How to protect webservers / help make the ultimate setup
-
Hey guys!
First off, I’d like to say that I’m completely new to PFsense in every possible way! A friend of mine showed me PFsense when my old router broke and I started playing around with PFsense and I really like it.
The reason for my post is I started working on a “mock” project. My goal was to create a “pretend” doctors clinic online and I wanted to setup a firewall (UTM) system to defend it. A few people pointed me at untangle UTM but the more I played with PFsense, the more I fell in love with it and the more I realized PFsense could do so much more! My goal here is to create the ultimate setup guide for anyone new like me trying to create any kind of “mock” company… or even anyone trying to create a company in general on how they can secure their web-servers online.
I’ve put all of my notes / “how to’s” in one super easy to read and follow along to guide which I’ve zipped and attached to this forum post for anyone to view and follow along to.
I actually need the communities help because I want to make this really secure! And I just don’t have enough knowledge. So for starters; heres what I have… (again, to keep this post short. All of my how to’s and notes are in the attached document. They are from youtube videos, forum posts and Google on how to do everything so far)
So; say I have www . URL . com as my website.
My first step is to direct my url (from godaddy) to a free CloudFlare (WAF) account as my first level of defense in protecting my servers. It’s another community-based web application firewall but let’s face it. You can never have too much protection when you put your company online (again, mine is a mock up but I’m hoping this can help a lot of people)
From CloudFlare; now the traffic is shot back at my PFsense firewall. My first thought is IDS/IPS. So I installed “Snort” for intrusion detection. I left the “automatically” block turned off as it had too many false positives… but I’m hoping you guys can help me change that if at all possible?
From there I went on to setup multiple VLANs. Separating devices is just another layer of security. I have my webserver on 1 vlan and my mysql server on another vlan with a firewall rule setup so that only the webserver can talk to the mysql server through a single port.
From there I locked down the traffic with firewall rules. Only port 80, 443 and 53 were allowed out and only port 80 and 443 were allowed in.
For additional security. Web traffic doesn’t actually reach my webserver. I just recently learned about HA Proxy setup as a reverse proxy… so it's kind of like when you go to burger king. You don’t talk to the cook making your burger; you talk to the cashier at the front and then the cashier gives the cook your order. A really cool idea when it comes to security!
That’s about as far as I have gotten personally and also covered in my notes so far. So I hope that helps new people like me who really don’t know the firewall all that well. Although I started looking into:
- IP tables and blocking specific regions (although I met a security pentester through www . freelancer . com - it cost me a few dollars but I have had him test stuff before for me)
- SSL certificates for HTTPS (I didn’t really forget about this, I just haven’t had time to get to it)(on a personal note I'm torn between lets encrypt and a cert from go daddy)
anyways… any help from you guys making this more secure and also the ultimate how to and easy setup guide for newbies like me would be awesome!!!!
many many thanks in advance guys!
[PFsense - Infrastructure Setup.zip](/public/imported_attachments/1/PFsense - Infrastructure Setup.zip)
-
Just as an update to the above post…
I have updated the infrastructure setup that I had originally posted.
I have added notes on:
- Adding a godaddy SSL cert (found a sale for $5 ssl certs from godaddy)
- HA Proxy SSL accepts
After crazy amounts of reading I have adjusted Snort to scan for threats on the internal network and block them and scan the WAN port but not block. Just record for now. I was kind of hoping one of the amazing PFsense folks could give some better advice on this.
I have also started researching: pfblockerNG
and I found an article on how to configure that to monitor your network for malware: http://www.malware.com.br/howto_pfBlockerNG.shtml
so to recap:
- All web traffic is sent to CloudFlare (I setup a rule to convert all traffic to SSL)
- Then redirected to PFsense
- Checked over by Snort and then
- All Traffic is picked up by HAProxy (converted to SSL if not already using GoDaddy SSL cert / still working on a way to clean the URL if needed)
- And then it hits the web servers
Now to research out pfBlockerNG
...but what is everyone else doing to make protecting their servers more secure?
[UPDATED PFsense - Infrastructure Setup.zip](/public/imported_attachments/1/UPDATED PFsense - Infrastructure Setup.zip)
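The chain above (CloudFlare in front, then pfSense, then HAProxy) only works as a defence if the origin refuses traffic that did not come through CloudFlare and only believes CloudFlare's visitor-address header on those connections; otherwise anyone who learns the WAN address talks straight to HAProxy and can forge the header. The script below is an added example written for this thread, not code from the post, from CloudFlare or from pfSense. The `CDN_RANGES` networks are constructed samples; a real deployment loads CloudFlare's published IP list instead.

```python
"""
Added example: accept an origin connection only when it came from the CDN/WAF,
and derive the real visitor address from the CDN's header only in that case.
CDN_RANGES are CONSTRUCTED sample networks (assumption for the example).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample "CDN egress" ranges; NOT CloudFlare's real list.
CDN_RANGES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
CLIENT_HEADER = "CF-Connecting-IP"  # header CloudFlare sets with the visitor address


@dataclass
class Decision:
    accept: bool
    client_ip: Optional[str]
    reason: str


def naive_client_ip(headers: Dict[str, str]) -> Optional[str]:
    """Weak version: believe the header no matter who sent the packet.

    An attacker hitting the WAN address directly can then appear as any IP,
    defeat IP-based blocking and poison the access logs.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return lowered.get(CLIENT_HEADER.lower())


def classify_connection(peer_ip: str, headers: Dict[str, str],
                        cdn_ranges: List[ipaddress.IPv4Network] = CDN_RANGES) -> Decision:
    """Hardened version: drop non-CDN peers, trust the header only from the CDN."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return Decision(False, None, f"unparseable peer address {peer_ip!r}")
    if not any(peer in net for net in cdn_ranges):
        # Direct hit on the WAN address: the WAF was bypassed entirely.
        return Decision(False, None, f"peer {peer_ip} is not a CDN address; drop")
    raw = naive_client_ip(headers)
    if raw is None:
        return Decision(False, None, "CDN connection without client header")
    try:
        client = ipaddress.ip_address(raw.strip())
    except ValueError:
        return Decision(False, None, f"malformed {CLIENT_HEADER}: {raw!r}")
    return Decision(True, str(client), "accepted via CDN")


if __name__ == "__main__":
    # Real visitor 192.0.2.44 arriving through the CDN (addresses are constructed).
    print(classify_connection("198.51.100.7", {"CF-Connecting-IP": "192.0.2.44"}))
    # Attacker who found the WAN address and forges the header.
    print(classify_connection("192.0.2.99", {"CF-Connecting-IP": "10.0.0.1"}))
    print("naive code would have believed:", naive_client_ip({"CF-Connecting-IP": "10.0.0.1"}))
```

On pfSense the first check is a WAN pass rule for 443 whose source is an alias holding the CDN's ranges (everything else falls to the default deny); in HAProxy the visitor address can then be taken from the header with `http-request set-src hdr(CF-Connecting-IP)`, guarded by the same source ACL, so later ACLs and the logs see the visitor rather than the CDN.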
-
-
I would love to know more about this.
-
Good morning my friend,
I haven't had a chance to update my notes… I'm only learning about this myself. I was really hoping some of the really smart forum people would jump in... but I'll try and update my notes and post more when I can.
-
Great information. I work professionally in security and you have it down pat. You should consider adding an ELK stack for analyzing your logs. There are some good templates online you can import that will create useful dashboards. For instance, you can create graphs which show metrics of IPs and sessions being blocked.
-
Hi @armaclaren
I just read your post. It's like my idea of wanting to build WAF, DBF based on pfsense. Can you give me your setup guide for reference pls. I can't see it on your post anymore. Thanks for the article
-
@armaclaren said in How to protect webservers / help make the ultimate setup:
and only port 80 and 443 were allowed in.
You are aware of the fact that all TCP and UDP requests are blocked right at your door step, the WAN IP.
TCP traffic using destination 80 and 443 are passed.
Attacks, garbage and other noise will come in on 80 and 443.
You could parse or inspect '80' traffic on pfSense but .... who uses 80 (clear http requests) these days ? Close to nobody.
Traffic on port 443 could be inspected if you go the HAproxy way.
Still, a great deal of your security plans have to be realized on the web server itself. The firewall can be at best a filter.
@armaclaren said in How to protect webservers / help make the ultimate setup:
SSL certificates for HTTPS
With plain http your site will not be indexed by any search engine these days. https is a must. Server port 80 = http has become close to deprecated (but keep it up for now).
Free certs from Letsencrypt or other sources are all the same. You could stand out by using a green one (if that notion still exists today).
@armaclaren said in How to protect webservers / help make the ultimate setup:
configure that to monitor your network for malware
Your web server should be on a separated LAN segment, using a dedicated NIC on pfSense that is normally called a DMZ. On that network there isn't even a switch. Just the NIC of pfSense and on the other side your web server.
Monitoring malware on a RJ45 cable is ..... useless.
If something happens to your web server your other devices on other LANs won't risk anything.
Your web server should react on valid https page requests. That's it. It should not accept files (executables ?) and the like.
Common web servers like nginx and apache2 are all rock solid these days without the need of any special tools. The default set-up will do.
If you accept that visitors upload files, you have to deal with them, pretty old school these days. There are some very good examples available on the net about how to do so - and how not to do so.
Btw : web servers belong on web server devices like a VPS or even a dedicated server that you rent from companies who do just that.
For me, hosting a public server behind an ISP type IP is not possible.
I'm using a couple of them, for 20 years now. On these servers I do not use a firewall. I never found it useful to block ports that aren't opened = used = being served. And if someone comes in as root, the firewall is the first to fall anyway.
I do use a tool like fail2ban, that blocks IP's if these are emitting suspected requests or are abusing (so, I do use the firewall after all^^)
mail server : same story.
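The reply above makes two points worth seeing in code: the noise that arrives on 80 and 443 has to be handled on the web server, and a fail2ban-style tool that bans addresses after repeated abusive requests is the practical way to feed it back into the firewall. The script below is an added example written for this thread; it is not fail2ban's own code nor anything from the poster. It parses access-log lines in the common Apache/nginx "combined" format, URL-decodes the path so encoded traversal is not missed, counts strikes per client inside a sliding window and returns the addresses that crossed the threshold, plus the `pfctl` table command that would ban one. The log lines, the suspicious-path patterns and the table name `fail2ban` are all constructed assumptions for the example.

```python
"""
Added example: a minimal fail2ban-style filter over constructed access-log lines.
Assumptions: "combined" log format, the suspicious-path patterns below, and a
pf table named "fail2ban" that a pfSense block rule already references.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed heuristics for paths a clinic site would never serve, plus
# traversal/injection fragments. Matched against the URL-decoded path.
SUSPICIOUS_PATH = re.compile(
    r'(\.\./|/wp-login\.php|/xmlrpc\.php|/\.env|/\.git/|/phpmyadmin|union\s+select|\bsleep\()',
    re.IGNORECASE,
)

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /appointments HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.7 - - [10/Oct/2023:13:57:10 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:58:15 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 0 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:14:01:00 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we need, or None for lines that are not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": unquote(m.group("path")),  # decode %2e%2e and friends before matching
        "status": int(m.group("status")),
    }


def is_strike(rec: dict) -> bool:
    """A strike is a probe for a known-bad path or a failed authentication (401)."""
    return bool(SUSPICIOUS_PATH.search(rec["path"])) or rec["status"] == 401


def find_offenders(lines: List[str], maxretry: int = 3,
                   findtime: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Sliding-window count of strikes per client, like fail2ban's maxretry/findtime.

    Returns {ip: time_of_ban} for every client reaching maxretry strikes within findtime.
    """
    strikes: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_strike(rec):
            continue
        window = strikes[rec["ip"]]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > findtime:
            window.popleft()  # drop strikes that fell out of the window
        if len(window) >= maxretry and rec["ip"] not in banned:
            banned[rec["ip"]] = rec["ts"]
    return banned


def pf_ban_command(ip: str, table: str = "fail2ban") -> List[str]:
    """argv for adding an address to a pf table (assumes a block rule uses the table)."""
    return ["pfctl", "-t", table, "-T", "add", ip]


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(when.isoformat(), "ban", ip, "->", " ".join(pf_ban_command(ip)))
```

Two caveats the script makes visible: the encoded `%2e%2e/` probe is only caught because the path is decoded first, and the banned address is whatever the web server logged as the client, so behind CloudFlare or HAProxy the server must log the forwarded visitor address or every ban will land on the proxy instead of the attacker.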