# Homelab Security Guide
A comprehensive security hardening guide for pfSense firewalls, Linux servers, and home network infrastructure.
## Table of Contents
- [Overview](#overview)
- [Quick Start](#quick-start)
- [pfSense Firewall Hardening](#pfsense-firewall-hardening)
- [Linux Server VM Security](#linux-server-vm-security)
- [Network Security Best Practices](#network-security-best-practices)
- [Advanced Security Features](#advanced-security-features)
- [Monitoring & SIEM Setup](#monitoring--siem-setup)
- [Backup & Disaster Recovery](#backup--disaster-recovery)
- [Maintenance & Operations](#maintenance--operations)
- [Compliance & Documentation](#compliance--documentation)
- [Emergency Response](#emergency-response)
- [Additional Resources](#additional-resources)
## Overview
This guide provides a comprehensive approach to securing your home network infrastructure, including:
- pfSense firewall hardening
- Linux server security
- Network segmentation
- Monitoring and logging
- Incident response procedures
### Security Philosophy
- **Defense in Depth**: Multiple layers of security controls
- **Zero Trust**: Never trust, always verify
- **Principle of Least Privilege**: Minimum necessary access
- **Continuous Monitoring**: Always watching for threats
## Quick Start
### Prerequisites
- pfSense firewall (physical or virtual)
- Linux server VMs (Ubuntu/Debian preferred)
- Basic networking knowledge
- Administrative access to all systems
### Initial Security Steps (Do These First!)
1. Change all default passwords
2. Update all systems
3. Enable HTTPS for pfSense WebGUI
4. Disable SSH root login on Linux servers
5. Enable basic firewall rules
6. Set up logging
## pfSense Firewall Hardening
### Initial Setup & Access Control
#### Change Default Credentials
```bash
# Access pfSense WebGUI
# Navigate to System > User Manager
# Change admin password immediately
# Create new admin user with different name
```
#### Secure WebGUI Access
```bash
# System > Advanced > Admin Access
- Enable HTTPS
- Change port from 443 to custom (e.g., 8443)
- Restrict access to specific IP ranges
- Enable session timeout (30 minutes)
- Disable HTTP redirect
```
#### Two-Factor Authentication
```bash
# System > User Manager > Users > Edit user
# Add TOTP (Time-based One-Time Password)
# Use Google Authenticator or similar app
```
### Network Interface Security
#### WAN Interface Hardening
```bash
# Interfaces > WAN
- Enable "Block RFC1918 Private Networks"
- Enable "Block bogon networks"
- Disable "Allow IPv6"
- Enable anti-spoofing protection
# Firewall > Rules > WAN
- Default deny all inbound
- Block ICMP (ping) requests
- Only allow specific services (VPN, etc.)
```
#### LAN Interface Configuration
```bash
# Interfaces > LAN
- Change default subnet if using 192.168.1.0/24
- Consider using 172.16.0.0/16 or 10.0.0.0/8
# Firewall > Rules > LAN
- Deny access to firewall management from most IPs
- Allow only specific admin workstation
- Block inter-VLAN communication by default
```
### Advanced Firewall Rules
#### Egress Filtering (Outbound Control)
```bash
# Control what can leave your network:
- Block P2P protocols
- Allow only necessary outbound ports (80, 443, 53, 123)
- Block direct IP connections (force DNS resolution)
- Limit outbound connections per host
```
#### Geo-blocking
```bash
# Install pfBlockerNG
# System > Package Manager > Available Packages
# Search for "pfBlockerNG-devel" and install
# Configure country blocking:
# Firewall > pfBlockerNG > IP > Add
- Block high-risk countries (CN, RU, KP, etc.)
- Allow your country and trusted regions
```
### VPN Configuration
#### OpenVPN Server Setup
```bash
# VPN > OpenVPN > Servers > Add
Server Mode: Remote Access (SSL/TLS + User Auth)
Protocol: UDP
Port: 1194 (or custom)
Encryption: AES-256-GCM
Auth: SHA256
Certificate Authority: Create new CA
```
#### WireGuard Setup (Recommended)
```bash
# VPN > WireGuard > Settings
# Enable WireGuard
# Create new tunnel:
- Listen Port: 51820 (or custom)
- Generate key pair
- Configure allowed networks
```
### Services Hardening
#### SSH Service Configuration
```bash
# System > Advanced > Admin Access
- Enable SSH
- Change port from 22 to custom
- Disable password authentication
- Upload SSH public keys only
- Set connection timeout
```
#### DNS Security
```bash
# System > General Setup
Primary DNS: 1.1.1.1 (Cloudflare)
Secondary DNS: 9.9.9.9 (Quad9)
# Services > DNS Resolver
- Enable DNSSEC Support
- Enable DNS over TLS
- Configure custom blocklists
```
#### DHCP Hardening
```bash
# Services > DHCP Server
- Reduce lease time to 4 hours
- Enable static ARP entries for servers
- Configure custom DNS for clients
- Enable DHCP logging
```
### Intrusion Detection & Prevention
#### pfBlockerNG Configuration
```bash
# Firewall > pfBlockerNG > IP
# Add these threat feeds:
- Emerging Threats
- Spamhaus DROP/EDROP
- Malware Domain List
- Tor exit nodes (optional)
# Configure update frequency: Daily
# Enable logging for all blocks
```
#### Suricata IDS/IPS
```bash
# System > Package Manager > Install Suricata
# Services > Suricata > Interfaces
- Add WAN interface
- Enable IPS mode (blocking)
- Enable all appropriate rule categories
- Update rules daily
```
### Logging & Monitoring
#### System Logging
```bash
# Status > System Logs > Settings
- Enable remote logging
- Set log file size limits
