How Best to Configuring Home Network for Freedombox and Maintain Maximum Security?

Support
1

Hi, I’m wondering how best to set up my Freedombox on my home network to maintain maximum security for the other machines on the local network?

Possible Solution?
I found the following previous part answer to a different issue, which makes me think I should have my Freedombox setup as a DMZ device?: “This is typically done by logging into the router, and configuring DMZ ip address as FreedomBox IP address (after making a reservation for that IP address).” [Solved] Problems configuring DMS

Background
I’m looking at this because I had my Freedombox connected to my local network as a standard device, with ports forwarded to it by my home router. But I noticed yesterday that the web root index.html page had been changed (cracked!): /var/www/html/index.html The index.html had been clanged to point to an external website. Because I was obviously going to notice this change I assume it was a white-hat cracker warning me that my system was vulnerable!

I’m not too surprised because I have been doing a lot of messing about with the Freedombox machine: opening ports, not being careful enough about what info I provided on support posts on StackOverFlow etc. And I had also installed Wordpress and NextCloud in the web root and hadn’t looked at hardening either install. So there was probably too much information out on the web about how to find my machine and its configuration. And it was probably unnecessarily vulnerable. However, finding evidence that the machine has been cracked has made me consider my network security far more seriously!

Thanks for any advice with this

1 Like
2

Putting FreedomBox behind a router and forwarding all necessary ports (DMZ or individual ports) is pretty much equivalent to putting FreedomBox as the router.

Personally, I would always trust my FreedomBox (which is free software and fully under my control) than to router (which have proprietary software and are notorious for their security holds).

1 Like
3

Thanks for the clarification.

UPDATE

I don’t like the idea of the DMZ as it seems to just fully expose the Pi to the internet, which is not really what I want.

I’ve been exploring this a little bit more and hit on a set up using my DD-WRT router - described below. I would really welcome any feedback regarding if my understanding of my set up is correct and comments about the strengths/weaknesses of it, if it does in fact make sense and does add extra protection to my local network machines?

Background
As mentioned above, the reason I want to isolate the Raspberry Pi 3B+ web server is that I had it set up with Freedombox, NextCloud and Wordpress and someone hacked into it and changed the web root’s index.html file. There wasn’t anything sensitive on the Pi, but it did freak me out that it could be a possible way to break into the local network and start SSH brute forcing other accessible machines on the local network.

I agree that firewalls go a long way - but in this case the hacker did get past by, presumably, exploiting a vulnerability in Wordpress! I don’t really want to have to turn into a paranoid sys admin having to open and close ports on local machines all the time. I would rather start with a robust network configuration and then worry about each machine on the local network as best I can.

Possible Solution
I’m testing a setup using two routers and two separate DHCP fire-walled networks, based on the concept described here and tutorial here (though I’m not using VPN). See the attached image for a visual layout of the set up I’m testing.

From information I have found it seems that network two (IP: 192.168.11.x - the “inner” network) can reach out to network one (IP: 192.168.10.x - the “outer” network) and to the internet. But the outer network can’t (easily) get past the second router’s firewall and into the inner network.

This works because data is passed back though the NAT to the originating address, but all other traffic is stopped by the firewall. So the local machines on the inner network can reach out and SSH into the server on the outer network, but the server can’t break through the inner firewall to reach the local machines on the inner network.

I have tested and I can SSH from within the inner network to the server on the outer network. But I don’t seem to be able to SSH from the server to a machine on the inner network, so it does seem to be the case that this set up gives me what I want.

I am new to all of this though, so I could be missing something obvious here.

Does my set up this make sense in the way I have described?

2 Likes
4
  • It does seem more secure than a typical setup.
  • freedombox.local domain resolution may not work in this setup as it uses broadcast.
  • You still need to make sure web server is secure with right software, proper configuration and automatic security updates.
2 Likes
5

Would you say that the main point of weakness in my set up (as above) is the second router (which, in my case, is running DD-WRT)? A cracker who takes over the web server could start to probe the second router and potentially try and brute force it? I guess a strong password is essential to mitigate this. Also, I guess any vulnerability in the routers firmware could also be exploited?

1 Like
6

Subnet mask as possible helpful security measure

Separating the local network with subnet mask could be a helpful solution too using just a single router. This keeps the local machines unaccessible from the internet accessible Freedombox home server, should it get cracked into.

I.e., … using a subnet mask of 255.255.255.192, a local network of 192.168.123.0 becomes four networks: 192.168.123.0, 192.168.123.64, 192.168.123.128, 192.168.123.192.

These four networks would have as valid host addresses: 192.168.123.1-62, 192.168.123.65-126, 192.168.123.129-190, 192.168.123.193-254.

The binary host addresses with all ones or all zeros are invalid, so you cannot use addresses with the last octet of 0, 63, 64, 127, 128, 191, 192, or 255.

Source: https://support.microsoft.com/en-us/help/164015/understanding-tcp-ip-addressing-and-subnetting-basics

1 Like
7

Yes, to all the questions. However, this is no weaker than any typical setup where on router is facing the Internet. Since DD-WRT is open source, you can be more confident.

I don’t think this is more secure unless enforced by the network equipment such as in case of VLANs. This is because if a machine is compromised, they then assign themselves IP address from any other subnet and start connecting to other machines.

1 Like
8

Thanks - that’s helpful :slight_smile: