Differences in Revisions: Good Security Practice

Older revision: August 12 at 5:04 pm » Newer revision: August 12 at 5:22 pm (update)
# Good Security Practice
*Part of the [IPFire Security Hardening Guide](/optimization/start/security_hardening)*
 
----
 
## Implementation Scale
This guide uses two scales:
 
| | | | |
|---|---|---|---|
| **Impact** (security benefit) |**<span style="color:lime">A. MAJOR</span>**|**<span style="color:mediumseagreen">B. SIGNIFICANT</span>**|**<span style="color:darkseagreen">C. MINOR</span>**|
| **Effort** (to implement) | **<span style="color:orangered">1. LOW</span>** | **<span style="color:coral">2. MEDIUM</span>** | **<span style="color:crimson">3. HIGH</span>** |
 
See [the Security Guide introduction](/optimization/start/security_hardening) for a more detailed explanation of the scale.
 
----
 
## Good Security Practice
 
### Strong Passwords, stored securely
 
| Impact | Effort |
|---|---|
| **<span style="color:lime">A. MAJOR</span>** | **<span style="color:coral">2. MEDIUM</span>** |
 
* Use [strong passwords](https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html) for the "admin" [web user interface (WUI)](/configuration) and "root" console accounts
* Do not use the same password for "admin" and "root"
* Do not re-use a password which has been used elsewhere
* These passwords should be at least 15 characters long, contain all character types (uppercase, lowercase, numbers and symbols) and avoid using words.
* Store passwords in a [Password Manager](https://en.wikipedia.org/wiki/Password_manager) so that they can be longer and more complex than you can remember
* Ideally your Password Manager should be Open Source software which has been inspected for security flaws (such as [KeePassXC](https://keepassxc.org/))
* Do not save passwords for the IPFire WUI in your browser
* Avoid creating additional accounts on your IPFire system, unless specifically required
 
### Patch!
 
| Impact | Effort |
|---|---|
| **<span style="color:lime">A. MAJOR</span>** | **<span style="color:orangered">1. LOW</span>** |
 
* **Always** use the latest stable version of IPFire. Old versions have known security flaws.
* When an update is available, the [WUI](/configuration/system/startpage#notifications) will display a red note at the bottom of each screen. Arrange an outage and apply updates as soon as possible - most updates require a reboot.
* You might want to subscribe to the [IPFire-Announce mailing list](http://lists.ipfire.org/mailman/listinfo/ipfire-announce). That way you will receive an e-mail whenever a new update is available.
 
![](/optimization/start/beutler_google_security-practices-v6.png)

<sup>Go with the security experts' advice. Source: [Google Security Blog](https://googleonlinesecurity.blogspot.com.au/2015/07/new-research-comparing-how-security.html)</sup>
 
### Check logs regularly
 
| Impact | Effort |
|---|---|
|**<span style="color:lime">A. MAJOR</span>**|**<span style="color:orangered">1. LOW</span>**|
 
Most IPFire features create logs which are visible from the [WUI](/configuration). Without regularly checking logs it can be very difficult to know if your system is under attack, or at worst an intruder already has access to it.
 
*You may prefer to configure some logs to be emailed to you. It is best if this goes to an internal email server and not an internet-based one, as logs can contain sensitive information about your IPFire system and its configuration.*
 
Aim to check *at least* these logs regularly:
 
* The WUI [Status > Services](/configuration/status/services) page, to ensure services are still running and you don't suddenly have a high number of processes or high memory usage
* The [Log Summary](/configuration/logs/summary) page
* IDS Logs (if your IDS is configured, otherwise it will be of little value)
* [Firewall log (Port)](/configuration/logs/firewall-port)
* [Firewall log (Country)](/configuration/logs/firewall-country) to note which countries most attacks come from.
* After you have enabled the [GeoIP Block](/configuration/firewall/geoip-block) [(highly recommended, below)](/optimization/start/security_hardening#use_geoip_block), to see the number of hits against your firewall from countries which you are blocking:
  - In the WUI open the "Firewall" menu and click "iptables"
  - In the first "iptables" section, select "GEOIPBLOCK" from the drop down list
  - Click Update
  - A list of the countries you block will be displayed along with a packet and byte count for the number of hits those countries have had against your firewall and the volume of traffic blocked
 
### Generous capacity for logs

| Impact | Effort |
|---|---|
| **<span style="color:mediumseagreen">B. SIGNIFICANT</span>** | **<span style="color:crimson">3. HIGH</span>** |
 
When installing IPFire, ensure there is a large amount of space available for logs. Ideally IPFire will allow users to create a separate /var/log filesystem in future: if an attacker triggers thousands of deliberate log entries, a full /var/log then cannot fill the root filesystem and turn the log flood into a [denial of service](https://en.wikipedia.org/wiki/Denial-of-service_attack) against the whole system.
 
* When installing IPFire, ensure there is a generous capacity available for logs
* If possible, create a separate partition and remount /var/log on it
 
To check space availability go to menu **Status** > **Media**. Scroll down to **Disk usage** and search for Mounted on "/var".
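The same check from a shell, as an added example that is not part of the wiki page: it reports whether /var/log sits on its own filesystem (as recommended above) and how full that filesystem is, using only portable `df -P`. The threshold and the path are assumptions you can change.

```shell
#!/bin/sh
# Added example (not from the IPFire wiki): is /var/log on its own
# filesystem, and how full is that filesystem? Portable "df -P" only.

# mount_point_of PATH -> mount point of the filesystem holding PATH
mount_point_of() {
    df -P "$1" | awk 'NR == 2 { print $6 }'
}

# usage_pct_of PATH -> percent used (0-100) of the filesystem holding PATH
usage_pct_of() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# log_fs_separate PATH -> returns 0 when PATH is NOT on the root filesystem
log_fs_separate() {
    [ "$(mount_point_of "$1")" != "$(mount_point_of /)" ]
}

# log_fs_status PATH THRESHOLD -> prints a one-line report and returns 1 when
# usage is at or above THRESHOLD percent, so it can drive a cron alert.
log_fs_status() {
    path=$1
    threshold=${2:-80}          # assumed default: warn at 80 % used
    [ -e "$path" ] || { echo "$path: no such path"; return 2; }
    mp=$(mount_point_of "$path")
    pct=$(usage_pct_of "$path")
    if log_fs_separate "$path"; then
        layout="separate filesystem ($mp)"
    else
        layout="shared with / (a log flood can fill the root filesystem)"
    fi
    printf '%s: %s, %s%% used\n' "$path" "$layout" "$pct"
    [ "$pct" -lt "$threshold" ]
}

# Stand-alone run: check the log directory with the default threshold.
log_fs_status /var/log
```
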
 
### Use the 64 bit version of IPFire

| Impact | Effort |
|---|---|
|**<span style="color:mediumseagreen">B. SIGNIFICANT</span>**|**<span style="color:coral">2. MEDIUM</span>**|
 
In the past IPFire only ran on 32 bit systems but now the majority of people use the 64 bit version. The 64 bit version has [Linux kernel security mitigations (for "Meltdown", "Spectre" and the like)](https://planet.ipfire.org/post/protect-yourself-better-against-meltdown-spectre-and-other-attacks-with-ipfire-on-64-bit) which are not as well tested in the 32 bit version.
 
* Backup a 32 bit IPFire system and reinstall with the 64 bit release
 
### Change default login details
 
| Impact | Effort |
|---|---|
|**<span style="color:lime">A. MAJOR</span>**|**<span style="color:crimson">3. HIGH</span>**|
 
It is ideal to change the login details of accounts used to administer any system. This adds another step for a potential attacker who now has to guess your login as well as attempt to break (or brute-force) your password.
 
**Note:** Currently this requires a high amount of effort for an inexperienced user. Hopefully in future IPFire will ask new users during installation which accounts they would like.
 
* Change the default "admin" account in IPFire to a different username which will not be obvious to an attacker
* Add another account to Linux on your IPFire system with a different username to the one you chose above. Allow this user the ability to start a shell and use it to log in and switch user (su) to root.
* Then disable root login over SSH by setting `PermitRootLogin no` in the /etc/ssh/sshd_config configuration file
* If you have a major outage, use a graphical console to log in directly as root, or remove your storage and mount it on another Linux system
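The `PermitRootLogin no` step above, as an added example that is not part of the wiki page. It works on a constructed copy of an sshd_config rather than the real `/etc/ssh/sshd_config`; the pitfall it handles is that sshd honours the first uncommented occurrence of a keyword, so appending `PermitRootLogin no` below an existing `PermitRootLogin yes` changes nothing.

```shell
#!/bin/sh
# Added example (not from the IPFire wiki): enforce "PermitRootLogin no" in an
# sshd_config file and read back the value sshd would actually use.
# sshd takes the FIRST uncommented occurrence of a keyword, so a stray
# "PermitRootLogin yes" above an appended "no" silently wins.

# effective_permit_root_login FILE -> first active value, or "unset"
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# set_permit_root_login FILE VALUE -> removes every active PermitRootLogin
# line and places a single one with VALUE at the top, where nothing earlier
# in the file can override it (Match blocks further down are left untouched).
set_permit_root_login() {
    file=$1
    value=$2
    tmp="${file}.tmp.$$"
    {
        printf 'PermitRootLogin %s\n' "$value"
        awk 'tolower($1) != "permitrootlogin"' "$file"
    } > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample config; on IPFire the real file is /etc/ssh/sshd_config.
sample="${TMPDIR:-/tmp}/sshd_config.example.$$"
cat > "$sample" <<'EOF'
# constructed sshd_config fragment for the example
Port 22
PermitRootLogin yes
#PermitRootLogin no
PermitRootLogin no
EOF

# harden_sample -> applies the change to the sample and prints the result
harden_sample() {
    set_permit_root_login "$sample" no
    effective_permit_root_login "$sample"
}

echo "before: $(effective_permit_root_login "$sample")"
echo "after:  $(harden_sample)"
# On a live system, validate with "sshd -t" and restart sshd afterwards.
```
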
 
 
### Use a VPN to manage IPFire from the internet
 
| Impact | Effort |
|---|---|
|**<span style="color:lime">A. MAJOR</span>**|**<span style="color:crimson">3. HIGH</span>**|
 
If you really need to manage an IPFire system from the internet (or any "hostile" network) do not open the [WUI](/configuration) (tcp port 444) or [SSH](https://en.wikipedia.org/wiki/SSH) (tcp port 22) directly to the internet. Instead research how to configure a secure VPN and use VPN access to administer IPFire through the WUI as if you were connected to the local network.
 
* If you need to manage IPFire from the internet, configure and use a [VPN](https://en.wikipedia.org/wiki/VPN) to administer IPFire systems over the internet
* Two different VPNs are supported in IPFire: [IPSec](/configuration/services/ipsec) and [OpenVPN](/configuration/services/openvpn), although you could also use a separate VPN appliance.
 
----
 
**Next Page: [Additional Security Configuration](/optimization/start/security_hardening/additional_security_configuration)**