Part of the IPFire Security Hardening Guide
This guide uses two scales:
Impact (security benefit) | A. MAJOR | B. SIGNIFICANT | C. MINOR |
Effort (to implement) | 1. LOW | 2. MEDIUM | 3. HIGH |
See the Security Guide introduction for a more detailed explanation of the scale.
Impact | Effort |
---|---|
A. MAJOR | 2. MEDIUM |
Impact | Effort |
---|---|
A. MAJOR | 1. LOW |
Go with security experts' advice. Source: Google Security Blog
Impact | Effort |
---|---|
A. MAJOR | 1. LOW |
Most IPFire features create logs which are visible from the WUI. Without regularly checking logs it can be very difficult to know if your system is under attack or, at worst, whether an intruder already has access to it.
Depending on your preference, you may want to configure some logs to be emailed to you. It is best to send them to an internal email server rather than an internet-based one, as logs can contain sensitive information about your IPFire system and its configuration.
Aim to check at least these logs regularly:
Impact | Effort |
---|---|
B. SIGNIFICANT | 1. HIGH |
When installing IPFire, ensure there is a large amount of space available for logs. Ideally IPFire will allow users to create a separate /var/log filesystem in future as this will prevent denial of service attacks created by thousands of deliberate log entries.
To check space availability go to menu Status > Media. Scroll down to Disk usage and search for Mounted on "/var".
Impact | Effort |
---|---|
B. SIGNIFICANT | 2. MEDIUM |
In the past IPFire only ran on 32-bit systems, but now the majority of people use the 64-bit version. The 64-bit version has Linux kernel security mitigations (for "Meltdown", "Spectre" and the like) which are not as well tested in the 32-bit version.
Impact | Effort |
---|---|
A. MAJOR | 3. HIGH |
It is ideal to change the login details of accounts used to administer any system. This adds another step for a potential attacker who now has to guess your login as well as attempt to break (or brute-force) your password.
Note: Currently this requires a high amount of effort for an inexperienced user. Hopefully in future IPFire will ask new users which accounts they would like during the installation process.
PermitRootLogin no
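
The `PermitRootLogin no` directive above only takes effect if it is the first value sshd reads for that keyword. The check below is an added example, not IPFire's own code; the path `/etc/ssh/sshd_config` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not IPFire code): report the effective global PermitRootLogin
# value in an sshd_config-style file. sshd keeps the FIRST value it reads for
# a keyword, so a "PermitRootLogin no" appended below an earlier "yes" has no
# effect. Limitation: Include files are not followed.

effective_root_login() {
    # $1 = config file path (assumption: /etc/ssh/sshd_config on the firewall)
    awk '
        { sub(/#.*/, ""); sub(/[=]/, " "); gsub(/"/, "") }  # comments, key=value, quotes
        NF == 0 { next }                                    # blank or comment-only line
        { key = tolower($1) }                               # keywords are case-insensitive
        key == "match" { exit }                             # global section ends at first Match
        key == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

audit_root_login() {
    value=$(effective_root_login "$1")
    case "$value" in
        no)    echo "OK: root login over SSH is disabled"; return 0 ;;
        unset) echo "WARN: PermitRootLogin not set globally, sshd built-in default applies"; return 1 ;;
        *)     echo "WARN: effective PermitRootLogin is '$value'"; return 1 ;;
    esac
}

# Constructed sample: the trailing "no" changes nothing, because "yes" comes first.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PermitRootLogin no' > "$sample"
audit_root_login "$sample" || true
rm -f "$sample"
```

On the running system, `sshd -T` prints the configuration the daemon actually resolved and is the authoritative check.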
Impact | Effort |
---|---|
A. MAJOR | 3. HIGH |
If you really need to manage an IPFire system from the internet (or any "hostile" network), do not open the WUI (TCP port 444) or SSH (TCP port 22) directly to the internet. Instead, research how to configure a secure VPN and use VPN access to administer IPFire using the WUI as if you were connected to the local network.
Older Revisions • August 27 at 10:33 pm • Jon