- Enable log rotation
- Configure severity levels
# Forward logs to SIEM:
Remote Log Server: 192.168.1.100:514
Remote Logging: Everything
```
#### SMTP Notifications
```bash
# System > Advanced > Notifications
SMTP Server: smtp.gmail.com
Port: 587
Secure SMTP: Enable STARTTLS
Username: your-email@gmail.com
Password: app-specific-password
# Enable notifications for:
- System startup/shutdown
- Package updates
- Certificate expiration
- High CPU/memory usage
```
## Linux Server VM Security
### System Updates & Package Management
#### Automated Updates
```bash
# Install unattended-upgrades
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades apt-listchanges
# Configure automatic security updates
sudo dpkg-reconfigure unattended-upgrades
# Edit /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
```
#### Package Security
```bash
# Remove unnecessary packages
sudo apt autoremove --purge
sudo apt autoclean
# List installed packages
dpkg --get-selections > installed-packages.txt
# Audit installed packages regularly
sudo apt list --installed | grep -v "automatic"
```
### User Account Security
#### User Management
```bash
# Create limited sudo user
sudo useradd -m -s /bin/bash secadmin
sudo usermod -aG sudo secadmin
# Set strong password
sudo passwd secadmin
# Lock/disable unused accounts
sudo usermod -L username
sudo usermod -s /bin/false username
# Remove user
sudo deluser --remove-home username
```
#### Password Policies
```bash
# Install password quality library
sudo apt install libpam-pwquality
# Edit /etc/security/pwquality.conf
minlen = 12
minclass = 3
maxrepeat = 2
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
# Set password aging
sudo chage -M 90 username # Max 90 days
sudo chage -W 7 username # Warn 7 days before expiry
```
### SSH Hardening
#### SSH Configuration
```bash
# Edit /etc/ssh/sshd_config
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
AllowTcpForwarding no
AllowUsers secadmin
DenyUsers root
# Restart SSH service
sudo systemctl restart sshd
```
#### SSH Key Management
```bash
# Generate ED25519 key (most secure)
ssh-keygen -t ed25519 -C "admin@hostname"
# Copy public key to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub secadmin@server-ip
# Test key-based login
ssh -i ~/.ssh/id_ed25519 secadmin@server-ip
# Disable password authentication after testing
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
```
### Firewall Configuration (UFW)
#### Basic UFW Setup
```bash
# Install and configure UFW
sudo apt install ufw
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (use your custom port)
sudo ufw allow 2222/tcp
# Allow specific services
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow from 192.168.1.0/24 to any port 22 # SSH from LAN only
# Enable firewall
sudo ufw enable
# Check status
sudo ufw status verbose
```
#### Advanced UFW Rules
```bash
# Rate limiting for SSH
sudo ufw limit 2222/tcp
# Allow specific IP ranges
sudo ufw allow from 192.168.1.0/24
# Block specific countries (requires geoip)
sudo ufw deny from [country-ip-ranges]
# Log all denied connections
sudo ufw logging on
```
### Intrusion Detection
#### Fail2Ban Setup
```bash
# Install Fail2Ban
sudo apt install fail2ban
# Create local configuration
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600 # 1 hour ban
findtime = 600 # 10 minute window
maxretry = 3 # 3 attempts
backend = systemd # Use systemd for log parsing
[sshd]
enabled = true
port = 2222 # Your SSH port
logpath = /var/log/auth.log
maxretry = 3
# Start and enable Fail2Ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
# Check status
sudo fail2ban-client status sshd
```
#### AIDE (File Integrity Monitoring)
```bash
# Install AIDE
sudo apt install aide
# Initialize database
sudo aideinit
# Move database to final location
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Run integrity check
sudo aide --check
# Set up daily checks via cron
echo "0 2 * * * root /usr/bin/aide --check" | sudo tee -a /etc/crontab
```
### System Monitoring
#### Auditd (System Call Auditing)
```bash
# Install auditd
sudo apt install auditd audispd-plugins
# Configure audit rules
sudo nano /etc/audit/rules.d/audit.rules
# Example audit rules:
# Monitor passwd file changes
-w /etc/passwd -p wa -k passwd_changes
# Monitor sudo usage
-w /etc/sudoers -p wa -k sudoers_changes
# Monitor login/logout events
-w /var/log/wtmp -p wa -k session_changes
# Restart auditd
sudo service auditd restart
# View audit logs
sudo ausearch -k passwd_changes
```
#### System Resource Monitoring
```bash
# Install monitoring tools
sudo apt install htop iotop nethogs sysstat
# Enable system statistics collection
sudo systemctl enable sysstat
# View system statistics
sar -u 1 10 # CPU usage
sar -r 1 10 # Memory usage
sar -d 1 10 # Disk I/O
```
### Application Security
#### Web Server Hardening (Nginx)
```bash
# Install Nginx
sudo apt install nginx
# Basic security configuration
# Edit /etc/nginx/nginx.conf
server_tokens off; # Hide version
add_header X-Frame-Options DENY; # Prevent clickjacking
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# SSL/TLS configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512;
ssl_prefer_server_ciphers off;
```
#### Database Security (MySQL/MariaDB)
```bash
# Install MariaDB
sudo apt install mariadb-server
# Run security script
sudo mysql_secure_installation
