Newbie needs help with IPFire Security hardening

General questions.
sayopen
Posts: 3
Joined: January 28th, 2019, 9:36 pm

Newbie needs help with IPFire Security hardening

Post by sayopen » February 5th, 2019, 6:39 pm

I followed this manual:
https://wiki.ipfire.org/optimization/st ... ardening #
(Many thanks to the author of the hardening guide: viewtopic.php?f=27&t=15151&start=30)

What I have done (all works fine only if the Firewall-Options are FORWARD=Allowed and OUTGOING=Allowed):
- Install Tor-Addon (https://wiki.ipfire.org/addons/tor/client)
- Block all DNS traffic except through IPFire's DNS proxy: I have blocked all DNS from GREEN to RED and I set the IPFire IP as DNS server in the Setup. (https://wiki.ipfire.org/configuration/firewall/dns)
- Install the Guardian 2.0 Addon (https://wiki.ipfire.org/addons/guardian/start)
- I don't use the Intrusion Detection System or URL-Filter because I think my IPFire hardware (Raspberry Pi) does not have enough resources for this. Does anyone know if there is open-source hardware that is not affected by Spectre or Meltdown and which has a hardware random number generator (HWRNG) supported by IPFire? https://wiki.ipfire.org/hardware/rng

The questions:
- When in the Firewall-Options FORWARD=Blocked and OUTGOING=Blocked, then which rules have to be created for internet access and the mail program? I think I have to first allow the PC (the IP or MAC address of this PC) access to RED. I heard I have to add many rules for pakfire, DNS and the time server when OUTGOING=Blocked? (viewtopic.php?t=12587) I don't know which services or ports I have to allow; I found a thread (viewtopic.php?t=15334), but it did not help me.

- I don't know how to change the default "admin" account in IPFire to a different username which will not be obvious to an attacker.

- Is it alright to disable root SSH access in the webUI, or should SSH be disabled by adding an entry to the /etc/ssh/sshd_config configuration file?

- What if I use IPFire as an ADSL modem or behind a modem or router? I think the firewall rules must be different?

- I don't know how to send syslog messages to another server.

- I heard some changes are only effective after a reboot. For which changes does IPFire have to be restarted?

Thanks in advance for your help :D

dnl
Posts: 336
Joined: June 28th, 2013, 11:03 am

Re: Newbie needs help with IPFire Security hardening

Post by dnl » February 9th, 2019, 10:38 am

sayopen wrote:
February 5th, 2019, 6:39 pm
I followed this manual:
https://wiki.ipfire.org/optimization/st ... ardening #
(Many thanks to the author of the hardening guide: viewtopic.php?f=27&t=15151&start=30)
Thank you!
sayopen wrote:
February 5th, 2019, 6:39 pm
- I don't use the Intrusion Detection System or URL-Filter because I think my IPFire hardware (Raspberry Pi) does not have enough resources for this. Does anyone know if there is open-source hardware that is not affected by Spectre or Meltdown and which has a hardware random number generator (HWRNG) supported by IPFire? https://wiki.ipfire.org/hardware/rng
That's a tough question. There's not much truly open-source hardware; the Raspberry Pi isn't!
If you don't really mean "open source hardware" then anything AMD or Intel may have the vulnerabilities, but there are software mitigations in place for all known variants of the "Spectre" or "Meltdown" classes of vulnerabilities.
sayopen wrote:
February 5th, 2019, 6:39 pm
The questions:
- When in the Firewall-Options FORWARD=Blocked and OUTGOING=Blocked, then which rules have to be created for internet access and the mail program? I think I have to first allow the PC (the IP or MAC address of this PC) access to RED. I heard I have to add many rules for pakfire, DNS and the time server when OUTGOING=Blocked? (viewtopic.php?t=12587) I don't know which services or ports I have to allow; I found a thread (viewtopic.php?t=15334), but it did not help me.

- I don't know how to change the default "admin" account in IPFire to a different username which will not be obvious to an attacker.

- Is it alright to disable root SSH access in the webUI, or should SSH be disabled by adding an entry to the /etc/ssh/sshd_config configuration file?

- What if I use IPFire as an ADSL modem or behind a modem or router? I think the firewall rules must be different?

- I don't know how to send syslog messages to another server.

- I heard some changes are only effective after a reboot. For which changes does IPFire have to be restarted?

Thanks in advance for your help :D
1. I'm sorry, I do not quite understand that question. Could you please explain it a different way?

2. At this stage there's no documentation on changing the default 'admin' account. I wrote that in the guide as it's best practice to use unpredictable administrator accounts, but sadly IPFire does not yet support changing it, and for the moment it's probably best to leave it.

3. It's best to disable SSH access in the webUI, otherwise you'll have to log in to the console of the IPFire system just to re-enable it. The webUI stops the sshd service; there's no need to disable it in the configuration file as well.

4. If you use IPFire behind a modem, then I'd suggest using PPPoE to establish a connection directly from your ISP to IPFire. This way the modem just becomes a part of the wire between you and the ISP; it does no routing (or NAT), instead IPFire does all that for you.

5. There is a remote syslog feature available in the "Log Settings" page: https://wiki.ipfire.org/configuration/logs/logsettings. See the second-to-last section of the page?

6. Without knowing what changes you refer to I cannot answer that. Generally speaking a reboot is not required, but you usually have to restart a service (proxy, IDS etc.) for a change to take effect.

dnl
Posts: 336
Joined: June 28th, 2013, 11:03 am

Re: Newbie needs help with IPFire Security hardening

Post by dnl » February 9th, 2019, 10:50 am

PS: If you have a specific question about hardware, it might be best to write a new thread about it.

sayopen
Posts: 3
Joined: January 28th, 2019, 9:36 pm

Re: Newbie needs help with IPFire Security hardening

Post by sayopen » February 16th, 2019, 10:39 pm

Hey,

now it works fine!

For all who still need to configure it, I have now configured the IPFire like this:
My devices: D-Link ADSL modem with router function (establishes a connection to the Telekom ISP) -> IPFire -> PC.

IPFire Setup:
- Interface GREEN=192.168.0.0, Network Mask=255.255.255.0

- Interface RED=Static, IP address=192.168.1.2 (is in the range of the IP from the router/modem "192.168.1.1"), Network Mask=255.255.255.0

- In the Setup in DNS/Gateway settings: Primary DNS=46.182.19.48, Secondary DNS=89.233.43.71 (public DNS servers with DNS over TLS and DNSSEC: https://wiki.ipfire.org/dns/public-servers), Default Gateway=192.168.1.1 (IP from the router/modem)

- DHCP Server Configuration=Enabled, Start Address=192.168.0.1, End Address=192.168.0.254, Primary DNS=192.168.0.0 (GREEN IP of IPFire)

Firewall Rules:
I have created 2 service groups: one with HTTPS, HTTP and NTP, and one with DNS (TCP) and DNS (UDP).
- I have allowed my PC (the IP or MAC address of my PC) only HTTP, HTTPS and NTP connection access to RED (Source=MAC address of my PC, in the format for example: 8c:9s:k4:3g:s3, Destination=Standard-Network=RED, Protocol=Preset=Service-Groups=My-HTTPS/NTP-Service-Group, mark ACCEPT, Additional settings: mark Activate Rule and Log Rule)

- I have allowed the IPFire (GREEN IP of IPFire) only HTTP, HTTPS, DNS and NTP connection access to RED:
Rule to allow IPFire HTTPS and NTP=(Source=Firewall GREEN-IP, Destination=Standard-Network=RED, Protocol=Preset=Service Groups=My-HTTPS/NTP-Service-Group, mark ACCEPT, Additional settings: mark Activate Rule and Log Rule)
Rule to allow the IPFire DNS=(Source=Firewall GREEN-IP, Destination=Standard-Network=RED, Protocol=Preset=Service Groups=My-DNS-Service-Group, mark ACCEPT, Additional settings: mark Activate Rule and Log Rule)

- In the Firewall-Options I set: FORWARD=Blocked and OUTGOING=Blocked, Application Layer Gateways: FTP, H.323, IRC, PPTP, SIP and TFTP = OFF

To allow a mail program access to the internet you must allow IMAP or POP via a rule. When you update your Linux PC you may have to allow FTP via a rule. "If Pakfire runs the first time it has to import the gpg-keys, for this operation it is necessary that TCP port 11371 is once reachable, after the keys are present on the system the port can be closed" (https://wiki.ipfire.org/configuration/i ... fire/start).

Maybe an open-source hardware board from Olimex will work with IPFire, but it seems that these boards do not have a HWRNG. I think it's possible to expand such boards with an external USB HWRNG, but I do not know where I can buy such a USB HWRNG...: https://www.olimex.com/Products/OLinuXino/A64/

Interesting: https://www.raspberrypi.org/blog/why-ra ... -meltdown/

Thanks for your answers ;)
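To make the effect of FORWARD=Blocked / OUTGOING=Blocked plus the three rules above concrete, here is a small Python model of that rule set. It is an added example written for this thread, not code from the thread's author or from the IPFire project, and it only models the logic described in the posts: the PC's MAC address and the firewall's GREEN IP are constructed placeholders, the chain selection (firewall's own traffic is OUTGOING, client traffic is FORWARD) is a simplification, and the "Log Rule" option is represented only by a log string. Feeding it the flows a workstation actually produces shows which ones hit the default policy and therefore need their own rule (mail, pakfire's key import, a second device).

```python
"""Toy model of the egress policy described in the thread (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed placeholders: substitute your own PC MAC and the firewall's GREEN IP.
PC_MAC = "aa:bb:cc:dd:ee:01"
FIREWALL_GREEN_IP = "192.168.0.1"

# The two service groups described in the post.
Service = Tuple[str, int]
WEB_NTP: FrozenSet[Service] = frozenset({("tcp", 80), ("tcp", 443), ("udp", 123)})
DNS: FrozenSet[Service] = frozenset({("tcp", 53), ("udp", 53)})

# Firewall Options: FORWARD=Blocked and OUTGOING=Blocked.
DEFAULT_POLICY = {"FORWARD": "DROP", "OUTGOING": "DROP"}


@dataclass(frozen=True)
class Flow:
    src: str        # MAC of a GREEN client, or the firewall's own GREEN IP
    dst_zone: str   # "RED" is the internet-facing zone
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str
    dst_zone: str
    services: FrozenSet[Service]
    action: str = "ACCEPT"
    log: bool = True  # "Log Rule" ticked in the webUI

    def matches(self, flow: Flow) -> bool:
        return (flow.src == self.src
                and flow.dst_zone == self.dst_zone
                and (flow.proto, flow.dport) in self.services)


# The three rules from the post, in order.
RULES: List[Rule] = [
    Rule(PC_MAC, "RED", WEB_NTP),             # PC: HTTP/HTTPS/NTP only
    Rule(FIREWALL_GREEN_IP, "RED", WEB_NTP),  # firewall itself: HTTP/HTTPS/NTP
    Rule(FIREWALL_GREEN_IP, "RED", DNS),      # firewall's DNS proxy upstream lookups
]


def chain_for(flow: Flow) -> str:
    """Simplification: the firewall's own traffic is OUTGOING, client traffic is FORWARD."""
    return "OUTGOING" if flow.src == FIREWALL_GREEN_IP else "FORWARD"


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule
    return DEFAULT_POLICY[chain_for(flow)], None


def log_line(flow: Flow, rules: List[Rule] = RULES) -> str:
    """A log-style summary of the verdict, in the spirit of the 'Log Rule' option."""
    verdict, rule = evaluate(flow, rules)
    origin = "rule" if rule is not None else "default policy"
    return (f"{chain_for(flow)} {verdict} src={flow.src} dst={flow.dst_zone} "
            f"{flow.proto}/{flow.dport} ({origin})")


def dropped_flows(flows: List[Flow], rules: List[Rule] = RULES) -> List[Flow]:
    """Flows that fall through to the default DROP: each one needs an explicit rule."""
    return [f for f in flows if evaluate(f, rules)[0] == "DROP"]


if __name__ == "__main__":
    # Constructed sample flows a typical workstation behind this firewall produces.
    sample = [
        Flow(PC_MAC, "RED", "tcp", 443),                 # browsing
        Flow(PC_MAC, "RED", "udp", 53),                  # direct DNS to RED: forced through the proxy
        Flow(FIREWALL_GREEN_IP, "RED", "udp", 53),       # proxy's upstream lookup
        Flow(PC_MAC, "RED", "tcp", 993),                 # IMAPS for a mail client
        Flow(FIREWALL_GREEN_IP, "RED", "tcp", 11371),    # pakfire's one-time key import
        Flow("aa:bb:cc:dd:ee:02", "RED", "tcp", 443),    # a second device with no rule
    ]
    for f in sample:
        print(log_line(f))
    print("flows still needing a rule:", len(dropped_flows(sample)))
```

Running it lists the browsing and proxy-lookup flows as ACCEPT and the other four as DROP, which is exactly the "which rules do I still need" question from the first post answered against the configuration that sayopen settled on.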
