pipuppy
Posts: 70
Joined: Fri Aug 24, 2012 12:51 pm

General server security question.

Sun Oct 01, 2017 11:47 am

Hi folks,

I have a small web-server project I have been working on for a few weeks and it's just about ready to go "live" to the WWW via a forwarded port on my firewalled home router and (for the most part) I am as confident as I can be that it will be secure from all but a professional hacker.

I am using Hiawatha which has an excellent reputation for security among professional IT people and have added a few basic security precautions including password protection and a few I.P. tables rules implemented via UFW to restrict access to anything other than the raspi webserver on port 80. So far so good.

Being paranoid I would like to add an additional firewall rule(s) such that it makes it impossible for anyone to somehow gain access to the WWW or my home network via my raspi server web-pages. For example, someone connected to port 80 should not be able to somehow use my raspi as a bridge to the WWW or my home network.

The problem is that I need the raspi server itself to retain access to the WWW for things like time-checking or updating software, so my question is: can I block any kind of unwanted bridge between my port 80 webserver and the wider Internet using ip-tables rules without breaking my existing set-up, so my raspi can still check the time from the WWW and perform sudo apt-get update etc.?

Regards,

pipuppy

SurferTim
Posts: 814
Joined: Sat Sep 14, 2013 9:27 am
Location: Miramar Beach, Florida

Re: General server security question.

Sun Oct 01, 2017 11:50 am

Besides a good firewall setting, you should be careful about SQL. Do you plan on using a SQL database? SQL injection attacks are a popular way of gaining control of a server.

pipuppy
Posts: 70
Joined: Fri Aug 24, 2012 12:51 pm

Re: General server security question.

Wed Oct 04, 2017 12:46 pm

Hi SurferTim,

Thanks for the tip regarding SQL injection attacks. I am not currently using SQL and following your post I will probably avoid it in the future ;-)

Regards,

pipuppy

SurferTim
Posts: 814
Joined: Sat Sep 14, 2013 9:27 am
Location: Miramar Beach, Florida

Re: General server security question.

Wed Oct 04, 2017 12:52 pm

The last time I used MySQL, there were PHP functions that prevented hackers from inserting SQL code into the input string. Just be careful if you do use SQL.

epoch1970
Posts: 1058
Joined: Thu May 05, 2016 9:33 am

Re: General server security question.

Wed Oct 04, 2017 1:06 pm

With a sufficiently capable router, you would put the web server in some network zone separate from your LAN.
Then the attacker has to circumvent both the server and the router to get access to the LAN.

If you can't, adding rules directly in the server won't protect against anything if the attacker has gained control of the machine.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

IanS
Posts: 150
Joined: Wed Jun 20, 2012 2:51 pm
Location: Southampton, England

Re: General server security question.

Thu Oct 05, 2017 10:18 am

You can put iptables rules in that 1) allow the local network to connect to the Pi, either using any protocol or locking it down further to specific protocols, 2) allow the Pi to talk to anywhere, local or internet, 3) allow the outside world to talk to the Pi only on the required protocol(s), 4) block everything else.
You also should check that routing functions such as ip forwarding are turned off. The user being used for externally visible applications (e.g. www-data) should not have sudo privileges.

However, if somebody can hack the Pi itself and get as far as gaining root access, they can of course turn all the protections off so that they can get further. At this point you need to have protection on everything else on your network which blocks traffic from the Pi.

Check if your ISP router supports a DMZ. If it does, put the application on a 2nd Pi in the DMZ for additional protection. In fact, putting it on a dedicated Pi which can then be blocked by everything else on the network that supports a firewall is a good idea whether it is in a separate network segment or not.

Also look at various free scanning services such as mentioned by https://geekflare.com/online-scan-websi ... abilities/ or https://www.qualys.com/forms/freescan/.
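
The four rule groups and the forwarding check from the post above, written out as an iptables-restore ruleset (an added example, not part of the original post; the function names and the LAN range 192.168.1.0/24 are assumptions):

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# IPv4 only; ip6tables needs its own ruleset.

# emit_ruleset LAN_CIDR PORT [PORT...]
# Prints a filter-table ruleset in iptables-restore format, e.g.
#   emit_ruleset 192.168.1.0/24 80 | sudo iptables-restore
emit_ruleset() {
    [ "$#" -ge 2 ] || { echo "usage: emit_ruleset LAN_CIDR PORT..." >&2; return 1; }
    lan=$1; shift
    # Validate every port before printing anything, so a typo can never
    # leave a half-written ruleset piped into iptables-restore.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done
    echo "*filter"
    # 4) block everything else: default-deny inbound, never forward
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    # 2) the Pi itself may talk to anywhere (time sync, apt-get update)
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # replies to connections the Pi itself opened
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 1) the local network may connect to the Pi
    echo "-A INPUT -s $lan -j ACCEPT"
    # 3) the outside world only on the required port(s)
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# forwarding_enabled [FILE]
# Succeeds if the kernel is routing IPv4 packets between interfaces.
# FILE defaults to the live sysctl; pass another path to check a saved copy.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}
```

Loading this with iptables-restore replaces the whole filter table, including any rules UFW has installed, so manage the firewall with one tool or the other.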

Heater
Posts: 7737
Joined: Tue Jul 17, 2012 3:02 pm

Re: General server security question.

Thu Oct 05, 2017 11:58 am

pipuppy,

I can tell already that you have not even started to scratch the surface of setting up a secure web server.

"...(for the most part) I am as confident as I can be that it will be secure ..."

I think the first rule of security is not to be confident. Quite the contrary you should be paranoid, nervous and doubtful. Continually on the alert.

"...from all but a professional hacker."

I see no reason to believe that amateur hackers have any less skill breaking in than professional hackers. You are basically saying that you suspect you have no security.

"...password protection...raspi webserver on port 80 So far so good..."

That implies to me that you are not using HTTPS which would normally be listening on port 443. That means that user names and passwords can be sniffed from the net by attackers. So far this is not so good, essentially you have no security at all.

Do set up Hiawatha to use HTTPS. Get yourself the required certificates and keys from letsencrypt: https://letsencrypt.org/ It's free and easy.

"Being paranoid I would like to add an additional firewall rule(s)"

Ah, good, paranoia. But as others have noted above firewall rules on the Pi will not help you. If an attacker gets in he can always change those.

Now, that is a little scratch at the surface of web security, well, more like a gentle rub. Web security, or security in general, is a huge topic. What you need to do next depends on what you will be doing with your webserver. It's probably a good idea to start with a look at a web application security checklist. Like:

https://simplesecurity.sensedeep.com/we ... e4f43c9c56
https://www.owasp.org/index.php/Web_App ... heat_Sheet
https://www.upguard.com/blog/the-websit ... -checklist

There are many more.

pipuppy
Posts: 70
Joined: Fri Aug 24, 2012 12:51 pm

Re: General server security question.

Fri Oct 06, 2017 12:35 pm

Gentlemen, thank you.

Your replies have been very helpful and I now know my server is not really secure at all :-( I have been reading the links provided by Heater and see I have some work to do before I expose the server to the WWW though I will probably have to compromise at some point in order to move onto the main focus of the project and deploy the server warts and all.

One comment I regret in my original posting was ...

"I am as confident as I can be that it will be secure from all but a professional hacker."

I regret the use of the word "professional" and as Heater pointed out many amateurs are quite capable hackers. My choice of words was poor and I perhaps should have said "expert" or "experienced" as opposed to "professional" :-)

While some security holes will almost certainly be present I feel that the risks will be minimal given that the server will be on-line (at most) perhaps 1 hour in every 72 and with little chance of anything else being on the home network at the same time. The rest of the time the port will be locked-off and the server off-line. Indeed, chances of the same raspi image being used more than a couple of times is unlikely. One of the links posted by Heater contained a good bit of advice pointing out that the only secure server is one that is switched off so that's pretty much the main security feature my server will adopt :-)

Thanks again for pointing out some of the risks though happily no important data will be stored on the system and for the most part if anyone was really that interested to see what I was up to then I would just give them a URL and password, they would soon get pretty bored :-)

pipuppy

IanS
Posts: 150
Joined: Wed Jun 20, 2012 2:51 pm
Location: Southampton, England

Re: General server security question.

Tue Oct 10, 2017 2:25 pm

You may have nothing of value or interest on the exposed Pi, but that should not be your main concern. Consider what else a hacker can reach on your network once they have a foothold via the Pi.
Having the Pi linked to the internet for only an hour every few days is no defence either. Some years ago, I set up an experiment where a virtualised Windows XP box was fully exposed to the internet with very careful defences around it. Anything could send any traffic to it, but it could not send anything to the rest of the internal network, and it was automatically cut off from everything after it had sent out 20 network packets so that it did not go on to infect (many) other systems. Once I had seen the defences clamp down, I analysed the system, took a copy of whatever nasty had arrived, rebuilt the system and started again. The average time the machine survived was under 30 seconds from finishing booting.
I have 15 years' experience working in IT security, although my role is normally at the architectural rather than technical level these days, and I would be wary about exposing a web server to the internet from my home network. I do have exposed systems, but only once through a certificate based OpenVPN tunnel. I would not even expose an SSH server directly. The logs show I get VPN connection attempts (other than my own) only once every day or two, compared with the dozens or hundreds per day that an exposed SSH server gets, and most of the logged IP addresses can be traced back to security organisations running automated scanners.

Heater
Posts: 7737
Joined: Tue Jul 17, 2012 3:02 pm

Re: General server security question.

Wed Oct 11, 2017 9:34 am

I was going to comment on that as well. Having the thing exposed to the net for only a short time each day is no security.

I'm curious, is there any reason an SSH server is any less secure than a VPN? Especially when using ssh keys. Apart from the fact there will be more attempts to connect to ssh?

Anyway, I consider it a challenge. I put public facing web servers up at home. I try to cover as many of the items we find on security check lists as I can, starting from using HTTPS. I try to put some monitoring in place. Then sit back and wait for something interesting to happen!

Of course, these experiments sit on a network behind their own router.

Tonny B
Posts: 1
Joined: Wed Oct 11, 2017 6:51 am

Re: General server security question.

Wed Oct 11, 2017 10:43 am

Heater wrote:
Thu Oct 05, 2017 11:58 am

That implies to me that you are not using HTTPS which would normally be listening on port 443. That means that user names and passwords can be sniffed from the net by attackers. So far this is not so good, essentially you have no security at all.

Do set up Hiawatha to use HTTPS. Get yourself the required certificates and keys from letsencrypt: https://letsencrypt.org/ It's free and easy.

I think this would help a lot of website owners who are looking for an SSL certificate, but I found another SSL certificate provider (https://www.https.in). They are not providing free SSL certificates like LetsEncrypt, but what they said to me is they will help me install the SSL certificate, and they also have an insurance policy of around $10,000 in case of any data breach.
Can you confirm whether LetsEncrypt can give me protection from such breaches? I think your inputs will help me in buying the right SSL certificate.

Thanks.

Heater
Posts: 7737
Joined: Tue Jul 17, 2012 3:02 pm

Re: General server security question.

Fri Oct 13, 2017 2:44 am

Tonny B,

I'm no expert on SSL certificates or certificate authorities so I cannot really advise.

But that won't stop me...

I found installing certificates from letsencrypt.org to be very easy. They have excellent documentation and clear instructions. They provide easy to use tools to obtain and renew certs. So I see no reason why you would need to be paying for help with cert installation.

letsencrypt certs are only valid for 90 days. Then you need to renew them. Sounds like a pain but I found it easy to automate that.

Almost certainly letsencrypt is not offering any insurance.

I don't know what such an insurance policy might cover. My gut tells me it's not worth the paper it's written on.

It may cover some failure of their certificate system somehow. This should be very unlikely. I'd rather trust letsencrypt in that regard.

Almost certainly such a policy does not cover breaches of your web site otherwise. Having HTTPS in place does not in any way make your site secure. It's just a tool to help you secure things. One part of a very complicated puzzle. Any part of that puzzle can be a security failure from your web server, to server side application code, to the way you store user names and passwords, etc, etc. All of that stuff is far more likely to be breached.

Read the small print.

pipuppy
Posts: 70
Joined: Fri Aug 24, 2012 12:51 pm

Re: General server security question.

Sun Oct 15, 2017 1:48 pm

Hi again,

When I started this thread I had no idea it would generate such a response. Some very helpful tips and links to improved server security have emerged.

Reality check:
However, I am concerned that any younger pi users might read this thread and be "put off" from experimenting and self learning. If I am understanding correctly what we are in fact saying is that it is generally unwise to open-up a port on a home router to expose a homebrew server unless extreme precautions are taken? As a 60+ year old who is simply trying to self-educate I have sufficient wisdom to see that as an "amateur" it is perhaps safer to abandon this line of research and move on to something else with less risk or wait until my knowledge is sufficient to reduce the risks.

However, I am left wondering about younger experimenters for whom the pi was intended. Youthful enthusiasm is not likely to stop him or her from opening up a port to a less than secure server and I wonder if we are sending out the wrong messages here? Yes, let's encourage safety by all means but reading some of the comments posted would lead us to believe "dire" consequences may result from a less than secure home server exposed to the wider web. Of course risks exist and it would be silly to ignore them but reading this thread reminds me of my own youth when everyone said riding a motorcycle was "dangerous" and while this (was and still is) true I found it much more helpful when an older "biker" told me "yes, very dangerous" but then went on to explain how to reduce those risks.

The problem I have is that in my own case I followed raspberrypi.org's advice from here.

https://www.raspberrypi.org/documentati ... ecurity.md

*** Sample quote ***
"What level of security you need depends on how you wish to use your Raspberry Pi. For example, if you are simply using your Raspberry Pi on your home network, behind a router with a firewall, then it is already quite secure by default.

However, if you wish to expose your Raspberry Pi directly to the internet, either with a direct connection (unlikely) or by letting certain protocols through your router firewall (e.g. SSH), then you need to make some basic security changes."
*** End quote ***

From comments posted here it would seem that the precautions listed in that page may be insufficient. While I accept no server can ever be fully secure (unless switched off) surely it's possible to achieve a reasonable level of security such that a keen young experimenter can expose a homebrew server to the WWW without bringing his or her world crashing down?

This is just my 2p worth but it seems what is perhaps required is a more comprehensive "how-to" page on server security aimed at the less experienced experimenter. The raspberrypi.org page is pitched just right but it seems it does not go quite far enough. I only wish I had the knowledge and experience to write such a page myself.

Don't get me wrong, it's right to be cautious but as a person who spent a number of years working in a school I fear the cautious approach can go too far, stopping people from doing something creative.

Regards,

pipuppy

Heater
Posts: 7737
Joined: Tue Jul 17, 2012 3:02 pm

Re: General server security question.

Mon Oct 16, 2017 6:21 pm

I don't disagree with you particularly.

The Pi security page is pretty good as far as it goes. Which is as far as using SSH to log in to your Pi from the public internet.

Problem is that there are so many things one might want to do after that. How about a web server on there? Or any one of a thousand other services a Pi could perform.

Any one of those will have security issues of its own that need taking care of. For example the security checklists for just a web server are huge.

For the Pi Foundation to try and document ways to cover everything would be a huge undertaking. And it would need updating continuously as new vulnerabilities and exploits are coming along all the time.

I'm all for kids experimenting with these things. As long as we can get them to be aware of the dangers. As long as their Pi or whatever is not on the local LAN, is not able to get to their family PC that dad uses to do online banking.