# Additional hardening:
# Edit /etc/mysql/mariadb.conf.d/50-server.cnf
bind-address = 127.0.0.1 # Local connections only
skip-networking = 1 # Disable network access
```
### Container Security (Docker)
#### Docker Installation & Hardening
```bash
# Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
# Add user to docker group
sudo usermod -aG docker $USER
# Configure Docker daemon security
# Edit /etc/docker/daemon.json
{
"live-restore": true,
"userland-proxy": false,
"no-new-privileges": true,
"seccomp-profile": "/etc/docker/seccomp.json"
}
```
#### Secure Container Practices
```bash
# Run containers with security options
docker run -d \
--user 1000:1000 \
--read-only \
--cap-drop=ALL \
--cap-add=CHOWN \
--security-opt=no-new-privileges:true \
--security-opt=apparmor:docker-default \
nginx:alpine
# Use multi-stage builds
FROM node:alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
FROM node:alpine
RUN addgroup -g 1001 -S nodejs
RUN adduser -S nextjs -u 1001
USER nextjs
COPY --from=builder /app/node_modules ./node_modules
```
## Network Security Best Practices
### Network Segmentation
#### VLAN Configuration
```bash
# pfSense VLAN Setup:
# Interfaces > VLANs > Add
VLAN 10 - Management (pfSense, switches, APs)
Subnet: 192.168.10.0/24
Gateway: 192.168.10.1
VLAN 20 - Servers (Production servers)
Subnet: 192.168.20.0/24
Gateway: 192.168.20.1
VLAN 30 - IoT (Smart devices, cameras)
Subnet: 192.168.30.0/24
Gateway: 192.168.30.1
VLAN 40 - Guest (Visitor access)
Subnet: 192.168.40.0/24
Gateway: 192.168.40.1
VLAN 50 - Work (Work devices)
Subnet: 192.168.50.0/24
Gateway: 192.168.50.1
```
#### Inter-VLAN Firewall Rules
```bash
# Default deny all inter-VLAN traffic
# Create specific allow rules as needed:
# Management to all VLANs (monitoring)
Source: VLAN 10 (Management)
Destination: Any
Action: Allow
Ports: SSH (22), SNMP (161), HTTPS (443)
# Servers to internet only
Source: VLAN 20 (Servers)
Destination: !RFC1918 (Internet only)
Action: Allow
# IoT devices limited internet
Source: VLAN 30 (IoT)
Destination: Specific IoT services
Action: Allow
```
### Wireless Security
#### Wi-Fi Access Point Hardening
```bash
# Wireless security settings:
Security: WPA3-Personal (or WPA2-Enterprise)
Encryption: AES
Password: 20+ character complex password
WPS: Disabled
Guest Network: Enabled, isolated
SSID Broadcast: Disabled for main network
MAC Filtering: Enabled for critical devices
# Access Point management:
Change default admin credentials
Update firmware regularly
Disable unnecessary services (Telnet, SSH)
Enable logging
Set strong SNMP community strings
```
#### Wi-Fi Network Configuration
```bash
# Main Network (Hidden SSID):
SSID: [Hidden/Custom]
VLAN: 20 (Servers) or 50 (Work)
Security: WPA3-Personal
Band: 5GHz preferred
# Guest Network:
SSID: Guest_Network
VLAN: 40 (Guest)
Security: WPA2-Personal
Isolation: Enabled
Bandwidth Limit: 50 Mbps
Time Restrictions: Enabled
# IoT Network:
SSID: IoT_Devices
VLAN: 30 (IoT)
Security: WPA2-Personal
Internet Access: Limited
```
### DNS Security
#### DNS over HTTPS/TLS Configuration
```bash
# pfSense DNS Resolver settings:
# Services > DNS Resolver > General Settings
Enable DNS over TLS: Checked
DNS over TLS Hostname: cloudflare-dns.com
# Custom DNS servers:
Primary: 1.1.1.1#cloudflare-dns.com
Secondary: 1.0.0.1#cloudflare-dns.com
```
#### DNS Filtering & Pi-hole Integration
```bash
# Install Pi-hole on dedicated VM
curl -sSL https://install.pi-hole.net | bash
# Configure pfSense to use Pi-hole:
# System > General Setup
DNS Servers: 192.168.20.100 (Pi-hole IP)
# Pi-hole configuration:
- Enable DNSSEC
- Use upstream DNS over HTTPS
- Add custom blocklists:
- https://someonewhocares.org/hosts/zero/hosts
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
- https://mirror1.malwaredomains.com/files/justdomains
```
### Certificate Management
#### Internal Certificate Authority
```bash
# Create internal CA using Easy-RSA
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
# Initialize PKI
./easyrsa init-pki
# Build CA
./easyrsa build-ca
# Generate server certificates
./easyrsa gen-req server nopass
./easyrsa sign-req server server
# Generate client certificates
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
```
#### SSL/TLS Hardening
```bash
# pfSense SSL/TLS settings:
# System > Advanced > Admin Access
SSL/TLS Certificate: Use internal CA certificate
Minimum TLS Version: 1.2
SSL Ciphers: ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM
# Nginx SSL configuration:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
```
## Advanced Security Features
### Zero Trust Implementation
#### Micro-segmentation Strategy
```bash
# Implement granular network controls:
# Each service gets its own subnet/VLAN
Web Servers: 192.168.21.0/28 (16 IPs)
Database Servers: 192.168.22.0/28
Application Servers: 192.168.23.0/28
Management: 192.168.24.0/28
# Default deny all traffic
# Explicit allow rules for required communication:
Web -> Database: Port 3306 (MySQL)
App -> Database: Port 5432 (PostgreSQL)
Management -> All: SSH (22), HTTPS (443)
```
#### Just-in-Time Access
```bash
# Implement temporary access controls
# Use tools like:
- HashiCorp Boundary
- BeyondTrust
- CyberArk
# Example script for temporary SSH access:
#!/bin/bash
# grant_temp_access.sh
USER=$1
DURATION=${2:-3600} # Default 1 hour
# Add user to allowed SSH users
sudo usermod -a -G ssh-users $USER
