
Additional Security Configuration

Part of the IPFire Security Hardening Guide


Implementation Scale

This guide uses two scales:

Impact (security benefit) A. MAJOR B. SIGNIFICANT C. MINOR
Effort (to implement) 1. LOW 2. MEDIUM 3. HIGH

See the Security Guide introduction for a more detailed explanation of the scale.


Disable SSH Access - enable only when connecting

Impact Effort
A. MAJOR 1. LOW

The main way to manage IPFire is the web user interface (WUI), which by default is always available on your internal Green network. If you also use Secure Shell (SSH) to make changes from a Linux shell, start the SSH daemon only when you need to connect and do not leave it running permanently. That way an attacker cannot brute-force IPFire over SSH at all (although the Guardian addon does also offer some protection against this).

  • Only enable SSH access in the WUI with the "Stop SSH demon in 15 minutes" button, on the occasions when you actually need a shell.
    • Sessions established during those 15 minutes are not disconnected when the time expires, but any new connection attempt after that will fail.
  • If you cannot avoid running SSH on IPFire permanently (for example because you use SSH-based monitoring software), restrict access to a specific set of IP addresses allocated to administrators only, by creating a custom firewall rule.

Use public key authentication for SSH

Impact Effort
B. SIGNIFICANT 1. LOW

If you use SSH to administer IPFire, use public key authentication (with a key protected by a strong passphrase) instead of password authentication. With key authentication your private key is never sent to the SSH server, so an attacker who intercepts the connection (for example with a man-in-the-middle attack) or tricks you into logging in to a fake host does not obtain a reusable credential they can use to impersonate you. It also makes online password guessing pointless.

  • Configure IPFire to allow only public key authentication (on the SSH Access page in the WUI, disable password based authentication and leave public key based authentication enabled).
  • Protect the key with a strong passphrase, so that somebody who obtains a copy of your private key file (or the laptop it lives on) still cannot connect to IPFire.
  • From a Linux system, run ssh-keygen to generate a key (Ed25519, or RSA with at least 3072 bits) and enter a strong passphrase. If you cannot remember the passphrase, store it in a password manager.
    - Then run ssh-copy-id to install the public key on IPFire, and test a key login before you disable password authentication so you do not lock yourself out.
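The steps above as shell functions for a Linux admin workstation, plus a check to run on IPFire itself afterwards. This is an added example, not code from the IPFire wiki or project; it assumes OpenSSH on both sides, IPFire's default SSH port 222 (check the SSH Access page if yours differs), and the key path and hostname are placeholders you pass as arguments.

```shell
#!/bin/sh
# Added example (not IPFire project code). Key-based SSH setup from a Linux
# workstation and an audit of the resulting sshd configuration on IPFire.
set -u

IPFIRE_SSH_PORT=${IPFIRE_SSH_PORT:-222}   # IPFire's default; adjust if changed

# 1. Generate an Ed25519 key. -a 100 raises the KDF rounds so that an
#    attacker who steals the private key file has to work harder to guess
#    the passphrase offline. ssh-keygen prompts for the passphrase.
make_admin_key() {            # make_admin_key ~/.ssh/ipfire_admin "admin@workstation"
    ssh-keygen -t ed25519 -a 100 -f "$1" -C "$2"
}

# 2. Install the public half on IPFire while password auth is still enabled.
install_key() {               # install_key ~/.ssh/ipfire_admin ipfire.example.lan
    ssh-copy-id -i "$1.pub" -p "$IPFIRE_SSH_PORT" "root@$2"
}

# 3. After disabling password authentication in the WUI, confirm from the
#    workstation that a password-only login is refused. Returns 0 when the
#    login fails. (It also "succeeds" if the host is unreachable, so run it
#    only after install_key worked.)
password_login_refused() {    # password_login_refused ipfire.example.lan
    ! ssh -p "$IPFIRE_SSH_PORT" -o BatchMode=yes -o PubkeyAuthentication=no \
          -o PreferredAuthentications=password "root@$1" true 2>/dev/null
}

# 4. On IPFire itself (as root): `sshd -T | audit_sshd_config` checks the
#    effective daemon configuration, whatever the WUI wrote to sshd_config.
#    Returns 0 only if password auth is off and public key auth is on.
audit_sshd_config() {
    pw=unknown; pk=unknown; rc=0
    while read -r key val; do
        case "$key" in
            passwordauthentication) pw=$val ;;
            pubkeyauthentication)   pk=$val ;;
        esac
    done
    [ "$pw" = no ]  || { echo "FAIL: passwordauthentication=$pw (want no)"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL: pubkeyauthentication=$pk (want yes)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: only public key authentication is accepted"
    return "$rc"
}
```

Run the audit with `sshd -T | audit_sshd_config` on IPFire after saving the SSH settings; if it reports a FAIL, the WUI change did not take effect and password guessing is still possible.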

Send syslogs to another server

Impact Effort
B. SIGNIFICANT 2. MEDIUM

Attackers usually aim to be stealthy and to conceal that they have gained access to a system. To do this they will often remove evidence of a successful attack by deleting log entries. If you also send your logs to another system inside your network (Logs > Log Settings in the WUI), they cannot remove all evidence of their attack without compromising that system too. Remember that plain syslog is unauthenticated and unencrypted, so the collector should accept messages only from IPFire's address and should not be reachable from the clients an attacker is likely to compromise first.
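A receiving side for that setup, as an added example that is not part of the IPFire page or project: a small script that writes an rsyslog drop-in for a Linux log collector which accepts IPFire's syslog on UDP 514 only from IPFire's own address and files it under /var/log/remote/. It assumes rsyslog 8 (RainerScript syntax) on the collector; the address 192.168.0.1 used below is a placeholder for your IPFire's Green address.

```shell
#!/bin/sh
# Added example, not IPFire project code: rsyslog receiver for IPFire logs.
set -u

# Emit the collector configuration for the given IPFire address.
rsyslog_ipfire_receiver() {   # rsyslog_ipfire_receiver 192.168.0.1
    ip=$1
    # Refuse anything that is not a plain dotted-quad, so a typo cannot
    # silently turn into "accept from everyone" or inject config syntax.
    case "$ip" in
        *[!0-9.]*|"") echo "bad IPv4 address: '$ip'" >&2; return 1 ;;
    esac
    cat <<EOF
# Accept syslog from IPFire only. Syslog over UDP is unauthenticated and
# trivially spoofed, so also restrict UDP/514 on this host's firewall.
module(load="imudp")
input(type="imudp" port="514" ruleset="ipfire")
template(name="ipfire_file" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
ruleset(name="ipfire") {
    if \$fromhost-ip == "$ip" then {
        action(type="omfile" dynaFile="ipfire_file")
    }
    # Anything else that reaches this input is dropped, not logged.
    stop
}
EOF
}

# Write the drop-in, validate the whole configuration, then reload.
# Run as root on the collector.
install_receiver() {          # install_receiver 192.168.0.1
    rsyslog_ipfire_receiver "$1" > /etc/rsyslog.d/10-ipfire.conf \
        && rsyslogd -N1 \
        && systemctl restart rsyslog
}
```

After `install_receiver`, point IPFire's remote logging at the collector and check that a new directory appears under /var/log/remote/ within a minute; if nothing arrives, the usual culprits are a firewall on the collector blocking UDP/514 or IPFire logging from an address other than the one you allowed.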

Use the URL filter

Impact Effort
A. MAJOR 1. LOW

If your IPFire system has more resources (free memory, low CPU usage) than are required during times of peak traffic (for example, lunchtime for a business), use the proxy's URL filter to block advertising (ads) and malware. Malicious advertisements (malvertising) are now a common way for attackers to deliver exploits to users through their browser.

  • Configure the URL filter to block the "ads" and "malware" categories.
  • Remember to enable the "URL Filter" check box (in the "Number of filter processes" section of the Advanced web proxy configuration page in the WUI); without it the filter settings have no effect.
  • Make sure HTTPS traffic is filtered as well. This is only possible if your clients use the squid proxy explicitly (not in transparent mode), because the proxy then sees the CONNECT request that names the server. Even so, only the server name (e.g. example.com) can be blocked; paths (e.g. example.com/file1) and page contents are inside the encrypted connection and cannot be filtered.

Use the Intrusion Prevention System

Impact Effort
B. SIGNIFICANT 3. HIGH

Although it often takes a large effort to learn and configure, and then some effort to maintain, the Suricata Intrusion Prevention System (IPS) built into IPFire can provide a significant security benefit, depending on the rules enabled and the kind of traffic your IPFire system routes.

Note: If you want accurate monitoring, consider disabling the network card's offload features (TSO, GSO, GRO, LRO). They reduce CPU utilisation on your IPFire system, but they let the NIC and kernel merge or split packets, so Suricata can be handed segments that do not match what is on the wire and miss malicious activity.
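A check for that note, as an added example (not from the IPFire page or project): it reads `ethtool -k` output and lists the offloads that are on and could distort what Suricata sees, and a second function turns them off. It assumes ethtool is installed on IPFire, that the internet-facing interface is red0, and the sample `ethtool -k` output used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not IPFire project code: find and disable NIC offloads
# that coalesce or split packets before the IPS sees them.
set -u

# Offloads that change packet boundaries between the wire and the kernel.
RISKY_OFFLOADS="tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload"

# Reads `ethtool -k <iface>` output on stdin and prints the risky offloads
# that are currently on. Lines like "large-receive-offload: off [fixed]"
# cannot be changed by software and are reported only if they are on.
enabled_risky_offloads() {
    while IFS=': ' read -r name state _; do
        for risky in $RISKY_OFFLOADS; do
            if [ "$name" = "$risky" ] && [ "$state" = on ]; then
                echo "$name"
            fi
        done
    done
}

# Report for a live interface (run as root on IPFire).
report_offloads() {           # report_offloads red0
    ethtool -k "$1" | enabled_risky_offloads
}

# Turn them off. This does not persist across reboots, so hook it into
# your startup scripts and re-run report_offloads after the next boot.
disable_risky_offloads() {    # disable_risky_offloads red0
    ethtool -K "$1" tso off gso off gro off lro off
}
```

Run `report_offloads red0` before and after `disable_risky_offloads red0`; an empty report means Suricata now sees packets as they arrived on the wire.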

Use GeoIP Block

Impact Effort
A. MAJOR 1. LOW

Once your IPFire system has been online for a week or so with the default logging of dropped packets, check the firewall logs sorted by country (in the WUI, go to Logs > FW-Loggraphs (Country)). Depending on where your IPFire system is located and who you need to contact for business or personal reasons, you can block a significant amount of hostile traffic from the internet simply by blocking certain countries. This will not stop a determined attacker in control of multiple systems (a botnet, for example), and anyone can route through a host in a country you allow, but it significantly reduces noise and lets you focus on items which actually need investigating. (In current IPFire releases this feature is called Location Block.)

  • Do some research and block countries with a high percentage of malicious traffic using the GeoIP block feature

Note!
Using IPFire's GeoIP feature is the easiest way to make a massive reduction in the amount of malicious traffic probing your network.
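To do that research from the shell rather than the log graphs, here is an added example (not from the IPFire page or project) that ranks the source addresses IPFire has dropped on the red interface and looks up each one's country. It assumes IPFire's netfilter log prefix "DROP_INPUT" and the standard "SRC=" field in /var/log/messages, and it assumes IPFire's libloc command-line tool is available as `location` and prints a "Country" line; the log lines below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not IPFire project code: who is probing the red interface.
set -u

# Prints "count ip" per dropped source on red0, most frequent first.
top_drop_sources() {          # top_drop_sources /var/log/messages
    grep -E 'kernel: DROP_[A-Z_]* IN=red0' "$1" \
      | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Country of an address via the libloc CLI (assumed: `location lookup`
# with a "Country" line in its output). Prints "?" if the tool is absent.
country_of() {                # country_of 203.0.113.5
    command -v location >/dev/null 2>&1 || { echo '?'; return 0; }
    location lookup "$1" 2>/dev/null \
      | awk -F':' '/Country/ {sub(/^ */, "", $2); print $2; exit}'
}

# Top talkers with their countries, for a quick block-list decision.
drop_report() {               # drop_report /var/log/messages 10
    top_drop_sources "$1" | head -n "${2:-10}" | while read -r n ip; do
        echo "$n $ip $(country_of "$ip")"
    done
}

# Constructed sample log (documentation addresses), used by the demo.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Aug 12 17:01:02 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 12 17:01:03 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=2 PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 12 17:01:04 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=5555 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 12 17:01:05 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=4 PROTO=TCP SPT=40003 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 12 17:01:06 ipfire kernel: DROP_INPUT IN=green0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.20 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=51000 DPT=81 WINDOW=64240 RES=0x00 SYN URGP=0
EOF

# Demo: the green0 line is ignored, 203.0.113.5 tops the list with 3 hits.
drop_report "$SAMPLE_LOG" 5
```

On a real system run `drop_report /var/log/messages 30` and look at the countries in the third column; a country that dominates the list and that you never need to talk to is a candidate for blocking, while one that also appears in your legitimate traffic is not.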


Configure Outgoing Firewall Rules

Impact Effort
A. MAJOR 3. HIGH

By default IPFire does not restrict (most) types of network traffic going out from your network to the internet. Creating outgoing firewall rules that allow only the traffic your network actually needs makes it difficult for malware to communicate with its command-and-control servers, so it is less likely to be able to steal your valuable information. It may also reduce the chance of such malware downloading further components or spreading to other networks via the internet.

Note: This requires a lot of effort, and mistakes may prevent devices and PCs from using the internet.

( FIXME - Instructions for this procedure are yet to be written)

  • Follow this procedure to monitor all your internet traffic over a period of time (to establish a baseline)
  • Based on what was recorded, create outgoing firewall rules to allow normal traffic
  • Deny all other traffic
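Pending the procedure above, here is an added example (not from the IPFire page or project) of one way to collect that baseline from the shell: snapshot the kernel's connection table with the conntrack tool at intervals, keep the flows that originate on Green and leave it, and then summarise which protocol/port pairs are in real use and by how many hosts. It assumes conntrack is installed on IPFire, a Green network of 192.168.0.0/24, and the usual `conntrack -L` line layout; the sample connection table is constructed.

```shell
#!/bin/sh
# Added example, not IPFire project code: outbound traffic baseline.
set -u

GREEN_PREFIX=${GREEN_PREFIX:-192.168.0.}   # adjust to your Green network

# Reads `conntrack -L` lines on stdin; prints unique "proto src dst dport"
# for flows that originate inside Green and go somewhere else. The first
# src=/dst=/dport= fields on a line describe the original direction; the
# later ones are the reply and are ignored.
baseline_from_conntrack() {
    awk -v green="$GREEN_PREFIX" '
        {
            proto = $1; src = ""; dst = ""; dport = ""
            for (i = 2; i <= NF; i++) {
                if (src   == "" && $i ~ /^src=/)   src   = substr($i, 5)
                if (dst   == "" && $i ~ /^dst=/)   dst   = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (proto == "icmp") dport = "-"     # ICMP has no port
            if (index(src, green) == 1 && index(dst, green) != 1 && dport != "")
                print proto, src, dst, dport
        }' | sort -u
}

# Append one snapshot to the running baseline (cron this every few minutes
# for a week; run as root on IPFire).
snapshot_baseline() {          # snapshot_baseline /var/log/outbound-baseline.txt
    conntrack -L 2>/dev/null | baseline_from_conntrack >> "$1"
}

# Collapse the collected snapshots into "hosts proto/port": how many
# distinct internal hosts used each destination port. Pairs used by many
# hosts are candidates for a network-wide allow rule; a single host on an
# odd port deserves a look before you allow it.
summarise_baseline() {         # summarise_baseline /var/log/outbound-baseline.txt
    sort -u "$1" | awk '
        { key = $1 "/" $4
          if (!((key SUBSEP $2) in seen)) { seen[key SUBSEP $2] = 1; n[key]++ } }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample of `conntrack -L` output for the demo.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.0.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.1 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.0.10 dst=192.168.0.1 sport=50000 dport=53 src=192.168.0.1 dst=192.168.0.10 sport=53 dport=50000 mark=0 use=1
tcp      6 120 SYN_SENT src=192.168.0.23 dst=198.51.100.7 sport=40000 dport=6667 src=198.51.100.7 dst=203.0.113.1 sport=6667 dport=40000 [UNREPLIED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.23 dst=93.184.216.34 sport=51235 dport=443 src=93.184.216.34 dst=203.0.113.1 sport=443 dport=51235 [ASSURED] mark=0 use=1
icmp     1 29 src=192.168.0.10 dst=8.8.8.8 type=8 code=0 id=1234 src=8.8.8.8 dst=203.0.113.1 type=0 code=0 id=1234 mark=0 use=1'

# Demo: the DNS flow to IPFire itself stays inside Green and is dropped
# from the baseline; the IRC port (6667) from a single host stands out.
printf '%s\n' "$SAMPLE_CONNTRACK" | baseline_from_conntrack
```

Once the week is over, `summarise_baseline` gives you the allow list to build rules from; everything not on it is what the final deny-all rule will block, so review the single-host entries first.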

Install Rootkit Hunter

Impact Effort
B. SIGNIFICANT 2. MEDIUM

RootKit Hunter (rkhunter) is a UNIX shell utility that scans Linux systems for rootkits, backdoors and possible local exploits. Although it is not currently packaged as an IPFire addon, it can be installed manually (instructions coming!) and run nightly, emailing the results to an administrator. Like any scanner that runs on the host it checks, it can be blinded by a rootkit that is already installed, so treat a clean result as evidence rather than proof.

Use SquidClamAV

Impact Effort
C. MINOR 1. LOW

It is ideal to use the built-in Squid web proxy to control your internet access, even on a low-power system. When you do, install and enable the free ClamAV virus scanner, which can scan files downloaded through the proxy for a small additional benefit. Files downloaded from an encrypted website (HTTPS) cannot be scanned.

Previously people often wrote viruses (malware) to get attention, or with the aim of infecting as many systems as possible. This meant somebody else had probably encountered a virus before you were exposed to it, giving an antivirus company the chance to develop a signature to protect you. Today malware tends to be stealthier and may be obfuscated or customised for each individual target. ClamAV is sadly one of the least effective virus scanners today (detecting only 15% of Windows malware and 66% of Linux malware according to one study); however, if your IPFire system has spare CPU cycles it does not hurt to enable it. With more than half of all internet traffic now encrypted, the advantage shrinks every year.

Protect your network against DNS hijacking

Impact Effort
B. SIGNIFICANT 2. MEDIUM

Follow the instructions to force all DNS traffic from your internal networks through IPFire's built-in DNS proxy (block outbound DNS, UDP and TCP port 53, from clients so that malware or a compromised device cannot quietly use another resolver), so that you are less vulnerable to DNS hijacking. Use upstream DNS servers that support DNSSEC, so that IPFire's resolver can validate responses and manipulated answers are rejected.

Configure PPPoE from IPFire

Impact Effort
B. SIGNIFICANT 1. LOW

If you connect to the internet using a cable or DSL modem, it is highly likely that your modem rarely receives patches for security flaws. At worst, your modem may have a built-in default administration account, hard-coded so that your ISP can take control of it; such accounts are regularly discovered by attackers. Unless you are extremely familiar with configuring your modem and it is patched regularly (like, for example, current Fritz!Box modem routers, which update themselves), it is best to bypass the modem's router functions: put it into bridge mode (where it supports this) and configure IPFire to connect to your ISP directly using PPPoE, so that the device terminating your internet connection is the one you keep patched.

Use a Host-Based Intrusion Detection System

Impact Effort
B. SIGNIFICANT 2. MEDIUM

A host-based intrusion detection system (HIDS) monitors the files and configuration of a system and alerts an administrator when something changes that was not expected. IPFire has a test addon, OSSEC, which is a modern open-source HIDS.

  • Configure and enable OSSEC (English posts in a German thread).
  • Update the HIDS database (re-baseline) each time you make deliberate changes to IPFire, so that your own changes are not reported as intrusions and real ones are not buried among them.
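To make the baseline-and-compare idea concrete, here is an added example (not the OSSEC addon's code or anything from the IPFire page): a minimal file-integrity check that records a SHA-256 of every file under chosen directories, later reports changed, deleted and new files, and is re-baselined only after deliberate changes. It assumes GNU sha256sum and comm, and that the baseline file is kept somewhere an attacker with root on the box cannot quietly edit (a real HIDS ships it off-host, as the syslog section does with logs).

```shell
#!/bin/sh
# Added example, not IPFire or OSSEC code: a toy host integrity check.
set -u

# Record the SHA-256 of every regular file below the given directories.
fim_baseline() {              # fim_baseline /root/fim.sha256 /etc /var/ipfire
    out=$1; shift
    find "$@" -type f -exec sha256sum {} + > "$out"
}

# Compare the live files against the baseline. Prints "path: FAILED ..."
# for changed or deleted files and "path: NEW" for files that were not in
# the baseline. Returns 0 only when nothing differs.
fim_check() {                 # fim_check /root/fim.sha256 /etc /var/ipfire
    base=$1; shift
    rc=0
    sha256sum -c --quiet "$base" 2>/dev/null || rc=1
    cur=$(mktemp); old=$(mktemp)
    find "$@" -type f | LC_ALL=C sort > "$cur"
    # strip the "<hash>  " prefix to get the paths the baseline knows about
    sed 's/^[0-9a-f]\{64\}  //' "$base" | LC_ALL=C sort > "$old"
    added=$(comm -23 "$cur" "$old")
    if [ -n "$added" ]; then
        echo "$added" | sed 's/$/: NEW/'
        rc=1
    fi
    rm -f "$cur" "$old"
    return "$rc"
}

# Nightly use on IPFire (from cron, as root): report only when something
# changed, and re-run fim_baseline yourself after intentional changes.
fim_nightly() {               # fim_nightly /root/fim.sha256 /etc /var/ipfire
    fim_check "$@" || echo "integrity check found differences; investigate before re-baselining"
}
```

A first run right after installation gives you the baseline; the value of the check comes from comparing against it regularly and never re-baselining over a report you have not explained.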

----Next Page: Reducing Attack Surface

Older Revisions • August 12 at 5:05 pm • Jon Murphy