homelab-sec-guide/README.md

Homelab Security Guide

A comprehensive security hardening guide for pfSense firewalls, Linux servers, and home network infrastructure.

Table of Contents

• Overview
• Quick Start
• pfSense Firewall Hardening
• Linux Server VM Security
• Network Security Best Practices
• Advanced Security Features
• Monitoring & SIEM Setup
• Backup & Disaster Recovery
• Maintenance & Operations
• Compliance & Documentation
• Emergency Response
• Additional Resources

Overview

This guide provides a comprehensive approach to securing your home network infrastructure, including:

• pfSense firewall hardening
• Linux server security
• Network segmentation
• Monitoring and logging
• Incident response procedures

Security Philosophy

• Defense in Depth: Multiple layers of security controls
• Zero Trust: Never trust, always verify
• Principle of Least Privilege: Minimum necessary access
• Continuous Monitoring: Always watching for threats

Quick Start

Prerequisites

• pfSense firewall (physical or virtual)
• Linux server VMs (Ubuntu/Debian preferred)
• Basic networking knowledge
• Administrative access to all systems

Initial Security Steps (Do These First!)

1. Change all default passwords
2. Update all systems
3. Enable HTTPS for pfSense WebGUI
4. Disable SSH root login on Linux servers
5. Enable basic firewall rules
6. Set up logging

pfSense Firewall Hardening

Initial Setup & Access Control

Change Default Credentials

# Access pfSense WebGUI
# Navigate to System > User Manager
# Change admin password immediately
# Create new admin user with different name

Secure WebGUI Access

# System > Advanced > Admin Access
- Enable HTTPS
- Change port from 443 to custom (e.g., 8443)
- Restrict access to specific IP ranges
- Enable session timeout (30 minutes)
- Disable HTTP redirect

Two-Factor Authentication

# System > User Manager > Users > Edit user
# Add TOTP (Time-based One-Time Password)
# Use Google Authenticator or similar app

Network Interface Security

WAN Interface Hardening

# Interfaces > WAN
- Enable "Block RFC1918 Private Networks"
- Enable "Block bogon networks"  
- Disable "Allow IPv6"
- Enable anti-spoofing protection

# Firewall > Rules > WAN
- Default deny all inbound
- Block ICMP (ping) requests
- Only allow specific services (VPN, etc.)

LAN Interface Configuration

# Interfaces > LAN
- Change default subnet if using 192.168.1.0/24
- Consider using 172.16.0.0/16 or 10.0.0.0/8

# Firewall > Rules > LAN  
- Deny access to firewall management from most IPs
- Allow only specific admin workstation
- Block inter-VLAN communication by default

Advanced Firewall Rules

Egress Filtering (Outbound Control)

# Control what can leave your network:
- Block P2P protocols
- Allow only necessary outbound ports (80, 443, 53, 123)
- Block direct IP connections (force DNS resolution)
- Limit outbound connections per host

Geo-blocking

# Install pfBlockerNG
# System > Package Manager > Available Packages
# Search for "pfBlockerNG-devel" and install

# Configure country blocking:
# Firewall > pfBlockerNG > IP > Add
- Block high-risk countries (CN, RU, KP, etc.)
- Allow your country and trusted regions

VPN Configuration

OpenVPN Server Setup

# VPN > OpenVPN > Servers > Add
Server Mode: Remote Access (SSL/TLS + User Auth)
Protocol: UDP
Port: 1194 (or custom)
Encryption: AES-256-GCM
Auth: SHA256
Certificate Authority: Create new CA

WireGuard Setup (Recommended)

# VPN > WireGuard > Settings
# Enable WireGuard
# Create new tunnel:
- Listen Port: 51820 (or custom)
- Generate key pair
- Configure allowed networks

Services Hardening

SSH Service Configuration

# System > Advanced > Admin Access
- Enable SSH
- Change port from 22 to custom
- Disable password authentication  
- Upload SSH public keys only
- Set connection timeout

DNS Security

# System > General Setup
Primary DNS: 1.1.1.1 (Cloudflare)
Secondary DNS: 9.9.9.9 (Quad9)

# Services > DNS Resolver
- Enable DNSSEC Support
- Enable DNS over TLS
- Configure custom blocklists

DHCP Hardening

# Services > DHCP Server
- Reduce lease time to 4 hours
- Enable static ARP entries for servers
- Configure custom DNS for clients
- Enable DHCP logging

Intrusion Detection & Prevention

pfBlockerNG Configuration

# Firewall > pfBlockerNG > IP
# Add these threat feeds:
- Emerging Threats
- Spamhaus DROP/EDROP
- Malware Domain List
- Tor exit nodes (optional)

# Configure update frequency: Daily
# Enable logging for all blocks

Suricata IDS/IPS

# System > Package Manager > Install Suricata
# Services > Suricata > Interfaces
- Add WAN interface
- Enable IPS mode (blocking)
- Enable all appropriate rule categories
- Update rules daily

Logging & Monitoring

System Logging

# Status > System Logs > Settings
- Enable remote logging
- Set log file size limits
- Enable log rotation
- Configure severity levels

# Forward logs to SIEM:
Remote Log Server: 192.168.1.100:514
Remote Logging: Everything

SMTP Notifications

# System > Advanced > Notifications
SMTP Server: smtp.gmail.com
Port: 587
Secure SMTP: Enable STARTTLS
Username: your-email@gmail.com
Password: app-specific-password