# Set expiration
echo "sleep $DURATION && usermod -G -ssh-users $USER" | at now
```
### Identity & Access Management
#### Multi-Factor Authentication
```bash
# Install Google Authenticator PAM module
sudo apt install libpam-google-authenticator
# Configure for SSH
# Add to /etc/pam.d/sshd:
auth required pam_google_authenticator.so
# Edit /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
# Initialize for user
google-authenticator
```
#### LDAP Integration
```bash
# Install OpenLDAP server
sudo apt install slapd ldap-utils
# Configure LDAP directory
sudo dpkg-reconfigure slapd
# Example LDAP user entry:
dn: uid=user1,ou=people,dc=home,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user1
cn: User One
sn: One
mail: user1@home.local
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user1
loginShell: /bin/bash
```
### IoT Device Security
#### IoT Network Isolation
```bash
# Create IoT VLAN with strict rules
# VLAN 30 - IoT Devices
# Firewall rules for IoT VLAN:
# Block inter-device communication
Source: VLAN 30 subnets
Destination: VLAN 30 subnets
Action: Block
# Allow only necessary internet access
Source: VLAN 30
Destination: !RFC1918
Action: Allow
Ports: 80, 443, 123 (NTP), 53 (DNS)
# Block access to other VLANs
Source: VLAN 30
Destination: VLAN 10, 20, 40, 50
Action: Block
```
#### IoT Device Management
```bash
# IoT device checklist:
□ Change default passwords
□ Update firmware to latest version
□ Disable unnecessary features
□ Enable encryption if available
□ Configure on isolated network
□ Monitor device behavior
□ Regular security assessment
# Example IoT device configurations:
# IP Cameras:
- Disable P2P features
- Change default ports
- Enable HTTPS only
- Disable audio if not needed
- Set up motion detection alerts
# Smart home devices:
- Use device-specific VLANs
- Block internet access if possible
- Use local control hubs (Home Assistant)
- Regular firmware updates
```
## Monitoring & SIEM Setup
### Centralized Logging Architecture
#### ELK Stack (Elasticsearch, Logstash, Kibana)
```bash
# Install Elasticsearch
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install elasticsearch
# Configure Elasticsearch
# Edit /etc/elasticsearch/elasticsearch.yml
network.host: 192.168.20.100
discovery.type: single-node
xpack.security.enabled: true
# Install Logstash
sudo apt install logstash
# Configure Logstash for pfSense logs
# Create /etc/logstash/conf.d/pfsense.conf
input {
udp {
port => 5514
type => "pfsense"
}
}
filter {
if [type] == "pfsense" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:hostname} %{WORD:program}: %{GREEDYDATA:message}" }
}
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "pfsense-%{+YYYY.MM.dd}"
}
}
# Install Kibana
sudo apt install kibana
# Configure Kibana
# Edit /etc/kibana/kibana.yml
server.host: "192.168.20.100"
elasticsearch.hosts: ["http://localhost:9200"]
```
#### Wazuh SIEM Setup
```bash
# Install Wazuh manager
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt update && apt install wazuh-manager
# Configure Wazuh for pfSense
# Edit /var/ossec/etc/ossec.conf
syslog
514
udp
192.168.1.1
# Install Wazuh agents on Linux servers
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.0-1_amd64.deb
dpkg -i wazuh-agent_4.3.0-1_amd64.deb
# Configure agent
# Edit /var/ossec/etc/ossec.conf
192.168.20.100
1514
tcp
```
### Network Monitoring
#### ntopng Setup
```bash
# Install ntopng
sudo apt install ntopng
# Configure ntopng
# Edit /etc/ntopng/ntopng.conf
-i=eth0
-d=/var/lib/ntopng/ntopng.db
-w=3000
-P=/etc/ntopng/ntopng.pid
-u=ntopng
-g=ntopng
# Start ntopng
sudo systemctl start ntopng
sudo systemctl enable ntopng
# Access web interface: http://server-ip:3000
```
#### Security Onion
```bash
# Download Security Onion ISO
# https://github.com/Security-Onion-Solutions/securityonion
# Minimum requirements:
- 16GB RAM
- 200GB disk space
- Dedicated network interface for monitoring
# Features included:
- Suricata IDS
- Zeek network analysis
- Elasticsearch + Kibana
- Wazuh HIDS
- NetworkMiner
- Wireshark
```
### Threat Intelligence
#### MISP Integration
```bash
# Install MISP
git clone https://github.com/MISP/MISP.git
cd MISP
sudo -u www-data git submodule update --init --recursive
# Configure threat feeds:
- CIRCL OSINT Feed
- Malware Information Sharing Platform
- Commercial threat intelligence
- Government security advisories
# Integrate with pfBlockerNG:
# Export MISP indicators to pfBlockerNG format
```
#### Threat Hunting Tools
```bash
# Install threat hunting tools:
sudo apt install yara
sudo apt install volatility
sudo apt install sleuthkit
sudo apt install autopsy
# Create threat hunting playbooks:
# Daily tasks:
- Review DNS queries for suspicious domains
- Analyze network traffic patterns
- Check for unusual login times/locations
- Monitor certificate changes
- Review outbound connections
```
### Honeypots & Deception
#### Cowrie SSH Honeypot
```bash
# Install Cowrie
sudo adduser --disabled-password cowrie
sudo su - cowrie
git clone http://github.com/cowrie/cowrie
cd cowrie
virtualenv cowrie-env
source cowrie-env/bin/activate
pip install -r requirements.txt
# Configure Cowrie
cp etc/cowrie.cfg.dist etc/cowrie.cfg
# Edit etc/cowrie.cfg:
[honeypot]
hostname = server
log_path = var/log/cowrie
listen_endpoints = tcp:2222:interface=0.0.0.0
# Start Cowrie
bin/cowrie start
```
