From ccfd70b2b73a0e935e64926b2f23755a3a0ad18b Mon Sep 17 00:00:00 2001 From: Cipher Vance Date: Sun, 27 Jul 2025 13:34:40 -0500 Subject: [PATCH] Initial commit --- README.md | 1976 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1976 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..243b3bb --- /dev/null +++ b/README.md @@ -0,0 +1,1976 @@ +# Homelab Security Guide + +A comprehensive security hardening guide for pfSense firewalls, Linux servers, and home network infrastructure. + +## Table of Contents + +- [Overview](#overview) +- [Quick Start](#quick-start) +- [pfSense Firewall Hardening](#pfsense-firewall-hardening) +- [Linux Server VM Security](#linux-server-vm-security) +- [Network Security Best Practices](#network-security-best-practices) +- [Advanced Security Features](#advanced-security-features) +- [Monitoring & SIEM Setup](#monitoring--siem-setup) +- [Backup & Disaster Recovery](#backup--disaster-recovery) +- [Maintenance & Operations](#maintenance--operations) +- [Compliance & Documentation](#compliance--documentation) +- [Emergency Response](#emergency-response) +- [Additional Resources](#additional-resources) + +## Overview + +This guide provides a comprehensive approach to securing your home network infrastructure, including: + +- pfSense firewall hardening +- Linux server security +- Network segmentation +- Monitoring and logging +- Incident response procedures + +### Security Philosophy +- **Defense in Depth**: Multiple layers of security controls +- **Zero Trust**: Never trust, always verify +- **Principle of Least Privilege**: Minimum necessary access +- **Continuous Monitoring**: Always watching for threats + +## Quick Start + +### Prerequisites +- pfSense firewall (physical or virtual) +- Linux server VMs (Ubuntu/Debian preferred) +- Basic networking knowledge +- Administrative access to all systems + +### Initial Security Steps (Do These First!) +1. Change all default passwords +2. Update all systems +3. Enable HTTPS for pfSense WebGUI +4. Disable SSH root login on Linux servers +5. Enable basic firewall rules +6. Set up logging + +## pfSense Firewall Hardening + +### Initial Setup & Access Control + +#### Change Default Credentials +```bash +# Access pfSense WebGUI +# Navigate to System > User Manager +# Change admin password immediately +# Create new admin user with different name +``` + +#### Secure WebGUI Access +```bash +# System > Advanced > Admin Access +- Enable HTTPS +- Change port from 443 to custom (e.g., 8443) +- Restrict access to specific IP ranges +- Enable session timeout (30 minutes) +- Disable HTTP redirect +``` + +#### Two-Factor Authentication +```bash +# System > User Manager > Users > Edit user +# Add TOTP (Time-based One-Time Password) +# Use Google Authenticator or similar app +``` + +### Network Interface Security + +#### WAN Interface Hardening +```bash +# Interfaces > WAN +- Enable "Block RFC1918 Private Networks" +- Enable "Block bogon networks" +- Disable "Allow IPv6" +- Enable anti-spoofing protection + +# Firewall > Rules > WAN +- Default deny all inbound +- Block ICMP (ping) requests +- Only allow specific services (VPN, etc.) +``` + +#### LAN Interface Configuration +```bash +# Interfaces > LAN +- Change default subnet if using 192.168.1.0/24 +- Consider using 172.16.0.0/16 or 10.0.0.0/8 + +# Firewall > Rules > LAN +- Deny access to firewall management from most IPs +- Allow only specific admin workstation +- Block inter-VLAN communication by default +``` + +### Advanced Firewall Rules + +#### Egress Filtering (Outbound Control) +```bash +# Control what can leave your network: +- Block P2P protocols +- Allow only necessary outbound ports (80, 443, 53, 123) +- Block direct IP connections (force DNS resolution) +- Limit outbound connections per host +``` + +#### Geo-blocking +```bash +# Install pfBlockerNG +# System > Package Manager > Available Packages +# Search for "pfBlockerNG-devel" and install + +# Configure country blocking: +# Firewall > pfBlockerNG > IP > Add +- Block high-risk countries (CN, RU, KP, etc.) +- Allow your country and trusted regions +``` + +### VPN Configuration + +#### OpenVPN Server Setup +```bash +# VPN > OpenVPN > Servers > Add +Server Mode: Remote Access (SSL/TLS + User Auth) +Protocol: UDP +Port: 1194 (or custom) +Encryption: AES-256-GCM +Auth: SHA256 +Certificate Authority: Create new CA +``` + +#### WireGuard Setup (Recommended) +```bash +# VPN > WireGuard > Settings +# Enable WireGuard +# Create new tunnel: +- Listen Port: 51820 (or custom) +- Generate key pair +- Configure allowed networks +``` + +### Services Hardening + +#### SSH Service Configuration +```bash +# System > Advanced > Admin Access +- Enable SSH +- Change port from 22 to custom +- Disable password authentication +- Upload SSH public keys only +- Set connection timeout +``` + +#### DNS Security +```bash +# System > General Setup +Primary DNS: 1.1.1.1 (Cloudflare) +Secondary DNS: 9.9.9.9 (Quad9) + +# Services > DNS Resolver +- Enable DNSSEC Support +- Enable DNS over TLS +- Configure custom blocklists +``` + +#### DHCP Hardening +```bash +# Services > DHCP Server +- Reduce lease time to 4 hours +- Enable static ARP entries for servers +- Configure custom DNS for clients +- Enable DHCP logging +``` + +### Intrusion Detection & Prevention + +#### pfBlockerNG Configuration +```bash +# Firewall > pfBlockerNG > IP +# Add these threat feeds: +- Emerging Threats +- Spamhaus DROP/EDROP +- Malware Domain List +- Tor exit nodes (optional) + +# Configure update frequency: Daily +# Enable logging for all blocks +``` + +#### Suricata IDS/IPS +```bash +# System > Package Manager > Install Suricata +# Services > Suricata > Interfaces +- Add WAN interface +- Enable IPS mode (blocking) +- Enable all appropriate rule