# Enable notifications for:
- System startup/shutdown
- Package updates
- Certificate expiration
- High CPU/memory usage

Linux Server VM Security

System Updates & Package Management

Automated Updates

# Install unattended-upgrades
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades apt-listchanges

# Configure automatic security updates
sudo dpkg-reconfigure unattended-upgrades

# Edit /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

Package Security

# Remove unnecessary packages
sudo apt autoremove --purge
sudo apt autoclean

# List installed packages
dpkg --get-selections > installed-packages.txt

# Audit installed packages regularly
sudo apt list --installed | grep -v "automatic"

User Account Security

User Management

# Create limited sudo user
sudo useradd -m -s /bin/bash secadmin
sudo usermod -aG sudo secadmin

# Set strong password
sudo passwd secadmin

# Lock/disable unused accounts
sudo usermod -L username
sudo usermod -s /bin/false username

# Remove user
sudo deluser --remove-home username

Password Policies

# Install password quality library
sudo apt install libpam-pwquality

# Edit /etc/security/pwquality.conf
minlen = 12
minclass = 3
maxrepeat = 2
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1

# Set password aging
sudo chage -M 90 username  # Max 90 days
sudo chage -W 7 username   # Warn 7 days before expiry

SSH Hardening

SSH Configuration

# Edit /etc/ssh/sshd_config
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
AllowTcpForwarding no
AllowUsers secadmin
DenyUsers root

# Restart SSH service
sudo systemctl restart sshd

SSH Key Management

# Generate ED25519 key (most secure)
ssh-keygen -t ed25519 -C "admin@hostname"

# Copy public key to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub secadmin@server-ip

# Test key-based login
ssh -i ~/.ssh/id_ed25519 secadmin@server-ip

# Disable password authentication after testing
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config

Firewall Configuration (UFW)

Basic UFW Setup

# Install and configure UFW
sudo apt install ufw

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (use your custom port)
sudo ufw allow 2222/tcp

# Allow specific services
sudo ufw allow 80/tcp    # HTTP
sudo ufw allow 443/tcp   # HTTPS
sudo ufw allow from 192.168.1.0/24 to any port 22  # SSH from LAN only

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status verbose

Advanced UFW Rules

# Rate limiting for SSH
sudo ufw limit 2222/tcp

# Allow specific IP ranges
sudo ufw allow from 192.168.1.0/24

# Block specific countries (requires geoip)
sudo ufw deny from [country-ip-ranges]

# Log all denied connections
sudo ufw logging on

Intrusion Detection

Fail2Ban Setup

# Install Fail2Ban
sudo apt install fail2ban

# Create local configuration
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600      # 1 hour ban
findtime = 600      # 10 minute window
maxretry = 3        # 3 attempts
backend = systemd   # Use systemd for log parsing

[sshd]
enabled = true
port = 2222         # Your SSH port
logpath = /var/log/auth.log
maxretry = 3

# Start and enable Fail2Ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

# Check status
sudo fail2ban-client status sshd

AIDE (File Integrity Monitoring)

# Install AIDE
sudo apt install aide

# Initialize database
sudo aideinit

# Move database to final location
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Run integrity check
sudo aide --check

# Set up daily checks via cron
echo "0 2 * * * root /usr/bin/aide --check" | sudo tee -a /etc/crontab

System Monitoring

Auditd (System Call Auditing)

# Install auditd
sudo apt install auditd audispd-plugins

# Configure audit rules
sudo nano /etc/audit/rules.d/audit.rules

# Example audit rules:
# Monitor passwd file changes
-w /etc/passwd -p wa -k passwd_changes

# Monitor sudo usage
-w /etc/sudoers -p wa -k sudoers_changes

# Monitor login/logout events
-w /var/log/wtmp -p wa -k session_changes

# Restart auditd
sudo service auditd restart

# View audit logs
sudo ausearch -k passwd_changes

System Resource Monitoring

# Install monitoring tools
sudo apt install htop iotop nethogs sysstat

# Enable system statistics collection
sudo systemctl enable sysstat

# View system statistics
sar -u 1 10    # CPU usage
sar -r 1 10    # Memory usage
sar -d 1 10    # Disk I/O

Application Security

Web Server Hardening (Nginx)

# Install Nginx
sudo apt install nginx

# Basic security configuration
# Edit /etc/nginx/nginx.conf
server_tokens off;                    # Hide version
add_header X-Frame-Options DENY;     # Prevent clickjacking
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

# SSL/TLS configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512;
ssl_prefer_server_ciphers off;

Database Security (MySQL/MariaDB)

# Install MariaDB
sudo apt install mariadb-server

# Run security script
sudo mysql_secure_installation

# Additional hardening:
# Edit /etc/mysql/mariadb.conf.d/50-server.cnf
bind-address = 127.0.0.1        # Local connections only
skip-networking = 1             # Disable network access

Container Security (Docker)

Docker Installation & Hardening

# Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh

# Add user to docker group
sudo usermod -aG docker $USER

# Configure Docker daemon security
# Edit /etc/docker/daemon.json
{
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true,
  "seccomp-profile": "/etc/docker/seccomp.json"
}

Secure Container Practices

# Run containers with security options
docker run -d \
  --user 1000:1000 \
  --read-only \
  --cap-drop=ALL \
  --cap-add=CHOWN \
  --security-opt=no-new-privileges:true \
  --security-opt=apparmor:docker-default \
  nginx:alpine

# Use multi-stage builds
FROM node:alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production

FROM node:alpine
RUN addgroup -g 1001 -S nodejs
RUN adduser -S nextjs -u 1001
USER nextjs
COPY --from=builder /app/node_modules ./node_modules

Network Security Best Practices

Network Segmentation

VLAN Configuration

# pfSense VLAN Setup:
# Interfaces > VLANs > Add

VLAN 10 - Management (pfSense, switches, APs)
  Subnet: 192.168.10.0/24
  Gateway: 192.168.10.1

VLAN 20 - Servers (Production servers)
  Subnet: 192.168.20.0/24
  Gateway: 192.168.20.1