#### Web Application Honeypot
```bash
# Install Glastopf
sudo apt install python3-pip
pip3 install glastopf
# Configure Glastopf
glastopf-runner
# Deploy on isolated VLAN
# Monitor attacks and collect intelligence
```
## Backup & Disaster Recovery
### Backup Strategy Implementation
#### pfSense Configuration Backup
```bash
#!/bin/bash
# backup_pfsense.sh
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/backups/pfsense"
PFSENSE_IP="192.168.1.1"
USERNAME="admin"
PASSWORD="your-password"
# Create backup directory
mkdir -p $BACKUP_DIR
# Download configuration
curl -k -u $USERNAME:$PASSWORD \
"https://$PFSENSE_IP/diag_backup.php?download=download&donotbackuprrd=yes" \
> "$BACKUP_DIR/pfsense_config_$DATE.xml"
# Compress and encrypt backup
gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \
--s2k-digest-algo SHA512 --s2k-count 65536 --symmetric \
"$BACKUP_DIR/pfsense_config_$DATE.xml"
# Remove unencrypted backup
rm "$BACKUP_DIR/pfsense_config_$DATE.xml"
# Upload to cloud storage (optional)
# aws s3 cp "$BACKUP_DIR/pfsense_config_$DATE.xml.gpg" s3://backup-bucket/
```
#### Linux Server Backup
```bash
#!/bin/bash
# backup_server.sh
SERVER_NAME=$(hostname)
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/backups/$SERVER_NAME"
EXCLUDE_FILE="/etc/backup_exclude.txt"
# Create backup directory
mkdir -p $BACKUP_DIR
# System backup with rsync
rsync -avH --delete --exclude-from="$EXCLUDE_FILE" \
/ "$BACKUP_DIR/system_$DATE/"
# Database backup
mysqldump --all-databases --routines --triggers > \
"$BACKUP_DIR/database_$DATE.sql"
# VM configuration backup (if virtualized)
virsh dumpxml $SERVER_NAME > "$BACKUP_DIR/vm_config_$DATE.xml"
# Compress backup
tar -czf "$BACKUP_DIR/backup_$DATE.tar.gz" \
"$BACKUP_DIR/system_$DATE" \
"$BACKUP_DIR/database_$DATE.sql" \
"$BACKUP_DIR/vm_config_$DATE.xml"
# Clean up temporary files
rm -rf "$BACKUP_DIR/system_$DATE"
rm "$BACKUP_DIR/database_$DATE.sql"
rm "$BACKUP_DIR/vm_config_$DATE.xml"
```
#### Backup Exclude File
```bash
# /etc/backup_exclude.txt
/dev/*
/proc/*
/sys/*
/tmp/*
/run/*
/mnt/*
/media/*
/lost+found
/var/cache/*
/var/tmp/*
/home/*/.cache/*
/home/*/.local/share/Trash/*
```
### Disaster Recovery Procedures
#### Recovery Time Objectives (RTO)
```bash
# Define RTO for each system:
Critical Systems (RTO: 1 hour):
- pfSense firewall
- Domain controller
- Primary DNS server
Important Systems (RTO: 4 hours):
- Web servers
- Database servers
- File servers
Non-critical Systems (RTO: 24 hours):
- Development servers
- Test environments
- Secondary services
```
#### Disaster Recovery Testing
```bash
#!/bin/bash
# dr_test.sh - Quarterly DR test script
echo "Starting Disaster Recovery Test - $(date)"
# Test 1: pfSense configuration restore
echo "Testing pfSense restore..."
# Upload test configuration to pfSense
# Verify connectivity after restore
# Test 2: VM restore from backup
echo "Testing VM restore..."
# Restore VM from latest backup
# Verify services start correctly
# Test 3: Database restore
echo "Testing database restore..."
# Restore database from backup
# Verify data integrity
# Test 4: Network connectivity
echo "Testing network connectivity..."
# Verify all VLANs are accessible
# Test inter-VLAN communication rules
# Generate test report
echo "DR Test completed - $(date)" > /var/log/dr_test_$(date +%Y%m%d).log
```
## Maintenance & Operations
### Daily Security Tasks
#### Automated Daily Checks
```bash
#!/bin/bash
# daily_security_check.sh
LOG_FILE="/var/log/security_check_$(date +%Y%m%d).log"
echo "Daily Security Check - $(date)" >> $LOG_FILE
# Check for failed login attempts
echo "=== Failed Login Attempts ===" >> $LOG_FILE
grep "Failed password" /var/log/auth.log | tail -10 >> $LOG_FILE
# Check for unusual network connections
echo "=== Unusual Network Connections ===" >> $LOG_FILE
netstat -an | grep ESTABLISHED | awk '{print $5}' | \
cut -d: -f1 | sort | uniq -c | sort -nr | head -10 >> $LOG_FILE
# Check system resources
echo "=== System Resources ===" >> $LOG_FILE
df -h >> $LOG_FILE
free -m >> $LOG_FILE
uptime >> $LOG_FILE
# Check for updates
echo "=== Available Updates ===" >> $LOG_FILE
apt list --upgradable 2>/dev/null >> $LOG_FILE
# Check firewall status
echo "=== Firewall Status ===" >> $LOG_FILE
ufw status >> $LOG_FILE
# Check for rootkits
echo "=== Rootkit Check ===" >> $LOG_FILE
chkrootkit >> $LOG_FILE 2>&1
# Email report
mail -s "Daily Security Report - $(hostname)" admin@example.com < $LOG_FILE
```
#### Log Analysis Scripts
```bash
#!/bin/bash
# analyze_logs.sh
# Analyze pfSense logs for threats
echo "Top blocked IPs in last 24 hours:"
grep "$(date +'%b %d')" /var/log/pfsense.log | \
grep "block" | awk '{print $8}' | sort | uniq -c | sort -nr | head -10
# Check for port scans
echo "Potential port scans:"
grep "$(date +'%b %d')" /var/log/pfsense.log | \
grep -E "(tcp|udp).*BLOCK" | awk '{print $8}' | \
sort | uniq -c | awk '$1 > 10 {print $2, $1}' | sort -nr
# Analyze SSH logs
echo "SSH login analysis:"
grep "$(date +'%b %d')" /var/log/auth.log | \
grep "sshd.*Accepted" | awk '{print $11}' | sort | uniq -c
```
### Weekly Maintenance Tasks
#### System Updates
```bash
#!/bin/bash
# weekly_updates.sh
# Update pfSense packages
# Manual process - check System > Package Manager
# Update Linux servers
servers=("192.168.20.10" "192.168.20.11" "192.168.20.12")
for server in "${servers[@]}"; do
echo "Updating $server..."
