IPFire Security Hardening (Wiki - Ipfire.org)


wiki.ipfire.org
The community-maintained documentation platform of IPFire

IPFire Security hardening


Introduction
IPFire is designed to be secure by default; however, it can be further hardened so that it is even more difficult to attack.
Hardening includes:

good security practice
some additional configuration
reducing the attack surface [https://en.wikipedia.org/wiki/attack surface] by disabling features which are not in use.

Implementation Scale

As a guide for new readers, this page uses two scales:

Security benefit (impact): A. MAJOR, B. SIGNIFICANT, C. MINOR
Effort to implement: 1. LOW, 2. MEDIUM, 3. HIGH

This scale is subjective. It will differ based on the value of your data to an attacker as well as your technical skill or previous experience. It aims to give an indication of both the benefit of doing an item and the approximate effort required.

Scale examples

For example, items which are categorised

Impact Effort
A. MAJOR 1. LOW

are highly recommended, as they are both easy to implement and have a high security benefit.

While items which are

Impact Effort
C. MINOR 3. HIGH

will be helpful, but need only be done for a high-risk environment or if you are a bit paranoid!

1. Good Security Practice

Strong Passwords, stored securely

Impact Effort
A. MAJOR 2. MEDIUM

Use strong passwords [https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html] for the “admin” web user interface (WUI) and “root” console accounts
Do not use the same password for “admin” and “root”
Do not re-use a password which has been used elsewhere
These passwords should be at least 15 characters long, contain all character types (uppercase, lowercase, numbers
and symbols) and avoid using words.
Store passwords in a Password Manager [https://en.wikipedia.org/wiki/Password Manager] so that they can be longer and
more complex than you can remember
Ideally your Password Manager should be Open Source software which has been inspected for security flaws
(such as KeePass [http://keepass.info/])
Do not save passwords for the IPFire WUI in your browser
Avoid creating additional accounts on your IPFire system, unless specifically required

Patch!

Impact Effort
A. MAJOR 1. LOW

Always use the latest stable version of IPFire. Old versions have known security flaws.
When an update is available, the WUI will display a red note at the bottom of each screen. Arrange an outage and apply
updates as soon as possible - most updates require a reboot.
You might want to subscribe to the IPFire-Announce mailing list [http://lists.ipfire.org/mailman/listinfo/ipfire-announce]. That way you will receive an e-mail whenever a new update is available.
Keeping software updated is also the advice of security experts (source: Google Security Blog [https://googleonlinesecurity.blogspot.com.au/2015/07/new-research-comparing-how-security.html]).

Check logs regularly

Impact Effort
A. MAJOR 1. LOW

Most IPFire features create logs which are visible from the WUI. Without regularly checking logs it can be very difficult to
know if your system is under attack, or at worst an intruder already has access to it.

You may prefer to configure some logs to be e-mailed to you. It is best if this goes to an internal e-mail server and not an internet-based server, as logs can contain sensitive information about your IPFire system and its configuration.

Aim to check at least these logs regularly:

The WUI Status > Services page, to ensure services are still running and you don't suddenly have a high number of processes or high memory usage
The 'Log Summary' page
IDS logs (if your IDS is configured; otherwise they will be of little value)
'FW-Loggraphs (Port)'
'FW-Loggraphs (Country)', to note which countries most attacks come from.

After you have enabled the GeoIP Block (highly recommended, see below), to see the number of hits against your firewall from countries which you are blocking:
1. In the WUI open the “Firewall” menu and click “iptables”
2. In the first “iptables” section, select “GEOIPBLOCK” from the drop-down list
3. Click Update
4. A list of the countries you block will be displayed along with a packet and byte count for the number of hits those countries have had against your firewall and the volume of traffic blocked
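The same counters can be read from the IPFire console and summarised per country. The script below is an added example, not IPFire's own tooling; it assumes the chain is named GEOIPBLOCK as in the WUI drop-down and that each rule line of the iptables listing carries the blocked two-letter country code as a standalone token (the sample listing is constructed).

```shell
#!/bin/sh
# Summarise the GEOIPBLOCK chain counters from the console (the CLI counterpart of
# the WUI steps above). Added example, not IPFire's own tooling.
# Assumptions: the chain is called GEOIPBLOCK as in the WUI drop-down; "iptables -vnxL"
# prints exact packet and byte counters as the first two columns; and each rule line
# carries the blocked two-letter country code as a standalone token (the wording of the
# geoip match in the listing is assumed, so the parser only looks for that token).

# Read an "iptables -vnxL GEOIPBLOCK" listing on stdin and print "CC packets bytes"
# per country, sorted by packets descending, then a TOTAL line.
summarise_geoip() {
    awk '
        /^Chain / || /^ *pkts / { next }      # chain banner and column header
        NF < 10 { next }                       # not a rule line with a match clause
        {
            cc = ""
            # fields 1-9 are pkts bytes target prot opt in out source destination;
            # the country code is the first two-uppercase-letter field after them
            for (i = 10; i <= NF; i++) if ($i ~ /^[A-Z][A-Z]$/) { cc = $i; break }
            if (cc == "") next
            pkts[cc] += $1; bytes[cc] += $2
        }
        END { for (c in pkts) printf "%s %d %d\n", c, pkts[c], bytes[c] }
    ' | sort -k2,2nr |
    awk '{ print; p += $2; b += $3 } END { printf "TOTAL %d %d\n", p, b }'
}

# Live use on IPFire (needs root): report for the currently loaded rules.
geoip_report() {
    iptables -vnxL GEOIPBLOCK | summarise_geoip
}

# Constructed sample listing in the assumed layout (not captured from a real system).
SAMPLE_LISTING='Chain GEOIPBLOCK (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    3150     240500 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            Source country: CN
     980      61200 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            Source country: RU
    1060      78400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            Source country: CN
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            Source country: KP'

printf '%s\n' "$SAMPLE_LISTING" | summarise_geoip
```

Counters reset when the firewall rules are reloaded, so compare reports taken between reloads rather than reading a single one as a long-term figure.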

Generous capacity for logs

Impact Effort
B. SIGNIFICANT 1. HIGH

When installing IPFire, ensure there is a large amount of space available for logs. Ideally IPFire will allow users to create a separate /var/log filesystem in future, as this would prevent denial of service [https://en.wikipedia.org/wiki/denial of service] attacks in which an attacker deliberately generates thousands of log entries to fill the disk.

When installing IPFire, ensure there is a generous capacity available for logs
If possible, create a separate partition and remount /var/log on it

Change default login details

Impact Effort
A. MAJOR 3. HIGH

It is ideal to change the login details of accounts used to administer any system. This adds another step for a potential attacker
who now has to guess your login as well as attempt to break (or brute-force) your password.

Note: Currently this requires a high amount of effort for an inexperienced user. Hopefully in future IPFire will ask new users for the accounts they would like during the installation process.

Change the default “admin” account in IPFire to a different username which will not be obvious to an attacker
Add another account to Linux on your IPFire system with a different username to the one you chose above. Give this user a shell, and use it to log in and switch user (su) to root.
Then disable root access over SSH by adding this entry to the /etc/ssh/sshd_config configuration file:

PermitRootLogin no

If you have a major outage, use a graphical console to log in directly as root, or remove your storage and mount it on another Linux system.

Use a VPN to manage IPFire from the internet

Impact Effort
A. MAJOR 3. HIGH

If you really need to manage an IPFire system from the internet (or any “hostile” network), do not open the WUI (tcp port 444) or SSH [https://en.wikipedia.org/wiki/SSH] (tcp port 22) directly to the internet. Instead research how to configure a secure VPN and use VPN access to administer IPFire using the WUI as if you were connected to the local network.

If you need to manage IPFire from the internet, configure and use a VPN [https://en.wikipedia.org/wiki/VPN] to administer IPFire systems over the internet
Two different VPNs are supported in IPFire: IPSec and OpenVPN, although you could use a separate VPN appliance.

2. Additional Configuration

Disable SSH Access - enable only when connecting

Impact Effort
A. MAJOR 1. LOW

The main way to manage IPFire is the web user interface (WUI). By default, it is always available on your internal Green network. If you use Secure Shell (SSH) [https://en.wikipedia.org/wiki/SSH] to make changes in a Linux shell, only start the SSH service when you need to connect; do not leave it permanently running. This way an attacker cannot conduct a brute-force attack [https://en.wikipedia.org/wiki/brute-force attack] against IPFire using SSH (although the Guardian addon does also offer some protection).

Only enable SSH access in the WUI using the “Stop SSH demon in 15 minutes” button on the occasions you need a secure shell.
Sessions established during those 15 minutes are not disconnected when the time expires, but all new connection attempts after the 15 minutes will fail.
If you cannot stop IPFire from running SSH permanently (perhaps because you use SSH-based monitoring software), then ensure that access is restricted to a specific set of IP addresses allocated to administrators only, by configuring a custom firewall rule.

Use public key authentication for SSH

Impact Effort
B. SIGNIFICANT 1. LOW

If you use SSH [https://en.wikipedia.org/wiki/SSH] to administer IPFire, use public key based authentication (using a key with a strong passphrase) instead of password based authentication. Key based authentication prevents an attacker performing a man-in-the-middle attack [https://en.wikipedia.org/wiki/Man-in-the-middle_attack] from using your password to impersonate you, as your private key is never sent to the SSH server.

Configure IPFire to only allow public key based authentication
Use an SSH key with a strong passphrase, so that if somebody gets access to your account (or discovers your password) they cannot connect to IPFire

1. From a Linux system, run

ssh-keygen

to generate an RSA key and enter a strong passphrase. If you cannot remember this passphrase, use a Password Manager to store it.

2. Then run

ssh-copy-id <ipfire hostname>

to copy the public key to your IPFire system.
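To verify the settings recommended in “Change default login details” (PermitRootLogin no) and in this section (public key authentication only), the following script audits an sshd_config file. It is an added example, not part of IPFire; the sample configuration it contains is constructed, it relies on OpenSSH's rule that the first occurrence of a keyword wins, and the defaults it assumes for absent keywords are deliberately permissive.

```shell
#!/bin/sh
# Audit an sshd_config against the recommendations of the two SSH sections above:
# no root login over SSH and public-key authentication only. Added example, not part
# of IPFire; it only reads the file and changes nothing.
# Assumptions (OpenSSH semantics): keywords are case-insensitive, lines starting with
# '#' are comments, and sshd applies the FIRST occurrence of a keyword, so a later
# "PermitRootLogin no" does not override an earlier "PermitRootLogin yes". The
# defaults used for absent keywords are assumed permissive values.

# Print the effective value of KEY in FILE, or DEFAULT when the keyword is not set.
sshd_setting() {
    file=$1; key=$2; default=$3
    value=$(awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments and blank lines
        tolower($1) == "match"              { exit }         # stop at the first Match block
        tolower($1) == tolower(k)           { print $2; exit }  # first occurrence wins
    ' "$file")
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$default"; fi
}

# check FILE KEY WANT DEFAULT: print OK/FAIL for one keyword, return 1 on a mismatch.
check() {
    actual=$(sshd_setting "$1" "$2" "$4")
    if [ "$actual" = "$3" ]; then
        printf 'OK   %-32s %s\n' "$2" "$actual"
    else
        printf 'FAIL %-32s %s (want %s)\n' "$2" "$actual" "$3"
        return 1
    fi
}

# Run every check; the return value is the number of failed checks (0 = all good).
audit_sshd() {
    fails=0
    check "$1" PermitRootLogin                 no  yes || fails=$((fails + 1))
    check "$1" PasswordAuthentication          no  yes || fails=$((fails + 1))
    check "$1" PubkeyAuthentication            yes yes || fails=$((fails + 1))
    # keyboard-interactive logins can still take a password via PAM, so disable them too
    check "$1" ChallengeResponseAuthentication no  yes || fails=$((fails + 1))
    return $fails
}

# Constructed sample (NOT IPFire's shipped sshd_config): root login and passwords are
# still allowed, and the trailing "PermitRootLogin no" is ignored by sshd.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# no effect: sshd already applied the first PermitRootLogin above
PermitRootLogin no
EOF
}

SAMPLE=$(mktemp)
write_sample_config "$SAMPLE"
if audit_sshd "$SAMPLE"; then
    echo "sshd_config matches the recommendations"
else
    echo "$? setting(s) need attention"
fi
rm -f "$SAMPLE"
```

Run it as `audit_sshd /etc/ssh/sshd_config` on IPFire after making changes; the sample file in the block exists only to show how a misleading duplicate keyword is reported.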

Send syslogs to another server

Impact Effort
B. SIGNIFICANT 2. MEDIUM

Hackers usually aim to be stealthy and conceal that they have gained access to a system. To do this they will often remove evidence of a successful attack by deleting log entries. If you send your logs to another system inside your network they cannot remove all evidence of their attack.

If you have another server within your network which doesn't offer any services to the internet, configure remote logging to it using syslog.

Use the URL filter

Impact Effort
A. MAJOR 1. LOW

If your IPFire system has more resources (memory free, low CPU usage) than are required during times of peak traffic (for
example, lunchtime for a business) use the Proxy's URL filter to block advertising (ads) and malware. Malicious advertisements
[https://en.wikipedia.org/wiki/malvertising] are now a common way that attackers attempt to deliver exploits
[https://en.wikipedia.org/wiki/Exploit (computer security)] to users through their browser.

Be careful not to enable more than a few “block categories” in the 'URL filter' or you may
significantly slow down your proxy server and give users a poor web browsing experience.

Configure the URL filter to block "ads" and "malware"
Remember to enable the “URL Filter” check box in the “Number of filter processes” section of the Advanced web proxy configuration page in the WUI.
Make sure to filter HTTPS traffic. This is only possible if your clients use the squid proxy directly (and not in transparent mode). However, only the basic server name (e.g. example.com) can be blocked, since paths (e.g. example.com/file1) are encrypted; filtering the content is also impossible.

Use the Intrusion Detection System

Impact Effort
B. SIGNIFICANT 3. HIGH

Although it often takes a large effort to learn and configure and then some effort to maintain, the Snort
[https://en.wikipedia.org/wiki/Snort] Intrusion Detection System [https://en.wikipedia.org/wiki/Intrusion Detection System] (IDS) built in
to IPFire can provide a significant security benefit, depending on the rules enabled and the kind of traffic your IPFire system
routes.

Enable the Intrusion Detection System and learn to configure an appropriate set of rules for your network
Ensure the rules are kept up to date
Install the Guardian Addon to allow the IDS to automatically prevent malicious traffic - this turns the IDS into an Intrusion Prevention System [https://en.wikipedia.org/wiki/Intrusion Prevention System] (IPS)

Note: If you really want to ensure accurate monitoring, you should consider disabling various network card offload features [http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html]. These features are excellent for lowering CPU utilisation of your IPFire system but can truncate packets, preventing Snort from detecting malicious network activity.

Use GeoIP Block

Impact Effort
A. MAJOR 1. LOW

After enabling the Intrusion Detection System in IPFire, wait a week or so. Then check the firewall logs sorted by country (in the WUI, go to Logs > FW-Loggraphs (Country)). Depending on where your IPFire system is located and who you need to contact for business or personal reasons, you can block significant amounts of hostile traffic from the internet by simply blocking certain countries.

Do some research and block countries with a high percentage of malicious traffic using the GeoIP block feature

Using IPFire's GeoIP feature is the easiest way to make a massive reduction in the amount of malicious traffic probing your network.

Configure Outgoing Firewall Rules

Impact Effort
A. MAJOR 3. HIGH

By default IPFire does not restrict (most) types of network traffic going out to the internet from your network. Creating outgoing firewall rules for all traffic on your network makes it difficult for malware to communicate with external servers. This means it is less likely that malware will be able to steal your valuable information. It may also reduce the chance of such malware spreading to other systems on your network.

Note: This requires a high amount of effort and mistakes may prevent devices and PCs from using the internet.

( - Instructions for this procedure are yet to be written)

Follow this procedure to monitor all your internet traffic over a period of time (to establish a baseline)
Based on what was recorded, create outgoing firewall rules to allow normal traffic
Deny all other traffic

Install Rootkit Hunter

Impact Effort
B. SIGNIFICANT 2. MEDIUM

RootKit Hunter [https://en.wikipedia.org/wiki/rkhunter] (or rkhunter) is a UNIX shell utility which scans Linux systems for rootkits [https://en.wikipedia.org/wiki/Rootkit], backdoors [https://en.wikipedia.org/wiki/Backdoor_(computing)] and possible local exploits [https://en.wikipedia.org/wiki/Exploit_(computer_security)]. Although it is not currently packaged as an IPFire Addon, it can be manually installed (instructions coming!) and used to perform a scan on a nightly basis, sending the results to an administrator's email account.

Install rkhunter (instructions coming!) for IPFire
Configure it to run from a daily fcron script and to send the results by email to an administrator

Use SquidClamAV

Impact Effort
C. MINOR 1. LOW

It is ideal to use the built-in Squid web proxy to control your internet access, even if you do not use it for caching (if, for example, you do not have a very powerful machine running IPFire). When doing so, for a small benefit, install and enable the free ClamAV virus scanner, which can scan files downloaded through the proxy for viruses.

It may surprise you to learn that AntiVirus software is not very effective today!

Previously people often wrote viruses (malware) to get attention or with the aim of infecting as many systems as possible. This meant it was likely somebody else would have experienced a virus before you were exposed, which gave an AntiVirus company an opportunity to develop a signature to protect you. Today malware tends to be more stealthy and may be obfuscated or customised for each individual target. ClamAV is sadly one of the least effective virus scanners today [https://www.av-test.org/en/news/news-single-view/linux-16-security-packages-against-windows-and-linux-malware-put-to-the-test/] (detecting only 15% of Windows malware and 66% of Linux malware according to one study); however, if your IPFire system has spare CPU cycles it cannot hurt to enable it.

Use the built-in Squid web proxy and install the ClamAV virus scanner Addon.
It may not be highly effective, but it will prevent very common malware from being downloaded from a web
connection.

Protect your network against DNS hijacking

Impact Effort
B. SIGNIFICANT 2. MEDIUM

Follow the instructions to force all DNS traffic to use IPFire's built-in DNS proxy server, so that you are less vulnerable to DNS hijacking [https://en.wikipedia.org/wiki/DNS hijacking]. Use a DNS server which supports DNSSEC to avoid DNS manipulation attacks.

Enforce usage of IPFire's DNS server for all devices on your network

Configure PPPoE from IPFire

Impact Effort
B. SIGNIFICANT 1. LOW

If you connect to the internet using a cable or DSL modem, it is highly likely that your modem rarely has patches available for security flaws. At worst, your modem may have a built-in default administration account which has been hard-coded to allow your ISP to take control of it. Such built-in accounts are often discovered by hackers. Unless you are extremely familiar with configuring your modem and it is regularly patched (like, for example, current model Fritz!Box modem routers which self-update) it is best to bypass your modem by configuring IPFire to connect to your ISP directly using PPPoE.

Configure IPFire to connect directly to your ISP by bridging your modem with PPPoE

Use a Host-Based Intrusion Detection System

Impact Effort
B. SIGNIFICANT 2. MEDIUM

A host-based intrusion detection system (HIDS [https://en.wikipedia.org/wiki/HIDS]) is an intrusion detection system that monitors the configuration of a system. It can alert an administrator when something has changed unexpectedly. IPFire has a test addon [http://forum.ipfire.org/viewtopic.php?t=15597], OSSEC [https://en.wikipedia.org/wiki/OSSEC], which is a modern open-source HIDS. So:

Configure and enable Tripwire or OSSEC [https://forum.ipfire.org/viewtopic.php?f=4&t=4924#p80449] (English posts in a German thread).
Maintain the database of either HIDS each time you make changes to IPFire

Use a strong SSL Certificate for IPFire

Impact Effort
B. SIGNIFICANT 1. LOW

Check that your host certificate (SSL Certificate) for IPFire is strong by using the “Calomel SSL Validation [https://calomel.org/firefox_ssl_validation.html]” addon for Firefox (or similar). IPFire should already have a strong certificate, but if not you should regenerate it to protect encrypted communications between your management computer and your IPFire system.

IPFire should now generate strong host certificates with forward secrecy automatically, but if it has not, follow this
procedure to create a new SSL certificate.

3. Reduce Attack Surface

Remove unused IPFire Addons

Impact Effort
B. SIGNIFICANT 1. LOW

If you have installed any Addons in IPFire which you no longer use, remove them. This will reduce the attack surface
[https://en.wikipedia.org/wiki/attack surface] of your IPFire system.

Uninstall Addons which you are not using with PakFire in the WUI

Do not enable IPv6

Impact Effort
B. SIGNIFICANT 1. LOW

IPv6 is disabled by default in IPFire. For security reasons it is recommended that you do not enable it.

Although IPv6 [https://en.wikipedia.org/wiki/IPv6] may be the future of addressing on the internet, today most fixed-line ISPs [https://en.wikipedia.org/wiki/ISP] still provide an IPv4 address. IPv6 allows all devices on your network to be visible from the internet. It was long thought that searching for devices in your network wasn't viable, due to the high number of possible addresses; however, it has recently been shown that there are smart ways around this [http://arstechnica.com/security/2016/02/using-ipv6-with-linux-youve-likely-been-visited-by-shodan-and-other-scanners/].

Do not enable IPv6, unless you understand the full implications of using it
Avoid using “dual-stack” IPv4 and IPv6 at the same time. This exposes your system to the potential of more security bugs
than if you just used one of the two IP versions.

Don't host services from your network

Impact Effort
B. SIGNIFICANT 2. MEDIUM

Host services like email and web servers in a cloud environment and not on your internet connection. This will avoid making
your network a target (as there won't be any interesting services visible) and significantly reduces the opportunities for an attack
to be successful.

Make your network a smaller, less interesting, target by not hosting any services on it.
If you really need to host services from your network, ensure you follow best-practice by using a DMZ
[https://en.wikipedia.org/wiki/DMZ] and setting up DMZ pinholes.

Do not run IPFire in a virtual machine

Impact Effort
B. SIGNIFICANT N/A

Although IPFire will run effectively in a virtual machine, it is ideal to run any security software (such as a firewall router) on a separate physical machine. Running IPFire on a physical machine removes the possibility that another VM or the virtualization environment could become compromised (see virtual machine escape [https://en.wikipedia.org/wiki/virtual machine escape]) and in turn compromise your IPFire firewall, or cause a denial of service [https://en.wikipedia.org/wiki/denial of service] by consuming resources (network, disk, CPU or memory). Background reading on hypervisor flaws and VM escapes:
[http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shattered-hypervisor-security/]
[http://security.stackexchange.com/questions/3056/how-secure-are-virtual-machines-really-false-sense-of-security]
[http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf]
[http://arstechnica.com/security/2012/08/crisis-espionage-malware-targets-virtual-machines/]
[http://support.citrix.com/article/CTX201078]
[http://www.security-database.com/detail.php?alert=CVE-2015-3456]
[https://access.redhat.com/security/cve/CVE-2015-3456]

Where possible, for security purposes run IPFire on a physical computer

This is particularly important if IPFire is operating as your primary firewall while other VMs on
the same system are providing internet services, perhaps through an Orange DMZ.

IPFire is usually used in a position of trust as your internet gateway and if it is compromised it will be difficult to defend the rest
of your network.

Block Tor

If you don't use it, block Tor traffic, as malware can use it for command and control purposes.

Block P2P

As with Tor, block all P2P protocols which are not used on your network.

Suggestions for the future

Make it easy for new users to set up different login accounts during installation - replacements for 'admin' and an alternate user for SSH, so that root cannot connect via SSH.
Discussion about improvements for this page is in the forum [http://forum.ipfire.org/viewtopic.php?f=27&t=15151].
optimization/start/security_hardening.txt · Last modified: 2018/05/09 09:37 by dnl [/user/dnl]