VLAN 30 - IoT (Smart devices, cameras)
  Subnet: 192.168.30.0/24
  Gateway: 192.168.30.1

VLAN 40 - Guest (Visitor access)
  Subnet: 192.168.40.0/24
  Gateway: 192.168.40.1

VLAN 50 - Work (Work devices)
  Subnet: 192.168.50.0/24
  Gateway: 192.168.50.1

Inter-VLAN Firewall Rules

# Default deny all inter-VLAN traffic
# Create specific allow rules as needed:

# Management to all VLANs (monitoring)
Source: VLAN 10 (Management)
Destination: Any
Action: Allow
Ports: SSH (22), SNMP (161), HTTPS (443)

# Servers to internet only
Source: VLAN 20 (Servers)
Destination: !RFC1918 (Internet only)
Action: Allow

# IoT devices limited internet
Source: VLAN 30 (IoT)
Destination: Specific IoT services
Action: Allow

Wireless Security

Wi-Fi Access Point Hardening

# Wireless security settings:
Security: WPA3-Personal (or WPA2-Enterprise)
Encryption: AES
Password: 20+ character complex password
WPS: Disabled
Guest Network: Enabled, isolated
SSID Broadcast: Disabled for main network
MAC Filtering: Enabled for critical devices

# Access Point management:
Change default admin credentials
Update firmware regularly
Disable unnecessary services (Telnet, SSH)
Enable logging
Set strong SNMP community strings

Wi-Fi Network Configuration

# Main Network (Hidden SSID):
SSID: [Hidden/Custom]
VLAN: 20 (Servers) or 50 (Work)
Security: WPA3-Personal
Band: 5GHz preferred

# Guest Network:
SSID: Guest_Network
VLAN: 40 (Guest)
Security: WPA2-Personal
Isolation: Enabled
Bandwidth Limit: 50 Mbps
Time Restrictions: Enabled

# IoT Network:
SSID: IoT_Devices
VLAN: 30 (IoT)
Security: WPA2-Personal
Internet Access: Limited

DNS Security

DNS over HTTPS/TLS Configuration

# pfSense DNS Resolver settings:
# Services > DNS Resolver > General Settings
Enable DNS over TLS: Checked
DNS over TLS Hostname: cloudflare-dns.com

# Custom DNS servers:
Primary: 1.1.1.1#cloudflare-dns.com
Secondary: 1.0.0.1#cloudflare-dns.com

DNS Filtering & Pi-hole Integration

# Install Pi-hole on dedicated VM
curl -sSL https://install.pi-hole.net | bash

# Configure pfSense to use Pi-hole:
# System > General Setup
DNS Servers: 192.168.20.100 (Pi-hole IP)

# Pi-hole configuration:
- Enable DNSSEC
- Use upstream DNS over HTTPS
- Add custom blocklists:
  - https://someonewhocares.org/hosts/zero/hosts
  - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  - https://mirror1.malwaredomains.com/files/justdomains

Certificate Management

Internal Certificate Authority

# Create internal CA using Easy-RSA
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3

# Initialize PKI
./easyrsa init-pki

# Build CA
./easyrsa build-ca

# Generate server certificates
./easyrsa gen-req server nopass
./easyrsa sign-req server server

# Generate client certificates
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

SSL/TLS Hardening

# pfSense SSL/TLS settings:
# System > Advanced > Admin Access
SSL/TLS Certificate: Use internal CA certificate
Minimum TLS Version: 1.2
SSL Ciphers: ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM

# Nginx SSL configuration:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;

Advanced Security Features

Zero Trust Implementation

Micro-segmentation Strategy

# Implement granular network controls:
# Each service gets its own subnet/VLAN

Web Servers: 192.168.21.0/28    (16 IPs)
Database Servers: 192.168.22.0/28
Application Servers: 192.168.23.0/28
Management: 192.168.24.0/28

# Default deny all traffic
# Explicit allow rules for required communication:
Web -> Database: Port 3306 (MySQL)
App -> Database: Port 5432 (PostgreSQL)
Management -> All: SSH (22), HTTPS (443)

Just-in-Time Access

# Implement temporary access controls
# Use tools like:
- HashiCorp Boundary
- BeyondTrust
- CyberArk

# Example script for temporary SSH access:
#!/bin/bash
# grant_temp_access.sh
USER=$1
DURATION=${2:-3600}  # Default 1 hour

# Add user to allowed SSH users
sudo usermod -a -G ssh-users $USER

# Set expiration
echo "sleep $DURATION && usermod -G -ssh-users $USER" | at now

Identity & Access Management

Multi-Factor Authentication

# Install Google Authenticator PAM module
sudo apt install libpam-google-authenticator

# Configure for SSH
# Add to /etc/pam.d/sshd:
auth required pam_google_authenticator.so

# Edit /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

# Initialize for user
google-authenticator

LDAP Integration

# Install OpenLDAP server
sudo apt install slapd ldap-utils

# Configure LDAP directory
sudo dpkg-reconfigure slapd

# Example LDAP user entry:
dn: uid=user1,ou=people,dc=home,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user1
cn: User One
sn: One
mail: user1@home.local
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user1
loginShell: /bin/bash

IoT Device Security

IoT Network Isolation

# Create IoT VLAN with strict rules
# VLAN 30 - IoT Devices

# Firewall rules for IoT VLAN:
# Block inter-device communication
Source: VLAN 30 subnets
Destination: VLAN 30 subnets  
Action: Block

# Allow only necessary internet access
Source: VLAN 30
Destination: !RFC1918
Action: Allow
Ports: 80, 443, 123 (NTP), 53 (DNS)