ssh admin@$server "
sudo apt update
sudo apt upgrade -y
sudo apt autoremove -y
sudo apt autoclean
sudo reboot
"
done
# Update threat intelligence feeds
# pfBlockerNG: Firewall > pfBlockerNG > Update
# MISP: Update threat feeds
# Suricata: Update rules
```
#### Security Assessments
```bash
#!/bin/bash
# weekly_security_assessment.sh
# Network vulnerability scan
nmap -sS -O -A 192.168.1.0/24 > /tmp/network_scan_$(date +%Y%m%d).txt
# Web application security scan
nikto -h https://internal-web-server > /tmp/web_scan_$(date +%Y%m%d).txt
# SSL/TLS certificate check
echo | openssl s_client -servername internal-server -connect internal-server:443 2>/dev/null | \
openssl x509 -noout -dates
# Check for unauthorized changes
aide --check > /tmp/aide_check_$(date +%Y%m%d).txt
# Generate security report
{
echo "Weekly Security Assessment - $(date)"
echo "=================================="
echo
echo "Network Scan Results:"
cat /tmp/network_scan_$(date +%Y%m%d).txt
echo
echo "Web Security Scan:"
cat /tmp/web_scan_$(date +%Y%m%d).txt
echo
echo "File Integrity Check:"
cat /tmp/aide_check_$(date +%Y%m%d).txt
} > /var/log/weekly_security_$(date +%Y%m%d).log
```
### Monthly Tasks
#### Security Review
```bash
#!/bin/bash
# monthly_security_review.sh
# Review user accounts
echo "Active user accounts:"
cut -d: -f1 /etc/passwd | sort
echo "Users with sudo access:"
grep -Po '^sudo.+:\K.*$' /etc/group
echo "Last login times:"
lastlog
# Review installed packages
echo "Recently installed packages:"
grep " install " /var/log/dpkg.log | tail -20
# Review firewall rules
echo "Current UFW rules:"
ufw status numbered
# Review cron jobs
echo "System cron jobs:"
crontab -l
# Review network services
echo "Listening services:"
ss -tulpn
# Check for unauthorized SUID files
echo "SUID files:"
find / -perm -4000 -type f 2>/dev/null
```
#### Certificate Management
```bash
#!/bin/bash
# certificate_check.sh
# Check certificate expiration dates
echo "Certificate expiration check:"
# Internal certificates
for cert in /etc/ssl/certs/*.crt; do
echo "Certificate: $cert"
openssl x509 -in "$cert" -noout -subject -dates
echo "---"
done
# Remote certificates
hosts=("internal-server1.local" "internal-server2.local")
for host in "${hosts[@]}"; do
echo "Checking $host..."
echo | openssl s_client -servername $host -connect $host:443 2>/dev/null | \
openssl x509 -noout -subject -dates
echo "---"
done
# Generate renewal warnings
# Add logic to send alerts for certificates expiring in 30 days
```
## Compliance & Documentation
### Security Documentation
#### Network Topology Documentation
```yaml
# network_topology.yml
network:
name: "Home Network"
subnets:
management:
vlan: 10
subnet: "192.168.10.0/24"
gateway: "192.168.10.1"
description: "Management VLAN for network equipment"
devices:
- pfSense firewall (192.168.10.1)
- Managed switch (192.168.10.2)
- Wireless access points (192.168.10.3-5)
servers:
vlan: 20
subnet: "192.168.20.0/24"
gateway: "192.168.20.1"
description: "Production servers"
devices:
- Web server (192.168.20.10)
- Database server (192.168.20.11)
- File server (192.168.20.12)
- SIEM server (192.168.20.100)
iot:
vlan: 30
subnet: "192.168.30.0/24"
gateway: "192.168.30.1"
description: "IoT devices with restricted internet access"
devices:
- IP cameras (192.168.30.10-19)
- Smart home devices (192.168.30.20-50)
```
#### Asset Inventory
```csv
Asset Type,Hostname,IP Address,MAC Address,OS,Version,Owner,Criticality,Last Updated
Firewall,pfsense-fw,192.168.10.1,00:11:22:33:44:55,pfSense,2.6.0,IT,Critical,2023-01-15
Server,web-server,192.168.20.10,00:11:22:33:44:56,Ubuntu,20.04 LTS,IT,High,2023-01-10
Server,db-server,192.168.20.11,00:11:22:33:44:57,Ubuntu,20.04 LTS,IT,Critical,2023-01-10
Server,file-server,192.168.20.12,00:11:22:33:44:58,Ubuntu,20.04 LTS,IT,Medium,2023-01-10
Camera,front-door-cam,192.168.30.10,00:11:22:33:44:59,Embedded,1.2.3,Security,Low,2023-01-05
```
#### Security Policies
```markdown
# Information Security Policy
## Purpose
This document establishes the security requirements for the home network infrastructure.
## Scope
This policy applies to all network devices, servers, and systems within the home network.
