Hardening, Securing and Privacy configuration!

Velcro

Update and follow up:

Upgraded to 2.4(Beta)

I just wanted to update all on my progress:

I have found this forum extremely helpful in getting me this far and have tried to document my efforts and questions in a way that might help other “newbies”. I have made some strides but hoping for some additional thoughts and feedback. If my steps are not correct please feel free to provide any thoughts, I have also included my specific questions.

Harden Web Gui
System/Advanced/Admin Access

Max Process to “1”
Make sure Secure Shell is disabled
Change Port for SSH port and TCP port (WebGUI)
Disabled Antilockout rule in System-Advanced-Anti-lockout-Checked (Making sure to add new rule prior with new port).
Disabled “Secure Shell Server” in “System-Advanced-Admin Access”
(While I realize not all are major security updates, some were easier to do and I didn't need some of the functionality (I.e. Disable "Secure Shell Server")

My questions:
1. How can I add a key or change the default? Do I need to get this externally from a Comodo or Verisign with my domain? Can I self sign a new certificate?
2. Does removing “User - System: Shell account access” from “System-User Manager-Users-Edit” reduce an attack footprint?
3. How does one turn off HTTP->HTTPS redirect off? Is this on the browser?
(Funny but getting me this far has locked me out my webGUI about 6-7 times!! :-[)

Rules, static leases and white listing:
I first created Static IPs by doing the following:

In “Services-DHCP Server-“Each of my interfaces””, I made sure “Deny unknown clients” was unchecked.
I connected all the devices to the interface.
I then went to “Status-DHCP Leases” and noted all the MAC addresses.
I then added them as static lease type.
I then went back to “Services-DHCP Server-“Each individual interface” and made sure “Deny unknown clients” was checked.
I then created aliases for each interfaces devices(using the static IPs I created in step 1 in “Firewall-Aliases-IPs”, labelled as “hosts”
This allowed me very specific “Sources”
I then went to “Firewall-Rules-“Each of my interfaces”“ and created rules as follows:

SEE ATTACHMENT FOR IMAGE OF RULES

(I also have a floating rule (IPv4+6 TCP/UDP * * Gateway Interfaces Firewall ports * none) to prevent access to firewall)

My questions/Looking for feedback:
1. For my “Very secure interface” I tried getting more granular with the destinations, some of my email providers had 1-2 IPs but google has so many that the list seemed endless. For example, I was able to get port 80 down to 5-6 IPs but again googles list was too big. How can I make this more granular?
2. Is there a way to allow allow google voice and hangouts only?
3. Is there a more restrictive way to write these rules?
4. Is this the right approach?

OpenVPN used for privacy to access the web:

I added a VPN client(based on the VPN providers instructions), then added an Interface.
I also replicated each existing “WAN rule” in NAT-Manual-Outbound/Manual with a new rule for the “OpenVPN client” and a new rule for the “OpenVPN interface”.
I then proceeded to delete the “OpenVPN client” rules and “WAN rule” specific rules in the “NAT-Outbound/Manual” section for interfaces that I want to use VPN(WIFI Interface) only (kind of a kill switch) and interfaces I want/need to use WAN(AppleTV) only.
I added rules in the VPN Interface only(not client) similar to the WAN rules blocking everything(bogon networks, private networks, etc.).
I modified rules in the internal interfaces(WIFI and VLAN) that I only wanted to access the VPN specifying the "VPN Interface" as the "Gateway"(See my rule attachment image)

My questions/Looking for feedback:
1. I tried adding a self signed certificate on my end but it broke the VPN connection. Similar to the web GUI question, do I need to get this externally from a Comodo or Verisign with my domain? In the logs my vpn provider did not appear to accept it.
2. Does setting up an interface just give me more options? I was able to bypass the “AppleTV” by changing each rule Gateway in the AppleTV interface (Extra Options-Display Advanced-Gateway-WAN) to access the WAN
3. I was unable to SHA2, nor AES-128-GCM working with PIA…is this a PIA limitation? Their instructions were pretty specific on setup so I assume it is…any recommendation for another provider?
4. Do I need rules on OpenVPN Interface? Or are these rules covered in WAN?
5. In the dashboard, my VPN Gateway is showing “Offline” yet when I go online to find my IP it is showing my VPN’s? The graph on my Dashboard seems to show activity as well…
6. Do I need to set up a DHCP server for my VPN Interface?
7. Is this the right approach?

Surricata:
Set up “WIFI interface” and “Guest VLAN” interfaces to block offenders. Type of rules I enabled in Services-Suricata-Global settings are(after getting a snort code):

Install ETOpen Emerging Threats rules
Install Snort VRT rules
Install Snort Community rules

I periodically have “Force-Disabled” these rules:

1:2002157 ET CHAT Skype User-Agent detected
1:2002878 ET POLICY iTunes User Agent
1:2210000 SURICATA STREAM 3way handshake with ack in wrong dir

Some rules I am currently reviewing are:

1:2210054 SURICATA STREAM excessive retransmissions
1:2230003 SURICATA TLS invalid handshake message
1:2210044 SURICATA STREAM Packet with invalid timestamp
1:2010066 ET POLICY Data POST to an image file (gif)
1:2210042 SURICATA STREAM TIMEWAIT ACK with wrong seq
1:2221028 SURICATA HTTP Host header invalid
1:2200094 SURICATA zero length padN option

I currently have my WAN and VPN interface being monitored only.

My questions/Looking for feedback:
1. Why are Suricata rules triggered on the Wifi Interface/Network(The interface) and GuestVLAN(a VLAN on the WIFI interface), when the app is only on the VLAN I.e. Skype alert on WIFI when it is only accessed on VLAN? Is it more secure to setup 2-3 VLANs on the WIFI network I.e. Secure WIFI(VLAN #1), IOTDevices(VLAN #2) and WIFES(VLAN #3)?
2. I have been unable to get my DNSLB working? I think it has something to do with my DNS resolver, my “RFC_1918_nets “ rule, or my OpenDNS IPs, or something in my “General settings”. I am still working on this…
3. How do I add the 2 golden rules detailed above? pfBasic any thoughts?

Thank you again for any and all feedback!

![Interface rules.jpg](/public/imported_attachments/1/Interface rules.jpg)
![Interface rules.jpg_thumb](/public/imported_attachments/1/Interface rules.jpg_thumb)

Hardening, Securing and Privacy configuration!

I don't know anything about google voice/VOIP setup. For any kind of bandwidth planning though you can use the HFSC Traffic Shaper wizard. I'm pretty sure that if you run suricata in inline mode that it breaks the traffic shaper right now though so you'll have to use legacy mode if you want both.

I don't know anything about google voice/VOIP setup. For any kind of bandwidth planning though you can use the HFSC Traffic Shaper wizard.
I'm pretty sure that if you run suricata in inline mode that it breaks the traffic shaper right now though so you'll have to use legacy mode if you want both.