# Block access to other VLANs
Source: VLAN 30
Destination: VLAN 10, 20, 40, 50
Action: Block

IoT Device Management

# IoT device checklist:
□ Change default passwords
□ Update firmware to latest version
□ Disable unnecessary features
□ Enable encryption if available
□ Configure on isolated network
□ Monitor device behavior
□ Regular security assessment

# Example IoT device configurations:
# IP Cameras:
- Disable P2P features
- Change default ports
- Enable HTTPS only
- Disable audio if not needed
- Set up motion detection alerts

# Smart home devices:
- Use device-specific VLANs
- Block internet access if possible
- Use local control hubs (Home Assistant)
- Regular firmware updates

Monitoring & SIEM Setup

Centralized Logging Architecture

ELK Stack (Elasticsearch, Logstash, Kibana)

# Install Elasticsearch
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install elasticsearch

# Configure Elasticsearch
# Edit /etc/elasticsearch/elasticsearch.yml
network.host: 192.168.20.100
discovery.type: single-node
xpack.security.enabled: true

# Install Logstash
sudo apt install logstash

# Configure Logstash for pfSense logs
# Create /etc/logstash/conf.d/pfsense.conf
input {
  udp {
    port => 5514
    type => "pfsense"
  }
}

filter {
  if [type] == "pfsense" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{WORD:hostname} %{WORD:program}: %{GREEDYDATA:message}" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "pfsense-%{+YYYY.MM.dd}"
  }
}

# Install Kibana
sudo apt install kibana

# Configure Kibana
# Edit /etc/kibana/kibana.yml
server.host: "192.168.20.100"
elasticsearch.hosts: ["http://localhost:9200"]

Wazuh SIEM Setup

# Install Wazuh manager
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt update && apt install wazuh-manager

# Configure Wazuh for pfSense
# Edit /var/ossec/etc/ossec.conf
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.1.1</allowed-ips>
</remote>

# Install Wazuh agents on Linux servers
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.0-1_amd64.deb
dpkg -i wazuh-agent_4.3.0-1_amd64.deb

# Configure agent
# Edit /var/ossec/etc/ossec.conf
<client>
  <server>
    <address>192.168.20.100</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
</client>

Network Monitoring

ntopng Setup

# Install ntopng
sudo apt install ntopng

# Configure ntopng
# Edit /etc/ntopng/ntopng.conf
-i=eth0
-d=/var/lib/ntopng/ntopng.db
-w=3000
-P=/etc/ntopng/ntopng.pid
-u=ntopng
-g=ntopng

# Start ntopng
sudo systemctl start ntopng
sudo systemctl enable ntopng

# Access web interface: http://server-ip:3000

Security Onion

# Download Security Onion ISO
# https://github.com/Security-Onion-Solutions/securityonion

# Minimum requirements:
- 16GB RAM
- 200GB disk space
- Dedicated network interface for monitoring

# Features included:
- Suricata IDS
- Zeek network analysis
- Elasticsearch + Kibana
- Wazuh HIDS
- NetworkMiner
- Wireshark

Threat Intelligence

MISP Integration

# Install MISP
git clone https://github.com/MISP/MISP.git
cd MISP
sudo -u www-data git submodule update --init --recursive

# Configure threat feeds:
- CIRCL OSINT Feed
- Malware Information Sharing Platform
- Commercial threat intelligence
- Government security advisories

# Integrate with pfBlockerNG:
# Export MISP indicators to pfBlockerNG format

Threat Hunting Tools

# Install threat hunting tools:
sudo apt install yara
sudo apt install volatility
sudo apt install sleuthkit
sudo apt install autopsy

# Create threat hunting playbooks:
# Daily tasks:
- Review DNS queries for suspicious domains
- Analyze network traffic patterns
- Check for unusual login times/locations
- Monitor certificate changes
- Review outbound connections

Honeypots & Deception

Cowrie SSH Honeypot

# Install Cowrie
sudo adduser --disabled-password cowrie
sudo su - cowrie
git clone http://github.com/cowrie/cowrie
cd cowrie
virtualenv cowrie-env
source cowrie-env/bin/activate
pip install -r requirements.txt

# Configure Cowrie
cp etc/cowrie.cfg.dist etc/cowrie.cfg
# Edit etc/cowrie.cfg:
[honeypot]
hostname = server
log_path = var/log/cowrie
listen_endpoints = tcp:2222:interface=0.0.0.0

# Start Cowrie
bin/cowrie start

Web Application Honeypot

# Install Glastopf
sudo apt install python3-pip
pip3 install glastopf

# Configure Glastopf
glastopf-runner

# Deploy on isolated VLAN
# Monitor attacks and collect intelligence

Backup & Disaster Recovery

Backup Strategy Implementation

pfSense Configuration Backup

#!/bin/bash
# backup_pfsense.sh
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/backups/pfsense"
PFSENSE_IP="192.168.1.1"
USERNAME="admin"
PASSWORD="your-password"

# Create backup directory
mkdir -p $BACKUP_DIR

# Download configuration
curl -k -u $USERNAME:$PASSWORD \
  "https://$PFSENSE_IP/diag_backup.php?download=download&donotbackuprrd=yes" \
  > "$BACKUP_DIR/pfsense_config_$DATE.xml"

# Compress and encrypt backup
gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \
  --s2k-digest-algo SHA512 --s2k-count 65536 --symmetric \
  "$BACKUP_DIR/pfsense_config_$DATE.xml"

# Remove unencrypted backup
rm "$BACKUP_DIR/pfsense_config_$DATE.xml"

# Upload to cloud storage (optional)
# aws s3 cp "$BACKUP_DIR/pfsense_config_$DATE.xml.gpg" s3://backup-bucket/

Linux Server Backup

#!/bin/bash
# backup_server.sh
SERVER_NAME=$(hostname)
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/backups/$SERVER_NAME"
EXCLUDE_FILE="/etc/backup_exclude.txt"

