For those of you running a firewall called IPfire and Home Assistant I have an integration that might be of interest.
I thought it might be cool to view IPfire’s firewall logs and Suricata intrusion prevention events( with added data ) in real time within HA (that then could be meaningfully used within HA)…
I setup sensors that automatically capture and present these events as follows: For example:
These are real examples coming from IPfire and constitute approx. 1500-1600 sensor activations that occur daily (on my network YMMV).
It is up to you to determine your risk level and whether you wish to automate a response to an event.
For example you can just send yourself a notification or shutdown HA temporarily… while you investigate the threat. Your call.
It is easy to create an automation for example here is a mobile device notification that might be of interest.
The setup of this overall integration process is somewhat difficult at certain steps. But if you already run IPfire should not be that hard.
Respond here if you want me to provide the how-to for this integration. I can’t gauge the interest in this, so if enough people request I will document and provide a step by step.
Hello, yes, please, it would be interesting to be able to carry out actions with IPFIRE events, which is a very good complement to control devices, I currently use it to define static IPs on my devices.
This implementation requires you to install Graylog, a log management software package. Graylog is open source and can be installed easily on many different platforms. I’m going to install Graylog using Docker Compose on a Windows 10 PC. Here is a high-level picture of the architecture.
Edit the yaml file docker-compose.yml and make two changes.
4.1 GRAYLOG_ROOT_PASSWORD_SHA2. Replace the string with your generated SHA256 hash string based on your chosen password. Use this link to do this. https://emn178.github.io/online-tools/sha256.html (Enter your password in the Input box and the generated text becomes your SHA2 field, no curly braces).
4.2 GRAYLOG_ROOT_TIMEZONE. Put your time zone here.
4.3 Save file.
Start docker desktop on your PC.
Open a windows CMD session on your PC.
6.1 cd into your Graylog folder
6.2 run cmd: docker-compose up
6.3 This will take awhile, be patient.
6.4 Ctl C and close the CMD session.
Go back to the docker desktop app and click on the “Containers/Apps” sidebar. You should see “graylog exited(undefined”) . Hover over graylog and click on the Start circle at the right.
Graylog is now installed and running.
Now to configure Graylog to accept IPfire logs, process them, and pass them to HA with webhooks.
9.1 Start up the Graylog interface on your PC with a browser. http://127.0.0.1:9000/. Use admin as username and the password you used to create the SHA2.
9.2 Under Systems/Users and Teams menu create a user for yourself with the “admin role”. Log out and log back in with your new user that has admin role.
9.3 Back on your PC download file content-pack-92aec92d-6c2c-4aff-be84-a7bce962e5c6-1.json from https://github.com/ijustlikeit/ipfire-graylog into a folder.
9.4 Back to Graylog under Systems/Content Packs menu click the “upload” button top right. Upload the file from step 9.3.
9.5 Click the blue “install” button on each of the available content packs. From “Open Threat Exchange - Threat Intel Plugin” thru "IPfire setup ". They should all read “installed” if successful.
9.6 Under Systems/Configuration find " Message Processors Configuration". Update so that last two entries are swapped. So 3 Message Filter Chain and 4 Pipeline Processor.
9.7 Under Alerts menu click the “notifications” button top right. Edit ALL three of the notifications ( “Excessive port scanning”, “Suricata Event”, “Threat detected”) and change the IP address in the URL to your Home assistant IP address and port. Also click “Add to URL whitelist” for each one.
9.8 Graylog is now configured to receive messages, process them and fire webhooks.
Configure IPfire to send the logs.
10.1 Go into your IPfire gui, navigate to the log settings. Enable the remote syslog server. Enter the IP of your Windows PC running docker Graylog. Protocol must be set UDP. Note that your Windows PC must be in the green zone. I could not get the logs to go otherwise, not sure if this is a syslog limitation or ??.
10.2 IPfire, by default, is not set up to send the suricata logs. We need to edit the suricata.yaml file manually to change this. Using ssh or the console, log into your IPfire device. With the command line
cd /etc/suricata
cp suricata.yaml suricata.bkup
nano suricata.yaml ( you might need to install nano addon)
add the following lines right before the line “# Extensible Event Format (…).”
- syslog:
enabled: yes
identity: "suricata"
facility: local5
level: Info
Use CTL O to write and save. CTL X to exit.
then
/etc/rc.d/init.d/suricata restart
exit
Logs should start flowing into Graylog at this point. To verify this log back into Graylog, and go Search.
In a box where it shows “Select streams the search should include…” select “Ipfire firewall logs” from the drop down. Click by the green box should be log messages appearing. (you might have to change time to something greater than 5 minutes).
Finally set up Home assistant to accept the webhooks. Download template.yaml file from https://github.com/ijustlikeit/ipfire-graylog .
Copy and paste the sensors from this file into your configuration.yaml file under:
Very interesting!!! Just a question.
Grafana dashboard takes data directly from graylog or you have stored data into such a db? (mysql, mariadb, ecc).
Can you share also this informations?
Regards
You need to install the two addon HA packages called InfluxDB and Grafana. (Note that your default HA SQL data base MariaDB or whatever you use is still installed and used by HA as normal but not in play with my implementation.)
The data comes into Home Assistant via Webhook from Graylog. I place the data into two HA sensors…called sensor.threat_detected and sensor.ips_event. And then HA ultimately automatically stores this in InfluxDB . Then Grafana is used against the InfluxDB datastore to create graphs. So all done within Home assistant.
Here are the definitions for the two sensors that are template: yaml.