## Password Policy
- Minimum 12 characters
- Must contain uppercase, lowercase, numbers, and symbols
- No dictionary words
- Changed every 90 days
- No password reuse for last 12 passwords
## Access Control Policy
- Principle of least privilege
- All administrative access requires MFA
- Regular access reviews (monthly)
- Immediate revocation upon role change
## Network Security Policy
- Default deny firewall rules
- Network segmentation required
- VPN required for remote access
- All traffic logged and monitored
## Incident Response Policy
- Incident classification levels
- Response team contact information
- Communication procedures
- Evidence preservation requirements
```
### Risk Assessment
#### Risk Register
```yaml
risks:
- id: R001
title: "Weak Authentication"
description: "Default or weak passwords on network devices"
likelihood: "Medium"
impact: "High"
risk_score: 15
mitigation:
- "Implement strong password policy"
- "Enable multi-factor authentication"
- "Regular password audits"
status: "Mitigated"
- id: R002
title: "Unpatched Systems"
description: "Systems running outdated software with known vulnerabilities"
likelihood: "High"
impact: "High"
risk_score: 20
mitigation:
- "Automated patch management"
- "Regular vulnerability scans"
- "Patch testing procedures"
status: "In Progress"
- id: R003
title: "IoT Device Compromise"
description: "Insecure IoT devices providing network access"
likelihood: "Medium"
impact: "Medium"
risk_score: 10
mitigation:
- "Network segmentation"
- "IoT device inventory"
- "Regular firmware updates"
status: "Mitigated"
```
### Compliance Framework
#### NIST Cybersecurity Framework Implementation
```yaml
nist_csf:
identify:
- Asset management
- Business environment understanding
- Governance policies
- Risk assessment
- Risk management strategy
protect:
- Identity management and access control
- Awareness and training
- Data security
- Information protection processes
- Maintenance procedures
- Protective technology
detect:
- Anomalies and events detection
- Security continuous monitoring
- Detection processes
respond:
- Response planning
- Communications procedures
- Analysis protocols
- Mitigation strategies
- Improvements processes
recover:
- Recovery planning
- Improvements procedures
- Communications protocols
```
## Emergency Response
### Incident Response Plan
#### Incident Classification
```yaml
incident_levels:
level_1_critical:
description: "Complete network compromise or critical system failure"
response_time: "Immediate (within 15 minutes)"
escalation: "All team members"
level_2_high:
description: "Partial network compromise or important system failure"
response_time: "Within 1 hour"
escalation: "Security team lead"
level_3_medium:
description: "Security event requiring investigation"
response_time: "Within 4 hours"
escalation: "Assigned team member"
level_4_low:
description: "Minor security event or policy violation"
response_time: "Within 24 hours"
escalation: "Security team"
```
#### Emergency Contacts
```yaml
contacts:
primary_admin:
name: "Primary Administrator"
phone: "+1-555-0101"
email: "admin@example.com"
role: "Incident Commander"
security_team:
name: "Security Team Lead"
phone: "+1-555-0102"
email: "security@example.com"
role: "Technical Response"
legal_counsel:
name: "Legal Advisor"
phone: "+1-555-0103"
email: "legal@example.com"
role: "Legal/Regulatory"
```
#### Response Procedures
##### Suspected Network Compromise
```bash
#!/bin/bash
# incident_response_network.sh
echo "NETWORK COMPROMISE RESPONSE PROCEDURE"
echo "====================================="
# Step 1: Immediate containment
echo "1. CONTAINMENT (Execute immediately)"
echo " - Isolate affected systems"
echo " - Preserve evidence"
echo " - Document all actions"
# Isolate affected system
read -p "Enter IP address of affected system: " AFFECTED_IP
ufw deny from $AFFECTED_IP
ufw deny to $AFFECTED_IP
# Step 2: Assessment
echo "2. ASSESSMENT"
echo " - Determine scope of compromise"
echo " - Identify attack vectors"
echo " - Assess data impact"
# Collect system information
ps aux > /tmp/processes_$(date +%Y%m%d_%H%M%S).txt
netstat -an > /tmp/network_connections_$(date +%Y%m%d_%H%M%S).txt
ls -la /tmp > /tmp/temp_files_$(date +%Y%m%d_%H%M%S).txt
# Step 3: Eradication
echo "3. ERADICATION"
echo " - Remove malware"
echo " - Close vulnerabilities"
echo " - Update systems"
# Step 4: Recovery
echo "4. RECOVERY"
echo " - Restore from clean backups"
echo " - Monitor for re-infection"
echo " - Validate system integrity"
# Step 5: Lessons learned
echo "5. POST-INCIDENT REVIEW"
echo " - Document incident timeline"
echo " - Identify improvements"
echo " - Update procedures"
```
##### Malware Detection Response
```bash
#!/bin/bash
# malware_response.sh
INFECTED_HOST=$1
INCIDENT_ID=$(date +%Y%m%d_%H%M%S)
echo "MALWARE INCIDENT RESPONSE - ID: $INCIDENT_ID"
echo "============================================="
# Immediate isolation
echo "Isolating infected host: $INFECTED_HOST"
# Add firewall rule to block all traffic from infected host
pfctl -t infected_hosts -T add $INFECTED_HOST
# Evidence collection
mkdir -p /incident_response/$INCIDENT_ID
echo "Collecting evidence..."
# Memory dump
if command -v volatility &> /dev/null; then
volatility -f /proc/kcore --profile=Linux imageinfo > \
/incident_response/$INCIDENT_ID/memory_analysis.txt
fi
# Network connections
ss -tulpn > /incident_response/$INCIDENT_ID/network_connections.txt
# Process list
ps auxf > /incident_response/$INCIDENT_ID/process_list.txt
# File system analysis
find /home -type f -mtime -1 > /incident_response/$INCIDENT_ID/recent_files.txt
# Hash known good files
md5sum /bin/* > /incident_response/$INCIDENT_ID/system_hashes.txt
echo "Evidence collected in: /incident_response/$INCIDENT_ID"
echo "Next steps:"
echo "1. Analyze collected evidence"
echo "2. Identify malware family and infection vector"
echo "3. Clean infected system or restore from backup"
echo "4. Update security controls to prevent reinfection"
```
### Forensic Procedures
#### Digital Evidence Collection
```bash
#!/bin/bash
# collect_evidence.sh
CASE_ID=$1
SYSTEM_NAME=$2
EVIDENCE_DIR="/forensic_evidence/$CASE_ID"
mkdir -p $EVIDENCE_DIR
echo "Digital Evidence Collection"
echo "=========================="
echo "Case ID: $CASE_ID"
echo "System: $SYSTEM_NAME"
echo "Date: $(date)"
echo "Investigator: $(whoami)"
# Create forensic image
echo "Creating disk image..."
