Maritime_pi
Posts: 8
Joined: Fri Jan 24, 2014 2:42 am

Is my pi secure?

Sun Mar 16, 2014 4:20 am

I have a pi web server. I use port forwarding for 80 and 443 and I have fail2ban running. I have changed the user name and password on my pi and removed the test database from MYSQL. I have a domain name that points to my IP address given to me by my ISP. My iptables file has a default of INPUT DROP and only 80 and 443 are accepted. I thought that I had to expose my server in the DMZ, but I found that with port forwarding I do not have to do that. Is there anything more that I should do?

User avatar
DeeJay
Posts: 2027
Joined: Tue Jan 01, 2013 9:33 pm
Location: East Midlands, UK

Re: Is my pi secure?

Sun Mar 16, 2014 9:57 am

You have said nothing about your webserver itself. The security of your system depends absolutely on how well it was written and how carefully it has been configured.
How To Ask Questions The Smart Way: http://www.catb.org/~esr/faqs/smart-questions.html
How to Report Bugs Effectively: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

User avatar
DougieLawson
Posts: 37648
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Is my pi secure?

Sun Mar 16, 2014 10:05 am

The other thing you MUST do is
sudo apt-get update && sudo apt-get upgrade
EVERY WEEK to stay current with security fixes.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

Maritime_pi
Posts: 8
Joined: Fri Jan 24, 2014 2:42 am

Re: Is my pi secure?

Mon Mar 17, 2014 12:55 am

Thank you for the replies and constructive criticisms. I am weak on all of these technical subjects, but weakest on the subject of web servers. I will be doing more research and work on the LAMP stack as time goes by.

Regards

User avatar
iinnovations
Posts: 621
Joined: Thu Jun 06, 2013 5:17 pm

Re: Is my pi secure?

Mon Mar 17, 2014 1:51 am

One important thing is controlling who can log in remotely.

Add to /etc/ssh/sshd_config

Code: Select all

AllowGroups sshers
This restricts ssh access to members of the sshers group.

Add pi (or your preferred username), and whatever user you might use to upload web content, whatever, to the sshers group:

Code: Select all

sudo addgroup sshers

Code: Select all

sudo usermod -aG sshers pi
MAKE SURE to use the -a option and capitalize the G. Forgetting the -a will make sshers your only group. This includes sudoers. If you have a root password, this is easily undone. If not, it's not.

Restart sshd and you've disabled root ssh access.
CuPID Controls :: Open Source browser-based sensor and device control
interfaceinnovations.org/cupidcontrols.html
cupidcontrols.com

gkreidl
Posts: 6222
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Is my pi secure?

Mon Mar 17, 2014 6:42 am

Did you set a password for root? Otherwise any intruder can use sudo and has access to the complete system.
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

rgrbic
Posts: 128
Joined: Thu Jun 12, 2014 1:07 pm
Contact: Website

Re: Is my pi secure?

Fri Jun 13, 2014 11:28 am

Here you can find small article with tips how to improve security of your Raspberry Pi. In essence, keep your system up to date, use key authentication and install some kind of software which parse your log files and automatically bans suspicious IP adresses (like fail2ban). However, services that are running on your Pi usually need some kind of tweaking. For example, ask yourself do you really need remote connection to mysql database or you need connection only from localhost? Make users with minimal required privileges, do you really need phpmyadmin and so on...
At 127.0.0.1
Twitter: @rgrbic
IoT-projects.com

LinuxUser42
Posts: 22
Joined: Sat Mar 16, 2013 5:28 pm

Re: Is my pi secure?

Fri Jun 13, 2014 4:21 pm

DougieLawson wrote:The other thing you MUST do is
sudo apt-get update && sudo apt-get upgrade
EVERY WEEK to stay current with security fixes.
Even then, that only helps with ones that are patched. Just pointing out some security fixes take longer then others, and bugs (like Heartbleed) may be out in the wild, just not openly published.
Security is unfortunately, never 100% and I hate it when people get that impression.

User avatar
cyrano
Posts: 714
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: Is my pi secure?

Fri Jun 13, 2014 10:47 pm

Security is a state of mind.

Even good software isn't secure without good practices. Use a really long passphrase and only for one service. Change the passphrase every now and then.

Make sure to have an offline backup. If you suspect there's been a breach but can't prove it, taking the system offline and replacing with a backup gets you running again fast. And you can study the offline system at your ease, if you need to.

Keep every step documented. I got severely bitten last week because I added dotdeb to the repository list a year ago and forgot about it. I only needed one lib from dotdeb, but forgot to document it. A year later, I managed to eradicate php by patching/updating other stuff and landing in dependency hell...

Security may also mean protection from one's own idiocy.

Return to “Troubleshooting”