Part of the IPFire Security Hardening Guide

Implementation Scale

This guide uses two scales:

Impact (security benefit) A. MAJOR B. SIGNIFICANT C. MINOR
Effort (to implement) 1. LOW 2. MEDIUM 3. HIGH

See the Security Guide introduction for a more detailed explanation of the scale.

Disable SSH Access - enable only when connecting

Impact Effort

The main way to manage IPFire is the web user interface (WebGUI). By default, it is always available on your internal Green network. If you use Secure Shell (SSH) to make changes in a Linux shell, only start the shell as you connect, do not leave it permanently open. This way an attacker cannot conduct a brute-force attack against IPFire using SSH (although the Guardian add-on does also offer some protection).

  • Only enable SSH access in the WUI using the "Stop SSH daemon in 15 minutes" button on the occasions you need a secure shell.
  • Any sessions established during the 15 minutes following do not get disconnected after that time, but all new attempts to connect after 15 minutes will fail.
  • If for you cannot disable IPFire from permanently running SSH (perhaps you may use a SSH-based monitoring software) then ensure that access is restricted to a specific set of IP addresses allocated to administrators only, by configuring a custom Firewall rule.

Use public key authentication for SSH

Impact Effort

If you use SSH to administer IPFire, use public key based authentication (using a key with a strong passphrase) instead of password based authentication. Key based authentication prevents an attacker performing a man-in-the middle attacks from using your password to impersonate you as your private key is never sent to the SSH server.

  • Configure IPFire to only allow public key based authentication
  • Use an SSH key with a strong passphrase, so that if somebody gets access to your account (or discovers your password) they cannot connect to IPFire
  • From a Linux system, run ssh-keygen to generate an RSA key and enter a strong passphrase. If you cannot remember this passphrase, use a Password manager to store it.
  • Then run ssh-copy-id <ipfire hostname>

Send syslogs to another server

Impact Effort

Hackers usually aim to be stealthy and conceal that they have gained access to a system. To do this they often will remove evidence of a successful attack by removing log entries. If you send your logs to another system inside your network they cannot remove all evidence of their attack.

Use the URL filter

Impact Effort

If your IPFire system has more resources memory free, low CPU usage) than are required during times of peak traffic for example, lunchtime for a business) use the Proxy's URL filter to block advertising (ads) and malware. Malicious advertisements are now a common way that attackers attempt to deliver exploits to users through their browser.

  • Configure the URL filter to block "ads" and "malware"
  • Remember to enable the "URL Filter" check box in the Enable redirector section of the Advanced web proxy configuration page in the WebGUI.
  • Make sure to filter HTTPS traffic. This is only possible if your clients use the squid proxy directly (and not in transparent mode). However, only the basic server name (e.g. can be blocked, since paths (e.g. are encrypted. Filtering contents is also impossible.

Use the Intrusion Prevention System

Impact Effort

Although it often takes a large effort to learn and configure and then some effort to maintain, the Suricata Intrusion Prevention System (IPS) built in to IPFire can provide a significant security benefit, depending on the rules enabled and the kind of traffic your IPFire system routes.

Note: If you really want to ensure accurate monitoring, you should consider disabling various network card offload features. These features are excellent for lowering CPU utilization of your IPFire system but can truncate packets, preventing Snort detecting malicious network activity.

Use Location Block

Impact Effort

After enabling the Intrusion Detection System in IPFire, wait a week or so. Then check the Firewall logs sorted by country. In the WUI, go to Logs > FW-Loggraphs (Country). Depending on where your IPFire system is located and who you need to contact for business or personal reasons, you can block significant amounts of hostile traffic from the internet by simply blocking certain countries. This won't prevent a determined attacker in control of multiple systems (using a botnet for example) but it will significantly reduce noise and allow you to focus on items which actually need investigating.

  • Do some research and block countries with a high percentage of malicious traffic using the Location Block feature.

Note: Using IPFire's Location Block feature is the easiest way to make a massive reduction in the amount of incoming malicious traffic probing your network.

Configure Outgoing Firewall Rules

Impact Effort

By default IPFire does not restrict (most) types of network traffic going out to the internet from your network. Creating outgoing firewall rules for all traffic on your network makes it difficult for malware to communicate to external servers. This means that it is less likely most malware will be able to steal your valuable information. It may also reduce the chance of malware like this to spread to other systems on your network.

Note: This requires a high amount of effort and mistakes may prevent devices and PCs from using the internet.

FIXME - Instructions for this procedure are yet to be written

  • Follow this procedure to monitor all your internet traffic over a period of time (to establish a baseline)
  • Based on what was recorded, create outgoing firewall rules to allow normal traffic
  • Deny all other traffic

Protect your network against DNS hijacking

Impact Effort

Follow the instructions to force all DNS traffic to use IPFire's built-in DNS proxy server so that you are less vulnerable to DNS hijacking. Use a DNS server which support DNSSEC to avoid DNS manipulation attacks.

Configure PPPoE from IPFire

Impact Effort

If you connect to the internet using a cable or DSL modem, it is highly likely that your modem rarely has patches available for security flaws. At worst, your modem may have a built-in default Administration account which have been hard-coded to allow your ISP to take control of it. Such built-in accounts are often discovered by hackers. Unless you are are extremely familiar with configuring your modem and it is regularly patched (like, for example, current model Fritz!Box modem routers which self-update) it is best to bypass your modem by configuring IPFire to connect to your ISP directly using PPPoE.

----Next Page: Reducing Attack Surface