categories +- Update rules daily +``` + +### Logging & Monitoring + +#### System Logging +```bash +# Status > System Logs > Settings +- Enable remote logging +- Set log file size limits +- Enable log rotation +- Configure severity levels + +# Forward logs to SIEM: +Remote Log Server: 192.168.1.100:514 +Remote Logging: Everything +``` + +#### SMTP Notifications +```bash +# System > Advanced > Notifications +SMTP Server: smtp.gmail.com +Port: 587 +Secure SMTP: Enable STARTTLS +Username: your-email@gmail.com +Password: app-specific-password + +# Enable notifications for: +- System startup/shutdown +- Package updates +- Certificate expiration +- High CPU/memory usage +``` + +## Linux Server VM Security + +### System Updates & Package Management + +#### Automated Updates +```bash +# Install unattended-upgrades +sudo apt update && sudo apt upgrade -y +sudo apt install unattended-upgrades apt-listchanges + +# Configure automatic security updates +sudo dpkg-reconfigure unattended-upgrades + +# Edit /etc/apt/apt.conf.d/20auto-upgrades +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Unattended-Upgrade "1"; +APT::Periodic::AutocleanInterval "7"; +``` + +#### Package Security +```bash +# Remove unnecessary packages +sudo apt autoremove --purge +sudo apt autoclean + +# List installed packages +dpkg --get-selections > installed-packages.txt + +# Audit installed packages regularly +sudo apt list --installed | grep -v "automatic" +``` + +### User Account Security + +#### User Management +```bash +# Create limited sudo user +sudo useradd -m -s /bin/bash secadmin +sudo usermod -aG sudo secadmin + +# Set strong password +sudo passwd secadmin + +# Lock/disable unused accounts +sudo usermod -L username +sudo usermod -s /bin/false username + +# Remove user +sudo deluser --remove-home username +``` + +#### Password Policies +```bash +# Install password quality library +sudo apt install libpam-pwquality + +# Edit /etc/security/pwquality.conf +minlen = 12 +minclass = 3 +maxrepeat = 2 +dcredit = -1 +ucredit = -1 +lcredit = -1 +ocredit = -1 + +# Set password aging +sudo chage -M 90 username # Max 90 days +sudo chage -W 7 username # Warn 7 days before expiry +``` + +### SSH Hardening + +#### SSH Configuration +```bash +# Edit /etc/ssh/sshd_config +Port 2222 +Protocol 2 +PermitRootLogin no +PasswordAuthentication no +PubkeyAuthentication yes +AuthorizedKeysFile .ssh/authorized_keys +MaxAuthTries 3 +ClientAliveInterval 300 +ClientAliveCountMax 2 +X11Forwarding no +AllowTcpForwarding no +AllowUsers secadmin +DenyUsers root + +# Restart SSH service +sudo systemctl restart sshd +``` + +#### SSH Key Management +```bash +# Generate ED25519 key (most secure) +ssh-keygen -t ed25519 -C "admin@hostname" + +# Copy public key to server +ssh-copy-id -i ~/.ssh/id_ed25519.pub secadmin@server-ip + +# Test key-based login +ssh -i ~/.ssh/id_ed25519 secadmin@server-ip + +# Disable password authentication after testing +sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config +``` + +### Firewall Configuration (UFW) + +#### Basic UFW Setup +```bash +# Install and configure UFW +sudo apt install ufw + +# Set default policies +sudo ufw default deny incoming +sudo ufw default allow outgoing + +# Allow SSH (use your custom port) +sudo ufw allow 2222/tcp + +# Allow specific services +sudo ufw allow 80/tcp # HTTP +sudo ufw allow 443/tcp # HTTPS +sudo ufw allow from 192.168.1.0/24 to any port 22 # SSH from LAN only + +# Enable firewall +sudo ufw enable + +# Check status +sudo ufw status verbose +``` + +#### Advanced UFW Rules +```bash +# Rate limiting for SSH +sudo ufw limit 2222/tcp + +# Allow specific IP ranges +sudo ufw allow from 192.168.1.0/24 + +# Block specific countries (requires geoip) +sudo ufw deny from [country-ip-ranges] + +# Log all denied connections +sudo ufw logging on +``` + +### Intrusion Detection + +#### Fail2Ban Setup +```bash +# Install Fail2Ban +sudo apt install fail2ban + +# Create local configuration +sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local + +# Edit /etc/fail2ban/jail.local +[DEFAULT] +bantime = 3600 # 1 hour ban +findtime = 600 # 10 minute window +maxretry = 3 # 3 attempts +backend = systemd # Use systemd for log parsing + +[sshd] +enabled = true +port = 2222 # Your SSH port +logpath = /var/log/auth.log +maxretry = 3 + +# Start and enable Fail2Ban +sudo systemctl start fail2ban +sudo systemctl enable fail2ban + +# Check status +sudo fail2ban-client status sshd +``` + +#### AIDE (File Integrity Monitoring) +```bash +# Install AIDE +sudo apt install aide + +# Initialize database +sudo aideinit + +# Move database to final location +sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db + +# Run integrity check +sudo aide --check + +# Set up daily checks via cron +echo "0 2 * * * root /usr/bin/aide --check" | sudo tee -a /etc/crontab +``` + +### System Monitoring + +#### Auditd (System Call Auditing) +```bash +# Install auditd +sudo apt install auditd audispd-plugins + +# Configure audit rules +sudo nano /etc/audit/rules.d/audit.rules + +# Example audit rules: +# Monitor passwd file changes +-w /etc/passwd -p wa -k passwd_changes + +# Monitor sudo usage +-w /etc/sudoers -p wa -k sudoers_changes + +# Monitor login/logout events +-w /var/log/wtmp -p wa -k session_changes + +# Restart auditd +sudo service auditd restart + +# View audit logs +sudo ausearch -k passwd_changes +``` + +#### System Resource Monitoring +```bash +# Install monitoring tools +sudo apt install htop iotop nethogs sysstat + +# Enable system statistics collection +sudo systemctl enable sysstat + +# View system statistics +sar -u 1 10 # CPU usage +sar -r 1 10 # Memory usage +sar -d 1 10 # Disk I/O +``` + +### Application Security + +#### Web Server Hardening (Nginx) +```bash +# Install Nginx +sudo apt install nginx + +# Basic security configuration +# Edit /etc/nginx/nginx.conf +server_tokens off; # Hide version +add_header X-Frame-Options DENY; # Prevent clickjacking +add_header X-Content-Type-Options nosniff; +add_header X-XSS-Protection "1; mode=block"; + +# SSL/TLS configuration +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512; +ssl_prefer_server_ciphers off; +``` + +#### Database Security (MySQL/MariaDB) +```bash +# Install MariaDB +sudo apt install mariadb-server + +# Run security script +sudo mysql_secure_installation + +# Additional hardening: +# Edit /etc/mysql/mariadb.conf.d/50-server.cnf +bind-address = 127.0.0.1 # Local connections only +skip-networking = 1 # Disable network access +``` + +### Container Security (Docker) + +#### Docker Installation & Hardening +```bash +# Install Docker +curl -fsSL https://get.docker.com -o get-docker.sh +sudo sh get-docker.sh + +# Add user to docker group +sudo usermod -aG docker $USER + +# Configure Docker daemon security +# Edit /etc/docker/daemon.json +{ + "live-restore": true, + "userland-proxy": false, + "no-new-privileges": true, + "seccomp-profile": "/etc/docker/seccomp.json" +} +``` + +#### Secure Container Practices +```bash +# Run containers with security options +docker run -d \ + --user 1000:1000 \ + --read-only \ + --cap-drop=ALL \ + --cap-add=CHOWN \ + --security-opt=no-new-privileges:true \ + --security-opt=apparmor:docker-default \ + nginx:alpine + +# Use multi-stage builds +FROM node:alpine AS builder +WORKDIR /app +COPY package*.json ./ +RUN npm ci --only=production + +FROM node:alpine +RUN addgroup -g 1001 -S nodejs +RUN adduser -S nextjs -u 1001 +USER nextjs +COPY --from=builder /app/node_modules ./node_modules +``` + +## Network Security Best Practices + +### Network Segmentation + +#### VLAN Configuration +```bash +# pfSense VLAN Setup: +# Interfaces > VLANs > Add + +VLAN 10 - Management (pfSense, switches, APs) + Subnet: 192.168.10.0/24 + Gateway: 192.168.10.1 + +VLAN 20 - Servers (Production servers) + Subnet: 192.168.20.0/24 + Gateway: 192.168.20.1 + +VLAN 30 - IoT (Smart devices, cameras) + Subnet: 192.168.30.0/24 + Gateway: 192.168.30.1 + +VLAN 40 - Guest (Visitor access) + Subnet: 192.168.40.0/24 + Gateway: 192.168.40.1 + +VLAN 50 - Work (Work devices) + Subnet: 192.168.50.0/24 + Gateway: 192.168.50.1 +``` + +#### Inter-VLAN Firewall Rules +```bash +# Default deny all inter-VLAN traffic +# Create specific allow rules as needed: + +# Management to all VLANs (monitoring) +Source: VLAN 10 (Management) +Destination: Any +Action: Allow +Ports: SSH (22), SNMP (161), HTTPS (443) + +# Servers to internet only +Source: VLAN 20 (Servers) +Destination: !RFC1918 (Internet only) +Action: Allow + +# IoT devices limited internet +Source: VLAN 30 (IoT) +Destination: Specific IoT services +Action: Allow +``` + +### Wireless Security + +#### Wi-Fi Access Point Hardening +```bash +# Wireless security settings: +Security: WPA3-Personal (or WPA2-Enterprise) +Encryption: AES +Password: 20+ character complex password +WPS: Disabled +Guest Network: Enabled, isolated +SSID Broadcast: Disabled for main network +MAC Filtering: Enabled for critical devices + +# Access Point management: +Change default admin credentials +Update firmware regularly +Disable unnecessary services (Telnet, SSH) +Enable logging +Set strong SNMP community strings +``` + +#### Wi-Fi Network Configuration +```bash +# Main Network (Hidden SSID): +SSID: [Hidden/Custom] +VLAN: 20 (Servers) or 50 (Work) +Security: WPA3-Personal +Band: 5GHz preferred + +# Guest Network: +SSID: Guest_Network +VLAN: 40 (Guest) +Security: WPA2-Personal +Isolation: Enabled +Bandwidth Limit: 50 Mbps +Time Restrictions: Enabled + +# IoT Network: +SSID: IoT_Devices +VLAN: 30 (IoT) +Security: WPA2-Personal +Internet Access: Limited +``` + +### DNS Security + +#### DNS over HTTPS/TLS Configuration +```bash +# pfSense DNS Resolver settings: +# Services > DNS Resolver > General Settings +Enable DNS over TLS: Checked +DNS over TLS Hostname: cloudflare-dns.com + +# Custom DNS servers: +Primary: 1.1.1.1#cloudflare-dns.com +Secondary: 1.0.0.1#cloudflare-dns.com +``` + +#### DNS Filtering & Pi-hole Integration +```bash +# Install Pi-hole on dedicated VM +curl -sSL https://install.pi-hole.net | bash + +# Configure pfSense to use Pi-hole: +# System > General Setup +DNS Servers: 192.168.20.100 (Pi-hole IP) + +# Pi-hole configuration: +- Enable DNSSEC +- Use upstream DNS over HTTPS +- Add custom blocklists: + - https://someonewhocares.org/hosts/zero/hosts + - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts + - https://mirror1.malwaredomains.com/files/justdomains +``` + +### Certificate Management + +#### Internal Certificate Authority +```bash +# Create internal CA using Easy-RSA +git clone https://github.com/OpenVPN/easy-rsa.git +cd easy-rsa/easyrsa3 + +# Initialize PKI +./easyrsa init-pki + +# Build CA +./easyrsa build-ca + +# Generate server certificates +./easyrsa gen-req server nopass +./easyrsa sign-req server server + +# Generate client certificates +./easyrsa gen-req client1 nopass +./easyrsa sign-req client client1 +``` + +#### SSL/TLS Hardening +```bash +# pfSense SSL/TLS settings: +# System > Advanced > Admin Access +SSL/TLS Certificate: Use internal CA certificate +Minimum TLS Version: 1.2 +SSL Ciphers: ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM + +# Nginx SSL configuration: +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; +ssl_prefer_server_ciphers off; +add_header Strict-Transport-Security "max-age=63072000" always; +``` + +## Advanced Security Features + +### Zero Trust Implementation + +#### Micro-segmentation Strategy +```bash +# Implement granular network controls: +# Each service gets its own subnet/VLAN + +Web Servers: 192.168.21.0/28 (16 IPs) +Database Servers: 192.168.22.0/28 +Application Servers: 192.168.23.0/28 +Management: 192.168.24.0/28 + +# Default deny all traffic +# Explicit allow rules for required communication: +Web -> Database: Port 3306 (MySQL) +App -> Database: Port 5432 (PostgreSQL) +Management -> All: SSH (22), HTTPS (443) +``` + +#### Just-in-Time Access +```bash +# Implement temporary access controls +# Use tools like: +- HashiCorp Boundary +- BeyondTrust +- CyberArk + +# Example script for temporary SSH access: +#!