IPFire is a Linux distribution, which focuses on ease of equipment, easy operation and high level of security. It is an intuitive web-based interface for operational management, the interface for the novice and experienced system administrator to provide a lot of intuitive configuration options. IPFire is maintained by a group of developers who are concerned about security and frequently update the product to keep it safe. IPFire comes with a custom package manager called Pakfire, which can also be extended with a variety of attachments.
IPFire 2.25 – Core Update 142 releases.
This update comes with many features that massively improve the security and hardening of the IPFire operating system. We have also removed some more components of the systems that are no longer needed to shrink the size of the operating system on disk.
This update brings a new kernel which is based on Linux 4.14.171.
For the first time, we have enabled kernel module signing which cryptographically prevents foreign modules from being loaded into the IPFire kernel. An attacker who is trying to load and install a rootkit will have no chance to activate it on the system any more.
This is a huge improvement to the system when attackers have gained control of it through any other security vulnerabilities. More on this in a later blog post.
Support for Marvel’s Kirkwood ARM architecture has been removed in this release, since it is unmaintained upstream and there are no users in fireinfo using this any more.
Suricata 5 – Our Intrusion Prevention System
suricata, the Intrusion Prevention System working inside of IPFire has been updated to version 5.0.2.
This release fixes a number of bugs in our IPS, increases performance and brings three new protocol parsers for RDP, SNMP and SIP. The protocol detection engine has been extended to provide better accuracy.
This release also introduces using Rust, which has recently been added to IPFire. Protocol parsers written in Rust can – by design of the language – not have any stack buffer overflows or other memory corruption problems like some C programs do. Therefore, this release makes it easier for the maintainers to extend the IPS at the same time as making it more robust and secure.