# Create backup directory
mkdir -p $BACKUP_DIR

# System backup with rsync
rsync -avH --delete --exclude-from="$EXCLUDE_FILE" \
  / "$BACKUP_DIR/system_$DATE/"

# Database backup
mysqldump --all-databases --routines --triggers > \
  "$BACKUP_DIR/database_$DATE.sql"

# VM configuration backup (if virtualized)
virsh dumpxml $SERVER_NAME > "$BACKUP_DIR/vm_config_$DATE.xml"

# Compress backup
tar -czf "$BACKUP_DIR/backup_$DATE.tar.gz" \
  "$BACKUP_DIR/system_$DATE" \
  "$BACKUP_DIR/database_$DATE.sql" \
  "$BACKUP_DIR/vm_config_$DATE.xml"

# Clean up temporary files
rm -rf "$BACKUP_DIR/system_$DATE"
rm "$BACKUP_DIR/database_$DATE.sql"
rm "$BACKUP_DIR/vm_config_$DATE.xml"

Backup Exclude File

# /etc/backup_exclude.txt
/dev/*
/proc/*
/sys/*
/tmp/*
/run/*
/mnt/*
/media/*
/lost+found
/var/cache/*
/var/tmp/*
/home/*/.cache/*
/home/*/.local/share/Trash/*

Disaster Recovery Procedures

Recovery Time Objectives (RTO)

# Define RTO for each system:
Critical Systems (RTO: 1 hour):
- pfSense firewall
- Domain controller
- Primary DNS server

Important Systems (RTO: 4 hours):
- Web servers
- Database servers  
- File servers

Non-critical Systems (RTO: 24 hours):
- Development servers
- Test environments
- Secondary services

Disaster Recovery Testing

#!/bin/bash
# dr_test.sh - Quarterly DR test script

echo "Starting Disaster Recovery Test - $(date)"

# Test 1: pfSense configuration restore
echo "Testing pfSense restore..."
# Upload test configuration to pfSense
# Verify connectivity after restore

# Test 2: VM restore from backup
echo "Testing VM restore..."
# Restore VM from latest backup
# Verify services start correctly

# Test 3: Database restore
echo "Testing database restore..."
# Restore database from backup
# Verify data integrity

# Test 4: Network connectivity
echo "Testing network connectivity..."
# Verify all VLANs are accessible
# Test inter-VLAN communication rules

# Generate test report
echo "DR Test completed - $(date)" > /var/log/dr_test_$(date +%Y%m%d).log

Maintenance & Operations

Daily Security Tasks

Automated Daily Checks

#!/bin/bash
# daily_security_check.sh

LOG_FILE="/var/log/security_check_$(date +%Y%m%d).log"

echo "Daily Security Check - $(date)" >> $LOG_FILE

# Check for failed login attempts
echo "=== Failed Login Attempts ===" >> $LOG_FILE
grep "Failed password" /var/log/auth.log | tail -10 >> $LOG_FILE

# Check for unusual network connections
echo "=== Unusual Network Connections ===" >> $LOG_FILE
netstat -an | grep ESTABLISHED | awk '{print $5}' | \
  cut -d: -f1 | sort | uniq -c | sort -nr | head -10 >> $LOG_FILE

# Check system resources
echo "=== System Resources ===" >> $LOG_FILE
df -h >> $LOG_FILE
free -m >> $LOG_FILE
uptime >> $LOG_FILE

# Check for updates
echo "=== Available Updates ===" >> $LOG_FILE
apt list --upgradable 2>/dev/null >> $LOG_FILE

# Check firewall status
echo "=== Firewall Status ===" >> $LOG_FILE
ufw status >> $LOG_FILE

# Check for rootkits
echo "=== Rootkit Check ===" >> $LOG_FILE
chkrootkit >> $LOG_FILE 2>&1

# Email report
mail -s "Daily Security Report - $(hostname)" admin@example.com < $LOG_FILE

Log Analysis Scripts

#!/bin/bash
# analyze_logs.sh

# Analyze pfSense logs for threats
echo "Top blocked IPs in last 24 hours:"
grep "$(date +'%b %d')" /var/log/pfsense.log | \
  grep "block" | awk '{print $8}' | sort | uniq -c | sort -nr | head -10

# Check for port scans
echo "Potential port scans:"
grep "$(date +'%b %d')" /var/log/pfsense.log | \
  grep -E "(tcp|udp).*BLOCK" | awk '{print $8}' | \
  sort | uniq -c | awk '$1 > 10 {print $2, $1}' | sort -nr

# Analyze SSH logs
echo "SSH login analysis:"
grep "$(date +'%b %d')" /var/log/auth.log | \
  grep "sshd.*Accepted" | awk '{print $11}' | sort | uniq -c

Weekly Maintenance Tasks

System Updates

#!/bin/bash
# weekly_updates.sh

# Update pfSense packages
# Manual process - check System > Package Manager

# Update Linux servers
servers=("192.168.20.10" "192.168.20.11" "192.168.20.12")

for server in "${servers[@]}"; do
  echo "Updating $server..."
  ssh admin@$server "
    sudo apt update
    sudo apt upgrade -y
    sudo apt autoremove -y
    sudo apt autoclean
    sudo reboot
  "
done

# Update threat intelligence feeds
# pfBlockerNG: Firewall > pfBlockerNG > Update
# MISP: Update threat feeds
# Suricata: Update rules

Security Assessments

#!/bin/bash
# weekly_security_assessment.sh

# Network vulnerability scan
nmap -sS -O -A 192.168.1.0/24 > /tmp/network_scan_$(date +%Y%m%d).txt

# Web application security scan
nikto -h https://internal-web-server > /tmp/web_scan_$(date +%Y%m%d).txt

# SSL/TLS certificate check
echo | openssl s_client -servername internal-server -connect internal-server:443 2>/dev/null | \
  openssl x509 -noout -dates