/bin/bash +# grant_temp_access.sh +USER=$1 +DURATION=${2:-3600} # Default 1 hour + +# Add user to allowed SSH users +sudo usermod -a -G ssh-users $USER + +# Set expiration +echo "sleep $DURATION && usermod -G -ssh-users $USER" | at now +``` + +### Identity & Access Management + +#### Multi-Factor Authentication +```bash +# Install Google Authenticator PAM module +sudo apt install libpam-google-authenticator + +# Configure for SSH +# Add to /etc/pam.d/sshd: +auth required pam_google_authenticator.so + +# Edit /etc/ssh/sshd_config: +ChallengeResponseAuthentication yes +AuthenticationMethods publickey,keyboard-interactive + +# Initialize for user +google-authenticator +``` + +#### LDAP Integration +```bash +# Install OpenLDAP server +sudo apt install slapd ldap-utils + +# Configure LDAP directory +sudo dpkg-reconfigure slapd + +# Example LDAP user entry: +dn: uid=user1,ou=people,dc=home,dc=local +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: shadowAccount +uid: user1 +cn: User One +sn: One +mail: user1@home.local +uidNumber: 1001 +gidNumber: 1001 +homeDirectory: /home/user1 +loginShell: /bin/bash +``` + +### IoT Device Security + +#### IoT Network Isolation +```bash +# Create IoT VLAN with strict rules +# VLAN 30 - IoT Devices + +# Firewall rules for IoT VLAN: +# Block inter-device communication +Source: VLAN 30 subnets +Destination: VLAN 30 subnets +Action: Block + +# Allow only necessary internet access +Source: VLAN 30 +Destination: !RFC1918 +Action: Allow +Ports: 80, 443, 123 (NTP), 53 (DNS) + +# Block access to other VLANs +Source: VLAN 30 +Destination: VLAN 10, 20, 40, 50 +Action: Block +``` + +#### IoT Device Management +```bash +# IoT device checklist: +□ Change default passwords +□ Update firmware to latest version +□ Disable unnecessary features +□ Enable encryption if available +□ Configure on isolated network +□ Monitor device behavior +□ Regular security assessment + +# Example IoT device configurations: +# IP Cameras: +- Disable P2P features +- Change default ports +- Enable HTTPS only +- Disable audio if not needed +- Set up motion detection alerts + +# Smart home devices: +- Use device-specific VLANs +- Block internet access if possible +- Use local control hubs (Home Assistant) +- Regular firmware updates +``` + +## Monitoring & SIEM Setup + +### Centralized Logging Architecture + +#### ELK Stack (Elasticsearch, Logstash, Kibana) +```bash +# Install Elasticsearch +wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - +echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list +sudo apt update && sudo apt install elasticsearch + +# Configure Elasticsearch +# Edit /etc/elasticsearch/elasticsearch.yml +network.host: 192.168.20.100 +discovery.type: single-node +xpack.security.enabled: true + +# Install Logstash +sudo apt install logstash + +# Configure Logstash for pfSense logs +# Create /etc/logstash/conf.d/pfsense.conf +input { + udp { + port => 5514 + type => "pfsense" + } +} + +filter { + if [type] == "pfsense" { + grok { + match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:hostname} %{WORD:program}: %{GREEDYDATA:message}" } + } + } +} + +output { + elasticsearch { + hosts => ["localhost:9200"] + index => "pfsense-%{+YYYY.MM.dd}" + } +} + +# Install Kibana +sudo apt install kibana + +# Configure Kibana +# Edit /etc/kibana/kibana.yml +server.host: "192.168.20.100" +elasticsearch.hosts: ["http://localhost:9200"] +``` + +#### Wazuh SIEM Setup +```bash +# Install Wazuh manager +curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - +echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list +apt update && apt install wazuh-manager + +# Configure Wazuh for pfSense +# Edit /var/ossec/etc/ossec.conf + + syslog + 514 + udp + 192.168.1.1 + + +# Install Wazuh agents on Linux servers +wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.0-1_amd64.deb +dpkg -i wazuh-agent_4.3.0-1_amd64.deb + +# Configure agent +# Edit /var/ossec/etc/ossec.conf + + +
192.168.20.100
+ 1514 + tcp + + +``` + +### Network Monitoring + +#### ntopng Setup +```bash +# Install ntopng +sudo apt install ntopng + +# Configure ntopng +# Edit /etc/ntopng/ntopng.conf +-i=eth0 +-d=/var/lib/ntopng/ntopng.db +-w=3000 +-P=/etc/ntopng/ntopng.pid +-u=ntopng +-g=ntopng + +# Start ntopng +sudo systemctl start ntopng +sudo systemctl enable ntopng + +# Access web interface: http://server-ip:3000 +``` + +#### Security Onion +```bash +# Download Security Onion ISO +# https://github.com/Security-Onion-Solutions/securityonion + +# Minimum requirements: +- 16GB RAM +- 200GB disk space +- Dedicated network interface for monitoring + +# Features included: +- Suricata IDS +- Zeek network analysis +- Elasticsearch + Kibana +- Wazuh HIDS +- NetworkMiner +- Wireshark +``` + +### Threat Intelligence + +#### MISP Integration +```bash +# Install MISP +git clone https://github.com/MISP/MISP.git +cd MISP +sudo -u www-data git submodule update --init --recursive + +# Configure threat feeds: +- CIRCL OSINT Feed +- Malware Information Sharing Platform +- Commercial threat intelligence +- Government security advisories + +# Integrate with pfBlockerNG: +# Export MISP indicators to pfBlockerNG format +``` + +#### Threat Hunting Tools +```bash +# Install threat hunting