dd if=/dev/sda of=$EVIDENCE_DIR/disk_image.dd bs=4096 conv=noerror,sync
md5sum $EVIDENCE_DIR/disk_image.dd > $EVIDENCE_DIR/disk_image.md5
# Memory capture
echo "Capturing memory..."
if command -v LiME &> /dev/null; then
insmod lime.ko "path=$EVIDENCE_DIR/memory.lime format=lime"
fi
# Network evidence
echo "Collecting network evidence..."
tcpdump -i any -w $EVIDENCE_DIR/network_traffic.pcap &
TCPDUMP_PID=$!
# System information
echo "Collecting system information..."
uname -a > $EVIDENCE_DIR/system_info.txt
ps auxf > $EVIDENCE_DIR/processes.txt
lsof > $EVIDENCE_DIR/open_files.txt
netstat -an > $EVIDENCE_DIR/network_connections.txt
# Log files
echo "Copying log files..."
cp -r /var/log $EVIDENCE_DIR/
# Stop network capture
sleep 60
kill $TCPDUMP_PID
# Generate chain of custody
cat << EOF > $EVIDENCE_DIR/chain_of_custody.txt
CHAIN OF CUSTODY RECORD
======================
Case ID: $CASE_ID
System: $SYSTEM_NAME
Collection Date: $(date)
Investigator: $(whoami)
Evidence Items:
- Disk image: disk_image.dd ($(stat -c%s $EVIDENCE_DIR/disk_image.dd) bytes)
- Memory dump: memory.lime
- Network traffic: network_traffic.pcap
- System logs: /var/log directory
Hash Verification:
$(md5sum $EVIDENCE_DIR/*)
Evidence sealed and secured at: $(date)
EOF
echo "Evidence collection complete: $EVIDENCE_DIR"
```
## Additional Resources
### Essential Security Tools
#### Network Security Tools
```bash
# Network scanning and analysis
sudo apt install nmap ncat
sudo apt install wireshark tshark
sudo apt install tcpdump
sudo apt install hping3
sudo apt install nikto
sudo apt install dirb
# Vulnerability assessment
sudo apt install openvas
sudo apt install lynis
sudo apt install chkrootkit
sudo apt install rkhunter
# Network monitoring
sudo apt install ntopng
sudo apt install bandwidthd
sudo apt install iftop
sudo apt install vnstat
```
#### System Hardening Tools
```bash
# Security scanning
sudo apt install aide
sudo apt install tripwire
sudo apt install samhain
sudo apt install ossec-hids
# System monitoring
sudo apt install auditd
sudo apt install acct
sudo apt install psacct
sudo apt install sysstat
# File integrity
sudo apt install integrit
sudo apt install afick
sudo apt install tiger
```
### Configuration Templates
#### pfSense Configuration Template
```xml
21.05
security
aesni
yes
https
8443
webConfigurator
Local Database
30
em0
dhcp
em1
192.168.1.1
24
```
#### UFW Rules Template
```bash
#!/bin/bash
# ufw_rules_template.sh
# Reset to defaults
ufw --force reset
# Set default policies
ufw default deny incoming
ufw default allow outgoing
# Allow SSH (change port as needed)
ufw allow 2222/tcp
# Allow web services
ufw allow 80/tcp
ufw allow 443/tcp
# Allow from management network only
ufw allow from 192.168.10.0/24 to any port 22
ufw allow from 192.168.10.0/24 to any port 3000
# Rate limiting
ufw limit ssh
# Enable logging
ufw logging on
# Enable firewall
ufw --force enable
```
### Security Checklists
#### Daily Security Checklist
- [ ] Review firewall logs for blocked traffic
- [ ] Check system logs for errors or anomalies
- [ ] Verify backup completion status
- [ ] Monitor system resource usage
- [ ] Review failed login attempts
- [ ] Check for security alerts/notifications
- [ ] Verify critical services are running
- [ ] Review network traffic patterns
#### Weekly Security Checklist
- [ ] Update threat intelligence feeds
- [ ] Review and update firewall rules
- [ ] Check for system updates
- [ ] Verify SSL certificate validity
- [ ] Review user account activity
- [ ] Analyze security event trends
- [ ] Test backup restoration process
- [ ] Update security documentation
#### Monthly Security Checklist
- [ ] Conduct vulnerability assessment
- [ ] Review and update security policies
- [ ] Perform user access review
- [ ] Update risk assessment
- [ ] Review incident response procedures
- [ ] Test disaster recovery plan
- [ ] Security awareness training
- [ ] Review compliance status
### Learning Resources
#### Recommended Reading
- NIST Cybersecurity Framework
- CIS Critical Security Controls
- OWASP Top 10 Security Risks
- SANS Institute Security Resources
- pfSense Official Documentation
#### Online Training
- Cybrary.it - Free cybersecurity training
- SANS Cyber Aces - Hands-on cybersecurity tutorials
- Coursera - Network Security courses
- edX - Cybersecurity fundamentals
#### Community Resources
- Reddit: r/netsec, r/homelab, r/sysadmin
- pfSense Forum and Documentation
- Ubuntu Security Documentation
- Security Now! Podcast
- Krebs on Security Blog
---
## License
This guide is released under the MIT License. Feel free to modify and distribute as needed.
## Contributing
Contributions are welcome! Please submit pull requests with improvements, corrections, or additional security measures.
## Disclaimer
This guide provides general security recommendations. Always test configurations in a lab environment before implementing in production. Security requirements may vary based on your specific environment and threat model.