MarcelNL
Posts: 8
Joined: Fri Dec 25, 2015 11:07 am

Pi webserver, port forwarding and default credentials: risks?

Mon Jan 29, 2018 9:02 pm

Hi to you all out here,

My son (13) is hosting a small website via a Raspberry Pi (via Apache). To make sure others have access from outside (WAN) he made our router port forward any traffic to port 80 towards the LAN IP:80.

All very well and nicely working, but I just found out he is still using the well-known original credentials the Pi came with after installation...

Now, of course, this all sounds a bit risky, possibly endangering everything in the LAN. I wonder if anyone out here could point out how exactly a hacker could gain access to the Pi in its current state? Is there a particular script I could use to show him? I would like to use that information to educate him a bit.

Thanks very much in advance!

MarcelNL
Posts: 8
Joined: Fri Dec 25, 2015 11:07 am

Re: Pi webserver, port forwarding and default credentials: risks?

Tue Jan 30, 2018 7:38 pm

Anyone care to put down some thoughts? Much appreciated! Thanks.

DougieLawson
Posts: 39121
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Pi webserver, port forwarding and default credentials: risks?

Tue Jan 30, 2018 7:40 pm

Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

rpdom
Posts: 17173
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Pi webserver, port forwarding and default credentials: risks?

Tue Jan 30, 2018 7:44 pm

If you have only forwarded port 80 you will be fine (as long as you are careful with any code on web pages).

The one you need to worry about is if you have forwarded port 22 for remote SSH access.

MarcelNL
Posts: 8
Joined: Fri Dec 25, 2015 11:07 am

Re: Pi webserver, port forwarding and default credentials: risks?

Tue Jan 30, 2018 7:50 pm

Reading this discussion viewtopic.php?t=83391 I get the feeling there is not much risk in port forwarding port 80 alone towards an Apache installation serving up a simple static (non-PHP) site and having SSH disabled (which would open a different port probably, i.e. if also port forwarded, not if just used on LAN).

Of course, I understand that it is best to change the user / password just in case.

Anyone?
Last edited by MarcelNL on Tue Jan 30, 2018 9:24 pm, edited 2 times in total.
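An added example, not part of the original thread: a small audit that cross-checks the Pi's listening TCP sockets against the router's forward list, so you can see that only Apache on port 80 faces the internet while SSH stays on the LAN. The `ss -tln` sample is constructed, and the script assumes each forward maps an external port to the same port number on the Pi.

```python
import ipaddress

# Constructed sample of `ss -tln` output from a Pi running Apache and sshd.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      511    *:80               *:*
LISTEN 0      128    [::]:22            [::]:*
"""

def listening_ports(ss_output):
    """Map each listening TCP port to True if it is bound beyond loopback."""
    ports = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header line and anything unexpected
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets / scope id
        if host in ("*", ""):
            reachable = True
        else:
            reachable = not ipaddress.ip_address(host).is_loopback
        ports[int(port)] = ports.get(int(port), False) or reachable
    return ports

def audit(ss_output, forwarded_ports):
    """Classify each listening port by where it can be reached from."""
    forwarded = set(forwarded_ports)
    report = {}
    for port, reachable in sorted(listening_ports(ss_output).items()):
        if not reachable:
            report[port] = "loopback only"
        elif port in forwarded:
            report[port] = "reachable from the internet"
        else:
            report[port] = "reachable from the LAN only"
    return report

if __name__ == "__main__":
    # Assumption: the router forwards only TCP 80, as in the original post.
    for port, status in audit(SAMPLE_SS, [80]).items():
        print(port, status)
```

On the Pi itself, feed it the real output of `ss -tln` and the ports listed on the router's port-forwarding page; any port reported as reachable from the internet other than 80 deserves a second look.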

MarcelNL
Posts: 8
Joined: Fri Dec 25, 2015 11:07 am

Re: Pi webserver, port forwarding and default credentials: risks?

Tue Jan 30, 2018 7:54 pm

rpdom and DougieLawson, thanks very much!