# Check for unauthorized changes
aide --check > /tmp/aide_check_$(date +%Y%m%d).txt

# Generate security report
{
  echo "Weekly Security Assessment - $(date)"
  echo "=================================="
  echo
  echo "Network Scan Results:"
  cat /tmp/network_scan_$(date +%Y%m%d).txt
  echo
  echo "Web Security Scan:"
  cat /tmp/web_scan_$(date +%Y%m%d).txt
  echo
  echo "File Integrity Check:"
  cat /tmp/aide_check_$(date +%Y%m%d).txt
} > /var/log/weekly_security_$(date +%Y%m%d).log

Monthly Tasks

Security Review

#!/bin/bash
# monthly_security_review.sh

# Review user accounts
echo "Active user accounts:"
cut -d: -f1 /etc/passwd | sort

echo "Users with sudo access:"
grep -Po '^sudo.+:\K.*$' /etc/group

echo "Last login times:"
lastlog

# Review installed packages
echo "Recently installed packages:"
grep " install " /var/log/dpkg.log | tail -20

# Review firewall rules
echo "Current UFW rules:"
ufw status numbered

# Review cron jobs
echo "System cron jobs:"
crontab -l

# Review network services
echo "Listening services:"
ss -tulpn

# Check for unauthorized SUID files
echo "SUID files:"
find / -perm -4000 -type f 2>/dev/null

Certificate Management

#!/bin/bash
# certificate_check.sh

# Check certificate expiration dates
echo "Certificate expiration check:"

# Internal certificates
for cert in /etc/ssl/certs/*.crt; do
  echo "Certificate: $cert"
  openssl x509 -in "$cert" -noout -subject -dates
  echo "---"
done

# Remote certificates
hosts=("internal-server1.local" "internal-server2.local")

for host in "${hosts[@]}"; do
  echo "Checking $host..."
  echo | openssl s_client -servername $host -connect $host:443 2>/dev/null | \
    openssl x509 -noout -subject -dates
  echo "---"
done

# Generate renewal warnings
# Add logic to send alerts for certificates expiring in 30 days

Compliance & Documentation

Security Documentation

Network Topology Documentation

# network_topology.yml
network:
  name: "Home Network"
  subnets:
    management:
      vlan: 10
      subnet: "192.168.10.0/24"
      gateway: "192.168.10.1"
      description: "Management VLAN for network equipment"
      devices:
        - pfSense firewall (192.168.10.1)
        - Managed switch (192.168.10.2)
        - Wireless access points (192.168.10.3-5)
    
    servers:
      vlan: 20
      subnet: "192.168.20.0/24"
      gateway: "192.168.20.1"
      description: "Production servers"
      devices:
        - Web server (192.168.20.10)
        - Database server (192.168.20.11)
        - File server (192.168.20.12)
        - SIEM server (192.168.20.100)
    
    iot:
      vlan: 30
      subnet: "192.168.30.0/24" 
      gateway: "192.168.30.1"
      description: "IoT devices with restricted internet access"
      devices:
        - IP cameras (192.168.30.10-19)
        - Smart home devices (192.168.30.20-50)

Asset Inventory

Asset Type,Hostname,IP Address,MAC Address,OS,Version,Owner,Criticality,Last Updated
Firewall,pfsense-fw,192.168.10.1,00:11:22:33:44:55,pfSense,2.6.0,IT,Critical,2023-01-15
Server,web-server,192.168.20.10,00:11:22:33:44:56,Ubuntu,20.04 LTS,IT,High,2023-01-10
Server,db-server,192.168.20.11,00:11:22:33:44:57,Ubuntu,20.04 LTS,IT,Critical,2023-01-10
Server,file-server,192.168.20.12,00:11:22:33:44:58,Ubuntu,20.04 LTS,IT,Medium,2023-01-10
Camera,front-door-cam,192.168.30.10,00:11:22:33:44:59,Embedded,1.2.3,Security,Low,2023-01-05

Security Policies

# Information Security Policy

## Purpose
This document establishes the security requirements for the home network infrastructure.

## Scope
This policy applies to all network devices, servers, and systems within the home network.

## Password Policy
- Minimum 12 characters
- Must contain uppercase, lowercase, numbers, and symbols
- No dictionary words
- Changed every 90 days
- No password reuse for last 12 passwords

## Access Control Policy
- Principle of least privilege
- All administrative access requires MFA
- Regular access reviews (monthly)
- Immediate revocation upon role change

## Network Security Policy
- Default deny firewall rules
- Network segmentation required
- VPN required for remote access
- All traffic logged and monitored

## Incident Response Policy
- Incident classification levels
- Response team contact information
- Communication procedures
- Evidence preservation requirements

Risk Assessment

Risk Register

risks:
  - id: R001
    title: "Weak Authentication"
    description: "Default or weak passwords on network devices"
    likelihood: "Medium"
    impact: "High"
    risk_score: 15
    mitigation:
      - "Implement strong password policy"
      - "Enable multi-factor authentication"
      - "Regular password audits"
    status: "Mitigated"
    
  - id: R002
    title: "Unpatched Systems"
    description: "Systems running outdated software with known vulnerabilities"
    likelihood: "High"
    impact: "High"
    risk_score: 20
    mitigation:
      - "Automated patch management"
      - "Regular vulnerability scans"
      - "Patch testing procedures"
    status: "In Progress"
    
