How to protect webservers / help make the ultimate setup



  • Hey guys!

    First off, I’d like to say that I’m completely new to PFsense in every possible way! A friend of mine showed me PFsense when my old router broke and I started playing around with PFsense and I really like it.

    The reason for my post is I started working on a “mock” project. My goal was to create a “pretend” doctor's clinic online and I wanted to set up a firewall (UTM) system to defend it. A few people pointed me at Untangle UTM but the more I played with PFsense, the more I fell in love with it and the more I realized PFsense could do so much more! My goal here is to create the ultimate setup guide for anyone new like me trying to create any kind of “mock” company… or even anyone trying to create a company in general, on how they can secure their web servers online.

    I’ve put all of my notes / “how-tos” in one super easy to read, follow-along guide, which I’ve zipped and attached to this forum post for anyone to view and follow along with.

    I actually need the community's help because I want to make this really secure! And I just don’t have enough knowledge. So for starters, here's what I have… (again, to keep this post short, all of my how-tos and notes are in the attached document. They are from YouTube videos, forum posts and Google on how to do everything so far.)

    So, say I have www.URL.com as my website.

    My first step is to direct my URL (from GoDaddy) to a free CloudFlare (WAF) account as my first level of defense in protecting my servers. It’s another community-based web application firewall but let’s face it, you can never have too much protection when you put your company online (again, mine is a mock-up but I’m hoping this can help a lot of people).

    From CloudFlare, the traffic is now shot back at my PFsense firewall. My first thought is IDS/IPS. So I installed “Snort” for intrusion detection. I left the “automatically block” option turned off as it had too many false positives… but I’m hoping you guys can help me change that if at all possible?

    From there I went on to set up multiple VLANs. Separating devices is just another layer of security. I have my webserver on one VLAN and my MySQL server on another VLAN, with a firewall rule set up so that only the webserver can talk to the MySQL server, through a single port.

    From there I locked down the traffic with firewall rules. Only ports 80, 443 and 53 were allowed out, and only ports 80 and 443 were allowed in.

    For additional security, web traffic doesn’t actually reach my webserver. I just recently learned about setting up HAProxy as a reverse proxy… so it's kind of like when you go to Burger King. You don’t talk to the cook making your burger; you talk to the cashier at the front and then the cashier gives the cook your order. A really cool idea when it comes to security!

    That’s about as far as I have gotten personally, and it's also covered in my notes so far. So I hope that helps new people like me who really don’t know the firewall all that well. Although I have started looking into:

    • IP tables and blocking specific regions (although I met a security pentester through www.freelancer.com - it cost me a few dollars but I have had him test stuff for me before)
    • SSL certificates for HTTPS (I didn’t really forget about this, I just haven’t had time to get to it) (on a personal note, I'm torn between Let's Encrypt and a cert from GoDaddy)

    Anyways… any help from you guys making this more secure, and also the ultimate how-to and easy setup guide for newbies like me, would be awesome!!!!

    Many, many thanks in advance guys!

    [PFsense - Infrastructure Setup.zip](/public/imported_attachments/1/PFsense - Infrastructure Setup.zip)



  • Just as an update to the above post…

    I have updated the infrastructure setup that I had originally posted.

    I have added notes on:

    - Adding a GoDaddy SSL cert (found a sale for $5 SSL certs from GoDaddy)
      - HA Proxy SSL accepts

    After crazy amounts of reading I have adjusted Snort to scan for threats on the internal network and block them, and to scan the WAN port but not block, just record for now. I was kind of hoping one of the amazing PFsense folks could give some better advice on this.

    I have also started researching pfBlockerNG,

    and I found an article on how to configure it to monitor your network for malware: http://www.malware.com.br/howto_pfBlockerNG.shtml

    So, to recap:

    • All web traffic is sent to CloudFlare
      - I set up a rule to convert all traffic to SSL

    • Then redirected to PFsense

    • Checked over by Snort, and then

    • All Traffic is picked up by HAProxy (converted to SSL if not already using GoDaddy SSL cert / still working on a way to clean the URL if needed)

    • And then it hits the web servers

    Now to research pfBlockerNG

    ...but what is everyone else doing to make protecting their servers more secure?

    [UPDATED PFsense - Infrastructure Setup.zip](/public/imported_attachments/1/UPDATED PFsense - Infrastructure Setup.zip)
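
The HAProxy step of the recap above (accept plain HTTP, force it to HTTPS, terminate TLS with the GoDaddy cert, then hand the request to the web server VLAN), written out as an added example haproxy.cfg; this is not from the original post or its attachment, and the pfSense HAProxy package builds an equivalent config from its GUI settings. The hostname, certificate path, backend address and the CloudFlare address-list file are placeholders; the source check exists because, once the site is published only through CloudFlare, a request arriving from anywhere else has skipped the WAF.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    option forwardfor          # add X-Forwarded-For (the CloudFlare edge IP here)
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: never serve content, only redirect to HTTPS
frontend http_in
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }

# HTTPS: TLS is terminated here with the GoDaddy cert (placeholder path),
# so the web server VLAN only ever sees requests that came through the proxy
frontend https_in
    bind :443 ssl crt /etc/ssl/private/www.example.com.pem

    # Placeholder file containing CloudFlare's published IP ranges, one per line.
    # Anything not from CloudFlare did not pass the WAF, so it is refused.
    acl from_cloudflare src -f /etc/haproxy/cloudflare_ips.lst
    http-request deny unless from_cloudflare

    # CloudFlare carries the real visitor address in CF-Connecting-IP;
    # capture it so the HAProxy log shows the visitor, not the edge node
    capture request header CF-Connecting-IP len 45

    http-request set-header X-Forwarded-Proto https
    default_backend web_servers

# Web server VLAN (placeholder address); health check drops a dead node
backend web_servers
    balance roundrobin
    option httpchk GET /
    server web1 10.0.10.10:80 check
```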



  • I would love to know more about this.



  • Good morning my friend,

    I haven't had a chance to update my notes… I'm only learning about this myself. I was really hoping some of the really smart forum people would jump in... but I'll try and update my notes and post more when I can.



  • Great information. I work professionally in security and you have it down pat. You should consider adding an ELK stack for analyzing your logs. There are some good templates online you can import that will create useful dashboards. For instance, you can create graphs which show metrics of IPs and sessions being blocked.