tools: +sudo apt install yara +sudo apt install volatility +sudo apt install sleuthkit +sudo apt install autopsy + +# Create threat hunting playbooks: +# Daily tasks: +- Review DNS queries for suspicious domains +- Analyze network traffic patterns +- Check for unusual login times/locations +- Monitor certificate changes +- Review outbound connections +``` + +### Honeypots & Deception + +#### Cowrie SSH Honeypot +```bash +# Install Cowrie +sudo adduser --disabled-password cowrie +sudo su - cowrie +git clone http://github.com/cowrie/cowrie +cd cowrie +virtualenv cowrie-env +source cowrie-env/bin/activate +pip install -r requirements.txt + +# Configure Cowrie +cp etc/cowrie.cfg.dist etc/cowrie.cfg +# Edit etc/cowrie.cfg: +[honeypot] +hostname = server +log_path = var/log/cowrie +listen_endpoints = tcp:2222:interface=0.0.0.0 + +# Start Cowrie +bin/cowrie start +``` + +#### Web Application Honeypot +```bash +# Install Glastopf +sudo apt install python3-pip +pip3 install glastopf + +# Configure Glastopf +glastopf-runner + +# Deploy on isolated VLAN +# Monitor attacks and collect intelligence +``` + +## Backup & Disaster Recovery + +### Backup Strategy Implementation + +#### pfSense Configuration Backup +```bash +#!/bin/bash +# backup_pfsense.sh +DATE=$(date +%Y%m%d_%H%M%S) +BACKUP_DIR="/backups/pfsense" +PFSENSE_IP="192.168.1.1" +USERNAME="admin" +PASSWORD="your-password" + +# Create backup directory +mkdir -p $BACKUP_DIR + +# Download configuration +curl -k -u $USERNAME:$PASSWORD \ + "https://$PFSENSE_IP/diag_backup.php?download=download&donotbackuprrd=yes" \ + > "$BACKUP_DIR/pfsense_config_$DATE.xml" + +# Compress and encrypt backup +gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \ + --s2k-digest-algo SHA512 --s2k-count 65536 --symmetric \ + "$BACKUP_DIR/pfsense_config_$DATE.xml" + +# Remove unencrypted backup +rm "$BACKUP_DIR/pfsense_config_$DATE.xml" + +# Upload to cloud storage (optional) +# aws s3 cp "$BACKUP_DIR/pfsense_config_$DATE.xml.gpg" s3://backup-bucket/ +``` + +#### Linux Server Backup +```bash +#!/bin/bash +# backup_server.sh +SERVER_NAME=$(hostname) +DATE=$(date +%Y%m%d_%H%M%S) +BACKUP_DIR="/backups/$SERVER_NAME" +EXCLUDE_FILE="/etc/backup_exclude.txt" + +# Create backup directory +mkdir -p $BACKUP_DIR + +# System backup with rsync +rsync -avH --delete --exclude-from="$EXCLUDE_FILE" \ + / "$BACKUP_DIR/system_$DATE/" + +# Database backup +mysqldump --all-databases --routines --triggers > \ + "$BACKUP_DIR/database_$DATE.sql" + +# VM configuration backup (if virtualized) +virsh dumpxml $SERVER_NAME > "$BACKUP_DIR/vm_config_$DATE.xml" + +# Compress backup +tar -czf "$BACKUP_DIR/backup_$DATE.tar.gz" \ + "$BACKUP_DIR/system_$DATE" \ + "$BACKUP_DIR/database_$DATE.sql" \ + "$BACKUP_DIR/vm_config_$DATE.xml" + +# Clean up temporary files +rm -rf "$BACKUP_DIR/system_$DATE" +rm "$BACKUP_DIR/database_$DATE.sql" +rm "$BACKUP_DIR/vm_config_$DATE.xml" +``` + +#### Backup Exclude File +```bash +# /etc/backup_exclude.txt +/dev/* +/proc/* +/sys/* +/tmp/* +/run/* +/mnt/* +/media/* +/lost+found +/var/cache/* +/var/tmp/* +/home/*/.cache/* +/home/*/.local/share/Trash/* +``` + +### Disaster Recovery Procedures + +#### Recovery Time Objectives (RTO) +```bash +# Define RTO for each system: +Critical Systems (RTO: 1 hour): +- pfSense firewall +- Domain controller +- Primary DNS server + +Important Systems (RTO: 4 hours): +- Web servers +- Database servers +- File servers + +Non-critical Systems (RTO: 24 hours): +- Development servers +- Test environments +- Secondary services +``` + +#### Disaster Recovery Testing +```bash +#!/bin/bash +# dr_test.sh - Quarterly DR test script + +echo "Starting Disaster Recovery Test - $(date)" + +# Test 1: pfSense configuration restore +echo "Testing pfSense restore..." +# Upload test configuration to pfSense +# Verify connectivity after restore + +# Test 2: VM restore from backup +echo "Testing VM restore..." +# Restore VM from latest backup +# Verify services start correctly + +# Test 3: Database restore +echo "Testing database restore..." +# Restore database from backup +# Verify data integrity + +# Test 4: Network connectivity +echo "Testing network connectivity..." +# Verify all VLANs are accessible +# Test inter-VLAN communication rules + +# Generate test report +echo "DR Test completed - $(date)" > /var/log/dr_test_$(date +%Y%m%d).log +``` + +## Maintenance & Operations + +### Daily Security Tasks + +#### Automated Daily Checks +```bash +#!/bin/bash +# daily_security_check.sh + +LOG_FILE="/var/log/security_check_$(date +%Y%m%d).log" + +echo "Daily Security Check - $(date)" >> $LOG_FILE + +# Check for failed login attempts +echo "=== Failed Login Attempts ===" >> $LOG_FILE +grep "Failed password" /var/log/auth.log | tail -10 >> $LOG_FILE + +# Check for unusual network connections +echo "=== Unusual Network Connections ===" >> $LOG_FILE +netstat -an | grep ESTABLISHED | awk '{print $5}' | \ + cut -d: -f1 | sort | uniq -c | sort -nr | head -10 >> $LOG_FILE + +# Check system resources +echo "=== System Resources ===" >> $LOG_FILE +df -h >> $LOG_FILE +free -m >> $LOG_FILE +uptime >> $LOG_FILE + +# Check for updates +echo "=== Available Updates ===" >> $LOG_FILE +apt list --upgradable 2>/dev/null >> $LOG_FILE + +# Check firewall status +echo "=== Firewall Status ===" >> $LOG_FILE +ufw status >> $LOG_FILE + +# Check for rootkits +echo "=== Rootkit Check ===" >> $LOG_FILE +chkrootkit >> $LOG_FILE 2>&1 + +# Email report +mail -s "Daily Security Report - $(hostname)" admin@example.com < $LOG_FILE +``` + +#### Log Analysis Scripts +```bash +#!/bin/bash +# analyze_logs.sh + +# Analyze pfSense logs for threats +echo "Top blocked IPs in last 24 hours:" +grep "$(date +'%b %d')" /var/log/pfsense.log | \ + grep "block" | awk '{print $8}' | sort | uniq -c | sort -nr | head -10 + +# Check for port scans +echo "Potential port scans:" +grep "$(date +'%b %d')" /var/log/pfsense.log | \ + grep -E "(tcp|udp).