Chris Tankersley

Howto: Install IPCop 1.4.15 Firewall (Part 3 - Securing Your Network)

Posted on 2007-08-08

Now that IPCop is installed and you can reach it from anywhere in the world via OpenVPN, the next step is securing your network: keeping the bad guys out while making sure that what goes on in your network is logged.

Read on for more.

In case you missed it:

Packet Sniffing with snort

snort is a program that watches the packets coming in and out of an interface and looks for Evil Things (R). It will log all the odd traffic that it either knows is evil or just doesn't look right.

IPCop comes with snort already installed and just waiting to do something. To use snort, you need to head over to http://www.snort.org/ and either register (the cheap option) or purchase (the expensive option) snort.

Since the registered version will probably work for most home users, just register for a snort account and request an Oink code. This code will allow IPCop to download and install snort updates via the IPCop interface.

Armed with your Oink code, go into your IPCop firewall and go under 'Services'->'Intrusion Detection'. Select 'Sourcefire VRT rules for registered users' and paste your Oink code into the Oink Code box. Then, under 'Interfaces', select which interfaces you want snort to run on. I recommend everything but Blue. Click 'Save', and IPCop can now download updates for you.

Once the page has refreshed, click on 'Download New Ruleset' to grab the latest rules.

Automatically Block Evil Things (R) with Guardian

Guardian takes all the information that snort collects and will automatically block people doing evil things. For example, if someone is trying to port scan you, snort will notice this and log the attempt. Guardian will then turn around and set up a firewall rule to just drop all traffic from that IP for a short time period. Guardian also allows you to permanently block IPs by entering them manually or from automatic blocks, or to permanently allow all traffic from an IP.

Download Guardian from mhaddons, which has all the useful security software for IPCop. Installation for Guardian is the same as OpenVPN - download the package, scp it to your firewall, unzip it into /tmp, and run the installer (see Part 2 above) or follow the instructions on the download page.

Once installed, head back to 'Services'->'Intrusion Detection' and select Guardian under the Interfaces list. Click 'Save' and Guardian will now watch snort and automatically block IPs for you.
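The snort-to-firewall reaction loop described above, as an added example that is neither Guardian's nor IPCop's code: alert lines are parsed, the source IP of each alert gets a short temporary block that a repeat alert extends, allow-listed networks are never blocked, and an IP can be promoted to a permanent block. The alert lines are constructed sample data in snort's "fast" alert layout, the 900-second default and the address ranges are assumptions, and the iptables commands are produced as strings rather than executed.

```python
"""
Miniature Guardian-style blocker (added example, not the real addon).
Snort alerts in -> timed DROP rules out, with an allow list and a
permanent block list.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample alerts in snort "fast" layout (documentation IP ranges).
SAMPLE_ALERTS = [
    "08/08-14:02:11.123456  [**] [1:1000001:1] Constructed portscan alert [**] "
    "[Priority: 2] {TCP} 203.0.113.9:44321 -> 192.0.2.10:22",
    "08/08-14:02:12.000001  [**] [1:1000002:1] Constructed alert from LAN host [**] "
    "[Priority: 3] {UDP} 192.168.1.20:5353 -> 192.0.2.10:53",
    "not an alert line at all",
    "08/08-14:02:13.000001  [**] [1:1000001:1] Constructed portscan alert [**] "
    "[Priority: 2] {TCP} 203.0.113.9:44322 -> 192.0.2.10:23",
]

# gid:sid:rev, message, protocol, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


@dataclass
class Guardian:
    block_seconds: int = 900                        # assumed default; the addon's real value is not on the page
    allow_nets: list = field(default_factory=list)  # CIDR strings that are never blocked (e.g. your GREEN network)
    permanent: set = field(default_factory=set)     # IPs blocked until an admin removes them
    temporary: dict = field(default_factory=dict)   # IP -> epoch time at which the block expires

    def is_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.allow_nets)

    def handle_alert(self, line: str, now: float) -> str:
        """Process one snort alert line and report what was done, for logging."""
        m = ALERT_RE.search(line)
        if not m:
            return "ignored"
        src = m.group("src")
        if self.is_allowed(src):
            return f"allowed {src}"
        if src in self.permanent:
            return f"permanent {src}"
        self.temporary[src] = now + self.block_seconds  # a repeat alert restarts the timer
        return f"blocked {src} ({m.group('msg')})"

    def expire(self, now: float) -> list:
        """Lift temporary blocks whose timer has run out; return the IPs released."""
        released = sorted(ip for ip, until in self.temporary.items() if until <= now)
        for ip in released:
            del self.temporary[ip]
        return released

    def make_permanent(self, ip: str) -> None:
        """Mirror the 'permanently block this IP' action in the Guardian UI."""
        self.temporary.pop(ip, None)
        self.permanent.add(ip)

    def firewall_rules(self) -> list:
        """iptables commands that would realise the current block list (strings only)."""
        blocked = sorted(self.permanent) + sorted(self.temporary)
        return ([f"iptables -I INPUT -s {ip} -j DROP" for ip in blocked]
                + [f"iptables -I FORWARD -s {ip} -j DROP" for ip in blocked])


if __name__ == "__main__":
    g = Guardian(allow_nets=["192.168.1.0/24"])
    for line in SAMPLE_ALERTS:
        print(g.handle_alert(line, now=1000.0))
    print("\n".join(g.firewall_rules()))
    print("released at t+900:", g.expire(now=1900.0))
```

The allow list is the part worth getting right first: without it, a noisy rule firing on your own LAN traffic would lock your own machines out of the firewall, which is also why snort should not normally watch the interface your trusted clients sit on.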

Instantly Disconnect and Block Strange Connections with Cutblock

So, now a lot of stuff should be getting blocked just out of the box without you needing to do anything. What happens when you see something that isn't getting flagged but you want to stop? Cutblock is the answer! Cutblock allows you to look at the 'Status'->'Connections' screen and cut a connection, and block that IP from reconnecting.

More than likely a user won't have to do anything with Cutblock, but if there are a large number of lingering connections (such as from running BitTorrent), you can cut them to tidy things up.

Allow Only What Should Go Out To Get Out with BlockOutTraffic

BlockOutTraffic (BOT) allows you to set up egress filtering, that is, filtering of outbound connections. BOT helps stop unwanted programs or services from accessing the internet. For example, BOT can lock down a single computer to only HTTP(S), POP, and SMTP traffic while allowing other PCs full access to the internet.

BOT is an incredibly detailed and complex addon for IPCop, but with all the complexity comes a ton of power. Look for a BOT-centric tutorial coming in the future.
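The per-host egress policy from the example above, as an added example that is neither BOT's nor IPCop's code: a policy is turned into an ordered rule list in the style of an iptables FORWARD chain, and a small first-match evaluator walks it the way the kernel would, so you can check what a given host is actually allowed to do before the rules go anywhere near a firewall. The host address, the service table and the chain layout are assumptions.

```python
"""
Egress-filtering sketch (added example, not BlockOutTraffic's code):
one host locked to HTTP(S), POP3 and SMTP; every other host keeps full
access; rules are emitted as iptables command strings only.
"""
from dataclasses import dataclass
from typing import Optional

# Service table used by the policy (assumed; extend as needed).
SERVICES = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "pop3": ("tcp", 110),
    "smtp": ("tcp", 25),
}


@dataclass(frozen=True)
class Rule:
    src: Optional[str]    # None means any source
    proto: Optional[str]  # None means any protocol
    dport: Optional[int]  # None means any destination port
    target: str           # ACCEPT or DROP

    def matches(self, src: str, proto: str, dport: int) -> bool:
        return ((self.src is None or self.src == src)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))

    def iptables(self, chain: str = "FORWARD") -> str:
        """Render as the iptables command that would append this rule."""
        parts = [f"iptables -A {chain}"]
        if self.src is not None:
            parts.append(f"-s {self.src}")
        if self.proto is not None:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        parts.append(f"-m state --state NEW -j {self.target}")
        return " ".join(parts)


def build_egress_chain(policies: dict) -> list:
    """
    policies: {host_ip: [service names allowed out]}.
    For each restricted host: one ACCEPT per allowed service, then a DROP
    for anything else from that host. Hosts without a policy fall through
    to the final ACCEPT, so order matters: the catch-all must come last.
    """
    chain = []
    for host, services in policies.items():
        for name in services:
            proto, port = SERVICES[name]
            chain.append(Rule(host, proto, port, "ACCEPT"))
        chain.append(Rule(host, None, None, "DROP"))
    chain.append(Rule(None, None, None, "ACCEPT"))
    return chain


def decide(chain: list, src: str, proto: str, dport: int) -> str:
    """First matching rule wins, as in a netfilter chain; no match means DROP."""
    for rule in chain:
        if rule.matches(src, proto, dport):
            return rule.target
    return "DROP"


if __name__ == "__main__":
    # Constructed policy: 192.168.1.50 is the locked-down PC.
    chain = build_egress_chain({"192.168.1.50": ["http", "https", "pop3", "smtp"]})
    print("\n".join(r.iptables() for r in chain))
    print(decide(chain, "192.168.1.50", "tcp", 443))   # ACCEPT
    print(decide(chain, "192.168.1.50", "tcp", 6881))  # DROP: BitTorrent port not in policy
    print(decide(chain, "192.168.1.50", "udp", 53))    # DROP: outside DNS not in policy either
    print(decide(chain, "192.168.1.60", "tcp", 6881))  # ACCEPT: host has no policy
```

The `udp/53` case is the one that bites in practice: a host locked to web and mail ports can still resolve names only if it uses the firewall's own DNS proxy, because traffic addressed to the firewall itself passes through INPUT rather than FORWARD, and is not touched by these rules. Point the locked-down host at an outside resolver and its browsing silently breaks.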

What Do We Have?

At this stage in the game, your IPCop firewall should be leaps and bounds ahead of any $100 router that you can purchase. What else can you do with IPCop? Check out the other addons that further extend your logging and network watching capabilities.
