Part of the IPFire Security Hardening Guide
This guide uses two scales:
Impact (security benefit) | A. MAJOR | B. SIGNIFICANT | C. MINOR |
Effort (to implement) | 1. LOW | 2. MEDIUM | 3. HIGH |
See the Security Guide introduction for a more detailed explanation of the scale.
Impact | Effort |
---|---|
A. MAJOR | 1. LOW |
The main way to manage IPFire is the web user interface (WebGUI). By default, it is always available on your internal Green network. If you use Secure Shell (SSH) to make changes in a Linux shell, enable the SSH server (System > SSH Access in the WebGUI) only for as long as you need it and disable it again when you are done; do not leave it permanently enabled. A service that is not running cannot be brute-forced (the Guardian add-on also offers some protection against brute-force attempts while SSH is enabled). Note that IPFire's SSH server listens on TCP port 222, not the usual port 22.
Impact | Effort |
---|---|
B. SIGNIFICANT | 1. LOW |
If you use SSH to administer IPFire, use public-key authentication (with a key protected by a strong passphrase) instead of password authentication, and disable password authentication on the SSH Access page once your key works. With key-based authentication your private key is never sent to the SSH server, so an attacker who gets between you and IPFire (a man-in-the-middle attack) or who lures you into logging in to a spoofed server does not obtain a reusable credential with which to impersonate you; a password typed into such a connection would be exactly that.
Run the following on your workstation to generate an RSA key pair and install the public key on IPFire (IPFire administration over SSH is done as root, on port 222):

```
ssh-keygen -t rsa -b 4096
ssh-copy-id -p 222 root@<ipfire hostname>
```

When ssh-keygen asks for a passphrase, enter a strong one. If you cannot remember it, store it in a password manager.
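The last step of this procedure is checking that IPFire's SSH daemon really refuses passwords. The following script is an added example, not from the IPFire wiki: it audits an sshd_config file for the two directives that key-only administration depends on, using OpenSSH's rule that the last occurrence of a directive wins and the OpenSSH defaults when a directive is absent. The two configuration files it checks are constructed here to stand in for /etc/ssh/sshd_config; on a live system pass that path instead.

```shell
#!/bin/sh
# Added example (not IPFire's own code): audit an sshd_config for
# key-only administration. Returns 0 when PasswordAuthentication is
# "no" and PubkeyAuthentication is "yes", 1 otherwise.
# Assumption: standard OpenSSH "Keyword value" syntax, as in
# /etc/ssh/sshd_config on IPFire; the path is a parameter.
audit_sshd_config() {
    file="$1"
    # sshd uses the last matching directive, so take the final occurrence;
    # matching is case-insensitive and commented-out lines are ignored.
    pw=$(grep -i '^[[:space:]]*PasswordAuthentication[[:space:]]' "$file" | tail -n 1 | awk '{print tolower($2)}')
    pk=$(grep -i '^[[:space:]]*PubkeyAuthentication[[:space:]]' "$file" | tail -n 1 | awk '{print tolower($2)}')
    # OpenSSH defaults when the directive is absent: both "yes".
    [ -z "$pw" ] && pw=yes
    [ -z "$pk" ] && pk=yes
    status=0
    if [ "$pw" != "no" ]; then
        echo "WARN: PasswordAuthentication is '$pw' (expected no)"
        status=1
    fi
    if [ "$pk" != "yes" ]; then
        echo "WARN: PubkeyAuthentication is '$pk' (expected yes)"
        status=1
    fi
    return $status
}

# Constructed sample configs standing in for /etc/ssh/sshd_config.
weak=$(mktemp)
cat > "$weak" <<'EOF'
Port 222
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

hardened=$(mktemp)
cat > "$hardened" <<'EOF'
Port 222
# PasswordAuthentication no   (this commented line must be ignored)
PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
EOF

audit_sshd_config "$weak"     && echo "weak config: OK"     || echo "weak config: needs fixing"
audit_sshd_config "$hardened" && echo "hardened config: OK" || echo "hardened config: needs fixing"
```

Running it prints a warning for the first file and "hardened config: OK" for the second. On IPFire the directives are written by the SSH Access page, so if the audit fails, fix the setting there rather than editing the file by hand.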
Impact | Effort |
---|---|
B. SIGNIFICANT | 2. MEDIUM |
Attackers usually aim to be stealthy and to conceal that they have gained access to a system. To do this they often delete the log entries that record their successful attack. If IPFire also sends its logs to another system inside your network (remote logging under Logs > Log Settings in the WebGUI), an attacker who compromises IPFire cannot remove all the evidence, because a copy already exists on a host they do not control.
Impact | Effort |
---|---|
A. MAJOR | 1. LOW |
If your IPFire system has more resources (free memory, low CPU usage) than it needs at times of peak traffic (for example, lunchtime for a business), use the Proxy's URL filter to block advertising (ads) and malware domains. Malicious advertisements are now a common way for attackers to deliver exploits to users through their browser.
Impact | Effort |
---|---|
B. SIGNIFICANT | 3. HIGH |
Although it often takes a large effort to learn and configure and then some effort to maintain, the Suricata Intrusion Prevention System (IPS) built into IPFire can provide a significant security benefit, depending on the rule sets enabled and the kind of traffic your IPFire system routes.
Note: If you want accurate monitoring, consider disabling the offload features of your network cards (TSO, GSO, GRO and LRO). These features lower the CPU utilization of your IPFire system, but they hand the kernel, and therefore Suricata, segments that differ from what is actually on the wire (for example, several packets coalesced into one oversized segment), which can prevent Suricata from matching malicious traffic.
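To see which of these offloads are still active, read them from ethtool rather than guessing. The script below is an added example, not from the IPFire wiki: it parses the output of `ethtool -k <interface>` (assumed to be installed, and in its usual "feature-name: on|off [fixed]" format), lists the tunable offloads that are on, and prints the `ethtool -K` command that switches them off. The sample output for green0 is constructed; on a live system pipe the real command into it.

```shell
#!/bin/sh
# Added example (not IPFire's own code): find enabled NIC offloads from
# "ethtool -k" output and build the matching "ethtool -K ... off" command.
# Assumption: ethtool's Linux output format; "[fixed]" features cannot be
# changed, so they are skipped.
OFFLOADS="tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload"

# Read ethtool -k output on stdin; print names of offloads that are "on"
# and not marked "[fixed]".
enabled_offloads() {
    awk -v want="$OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        {
            name = $1; sub(/:$/, "", name)
            if (name in keep && $2 == "on" && $3 != "[fixed]") print name
        }'
}

# Map the long feature names to the short flags "ethtool -K" accepts.
short_flag() {
    case "$1" in
        tcp-segmentation-offload)     echo tso ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        *)                            echo "$1" ;;
    esac
}

# Build the fix command for an interface from ethtool -k output on stdin.
# Prints nothing when no tunable offload is enabled.
fix_command() {
    iface="$1"
    flags=""
    for f in $(enabled_offloads); do
        flags="$flags $(short_flag "$f") off"
    done
    [ -n "$flags" ] && echo "ethtool -K $iface$flags"
    return 0
}

# Constructed sample of "ethtool -k green0" on a typical NIC.
SAMPLE='Features for green0:
rx-checksumming: on
tx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

printf '%s\n' "$SAMPLE" | fix_command green0
# On a live IPFire system: ethtool -k green0 | fix_command green0
```

For the sample this prints `ethtool -K green0 tso off gso off gro off`. Run the printed command for each interface Suricata inspects (green0, red0, blue0, orange0 as applicable); note that `ethtool -K` settings do not survive a reboot unless you apply them again at boot.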
Impact | Effort |
---|---|
A. MAJOR | 1. LOW |
After enabling the Intrusion Prevention System in IPFire, wait a week or so, then check the firewall logs sorted by country: in the WUI, go to Logs > FW-Loggraphs (Country). Depending on where your IPFire system is located and which countries you need to communicate with for business or personal reasons, you can block a significant amount of hostile traffic from the internet simply by blocking certain countries (Firewall > Location Block). This will not stop a determined attacker who controls systems in many countries (a botnet, for example), but it will significantly reduce noise and let you focus on the events that actually need investigating.
Note: IPFire's Location Block feature is the easiest way to make a massive reduction in the amount of malicious traffic probing your network from the internet.
Impact | Effort |
---|---|
A. MAJOR | 3. HIGH |
By default IPFire does not restrict (most) types of network traffic going out from your network to the internet. Creating outgoing firewall rules that allow only the traffic your network needs, and block everything else, makes it difficult for malware to communicate with external servers (command-and-control, data exfiltration). It therefore becomes less likely that malware can steal your valuable information, and it may also reduce the chance of such malware spreading to other systems on your network.
Note: This requires a high amount of effort, and mistakes may prevent devices and PCs from using the internet. Test new rules with a small group of devices and review the firewall logs before applying them to the whole network.
FIXME - Instructions for this procedure are yet to be written
Impact | Effort |
---|---|
C. MINOR | 1. LOW |
Ideally, use the built-in Squid web proxy to control your internet access, even on a low-power system. When you do, install and enable the free ClamAV virus scanner, which can scan files downloaded through the proxy for viruses; the benefit is small. Files downloaded from an encrypted website (HTTPS) cannot be scanned, because the proxy does not see their contents.
Previously, people often wrote viruses (malware) to get attention or with the aim of infecting as many systems as possible. This meant somebody else had probably encountered a virus before you were exposed to it, which gave an antivirus company the opportunity to develop a signature to protect you. Today's malware tends to be more stealthy and may be obfuscated or customized for each individual target. ClamAV is sadly one of the least effective virus scanners today (detecting only 15% of Windows malware and 66% of Linux malware according to one study), but if your IPFire system has spare CPU cycles it cannot hurt to enable it.
With more than half of all internet traffic now encrypted, the advantage of scanning at the proxy shrinks every year.
Impact | Effort |
---|---|
B. SIGNIFICANT | 2. MEDIUM |
Follow the instructions to force all DNS traffic from your network through IPFire's built-in DNS proxy (Unbound), so that clients cannot be pointed at a rogue resolver (DNS hijacking). Configure upstream DNS servers that support DNSSEC; Unbound validates DNSSEC signatures, which protects you against DNS manipulation attacks for signed zones.
Impact | Effort |
---|---|
B. SIGNIFICANT | 1. LOW |
If you connect to the internet using a cable or DSL modem, it is highly likely that your modem rarely receives patches for security flaws. At worst, your modem may have a built-in default administration account that has been hard-coded to allow your ISP to take control of it; such built-in accounts are regularly discovered by attackers. Unless you are extremely familiar with configuring your modem and it is regularly patched (like, for example, current-model Fritz!Box modem routers, which update themselves), it is best to bypass the modem's router functions by putting it into bridge mode and configuring IPFire to connect to your ISP directly using PPPoE.
Impact | Effort |
---|---|
B. SIGNIFICANT | 2. MEDIUM |
A host-based intrusion detection system (HIDS) monitors the configuration and files of a system and can alert an administrator when something has changed that was not expected to change. IPFire has a test add-on that is a modern open-source HIDS.
Next Page: Reducing Attack Surface
Older Revisions • September 27 at 6:51 pm • Jon