Overview of different ways to protect clients on your LAN through IPFire

Garp
Posts: 127
Joined: July 8th, 2014, 7:38 am
Location: The Netherlands

Overview of different ways to protect clients on your LAN through IPFire

Post by Garp » December 14th, 2014, 2:36 pm

All,

I implemented a number of measures to protect clients on the network (including clients like phones and tablets that have no anti-malware / anti-ads possibilities themselves). Some measures are facilitated by IPFire, some not. All measures together help in creating a layered security system, where each layer helps make the other one(s) stronger.

Why share this?
I wanted to share these protective layers with you, so anybody else wanting to 'optimize' the security on their LAN by utilizing their IPFire box as much as possible can benefit from it. Also, suggestions for improvements are very welcome of course. I'm not mister know-it-all.

One small warning: editing things through the command line can break things. Although I have full confidence in all people that are going to implement the measures below: it's always at your own risk. I only listed these measures for your convenience and cannot offer any serious support on them. I have a job, a wife and kids; my time is very limited.

Also, taking these measures doesn't guarantee that nothing bad happens anymore. They are just things you can implement on your IPFire box.

The measures I took:

A) [Fairly EASY] DOES NOT WORK ANYMORE ON VERSIONS HIGHER THAN CORE UPDATE 105. Use DNS blacklists. At this moment, I use a custom hosts file for blocking ads, malware, et cetera that is used by dnsmasq on the IPFire box (index.php?topic=11144.15 - thank you burningpenguin!). I use a 31 megs large version of the hosts file from http://hosts-file.net without any real issues so far.
Howto: See the forum post. Watch the video in the post. Personally, I skipped the part with the error pages and only implemented the script to fill the /etc/hosts file with the 31 megs of URLs that I want to block.

Another option if you have a Raspberry Pi lying around: use PiHole (pi-hole.net). His script is better than mine, so I'm currently integrating his script into my setup. Will post updates later.

B) [EASY] I use Norton ConnectSafe DNS servers (level 1) for DNS resolving on the IPFire box. Their service is free for home users, so there is basically no reason not to use them at home. This adds a layer of protection against sites hosting malware, phishing schemes and scams, which I do not have to manage myself. Thank you Norton. Of course, OpenDNS or other cloud DNS providers can also be used for this goal. For an up-to-date list, see http://pcsupport.about.com/od/tipstrick ... ervers.htm or http://wiki.ipfire.org/en/configuration/dns_list.
Howto: 'Assign DNS Servers' button on the Network tab on your IPFire installation. Choose your level of protection here https://dns.norton.com/configureRouter.html and use the corresponding DNS server IPs.

C) [EASY] DNSSEC. I chose the Norton ConnectSafe DNS servers because they also support DNSSEC and because they're not Google ;). Yet another layer of protection, free to use and without any form of maintenance from my side. Thank you IPFire and Norton.
Howto: Want to check if the DNS servers you use support DNSSEC? On your IPFire box, go to Status > Network (external); you should see it on that page.

D) [EASY] Have your clients use only your internal DNS server and make sure they cannot connect to external DNS servers. Otherwise, malware can query external DNS servers directly. And yes, it actually does that in some cases.
Howto: See the forum post at A) and watch the video from 7:44 onwards.

E) [EASY] I use the 'standard' URL filtering on the transparent proxy within IPFire (Shalla list, updated daily) where I use the categories ads, adv, malware, phishing, spyware, marketingware, proxy and tracker. Thank you IPFire and Shalla Secure Services.
Howto: see IPFire Wiki
Update: I stopped using the transparent proxy. Had some streaming issues (Netflix) that appear to be solved when disabling this. Will investigate later if this was really the case.

F) [EASY] Squidclamav for scanning HTTP traffic for viruses (requirement: use proxy). Thank you IPFire.
Howto: see IPFire Wiki

F) [Not as easy as the other measures] Block network clients from connecting to known 'Bad' IP addresses. All the measures above are very helpful, yet they don't prevent malware from connecting to addresses that are hardcoded into it or that it is able to resolve anyway. So we use the info in this forum post (http://forum.ipfire.org//viewtopic.php?t=128) to load really, really bad IPs into IPFire's iptables config, in the CUSTOMROUTING table.
Howto: please read the forumpost carefully. Note that (re)booting the IPFire box can take significantly longer than without using this measure.

Please note that F) is done with custom scripting, which is needed because IPFire lacks a package like the one that exists for pfSense (https://doc.pfsense.org/index.php/Pfblocker). If such a package existed for IPFire, the level of expertise needed to implement this blocking of outgoing connections to malicious IP addresses would be [EASY].
Last edited by Garp on November 9th, 2016, 2:23 pm, edited 6 times in total.
Provide some additional protection for the clients on your network in a few easy steps: viewtopic.php?f=27&t=12122&p=78219#p78219
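
Measure A merges a downloaded hosts file into the resolver's own data, so the file is worth vetting before it is used. The filter below is an added example, not part of the original post or the script it links to: it keeps only sinkhole entries, drops lines that would point a name at some other address, and de-duplicates. `SINK`, the function names and the sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example: vet a downloaded hosts-format blocklist before merging it.
SINK="0.0.0.0"   # assumption: address that every blocked name resolves to

# sanitize_hosts FILE: prints "SINK name" lines on stdout and a summary of
# what was dropped on stderr.
sanitize_hosts() {
    awk -v sink="$SINK" '
    {
        sub(/\r$/, "")        # tolerate CRLF downloads
        sub(/#.*/, "")        # strip full-line and trailing comments
        if (NF < 2) next      # blank line, or an address without a name
        # Only sinkhole entries are allowed: any other address would point
        # the name at a host chosen by whoever controls the list.
        if ($1 != "127.0.0.1" && $1 != "0.0.0.0") { redirect++; next }
        for (i = 2; i <= NF; i++) {
            name = tolower($i)
            # Leave single-label and local names (localhost, *.local) alone.
            if (name !~ /\./ || name ~ /^localhost\.|\.local$/) { skipped++; continue }
            # Syntax check: dot-separated labels of a-z, 0-9, "-" and "_".
            if (length(name) > 253 ||
                name !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) {
                invalid++; continue
            }
            if (!(name in seen)) { seen[name] = 1; print sink, name }
        }
    }
    END {
        printf "dropped: %d redirect, %d invalid, %d local\n",
               redirect, invalid, skipped > "/dev/stderr"
    }' "$1"
}

# Constructed sample input, not real blocklist data.
sample_blocklist() {
    cat <<'EOF'
# constructed sample
127.0.0.1 localhost
127.0.0.1   Ads.Example.com   # trailing comment
0.0.0.0 tracker.example.net ads.example.com
203.0.113.7 bank.example.org
127.0.0.1 bad_host!.example.com
0.0.0.0 printer.local
EOF
}
```

Comparing the sanitized output with the previous run before it replaces the live file shows what a list update actually changed.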

bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: Overview of different ways to protect clients on your LAN through IPFire

Post by bloater99 » October 10th, 2015, 10:24 am

I see no one replied yet to your post. I just wanted to say thank you for taking the time to do this and share it with us!

bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: Overview of different ways to protect clients on your LAN through IPFire

Post by bloater99 » October 10th, 2015, 6:31 pm

That is weird. It shows that you bumped this post, but it also shows my reply to you with the same time stamp that you bumped it. So it appears that my reply was today rather than many months ago. I thought my account was hijacked.

Garp
Posts: 127
Joined: July 8th, 2014, 7:38 am
Location: The Netherlands

Re: Overview of different ways to protect clients on your LAN through IPFire

Post by Garp » October 11th, 2015, 7:46 am

I accidentally clicked the bump button. My apologies :-)

dudech
Posts: 12
Joined: April 9th, 2015, 12:01 pm

Re: Overview of different ways to protect clients on your LAN through IPFire

Post by dudech » March 17th, 2016, 11:40 pm

Garp wrote:
E) [EASY] I use the 'standard' URL filtering on the transparent proxy within IPFire (Shalla list, updated daily) where I use the categories ads, adv, malware, phishing, spyware, marketingware, proxy and tracker. Thank you IPFire and Shalla Secure Services.
Howto: see IPFire Wiki
Update: I stopped using the transparent proxy. Had some streaming issues (Netflix) that appear to be solved when disabling this. Will investigate later if this was really the case.

F) [Not as easy as the other measures] Block network clients from connecting to known 'Bad' IP addresses. All the measures above are very helpful, yet they don't prevent malware from connecting to addresses that are hardcoded into it or that it is able to resolve anyway. So we use the info in this forum post (http://forum.ipfire.org//viewtopic.php?t=128) to load really, really bad IPs into IPFire's iptables config, in the CUSTOMROUTING table.
Howto: please read the forumpost carefully. Note that (re)booting the IPFire box can take significantly longer than without using this measure.

Please note that F) is done with custom scripting, which is needed because IPFire lacks a package like the one that exists for pfSense (https://doc.pfsense.org/index.php/Pfblocker). If such a package existed for IPFire, the level of expertise needed to implement this blocking of outgoing connections to malicious IP addresses would be [EASY].

TYSM for this post. I also switched to host filtering instead of E), and for F) have you asked Michael about this? What about snort rules, any guidance on those?

salida
Posts: 32
Joined: July 18th, 2015, 9:33 pm

Re: Overview of different ways to protect clients on your LAN through IPFire

Post by salida » August 25th, 2016, 7:25 pm

I think it should be sticky. I use the wiki hardening guide but this one is a simpler yet effective guide too.
