Part of the IPFire Security Hardening Guide
Implementation Scale
This guide uses two scales:
Scale | | | |
---|---|---|---|
Impact (security benefit) | A. MAJOR | B. SIGNIFICANT | C. MINOR |
Effort (to implement) | 1. LOW | 2. MEDIUM | 3. HIGH |
See the Security Guide introduction for a more detailed explanation of the scale.
Disable SSH Access - enable only when connecting
Impact | Effort |
---|---|
A. MAJOR | 1. LOW |
The main way to manage IPFire is the web user interface (WebGUI). By default, it is always available on your internal Green network. If you use Secure Shell (SSH) to make changes in a Linux shell, start the SSH daemon only when you are about to connect and do not leave it permanently running. This way an attacker cannot conduct a brute-force attack against IPFire over SSH (although the Guardian add-on does also offer some protection).
- Only enable SSH access in the WUI using the "Stop SSH daemon in 15 minutes" button on the occasions you need a secure shell.
- Sessions established during those 15 minutes are not disconnected when the time expires, but all new attempts to connect after 15 minutes will fail.
- If you cannot stop IPFire from permanently running SSH (perhaps because you use SSH-based monitoring software), then ensure that access is restricted to a specific set of IP addresses allocated to administrators only, by configuring a custom Firewall rule.
Use public key authentication for SSH
Impact | Effort |
---|---|
B. SIGNIFICANT | 1. LOW |
If you use SSH to administer IPFire, use public key based authentication (using a key with a strong passphrase) instead of password based authentication. Key-based authentication prevents an attacker performing a man-in-the-middle attack from using your password to impersonate you, because your private key is never sent to the SSH server.
- Configure IPFire to only allow public key based authentication
- Use an SSH key with a strong passphrase, so that if somebody gets access to your account (or discovers your password) they cannot connect to IPFire
- From a Linux system, run
ssh-keygen
to generate an RSA key and enter a strong passphrase. If you cannot remember this passphrase, use a password manager to store it.
- Then run
ssh-copy-id <ipfire hostname>
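The WUI setting above ends up as keywords in the sshd configuration, so a quick audit of that file confirms that only key-based logins remain possible. The following is an added example (not IPFire's own code): it reads sshd_config text, applies sshd's rule that the first value of a keyword wins and that anything after a Match line is conditional, and reports settings that differ from the key-only baseline. The baseline, the OpenSSH defaults and the sample config are assumptions constructed for the example.

```python
"""Audit sshd_config text for the key-only authentication settings recommended above.

sshd uses the FIRST value it obtains for each keyword (later duplicates are
ignored) and lines after 'Match' apply only conditionally, so the audit stops
at the first Match line. The baseline, defaults and sample config below are
assumptions constructed for this example, not taken from an IPFire system.
"""
import re

# Values an SSH-hardened IPFire should end up with (assumed baseline).
EXPECTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "prohibit-password",
}

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def effective_settings(config_text):
    """Return the global (pre-Match) value sshd would use for each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break                              # conditional section starts here
        seen.setdefault(key, value)            # first occurrence wins
    return {k: seen.get(k, DEFAULTS[k]) for k in EXPECTED}


def audit(config_text):
    """Return (keyword, actual, expected) for every setting that misses the baseline."""
    actual = effective_settings(config_text)
    return [(k, actual[k], v) for k, v in EXPECTED.items() if actual[k] != v]


# Constructed sample: the trailing 'no' looks hardened, but sshd honours the first line.
SAMPLE_CONFIG = """\
Port 22
# leftover from initial setup
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for keyword, actual, expected in audit(SAMPLE_CONFIG):
        print(f"{keyword}: is '{actual}', should be '{expected}'")
```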
Send syslogs to another server
Impact | Effort |
---|---|
B. SIGNIFICANT | 2. MEDIUM |
Attackers usually aim to be stealthy and to conceal that they have gained access to a system. To do this they will often remove evidence of a successful attack by deleting log entries. If you send your logs to another system inside your network, they cannot remove all evidence of their attack.
- If you have another server within your network which doesn't offer any services to the internet, configure remote logging to it using syslog
Use the URL filter
Impact | Effort |
---|---|
A. MAJOR | 1. LOW |
If your IPFire system has more resources (memory free, low CPU usage) than are required during times of peak traffic (for example, lunchtime for a business), use the Proxy's URL filter to block advertising (ads) and malware. Malicious advertisements are now a common way that attackers attempt to deliver exploits to users through their browser.
- Configure the URL filter to block "ads" and "malware"
- Remember to enable the "URL Filter" check box in the Enable redirector section of the Advanced web proxy configuration page in the WebGUI.
- Make sure to filter HTTPS traffic. This is only possible if your clients use the squid proxy directly (and not in transparent mode). However, only the basic server name (e.g. example.com) can be blocked, since paths (e.g. example.com/file1) are encrypted. Filtering contents is also impossible.
Use the Intrusion Prevention System
Impact | Effort |
---|---|
B. SIGNIFICANT | 3. HIGH |
Although it often takes a large effort to learn and configure, and then some effort to maintain, the Suricata Intrusion Prevention System (IPS) built into IPFire can provide a significant security benefit, depending on the rules enabled and the kind of traffic your IPFire system routes.
- Enable the Intrusion Prevention System
- Spend time configuring appropriate rules for your network
- Ensure the rules are kept up to date. The IPS should do this automatically.
Note: If you really want to ensure accurate monitoring, you should consider disabling various network card offload features. These features are excellent for lowering CPU utilization of your IPFire system but can truncate packets, preventing the IPS from detecting malicious network activity.
Use Location Block
Impact | Effort |
---|---|
A. MAJOR | 1. LOW |
After enabling the Intrusion Prevention System in IPFire, wait a week or so. Then check the Firewall logs sorted by country. In the WUI, go to Logs > FW-Loggraphs (Country). Depending on where your IPFire system is located and who you need to contact for business or personal reasons, you can block significant amounts of hostile traffic from the internet by simply blocking certain countries. This won't prevent a determined attacker in control of multiple systems (using a botnet, for example), but it will significantly reduce noise and allow you to focus on items which actually need investigating.
- Do some research and block countries with a high percentage of malicious traffic using the Location Block feature.
Note: Using IPFire's Location Block feature is the easiest way to make a massive reduction in the amount of incoming malicious traffic probing your network.
Configure Outgoing Firewall Rules
Impact | Effort |
---|---|
A. MAJOR | 3. HIGH |
By default IPFire does not restrict (most) types of network traffic going out to the internet from your network. Creating outgoing firewall rules for all traffic on your network makes it difficult for malware to communicate with external servers. This means that it is less likely most malware will be able to steal your valuable information. It may also reduce the chance of such malware spreading to other systems on your network.
Note: This requires a high amount of effort, and mistakes may prevent devices and PCs from using the internet.
FIXME - Instructions for this procedure are yet to be written
- Follow this procedure to monitor all your internet traffic over a period of time (to establish a baseline)
- Based on what was recorded, create outgoing firewall rules to allow normal traffic
- Deny all other traffic
Protect your network against DNS hijacking
Impact | Effort |
---|---|
B. SIGNIFICANT | 2. MEDIUM |
Follow the instructions to force all DNS traffic to use IPFire's built-in DNS proxy server so that you are less vulnerable to DNS hijacking. Use a DNS server which supports DNSSEC to avoid DNS manipulation attacks.
- Enforce usage of IPFire's DNS server for all devices on your network
Configure PPPoE from IPFire
Impact | Effort |
---|---|
B. SIGNIFICANT | 1. LOW |
If you connect to the internet using a cable or DSL modem, it is highly likely that your modem rarely has patches available for security flaws. At worst, your modem may have a built-in default administration account which has been hard-coded to allow your ISP to take control of it. Such built-in accounts are often discovered by attackers. Unless you are extremely familiar with configuring your modem and it is regularly patched (like, for example, current model Fritz!Box modem routers which self-update), it is best to bypass your modem by configuring IPFire to connect to your ISP directly using PPPoE.
- Configure IPFire to connect directly to your ISP by bridging your modem with PPPoE