Differences in Revisions: Additional Security Configuration
Older revision: August 12 at 4:47 pm. Newer revision: August 12 at 4:50 pm ("fix links").
# Additional Security Configuration
*Part of the [IPFire Security Hardening Guide](/optimization/start/security_hardening)*
## Implementation Scale
This guide uses two scales:
| | | | |
|---|---|---|---|
| **Impact** (security benefit) | **<span style="color:lime">A. MAJOR</span>** | **<span style="color:mediumseagreen">B. SIGNIFICANT</span>** | **<span style="color:darkseagreen">C. MINOR</span>** |
| **Effort** (to implement) | **<span style="color:orangered">1. LOW</span>** | **<span style="color:coral">2. MEDIUM</span>** | **<span style="color:crimson">3. HIGH</span>** |
See [the Security Guide introduction](/optimization/start/security_hardening) for a more detailed explanation of the scale.
### Disable SSH Access - enable only when connecting
| Impact | Effort |
|---|---|
|**<span style="color:lime">A. MAJOR</span>**|**<span style="color:orangered">1. LOW</span>**|
The main way to manage IPFire is the [web user interface (WUI)](/configuration). By default it is always available on your internal Green network. If you use [Secure Shell (SSH)](https://en.wikipedia.org/wiki/SSH) to make changes in a Linux shell, start the SSH service only when you are about to connect and do not leave it running permanently. That way an attacker cannot mount a [brute-force attack](https://en.wikipedia.org/wiki/Brute-force_attack) against IPFire over SSH (although the [Guardian addon](/addons/guardian) also offers some protection against repeated login failures).
* Only [enable SSH access in the WUI](/configuration/system/ssh) with the "Stop SSH demon in 15 minutes" button, on the occasions you actually need a shell.
* Sessions established within those 15 minutes are not disconnected when the timer expires, but new connection attempts after that are refused.
* If you cannot avoid running SSH permanently (for example because you use SSH-based monitoring software), restrict access to a specific set of administrator IP addresses with a custom firewall rule.
### Use public key authentication for SSH
| Impact | Effort |
|---|---|
|**<span style="color:mediumseagreen">B. SIGNIFICANT</span>**|**<span style="color:orangered">1. LOW</span>**|
If you use [SSH](https://en.wikipedia.org/wiki/SSH) to administer IPFire, use public key authentication (with a key protected by a strong passphrase) instead of password authentication. The private key never leaves your machine: the client proves possession of it by signing a challenge that is bound to the current session, so an attacker in a [man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) position cannot capture a password and replay it to impersonate you, and there is no password left for a brute-force attack to guess. Still verify the host key fingerprint on first connection; key authentication does not stop a fake server from recording what you type into it.
* [Configure IPFire](/configuration/system/ssh) to allow only public key authentication, but only after you have confirmed that your key login works, or you will lock yourself out of the shell.
* Use an SSH key with a strong passphrase, so that somebody who gets hold of your account (or the key file) still cannot connect to IPFire. If you cannot remember the passphrase, [use a password manager](#strong_passwords_stored_securely) to store it.
  * From a Linux system, run `ssh-keygen` (for example `ssh-keygen -t ed25519`) to generate a key pair and enter a strong passphrase when prompted.
  * Then run `ssh-copy-id root@<ipfire hostname>` to install the public key; the shell account on IPFire is `root`.
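Added example, not code from the IPFire project: a small POSIX shell audit of an `sshd_config` for the settings this section asks for. It assumes the WUI writes its SSH settings to `/etc/ssh/sshd_config` (the path is an assumption) and works on two configuration files constructed inline rather than on a live system. Like sshd itself, it takes the first uncommented occurrence of a directive as the effective value.

```shell
#!/bin/sh
# Added example (not IPFire project code): check an sshd_config for the
# settings recommended above. On IPFire the WUI is assumed to write its SSH
# settings to /etc/ssh/sshd_config; run:  audit_sshd_config /etc/ssh/sshd_config
#
# Client-side steps from the list above, for reference (not executed here):
#   ssh-keygen -t ed25519                  # choose a strong passphrase
#   ssh-copy-id root@<ipfire hostname>     # installs the public key
#   ssh root@<ipfire hostname>             # must work BEFORE disabling passwords

# Print the effective value of a directive. sshd(8) uses the first
# uncommented occurrence of a keyword, so we stop at the first match;
# a commented line starts with "#Keyword" and therefore never matches.
sshd_value() {  # sshd_value <config file> <directive>
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Compare one directive against the wanted value; 0 = ok, 1 = mismatch.
check_directive() {  # check_directive <config file> <directive> <wanted>
    got=$(sshd_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok    $2 = $got"
        return 0
    fi
    echo "FAIL  $2 = ${got:-(unset)}   (want $3)"
    return 1
}

# Audit all directives this section cares about; return 1 if any failed.
audit_sshd_config() {  # audit_sshd_config <config file>
    failed=0
    check_directive "$1" PubkeyAuthentication yes            || failed=1
    check_directive "$1" PasswordAuthentication no           || failed=1
    check_directive "$1" ChallengeResponseAuthentication no  || failed=1
    check_directive "$1" PermitEmptyPasswords no             || failed=1
    return $failed
}

# Two configurations constructed for this example: the first still accepts
# passwords, the hardened one only keys. The commented-out line at the end
# of the hardened file must be ignored by the audit.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
#PasswordAuthentication yes
EOF

echo "== weak configuration =="
audit_sshd_config "$WEAK_CFG" || echo "-> still accepts passwords: fix it in the WUI"
echo "== hardened configuration =="
audit_sshd_config "$HARD_CFG" && echo "-> key-only login"
```

To confirm the result from the client side, `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password root@<ipfire hostname>` must be refused once the hardened configuration is active, while a plain `ssh root@<ipfire hostname>` with your key still works.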
### Send syslogs to another server
| Impact | Effort |
|---|---|
|**<span style="color:mediumseagreen">B. SIGNIFICANT</span>**|**<span style="color:coral">2. MEDIUM</span>**|
Attackers usually aim to be stealthy and to conceal that they have gained access to a system. To do this they often remove the log entries that record the attack. If IPFire sends its logs to another system on your network as they are written, an intruder on IPFire cannot remove all evidence of the attack, because the copies on the log host are out of reach.
* If you have another server within your network which does not offer any services to the internet, [configure remote logging to it using syslog](/configuration/logs/logsettings). Classic syslog is unauthenticated, so only accept it from IPFire's address and keep the log host on an internal network.
### Use the URL filter
| Impact | Effort |
|---|---|
|**<span style="color:lime">A. MAJOR</span>**|**<span style="color:orangered">1. LOW</span>**|
If your IPFire system has more resources (*free memory, low CPU usage*) than it needs at times of peak traffic (*for example, lunchtime for a business*), use the proxy's URL filter to block advertising (ads) and malware domains. [Malicious advertisements](https://en.wikipedia.org/wiki/Malvertising) are now a common way for attackers to deliver [exploits](https://en.wikipedia.org/wiki/Exploit_(computer_security)) to users through their browser.
* Configure the [URL filter](/configuration/network/url-filter) to block the ["ads" and "malware"](/configuration/network/proxy/url-filter) categories.
* Remember to enable the "URL Filter" check box in the "[Number of filter processes](/configuration/network/proxy/wui_conf/redirect)" section of the Advanced web proxy configuration page in the WUI; without it the filter is configured but not in use.
* Make sure HTTPS traffic also passes through the filter. This is only possible if your clients are configured to use the Squid proxy explicitly (not in transparent mode), because the proxy then sees the CONNECT request with the server name. Even then only the host name (e.g. example.com) can be blocked: the path (e.g. example.com/file1) and the content are inside the encrypted connection and cannot be inspected.
### Use the Intrusion Prevention System
| Impact | Effort |
|---|---|
|**<span style="color:mediumseagreen">B. SIGNIFICANT</span>**|**<span style="color:crimson">3. HIGH</span>**|
Although it often takes a large effort to learn and configure, and then some effort to maintain, the [Suricata](https://en.wikipedia.org/wiki/Suricata_(software)) [Intrusion Prevention System](https://en.wikipedia.org/wiki/Intrusion_prevention_system) (IPS) built in to IPFire can provide a significant security benefit, depending on the rules enabled and the kind of traffic your IPFire system routes.
* Enable the [Intrusion Prevention System](/configuration/firewall/ips)
* Spend time configuring [appropriate rules for your network](/configuration/firewall/ips/rule-selection)
* Ensure the rules are kept up to date. The IPS should do this automatically.
<sub>Note: If you want the IPS to see traffic exactly as it appears on the wire, consider [disabling the network card's offload features](http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html). These features are excellent for [lowering the CPU utilisation of your IPFire system](/hardware/passivenics), but because the card merges or splits segments before the kernel sees them, Suricata may be fed packets that do not match what was on the wire and miss malicious activity.</sub>
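An added example, not code from the IPFire project or from the linked post, of the check behind this note: a shell function that reads the output of `ethtool -k <interface>`, lists which of the merging and splitting offloads (TSO, GSO, GRO, LRO) are switched on and changeable, and prints the `ethtool -K` command that turns them off. The sample output is constructed; on a real system you would feed it `ethtool -k red0` (the interface name `red0` is IPFire's convention for the internet interface and is assumed here). The change does not survive a reboot, so it has to be reapplied at boot.

```shell
#!/bin/sh
# Added example, not from IPFire or the linked post: find which NIC offloads
# that merge or split segments are active and build the command to turn
# them off. Feed it the output of `ethtool -k <interface>`; the interface
# name red0 below is IPFire's name for the internet-facing interface (assumed).

# Print the short ethtool -K names (tso/gso/gro/lro) of the offloads that
# are "on" and not marked [fixed] (fixed ones cannot be changed anyway).
# Sub-features are indented under their parent and do not match.
truncating_offloads_on() {  # truncating_offloads_on <file with ethtool -k output>
    awk '
    BEGIN {
        short["tcp-segmentation-offload:"]     = "tso"
        short["generic-segmentation-offload:"] = "gso"
        short["generic-receive-offload:"]      = "gro"
        short["large-receive-offload:"]        = "lro"
    }
    ($1 in short) && $2 == "on" && $3 != "[fixed]" { print short[$1] }
    ' "$1"
}

# Print the ethtool -K command that disables everything found, or nothing
# if the card is already in the state we want.
offload_disable_cmd() {  # offload_disable_cmd <interface> <file with ethtool -k output>
    flags=""
    for f in $(truncating_offloads_on "$2"); do
        flags="$flags $f off"
    done
    if [ -n "$flags" ]; then
        echo "ethtool -K $1$flags"
    fi
}

# Constructed sample in the layout of `ethtool -k red0`: TSO, GSO and GRO
# are on, LRO is off and fixed by the driver.
ETH_OUT=$(mktemp)
trap 'rm -f "$ETH_OUT"' EXIT
cat >"$ETH_OUT" <<'EOF'
Features for red0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF

echo "offloads to disable: $(truncating_offloads_on "$ETH_OUT" | tr '\n' ' ')"
offload_disable_cmd red0 "$ETH_OUT"
```

On a live system replace the constructed file with `ethtool -k red0 > /tmp/red0.txt` and run `offload_disable_cmd red0 /tmp/red0.txt`; check throughput and CPU load afterwards, because the page's own hardware notes explain that these offloads are what keep CPU usage down.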
### Use GeoIP Block
| Impact | Effort |
|---|---|
| **<span style="color:lime">A. MAJOR</span>** | **<span style="color:orangered">1. LOW</span>** |
Once IPFire has been running for a week or so with firewall logging active, check the firewall logs sorted by country [in the WUI, go to Logs > [FW-Loggraphs (Country)](/configuration/logs/firewall-country)]. Depending on where your IPFire system is located and whom you need to contact for business or personal reasons, you can block a significant amount of hostile traffic from the internet simply by blocking certain countries. This will not stop a determined attacker who controls systems in many places (a botnet, or rented servers in a country you allow), but it significantly reduces noise and lets you focus on the events that actually need investigating.
* Do some research and block countries with a high share of malicious traffic using the [GeoIP block feature](/configuration/firewall/geoip-block). Check first that none of your own users, partners or update sources sit behind addresses in those countries.
Using IPFire's GeoIP feature is the easiest way to make a massive reduction in the amount of malicious traffic probing your network.
### Configure Outgoing Firewall Rules
| Impact | Effort |
|---|---|
|**<span style="color:lime">A. MAJOR</span>**|**<span style="color:crimson">3. HIGH</span>**|
By default IPFire does not restrict (most) types of network traffic going out to the internet from your network. Creating outgoing firewall rules for all traffic on your network makes it difficult for malware to communicate with external servers, so it is less likely that malware can send out your valuable information or fetch further stages, and it may also reduce the chance of malware spreading to other systems on your network.
*Note: This requires a lot of effort, and mistakes may prevent devices and PCs from using the internet.*
( FIXME - Instructions for this procedure are yet to be written)
* Follow this procedure to monitor all your internet traffic over a period of time (to establish a baseline)
* Based on what was recorded, create outgoing firewall rules that allow the normal traffic
* Deny (and log) all other traffic, then review the log for legitimate traffic you missed
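The baseline step above, as an added example that is not IPFire project code: a shell script that summarises outgoing connections from firewall log lines in the kernel iptables `LOG` format that IPFire writes to its logs. It keys on `IN=green0 OUT=red0` (IPFire's interface names, assumed here) rather than on the log prefix, because the prefix depends on which rule logged the packet; the sample lines, their `FORWARDFW` prefix, the addresses and the timestamps are all constructed for the example. It also assumes you have temporarily made the relevant allow rule log its traffic, otherwise there is nothing to summarise.

```shell
#!/bin/sh
# Added example, not IPFire project code: summarise outgoing connections
# from firewall log lines so that allow rules can be written from a baseline.
# Lines are in the kernel iptables LOG format that IPFire writes to its log;
# IN=green0 OUT=red0 (IPFire's interface names, assumed) selects traffic
# leaving the Green network for the internet. The FORWARDFW prefix, the
# addresses and the timestamps in the sample are constructed for this example.

# Print "count proto destination dport" for every distinct outgoing flow,
# most frequent first. ICMP has no port, so it is shown as "-".
baseline_outgoing() {  # baseline_outgoing <log file>
    awk '
    /IN=green0 / && /OUT=red0 / {
        dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "DST")        dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt = kv[2]
        }
        if (dst != "") print proto, dst, dpt
    }' "$1" | sort | uniq -c | sort -rn
}

# How often one particular flow occurred in the baseline (0 if never):
# useful to decide whether something is normal traffic or a one-off.
flow_count() {  # flow_count <log file> <proto> <dst> <dport>
    baseline_outgoing "$1" | awk -v p="$2" -v d="$3" -v dp="$4" '
        $2 == p && $3 == d && $4 == dp { print $1; found = 1 }
        END { if (!found) print 0 }'
}

# Constructed sample: web and DNS from Green, one odd connection to port 4444,
# an inbound drop on Red that must be ignored, and an ICMP echo request.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Aug 12 16:00:01 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.10 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Aug 12 16:00:02 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.11 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
Aug 12 16:00:03 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.10 DST=192.0.2.53 LEN=70 PROTO=UDP SPT=40000 DPT=53
Aug 12 16:00:04 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.12 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51236 DPT=4444 SYN
Aug 12 16:00:05 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.9 DST=203.0.113.1 LEN=40 PROTO=TCP SPT=55555 DPT=22 SYN
Aug 12 16:00:06 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.10 DST=93.184.216.34 LEN=84 PROTO=ICMP TYPE=8 CODE=0
EOF

echo "count proto destination dport"
baseline_outgoing "$LOG"
# Each line is a candidate "allow" rule; anything you cannot explain
# (here TCP to 198.51.100.7:4444) is what the final deny rule should catch.
```

Run it against a week of logs (`cat /var/log/messages* | ...`) rather than a day, so that weekly jobs such as backups and update checks appear in the baseline before you write the final deny rule.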
### Install Rootkit Hunter
| Impact | Effort |
|---|---|
|**<span style="color:mediumseagreen">B. SIGNIFICANT</span>**|**<span style="color:coral">2. MEDIUM</span>**|
[Rootkit Hunter](https://en.wikipedia.org/wiki/Rkhunter) (rkhunter) is a UNIX shell utility which scans Linux systems for [rootkits](https://en.wikipedia.org/wiki/Rootkit), [backdoors](https://en.wikipedia.org/wiki/Backdoor_(computing)) and possible local [exploits](https://en.wikipedia.org/wiki/Exploit_(computer_security)). Although it is not currently packaged as an IPFire addon, it can be manually installed (instructions coming!) and used to perform a scan on a nightly basis, sending the results to an administrator's email account.
* Install rkhunter ( FIXME instructions coming!) for IPFire
* Configure it to run from a daily fcron script and to email the results to an administrator
* Refresh its file-property baseline (`rkhunter --propupd`) right after installation and after every IPFire update, so that legitimate file changes do not bury real warnings in noise
### Use SquidClamAV
| Impact | Effort |
|---|---|
|**<span style="color:darkseagreen">C. MINOR</span>**|**<span style="color:orangered">1. LOW</span>**|
Use the built-in Squid web proxy to control your internet access, even if you have a low-power system. When doing so, for a small extra benefit, install and enable the free ClamAV virus scanner, which can scan files downloaded through the proxy. Files downloaded from an encrypted website (HTTPS) cannot be scanned.
Previously people often wrote viruses (malware) to get attention or with the aim of infecting as many systems as possible. This meant that somebody else had probably encountered a virus before you were exposed to it, which gave an antivirus company the chance to produce a signature to protect you. Today malware tends to be stealthier and may be obfuscated or customised for each individual target. [ClamAV is sadly one of the least effective virus scanners today](https://www.av-test.org/en/news/news-single-view/linux-16-security-packages-against-windows-and-linux-malware-put-to-the-test/) (detecting only 15% of Windows malware and 66% of Linux malware according to one study), but if your IPFire system has spare CPU cycles it does not hurt to enable it.
With more than half of all internet traffic now encrypted, this benefit shrinks every year.
* Use the built-in [Squid web proxy](/configuration/network/proxy/general) and install the [ClamAV virus scanner addon](/addons/clamav).
*It may not be highly effective, but it will stop very common malware from being downloaded over a plain HTTP connection.*
### Protect your network against DNS hijacking
| Impact | Effort |
|---|---|
|**<span style="color:mediumseagreen">B. SIGNIFICANT</span>**|**<span style="color:coral">2. MEDIUM</span>**|
Follow the instructions to [force all DNS traffic to use IPFire's built-in DNS proxy server](/configuration/firewall/dns), so that a device (or malware on it) cannot bypass your resolver and you are less exposed to [DNS hijacking](https://en.wikipedia.org/wiki/DNS_hijacking). Use upstream DNS servers that support DNSSEC, so that IPFire's resolver can validate responses and reject manipulated answers.
* [Enforce usage of IPFire's DNS server](/configuration/firewall/dns) for all devices on your network
### Configure PPPoE from IPFire
| Impact | Effort |
|---|---|
|**<span style="color:mediumseagreen">B. SIGNIFICANT</span>**|**<span style="color:orangered">1. LOW</span>**|
If you connect to the internet using a cable or DSL modem, it is highly likely that your modem rarely receives patches for security flaws. At worst, your modem may have a built-in default administration account that has been hard-coded to allow your ISP to take control of it. Such built-in accounts are often discovered by attackers. Unless you are extremely familiar with configuring your modem and it is regularly patched (like, for example, current-model Fritz!Box modem routers, which self-update), it is best to take the modem out of the picture by putting it into bridge mode and letting IPFire connect to your ISP directly using PPPoE. The modem then only passes frames, and IPFire holds the public IP address and the ISP credentials.
* Configure IPFire to connect directly to your ISP by [bridging your modem with PPPoE](/configuration/system/dial)
### Use a Host-Based Intrusion Detection System
| Impact | Effort |
|---|---|
|**<span style="color:mediumseagreen">B. SIGNIFICANT</span>**|**<span style="color:coral">2. MEDIUM</span>**|
A host-based intrusion detection system ([HIDS](https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system)) monitors the configuration and files of a system and alerts an administrator when something changes that was not expected. IPFire has a [test addon](http://forum.ipfire.org/viewtopic.php?t=15597) for [OSSEC](https://en.wikipedia.org/wiki/OSSEC), a modern open-source HIDS.
* Configure and enable [OSSEC](https://forum.ipfire.org/viewtopic.php?f=4&t=4924#p80449) (English posts in a German thread).
* Update the HIDS baseline each time you make changes to IPFire (including Pakfire updates); otherwise your own changes generate alerts and a real intrusion is buried among them.
----
*Next Page: [Reducing Attack Surface](/optimization/start/security_hardening/reducing_attack_surface)*