  - id: R003
    title: "IoT Device Compromise"
    description: "Insecure IoT devices providing network access"
    likelihood: "Medium"
    impact: "Medium"
    risk_score: 10
    mitigation:
      - "Network segmentation"
      - "IoT device inventory"
      - "Regular firmware updates"
    status: "Mitigated"

Compliance Framework

NIST Cybersecurity Framework Implementation

nist_csf:
  identify:
    - Asset management
    - Business environment understanding  
    - Governance policies
    - Risk assessment
    - Risk management strategy
    
  protect:
    - Identity management and access control
    - Awareness and training
    - Data security
    - Information protection processes
    - Maintenance procedures
    - Protective technology
    
  detect:
    - Anomalies and events detection
    - Security continuous monitoring
    - Detection processes
    
  respond:
    - Response planning
    - Communications procedures
    - Analysis protocols
    - Mitigation strategies
    - Improvements processes
    
  recover:
    - Recovery planning
    - Improvements procedures
    - Communications protocols

Emergency Response

Incident Response Plan

Incident Classification

incident_levels:
  level_1_critical:
    description: "Complete network compromise or critical system failure"
    response_time: "Immediate (within 15 minutes)"
    escalation: "All team members"
    
  level_2_high:
    description: "Partial network compromise or important system failure"
    response_time: "Within 1 hour"
    escalation: "Security team lead"
    
  level_3_medium:
    description: "Security event requiring investigation"
    response_time: "Within 4 hours"
    escalation: "Assigned team member"
    
  level_4_low:
    description: "Minor security event or policy violation"
    response_time: "Within 24 hours"
    escalation: "Security team"

Emergency Contacts

contacts:
  primary_admin:
    name: "Primary Administrator"
    phone: "+1-555-0101"
    email: "admin@example.com"
    role: "Incident Commander"
    
  security_team:
    name: "Security Team Lead"
    phone: "+1-555-0102"
    email: "security@example.com"
    role: "Technical Response"
    
  legal_counsel:
    name: "Legal Advisor"
    phone: "+1-555-0103"
    email: "legal@example.com"
    role: "Legal/Regulatory"

Response Procedures

Suspected Network Compromise

#!/bin/bash
# incident_response_network.sh

echo "NETWORK COMPROMISE RESPONSE PROCEDURE"
echo "====================================="

# Step 1: Immediate containment
echo "1. CONTAINMENT (Execute immediately)"
echo "   - Isolate affected systems"
echo "   - Preserve evidence"
echo "   - Document all actions"

# Isolate affected system
read -p "Enter IP address of affected system: " AFFECTED_IP
ufw deny from $AFFECTED_IP
ufw deny to $AFFECTED_IP

# Step 2: Assessment
echo "2. ASSESSMENT"
echo "   - Determine scope of compromise"
echo "   - Identify attack vectors"
echo "   - Assess data impact"

# Collect system information
ps aux > /tmp/processes_$(date +%Y%m%d_%H%M%S).txt
netstat -an > /tmp/network_connections_$(date +%Y%m%d_%H%M%S).txt
ls -la /tmp > /tmp/temp_files_$(date +%Y%m%d_%H%M%S).txt

# Step 3: Eradication
echo "3. ERADICATION"
echo "   - Remove malware"
echo "   - Close vulnerabilities"
echo "   - Update systems"

# Step 4: Recovery
echo "4. RECOVERY"
echo "   - Restore from clean backups"
echo "   - Monitor for re-infection"
echo "   - Validate system integrity"

# Step 5: Lessons learned
echo "5. POST-INCIDENT REVIEW"
echo "   - Document incident timeline"
echo "   - Identify improvements"
echo "   - Update procedures"

Malware Detection Response

#!/bin/bash
# malware_response.sh

INFECTED_HOST=$1
INCIDENT_ID=$(date +%Y%m%d_%H%M%S)

echo "MALWARE INCIDENT RESPONSE - ID: $INCIDENT_ID"
echo "============================================="

# Immediate isolation
echo "Isolating infected host: $INFECTED_HOST"
# Add firewall rule to block all traffic from infected host
pfctl -t infected_hosts -T add $INFECTED_HOST

# Evidence collection
mkdir -p /incident_response/$INCIDENT_ID
echo "Collecting evidence..."

# Memory dump
if command -v volatility &> /dev/null; then
    volatility -f /proc/kcore --profile=Linux imageinfo > \
        /incident_response/$INCIDENT_ID/memory_analysis.txt
fi

# Network connections
ss -tulpn > /incident_response/$INCIDENT_ID/network_connections.txt

# Process list
ps auxf > /incident_response/$INCIDENT_ID/process_list.txt

# File system analysis
find /home -type f -mtime -1 > /incident_response/$INCIDENT_ID/recent_files.txt

# Hash known good files
md5sum /bin/* > /incident_response/$INCIDENT_ID/system_hashes.txt

echo "Evidence collected in: /incident_response/$INCIDENT_ID"
echo "Next steps:"
echo "1. Analyze collected evidence"
echo "2. Identify malware family and infection vector"
echo "3. Clean infected system or restore from backup"
echo "4. Update security controls to prevent reinfection"

Forensic Procedures

Digital Evidence Collection

#!/bin/bash
# collect_evidence.sh

CASE_ID=$1
SYSTEM_NAME=$2
EVIDENCE_DIR="/forensic_evidence/$CASE_ID"

mkdir -p $EVIDENCE_DIR

echo "Digital Evidence Collection"
echo "=========================="
echo "Case ID: $CASE_ID"
echo "System: $SYSTEM_NAME"
echo "Date: $(date)"
echo "Investigator: $(whoami)"

# Create forensic image
echo "Creating disk image..."
dd if=/dev/sda of=$EVIDENCE_DIR/disk_image.dd bs=4096 conv=noerror,sync
md5sum $EVIDENCE_DIR/disk_image.dd > $EVIDENCE_DIR/disk_image.md5

# Memory capture
echo "Capturing memory..."
if command -v LiME &> /dev/null; then
    insmod lime.ko "path=$EVIDENCE_DIR/memory.lime format=lime"
fi

# Network evidence
echo "Collecting network evidence..."
tcpdump -i any -w $EVIDENCE_DIR/network_traffic.pcap &
TCPDUMP_PID=$!