# Suricata IPS sensor
- trigger:
- platform: webhook
webhook_id: YOUR ID WEBHOOK FOR THIS TRIGGER(defined in Graylog)
sensor:
- name: ips_event
state: "{{ trigger.json.event.alert }}"
attributes:
ips_event_name: >-
{{trigger.json.backlog[0].fields.suricata_event}}
ips_event_type: >-
{{trigger.json.backlog[0].fields.Class}}
ips_protocol: >-
{{trigger.json.backlog[0].fields.Protocol}}
ips_ip_info: >-
{{trigger.json.backlog[0].fields.IP_info}}
ips_offending_ip: >-
{{trigger.json.backlog[0].fields.IPV4}}
ips_timestamp: >-
{{trigger.json.event.timestamp}}
# Threat found sensor
- trigger:
- platform: webhook
webhook_id: YOUR ID WEBHOOK FOR THIS TRIGGER(defined in Graylog)
sensor:
- name: threat_detected
state: "{{trigger.json.backlog[0].fields.src_addr_whois_country_code}}"
attributes:
threat_ip_address: >-
{{trigger.json.backlog[0].fields.SRC_IP}}
threat_dst_port: >-
{{trigger.json.backlog[0].fields.dst_port}}
threat_organization: >-
{{trigger.json.backlog[0].fields.src_addr_whois_organization}}
threat_country: >-
{{trigger.json.backlog[0].fields.src_addr_whois_country_code}}
threat_spam: >-
{{trigger.json.backlog[0].fields.spam_threat_indicated}}
threat_ransomware: >-
{{trigger.json.backlog[0].fields.request_ip_is_ransomware}}
threat_names: >-
{{trigger.json.backlog[0].fields.threat_names}}
threat_timestamp: >-
{{trigger.json.event.timestamp}}
# Port scanning
- trigger:
- platform: webhook
webhook_id: YOUR ID WEBHOOK FOR THIS TRIGGER(defined in Graylog)
sensor:
- name: port_scanner_detected
state: "{{ trigger.json.event.alert }}"
attributes:
scanner_ip_address: >-
{{trigger.json.backlog[0].fields.SRC_IP}}
scanner_extent_desc: >-
{{trigger.json.event.message}}
scanner_organization: >-
{{trigger.json.backlog[0].fields.src_addr_whois_organization}}
scanner_country: >-
{{trigger.json.backlog[0].fields.src_addr_whois_country_code}}
scanner_threats: >-
{{trigger.json.backlog[0].fields.threat_names}}
scanner_start_timestamp: >-
{{trigger.json.event.timerange_start}}
scanner_end_timestamp: >-
{{trigger.json.event.timerange_end}}
You can of course use these sensors for anything else you want besides the graphing component.
hi, i have a question about routing home assistant to access only flow or trusted user on ipfire, but my issues is that i use home assistant by import file vmdk to vm workstation and i dont know how to accept any user or device log in to home assistant must trusted by ipfire. Can you share or support me with this issues, thank you for interest integration.
Best regards.
I’m researching on the topic to be more secure on iot, I’m very interested in your project, but I’m new to HA, so I have a couple of questions that I need help with:
Can you give me more specific network architecture about Ipfire, iot devices, HA, how to communicate in the network?
What type of HA are you using to configure with the firewall: HA OS or HA Supervisor.
Can you summarize all the steps I need to take from a brand new system? I can’t find instructions to install Ipfire with HA, configure suricata, if possible can you help me.
If I understand you correctly, your HA instance is installed as a virtual client. This should be no problem as long as you install the Graylog docker instance( or however you choose to install Graylog) in the green zone. This is because IPFire can be configured to send it’s logs to the Graylog instance and then in turn Graylog will (using webhook) send the results to your virtual HA instance.
Firstly, welcome to the HA community. IMO it is a wise choice to run a firewall if you are going to install HA and thus provide protection for your iot devices. This will add considerable complexity to your setup though. And there isn’t one correct way of installing HA behind the IPFire firewall either.
IPFire is comprised of zones. The RED zone is the outside or internet (WAN). The Green zone is your LAN, perhaps your PC’s, mainly hard-wired ethernet devices. The Blue zone is your internal wifi network devices (WLAN). The Orange zone is your demilitarized server device zone. Each of these zones are protected from each other(by firewall rules). So a green zone device, a PC for eg, cannot “see” a blue zone device. Also most importantly anyone (from the Internet) in the RED zone cannot “see” anyone in the BLUE, GREEN zones. This is all setup by default and can be customized by using firewall rules.
Each zone is usually one subnet (so green might be 192.168.1.xx, blue 192.168.2.xx etc). Look at the IPFire wiki for a better explanation of this. https://wiki.ipfire.org/installation
The type of HA you select (OS or Supervisor) doesn’t matter as far as IPFire is concerned. What matters most is the zone you choose to put you HA instance into. So yours choices are BLUE or GREEN, which one is hard to say, depends. BLUE seems to make sense since it is the wifi zone and perhaps many of your IOT devices “live” there anyway. So for purposes of this discussion, lets say you select the BLUE zone.
So your HA instance and all your IOT devices are now on the same subnet, say 192.168.2.x., within the Blue zone. This makes it easy, since HA can directly find and configure all your iot devices almost automatically. If the external internet goes down HA is till up and running if you aren’t dependent on the cloud for anything. Where this may be difficult is if several of your iot devices, for some reason, are in the green zone. Opening up your firewall with pinholes to accomodate this can get complicated. Accessing your HA instance from the outside (red zone) is also complicated.
I guess what I am trying to say is that you will have to explore IPFire a bit before you can make your choice about your placement in zones.
Let me think about a guide that describes “How to” install IPFire with HA from scratch. This is a separate and LARGE undertaking that would take me some time to compose and document. I also think it would be best done as a separate topic, from this integration topic, because this one has a prerequisite working knowledge of both IPFire and HA.
Thanks for your questions, I think this opens up some interesting further work on using HA in a firewall environment such as IPFire.