*BLOCK" | awk '{print $8}' | \ + sort | uniq -c | awk '$1 > 10 {print $2, $1}' | sort -nr + +# Analyze SSH logs +echo "SSH login analysis:" +grep "$(date +'%b %d')" /var/log/auth.log | \ + grep "sshd.*Accepted" | awk '{print $11}' | sort | uniq -c +``` + +### Weekly Maintenance Tasks + +#### System Updates +```bash +#!/bin/bash +# weekly_updates.sh + +# Update pfSense packages +# Manual process - check System > Package Manager + +# Update Linux servers +servers=("192.168.20.10" "192.168.20.11" "192.168.20.12") + +for server in "${servers[@]}"; do + echo "Updating $server..." + ssh admin@$server " + sudo apt update + sudo apt upgrade -y + sudo apt autoremove -y + sudo apt autoclean + sudo reboot + " +done + +# Update threat intelligence feeds +# pfBlockerNG: Firewall > pfBlockerNG > Update +# MISP: Update threat feeds +# Suricata: Update rules +``` + +#### Security Assessments +```bash +#!/bin/bash +# weekly_security_assessment.sh + +# Network vulnerability scan +nmap -sS -O -A 192.168.1.0/24 > /tmp/network_scan_$(date +%Y%m%d).txt + +# Web application security scan +nikto -h https://internal-web-server > /tmp/web_scan_$(date +%Y%m%d).txt + +# SSL/TLS certificate check +echo | openssl s_client -servername internal-server -connect internal-server:443 2>/dev/null | \ + openssl x509 -noout -dates + +# Check for unauthorized changes +aide --check > /tmp/aide_check_$(date +%Y%m%d).txt + +# Generate security report +{ + echo "Weekly Security Assessment - $(date)" + echo "==================================" + echo + echo "Network Scan Results:" + cat /tmp/network_scan_$(date +%Y%m%d).txt + echo + echo "Web Security Scan:" + cat /tmp/web_scan_$(date +%Y%m%d).txt + echo + echo "File Integrity Check:" + cat /tmp/aide_check_$(date +%Y%m%d).txt +} > /var/log/weekly_security_$(date +%Y%m%d).log +``` + +### Monthly Tasks + +#### Security Review +```bash +#!/bin/bash +# monthly_security_review.sh + +# Review user accounts +echo "Active user accounts:" +cut -d: -f1 /etc/passwd | sort + +echo "Users with sudo access:" +grep -Po '^sudo.+:\K.*$' /etc/group + +echo "Last login times:" +lastlog + +# Review installed packages +echo "Recently installed packages:" +grep " install " /var/log/dpkg.log | tail -20 + +# Review firewall rules +echo "Current UFW rules:" +ufw status numbered + +# Review cron jobs +echo "System cron jobs:" +crontab -l + +# Review network services +echo "Listening services:" +ss -tulpn + +# Check for unauthorized SUID files +echo "SUID files:" +find / -perm -4000 -type f 2>/dev/null +``` + +#### Certificate Management +```bash +#!/bin/bash +# certificate_check.sh + +# Check certificate expiration dates +echo "Certificate expiration check:" + +# Internal certificates +for cert in /etc/ssl/certs/*.crt; do + echo "Certificate: $cert" + openssl x509 -in "$cert" -noout -subject -dates + echo "---" +done + +# Remote certificates +hosts=("internal-server1.local" "internal-server2.local") + +for host in "${hosts[@]}"; do + echo "Checking $host..." + echo | openssl s_client -servername $host -connect $host:443 2>/dev/null | \ + openssl x509 -noout -subject -dates + echo "---" +done + +# Generate renewal warnings +# Add logic to send alerts for certificates expiring in 30 days +``` + +## Compliance & Documentation + +### Security Documentation + +#### Network Topology Documentation +```yaml +# network_topology.yml +network: + name: "Home Network" + subnets: + management: + vlan: 10 + subnet: "192.168.10.0/24" + gateway: "192.168.10.1" + description: "Management VLAN for network equipment" + devices: + - pfSense firewall (192.168.10.1) + - Managed switch (192.168.10.2) + - Wireless access points (192.168.10.3-5) + + servers: + vlan: 20 + subnet: "192.168.20.0/24" + gateway: "192.168.20.1" + description: "Production servers" + devices: + - Web server (192.168.20.10) + - Database server (192.168.20.11) + - File server (192.168.20.12) + - SIEM server (192.168.20.100) + + iot: + vlan: 30 + subnet: "192.168.30.0/24" + gateway: "192.168.30.1" + description: "IoT devices with restricted internet access" + devices: + - IP cameras (192.168.30.10-19) + - Smart home devices (192.168.30.20-50) +``` + +#### Asset Inventory +```csv +Asset Type,Hostname,IP Address,MAC Address,OS,Version,Owner,Criticality,Last Updated +Firewall,pfsense-fw,192.168.10.1,00:11:22:33:44:55,pfSense,2.6.0,IT,Critical,2023-01-15 +Server,web-server,192.168.20.10,00:11:22:33:44:56,Ubuntu,20.04 LTS,IT,High,2023-01-10 +Server,db-server,192.168.20.11,00:11:22:33:44:57,Ubuntu,20.04 LTS,IT,Critical,2023-01-10 +Server,file-server,192.168.20.12,00:11:22:33:44:58,Ubuntu,20.04 LTS,IT,Medium,2023-01-10 +Camera,front-door-cam,192.168.30.10,00:11:22:33:44:59,Embedded,1.2.3,Security,Low,2023-01-05 +``` + +#### Security Policies +```markdown +# Information Security Policy + +## Purpose +This document establishes the security requirements for the home network infrastructure. + +## Scope +This policy applies to all network devices, servers, and systems within the home network. + +## Password Policy +- Minimum 12 characters +- Must contain uppercase, lowercase, numbers, and symbols +- No dictionary words +- Changed every 90 days +- No password reuse for last 12 passwords + +## Access Control Policy +- Principle of least privilege +- All administrative access requires MFA +- Regular access reviews (monthly) +- Immediate revocation upon role change + +## Network Security Policy +- Default deny firewall rules +- Network segmentation required +- VPN required for remote access +- All traffic logged and monitored + +## Incident Response Policy +- Incident classification