# System information
echo "Collecting system information..."
uname -a > $EVIDENCE_DIR/system_info.txt
ps auxf > $EVIDENCE_DIR/processes.txt
lsof > $EVIDENCE_DIR/open_files.txt
netstat -an > $EVIDENCE_DIR/network_connections.txt

# Log files
echo "Copying log files..."
cp -r /var/log $EVIDENCE_DIR/

# Stop network capture
sleep 60
kill $TCPDUMP_PID

# Generate chain of custody
cat << EOF > $EVIDENCE_DIR/chain_of_custody.txt
CHAIN OF CUSTODY RECORD
======================
Case ID: $CASE_ID
System: $SYSTEM_NAME
Collection Date: $(date)
Investigator: $(whoami)

Evidence Items:
- Disk image: disk_image.dd ($(stat -c%s $EVIDENCE_DIR/disk_image.dd) bytes)
- Memory dump: memory.lime
- Network traffic: network_traffic.pcap
- System logs: /var/log directory

Hash Verification:
$(md5sum $EVIDENCE_DIR/*)

Evidence sealed and secured at: $(date)
EOF

echo "Evidence collection complete: $EVIDENCE_DIR"

Additional Resources

Essential Security Tools

Network Security Tools

# Network scanning and analysis
sudo apt install nmap ncat
sudo apt install wireshark tshark
sudo apt install tcpdump
sudo apt install hping3
sudo apt install nikto
sudo apt install dirb

# Vulnerability assessment
sudo apt install openvas
sudo apt install lynis
sudo apt install chkrootkit
sudo apt install rkhunter

# Network monitoring  
sudo apt install ntopng
sudo apt install bandwidthd
sudo apt install iftop
sudo apt install vnstat

System Hardening Tools

# Security scanning
sudo apt install aide
sudo apt install tripwire
sudo apt install samhain
sudo apt install ossec-hids

# System monitoring
sudo apt install auditd
sudo apt install acct
sudo apt install psacct
sudo apt install sysstat

# File integrity
sudo apt install integrit
sudo apt install afick
sudo apt install tiger

Configuration Templates

pfSense Configuration Template

<!-- Minimal secure pfSense configuration -->
<pfsense>
  <version>21.05</version>
  <system>
    <optimization>security</optimization>
    <powerd_enable/>
    <crypto_hardware>aesni</crypto_hardware>
    <thermal_hardware/>
    <schedule_states>yes</schedule_states>
    <skip_rules_gw_down/>
    <webgui>
      <protocol>https</protocol>
      <port>8443</port>
      <ssl-certref>webConfigurator</ssl-certref>
      <noantilockout/>
      <authmode>Local Database</authmode>
      <session_timeout>30</session_timeout>
    </webgui>
  </system>
  <interfaces>
    <wan>
      <enable/>
      <if>em0</if>
      <ipaddr>dhcp</ipaddr>
      <blockpriv/>
      <blockbogons/>
      <spoofmac/>
    </wan>
    <lan>
      <enable/>
      <if>em1</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
</pfsense>

UFW Rules Template

#!/bin/bash
# ufw_rules_template.sh

# Reset to defaults
ufw --force reset

# Set default policies
ufw default deny incoming
ufw default allow outgoing

# Allow SSH (change port as needed)
ufw allow 2222/tcp

# Allow web services
ufw allow 80/tcp
ufw allow 443/tcp

# Allow from management network only
ufw allow from 192.168.10.0/24 to any port 22
ufw allow from 192.168.10.0/24 to any port 3000

# Rate limiting
ufw limit ssh

# Enable logging
ufw logging on

# Enable firewall
ufw --force enable

Security Checklists

Daily Security Checklist

• Review firewall logs for blocked traffic
• Check system logs for errors or anomalies
• Verify backup completion status
• Monitor system resource usage
• Review failed login attempts
• Check for security alerts/notifications
• Verify critical services are running
• Review network traffic patterns

Weekly Security Checklist

• Update threat intelligence feeds
• Review and update firewall rules
• Check for system updates
• Verify SSL certificate validity
• Review user account activity
• Analyze security event trends
• Test backup restoration process
• Update security documentation

Monthly Security Checklist

• Conduct vulnerability assessment
• Review and update security policies
• Perform user access review
• Update risk assessment
• Review incident response procedures
• Test disaster recovery plan
• Security awareness training
• Review compliance status

Learning Resources

Recommended Reading

• NIST Cybersecurity Framework
• CIS Critical Security Controls
• OWASP Top 10 Security Risks
• SANS Institute Security Resources
• pfSense Official Documentation

Online Training

• Cybrary.it - Free cybersecurity training
• SANS Cyber Aces - Hands-on cybersecurity tutorials
• Coursera - Network Security courses
• edX - Cybersecurity fundamentals

Community Resources

• Reddit: r/netsec, r/homelab, r/sysadmin
• pfSense Forum and Documentation
• Ubuntu Security Documentation
• Security Now! Podcast
• Krebs on Security Blog

---

License

This guide is released under the MIT License. Feel free to modify and distribute as needed.

Contributing

Contributions are welcome! Please submit pull requests with improvements, corrections, or additional security measures.

Disclaimer

This guide provides general security recommendations. Always test configurations in a lab environment before implementing in production. Security requirements may vary based on your specific environment and threat model.