Webinterface / webgui in a vlan?

Hello together,

I was thinking about security for the ‘webinterface / webgui’. I made a VLAN only for management, where only 2 computers have access to it. Here I want to put the webgui from IPFire in it. From what I saw, I can manage the ‘listen.conf’ in /etc/httpd/conf/ and write, for example, ‘listen :444’. But can someone tell me how it will be after an upgrade?

Is this the right way?

Thank you.

Greetings

I think a far easier way would be to create some firewall rules that block all green access to the WUI and then allow one or two IPs to get access.
However, you need to make sure your firewall rules are correct, otherwise you will block all access via the WUI to IPFire. You would then have to manually edit the firewall rules files via the console to remove the faulty rules.

An even easier way is firstly to make sure that the password is a strong one. I use a 20 character password using upper and lower case letters, digits and special characters.
Have Guardian installed; you can then specify the two IPs as hosts to be ignored by Guardian and all others to be blocked if they have 1 faulty password attempt. The default with Guardian is to block for 24 hours, but of course you could block them for a week or whatever. Just enter the block time in seconds.
You will also see the IPs on the Guardian WUI page that tried to access the WUI and failed and have been blocked.
https://www.ipfire.org/docs/addons/guardian

If you also have a Blue Network make sure that you follow this link to prevent users trying to access the WUI via that network.
https://www.ipfire.org/docs/configuration/firewall/accesstoblue#deny-blue-clients-access-to-the-ipfire-web-interface

But does /etc/sysconfig/rc.local get erased on an upgrade?

If not, then inside it could be structured:

grep -qF "Listen vlan_ip:444" "/etc/httpd/conf/listen.conf" || printf "Listen vlan_ip:444\n" > "/etc/httpd/conf/listen.conf"

Assuming vlan_ip is replaced with a valid IP assigning to the interface's VLAN in the same file.
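
The idea in the last post of re-applying the binding from a boot script, written out as an added example (not part of the posts above and not IPFire project code). The function names `valid_ipv4` and `ensure_listen`, the return code 10 and the address 192.0.2.10 are assumptions made for illustration; the file path and port 444 are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example, not IPFire project code. The management address passed in
# and the file path are assumptions; 444 is the WUI port from the thread.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ensure_listen FILE IP: make FILE contain exactly "Listen IP:444".
# Returns 0 if FILE was already correct, 10 if it was rewritten (the web
# server must then be restarted by the caller), 1 on a bad address or a
# failed write. Unsubstituted placeholders such as "vlan_ip" are rejected.
ensure_listen() {
    conf=$1
    ip=$2
    valid_ipv4 "$ip" || { echo "refusing invalid address: $ip" >&2; return 1; }
    want="Listen $ip:444"
    # Whole-file comparison: a port-only "Listen 444" line binds every
    # interface, so any content other than the single wanted line is drift.
    if [ -f "$conf" ] && [ "$(cat "$conf")" = "$want" ]; then
        return 0
    fi
    # Write a temp file and rename it so the server never reads a half file.
    tmp="$conf.tmp.$$"
    printf '%s\n' "$want" > "$tmp" || return 1
    chmod 644 "$tmp" && mv -f "$tmp" "$conf" || { rm -f "$tmp"; return 1; }
    return 10
}

# Example call from a boot script (192.0.2.10 is a constructed address):
#   ensure_listen /etc/httpd/conf/listen.conf 192.0.2.10
```

A return code of 10 after an upgrade shows that the file had been changed back and was corrected on this boot.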