levels +- Response team contact information +- Communication procedures +- Evidence preservation requirements +``` + +### Risk Assessment + +#### Risk Register +```yaml +risks: + - id: R001 + title: "Weak Authentication" + description: "Default or weak passwords on network devices" + likelihood: "Medium" + impact: "High" + risk_score: 15 + mitigation: + - "Implement strong password policy" + - "Enable multi-factor authentication" + - "Regular password audits" + status: "Mitigated" + + - id: R002 + title: "Unpatched Systems" + description: "Systems running outdated software with known vulnerabilities" + likelihood: "High" + impact: "High" + risk_score: 20 + mitigation: + - "Automated patch management" + - "Regular vulnerability scans" + - "Patch testing procedures" + status: "In Progress" + + - id: R003 + title: "IoT Device Compromise" + description: "Insecure IoT devices providing network access" + likelihood: "Medium" + impact: "Medium" + risk_score: 10 + mitigation: + - "Network segmentation" + - "IoT device inventory" + - "Regular firmware updates" + status: "Mitigated" +``` + +### Compliance Framework + +#### NIST Cybersecurity Framework Implementation +```yaml +nist_csf: + identify: + - Asset management + - Business environment understanding + - Governance policies + - Risk assessment + - Risk management strategy + + protect: + - Identity management and access control + - Awareness and training + - Data security + - Information protection processes + - Maintenance procedures + - Protective technology + + detect: + - Anomalies and events detection + - Security continuous monitoring + - Detection processes + + respond: + - Response planning + - Communications procedures + - Analysis protocols + - Mitigation strategies + - Improvements processes + + recover: + - Recovery planning + - Improvements procedures + - Communications protocols +``` + +## Emergency Response + +### Incident Response Plan + +#### Incident Classification +```yaml +incident_levels: + level_1_critical: + description: "Complete network compromise or critical system failure" + response_time: "Immediate (within 15 minutes)" + escalation: "All team members" + + level_2_high: + description: "Partial network compromise or important system failure" + response_time: "Within 1 hour" + escalation: "Security team lead" + + level_3_medium: + description: "Security event requiring investigation" + response_time: "Within 4 hours" + escalation: "Assigned team member" + + level_4_low: + description: "Minor security event or policy violation" + response_time: "Within 24 hours" + escalation: "Security team" +``` + +#### Emergency Contacts +```yaml +contacts: + primary_admin: + name: "Primary Administrator" + phone: "+1-555-0101" + email: "admin@example.com" + role: "Incident Commander" + + security_team: + name: "Security Team Lead" + phone: "+1-555-0102" + email: "security@example.com" + role: "Technical Response" + + legal_counsel: + name: "Legal Advisor" + phone: "+1-555-0103" + email: "legal@example.com" + role: "Legal/Regulatory" +``` + +#### Response Procedures + +##### Suspected Network Compromise +```bash +#!/bin/bash +# incident_response_network.sh + +echo "NETWORK COMPROMISE RESPONSE PROCEDURE" +echo "=====================================" + +# Step 1: Immediate containment +echo "1. CONTAINMENT (Execute immediately)" +echo " - Isolate affected systems" +echo " - Preserve evidence" +echo " - Document all actions" + +# Isolate affected system +read -p "Enter IP address of affected system: " AFFECTED_IP +ufw deny from $AFFECTED_IP +ufw deny to $AFFECTED_IP + +# Step 2: Assessment +echo "2. ASSESSMENT" +echo " - Determine scope of compromise" +echo " - Identify attack vectors" +echo " - Assess data impact" + +# Collect system information +ps aux > /tmp/processes_$(date +%Y%m%d_%H%M%S).txt +netstat -an > /tmp/network_connections_$(date +%Y%m%d_%H%M%S).txt +ls -la /tmp > /tmp/temp_files_$(date +%Y%m%d_%H%M%S).txt + +# Step 3: Eradication +echo "3. ERADICATION" +echo " - Remove malware" +echo " - Close vulnerabilities" +echo " - Update systems" + +# Step 4: Recovery +echo "4. RECOVERY" +echo " - Restore from clean backups" +echo " - Monitor for re-infection" +echo " - Validate system integrity" + +# Step 5: Lessons learned +echo "5. POST-INCIDENT REVIEW" +echo " - Document incident timeline" +echo " - Identify improvements" +echo " - Update procedures" +``` + +##### Malware Detection Response +```bash +#!/bin/bash +# malware_response.sh + +INFECTED_HOST=$1 +INCIDENT_ID=$(date +%Y%m%d_%H%M%S) + +echo "MALWARE INCIDENT RESPONSE - ID: $INCIDENT_ID" +echo "=============================================" + +# Immediate isolation +echo "Isolating infected host: $INFECTED_HOST" +# Add firewall rule to block all traffic from infected host +pfctl -t infected_hosts -T add $INFECTED_HOST + +# Evidence collection +mkdir -p /incident_response/$INCIDENT_ID +echo "Collecting evidence..." + +# Memory dump +if command -v volatility &> /dev/null; then + volatility -f /proc/kcore --profile=Linux imageinfo > \ + /incident_response/$INCIDENT_ID/memory_analysis.txt +fi + +# Network connections +ss -tulpn > /incident_response/$INCIDENT_ID/network_connections.txt + +# Process list +ps auxf > /incident_response/$INCIDENT_ID/process_list.txt + +# File system analysis +find /home -type f -mtime -1 > /incident_response/$INCIDENT_ID/recent_files.txt + +# Hash known good files +md5sum /bin/* > /incident_response/$INCIDENT_ID/system_hashes.txt + +echo "Evidence collected in: /incident_response/$INCIDENT_ID" +echo "Next steps:" +echo "1. Analyze collected evidence" +echo "2. Identify malware family and infection vector" +echo "3. Clean infected system or restore from backup" +echo "4. Update security controls to prevent reinfection" +``` + +### Forensic Procedures + +#### Digital Evidence Collection +```bash +#!/bin/bash +# collect_evidence.sh + +CASE_ID=$1 +SYSTEM_NAME=$2 +EVIDENCE_DIR="/forensic_evidence/$CASE_ID" + +mkdir -p $EVIDENCE_DIR + +echo "Digital Evidence Collection" +echo "==========================" +echo "Case ID: $CASE_ID" +echo "System: $SYSTEM_NAME" +echo "Date: $(date)" +echo "Investigator: $(whoami)" + +# Create forensic image +echo "Creating disk image..." +dd if=/dev/sda of=$EVIDENCE_DIR/disk_image.dd bs=4096 conv=noerror,sync +md5sum $EVIDENCE_DIR/disk_image.dd > $EVIDENCE_DIR/disk_image.md5 + +# Memory capture +echo "Capturing memory..." +if command -v LiME &> /dev/null; then + insmod lime.ko "path=$EVIDENCE_DIR/memory.lime format=lime" +fi + +# Network evidence +echo "Collecting network evidence..." +tcpdump -i any -w $EVIDENCE_DIR/network_traffic.pcap & +TCPDUMP_PID=$! + +# System information +echo "Collecting system information..." +uname -a > $EVIDENCE_DIR/system_info.txt +ps auxf > $EVIDENCE_DIR/processes.txt +lsof > $EVIDENCE_DIR/open_files.txt +netstat -an > $EVIDENCE_DIR/network_connections.txt + +# Log files +echo "Copying log files..." +cp -r /var/log $EVIDENCE_DIR/ + +# Stop network capture +sleep 60 +kill $TCPDUMP_PID + +# Generate chain of custody +cat << EOF > $EVIDENCE_DIR/chain_of_custody.txt +CHAIN OF CUSTODY RECORD +====================== +Case ID: $CASE_ID +System: $SYSTEM_NAME +Collection Date: $(date) +Investigator: $(whoami) + +Evidence Items: +- Disk image: disk_image.dd ($(stat -c%s $EVIDENCE_DIR/disk_image.dd) bytes) +- Memory dump: memory.lime +- Network traffic: network_traffic.pcap +- System logs: /var/log directory + +Hash Verification: +$(md5sum $EVIDENCE_DIR/*) + +Evidence sealed and secured at: $(date) +EOF + +echo "Evidence collection complete: $EVIDENCE_DIR" +``` + +## Additional Resources + +### Essential Security Tools + +#### Network Security Tools +```bash +# Network scanning and analysis +sudo apt install nmap ncat +sudo apt install wireshark tshark +sudo apt install tcpdump +sudo apt install hping3 +sudo apt install nikto +sudo apt install dirb + +# Vulnerability assessment +sudo apt install openvas +sudo apt install lynis +sudo apt install chkrootkit +sudo apt install rkhunter + +# Network monitoring +sudo apt install ntopng +sudo apt install bandwidthd +sudo apt install iftop +sudo apt install vnstat +``` + +#### System Hardening Tools +```bash +# Security scanning +sudo apt install aide +sudo apt install tripwire +sudo apt install samhain +sudo apt install ossec-hids + +# System monitoring +sudo apt install auditd +sudo apt install acct +sudo apt install psacct +sudo apt install sysstat + +# File integrity +sudo apt install integrit +sudo apt install afick +sudo apt install tiger +``` + +### Configuration Templates + +#### pfSense Configuration Template +```xml + + + 21.05 + + security + + aesni + + yes + + + https + 8443 + webConfigurator + + Local Database + 30 + + + + + + em0 + dhcp + + + + + + + em1 + 192.168.1.1 + 24 + + + +``` + +#### UFW Rules Template +```bash +#!/bin/bash +# ufw_rules_template.sh + +# Reset to defaults +ufw --force reset + +# Set default policies +ufw default deny incoming +ufw default allow outgoing + +# Allow SSH (change port as needed) +ufw allow 2222/tcp + +# Allow web services +ufw allow 80/tcp +ufw allow 443/tcp + +# Allow from management network only +ufw allow from 192.168.10.0/24 to any port 22 +ufw allow from 192.168.10.0/24 to any port 3000 + +# Rate limiting +ufw limit ssh + +# Enable logging +ufw logging on + +# Enable firewall +ufw --force enable +``` + +### Security Checklists + +#### Daily Security Checklist +- [ ] Review firewall logs for blocked traffic +- [ ] Check system logs for errors or anomalies +- [ ] Verify backup completion status +- [ ] Monitor system resource usage +- [ ] Review failed login attempts +- [ ] Check for security alerts/notifications +- [ ] Verify critical services are running +- [ ] Review network traffic patterns + +#### Weekly Security Checklist +- [ ] Update threat intelligence feeds +- [ ] Review and update firewall rules +- [ ] Check for system updates +- [ ] Verify SSL certificate validity +- [ ] Review user account activity +- [ ] Analyze security event trends +- [ ] Test backup restoration process +- [ ] Update security documentation + +#### Monthly Security Checklist +- [ ] Conduct vulnerability assessment +- [ ] Review and update security policies +- [ ] Perform user access review +- [ ] Update risk assessment +- [ ] Review incident response procedures +- [ ] Test disaster recovery plan +- [ ] Security awareness training +- [ ] Review compliance status + +### Learning Resources + +#### Recommended Reading +- NIST Cybersecurity Framework +- CIS Critical Security Controls +- OWASP Top 10 Security Risks +- SANS Institute Security Resources +- pfSense Official Documentation + +#### Online Training +- Cybrary.it - Free cybersecurity training +- SANS Cyber Aces - Hands-on cybersecurity tutorials +- Coursera - Network Security courses +- edX - Cybersecurity fundamentals + +#### Community Resources +- Reddit: r/netsec, r/homelab, r/sysadmin +- pfSense Forum and Documentation +- Ubuntu Security Documentation +- Security Now! Podcast +- Krebs on Security Blog + +--- + +## License + +This guide is released under the MIT License. Feel free to modify and distribute as needed. + +## Contributing + +Contributions are welcome! Please submit pull requests with improvements, corrections, or additional security measures. + +## Disclaimer + +This guide provides general security recommendations. Always test configurations in a lab environment before implementing in production. Security requirements may vary based on your specific environment and threat model.