPFire system routes.

Note: If you really want to ensure accurate monitoring, you should consider disabling various network card offload features. These features are excellent for lowering CPU utilisation of your IPFire system but can truncate packets, preventing Snort detecting malicious network activity.

Use GeoIP Block

Impact: A. MAJOR    Effort: 1. LOW

After enabling the Intrusion Detection System in IPFire, wait a week or so. Then check the firewall logs sorted by country (in the WUI, go to Logs > FW-Loggraphs (Country)). Depending on where your IPFire system is located and who you need to contact for business or personal reasons, you can block significant amounts of hostile traffic from the internet by simply blocking certain countries.

  • Do some research and block countries with a high percentage of malicious traffic using the GeoIP block feature

Using IPFire's GeoIP feature is the easiest way to make a massive reduction in the amount of malicious traffic probing your network.

Configure Outgoing Firewall Rules

Impact: A. MAJOR    Effort: 3. HIGH

By default IPFire does not restrict (most) types of network traffic going out to the internet from your network. Creating outgoing firewall rules for all traffic on your network makes it difficult for malware to communicate with external servers. This means that most malware is less likely to be able to steal your valuable information. It may also reduce the chance of such malware spreading to other systems on your network.

Note: This requires a high amount of effort and mistakes may prevent devices and PCs from using the internet.

( FIXME - Instructions for this procedure are yet to be written)

  • Follow this procedure to monitor all your internet traffic over a period of time (to establish a baseline)
  • Based on what was recorded, create outgoing firewall rules to allow normal traffic
  • Deny all other traffic

Install Rootkit Hunter

Impact: B. SIGNIFICANT    Effort: 2. MEDIUM

Rootkit Hunter (or rkhunter) is a UNIX shell utility which scans Linux systems for rootkits, backdoors and possible local exploits. Although it is not currently packaged as an IPFire Addon, it can be manually installed (instructions coming!) and used to perform a scan on a nightly basis, sending the results to an administrator's email account.

Use SquidClamAV

Impact: C. MINOR    Effort: 1. LOW

It is ideal to use the built-in Squid web proxy to control your internet access, even if you have a low-power system. When doing so, for a very small benefit, install and enable the free ClamAV virus scanner which can scan for viruses in files downloaded through the proxy. Files which are downloaded from an encrypted website (HTTPS) cannot be scanned.

It may surprise you to learn that Anti-Virus software is not very effective today!

Previously people often wrote viruses (malware) to get attention or with the aim of infecting as many systems as possible. This meant it was likely somebody else would have experienced a virus before you were exposed, which gave an antivirus company an opportunity to develop a signature to protect you. Today malware tends to be more stealthy and may be obfuscated or customised for each individual target. ClamAV is sadly one of the least effective virus scanners today (detecting only 15% of Windows malware and 66% of Linux malware according to one study); however, if your IPFire system has spare CPU cycles it cannot hurt to enable it. With more than half of the average internet traffic being encrypted, the advantage of this is shrinking every year.

  • Use the built-in Squid web proxy and install the ClamAV virus scanner Addon.
    • It may not be highly effective, but it will prevent very common malware from being downloaded over a web connection.

Protect your network against DNS hijacking

Impact: B. SIGNIFICANT    Effort: 2. MEDIUM

Follow the instructions to force all DNS traffic to use IPFire's built-in DNS proxy server so that you are less vulnerable to DNS hijacking. Use a DNS server which supports DNSSEC to avoid DNS manipulation attacks.

Configure PPPoE from IPFire

Impact: B. SIGNIFICANT    Effort: 1. LOW

If you connect to the internet using a cable or DSL modem, it is highly likely that your modem rarely has patches available for security flaws. At worst, your modem may have a built-in default administration account which has been hard-coded to allow your ISP to take control of it. Such built-in accounts are often discovered by hackers. Unless you are extremely familiar with configuring your modem and it is regularly patched (like, for example, current model Fritz!Box modem routers which self-update), it is best to bypass your modem by configuring IPFire to connect to your ISP directly using PPPoE.

Use a Host-Based Intrusion Detection System

Impact: B. SIGNIFICANT    Effort: 2. MEDIUM

A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors the configuration of a system. It can alert an administrator when something has changed that was not expected to change. IPFire has a test addon, OSSEC, which is a modern open-source HIDS.

So:

  • Configure and enable Tripwire or OSSEC (English posts in a German thread).
  • Maintain the database of either HIDS each time you make changes to IPFire

3. Reduce Attack Surface

Remove unused IPFire Addons

Impact: B. SIGNIFICANT    Effort: 1. LOW

If you have installed any Addons in IPFire which you no longer use, remove them. This will reduce the attack surface of your IPFire system.

  • Uninstall Addons which you are not using with PakFire in the WUI

Do not enable IPv6

Impact: B. SIGNIFICANT    Effort: 1. LOW

IPv6 is disabled by default in IPFire. For security reasons it is recommended that you do not enable it.

Although IPv6 may be the future of addressing on the internet, today most fixed-line ISPs still provide an IPv4 address. IPv6 allows all devices on your network to be visible from the internet. It was long thought that searching for devices in your network was not viable, due to the high number of possible addresses. However, it has recently been shown that there are smart ways around this.

  • Do not enable IPv6, unless you understand the full implications of using it
  • Avoid using “dual-stack” IPv4 and IPv6 at the same time. This exposes your system to the potential of more security bugs than if you just used one of the two IP versions.

Don't host services from your network

Impact: B. SIGNIFICANT    Effort: 2. MEDIUM

Host services like email and web servers in a cloud environment and not on your internet connection. This avoids making your network a target (as there won't be any interesting services visible) and significantly reduces the opportunities for an attack to be successful.

  • Make your network a smaller, less interesting, target by not hosting any services on it.
  • If you really need to host services from your network, ensure you follow best-practice by using a DMZ and setting up DMZ pinholes.

Do not run IPFire in a virtual machine

Impact: B. SIGNIFICANT    Effort: N/A

Although IPFire will run effectively in a virtual machine, it is ideal to run any security software (such as a firewall router) on a separate physical machine. Running IPFire on a physical machine removes the possibility that another VM or the virtualization environment could become compromised and in turn compromise your IPFire firewall, or cause a denial of service by consuming resources (network, disk, CPU or memory).

  • Where possible, for security purposes run IPFire on a physical computer

This is particularly important if IPFire is operating as your primary firewall while other VMs on the same system are providing internet services, perhaps through an Orange DMZ.

IPFire is usually used in a position of trust as your internet gateway and if it is compromised it will be difficult to defend the rest of your network.

Block Tor

If you don't use it, block Tor traffic, as malware can use it for command and control purposes.

Block P2P

As with Tor, block all P2P protocols which are not used on your network.


Suggestions for the future

  • Make it easy for new users to set up different login accounts during installation - replacements for 'admin' and an alternate user for SSH, so that root cannot connect via SSH.
  • Discussion about improvements for this page is in the forum.
optimization/start/security_hardening.txt · Last modified: 2018/12/17 10:12 by dnl