rpiswag
Posts: 804
Joined: Mon May 19, 2014 10:04 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 3:34 pm

I googled but I couldn't find a tutorial to disable passwordless sudo, and I could find a tutorial to change the root account username.
A computer's power can't be just measured Gigahertz. It is the same thing with us humans.

KeithSloan
Posts: 321
Joined: Tue Dec 27, 2011 9:09 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 3:42 pm

rpiswag wrote:I googled but I couldn't find a tutorial to disable passwordless sudo, and I could find a tutorial to change the root account username.
Check out https://www.digitalocean.com/community/ ... sh-keys--2

rpiswag
Posts: 804
Joined: Mon May 19, 2014 10:04 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 3:45 pm

Thank you! That answers some of my questions; now what about the other questions I mentioned, like disabling passwordless sudo?
A computer's power can't be just measured Gigahertz. It is the same thing with us humans.


rpiswag
Posts: 804
Joined: Mon May 19, 2014 10:04 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 4:13 pm

OK, but can you find a tutorial on Google? I looked and I couldn't find any.
A computer's power can't be just measured Gigahertz. It is the same thing with us humans.

rpiswag
Posts: 804
Joined: Mon May 19, 2014 10:04 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 5:26 pm

I learned how to delete user pi with the command sudo userdel pi, but I still don't know how to create a new user with root privileges, and I still don't know how to create a new user without root privileges.
A computer's power can't be just measured Gigahertz. It is the same thing with us humans.

rpiswag
Posts: 804
Joined: Mon May 19, 2014 10:04 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 7:38 pm

Do I need more security if I have a 40 character long password with Fail2Ban running? What is the chance of someone getting into my pi?
A computer's power can't be just measured Gigahertz. It is the same thing with us humans.

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Is My Pi Safe?

Sat Apr 04, 2015 7:42 pm

40 character long password ...
People in this thread keep mentioning something about key only ssh and abandoning passwords altogether.
Have you read about public / private key encryption like the RSA algorithm?
Very clever stuff.

hampi
Posts: 223
Joined: Fri May 31, 2013 11:29 am

Re: Is My Pi Safe?

Sat Apr 04, 2015 8:00 pm

morphy_richards wrote:People in this thread keep mentioning something about key only ssh and abandoning passwords altogether.
Or using one-time passwords? Not really an expert in this field.

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Is My Pi Safe?

Sat Apr 04, 2015 8:02 pm

Me neither, it's an education hanging about around here!

rpdom
Posts: 16349
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Is My Pi Safe?

Sat Apr 04, 2015 8:11 pm

hampi wrote:
morphy_richards wrote:People in this thread keep mentioning something about key only ssh and abandoning passwords altogether.
Or using one-time passwords? Not really an expert in this field.
That's what I use. Key based authentication for my normal logins, and a set of one-time passwords for the rare occasions I need to log in from another system.

rpiswag
Posts: 804
Joined: Mon May 19, 2014 10:04 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 8:15 pm

My pi is directly connected to the internet with no router. I am currently using ufw as my firewall; is that good enough, or will a router make a better firewall? If I use an ssh key, will I need any more security? Does Fail2Ban work with ssh keys?
A computer's power can't be just measured Gigahertz. It is the same thing with us humans.

Heater
Posts: 14725
Joined: Tue Jul 17, 2012 3:02 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 8:24 pm

rpiswag,

Did they teach you any maths in school?

40 characters is 40 * 8 bits = 320 bits.

How many possible passwords is that?

2 to the power 320 minus one, which in decimal is about 2E96. That is a 2 with 96 zeros after it. Quite many.

The estimated age of the universe, since big bang, is about 4E17 seconds.

So trying all the passwords of that length at one per second would take 2E96 / 4E17 seconds or about 5E78 times longer than the universe has existed!

To put it in perspective, that is about as many universe lifetimes as there are fundamental particles in the universe.

I guess you are quite safe from that respect.

What is more likely is that someone gets in by other means than guessing the password.
Memory in C++ is a leaky abstraction.

morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest

Re: Is My Pi Safe?

Sat Apr 04, 2015 8:28 pm

Not if it's 12345678910111213141516171819202122232425 :D
Last edited by morphy_richards on Sat Apr 04, 2015 8:49 pm, edited 1 time in total.

rpiswag
Posts: 804
Joined: Mon May 19, 2014 10:04 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 8:43 pm

So an ssh key will not make me that much safer. I am running Fail2Ban, and each IP address gets six attempts before it is banned.
A computer's power can't be just measured Gigahertz. It is the same thing with us humans.

Heater
Posts: 14725
Joined: Tue Jul 17, 2012 3:02 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 11:24 pm

rpiswag,

Have a read of this page about ssh keys: https://wiki.archlinux.org/index.php/SSH_keys

The main point is that, through the magic of public key cryptography, when you use ssh keys the server knows that it is you making the connection, not some other random hacker or bot trying his luck.

It can do this because you have your private key on the computer you are using to connect from. The server has your public key. Therefore the server can issue a "challenge" that only your ssh client can answer correctly because it has your private key.

The downside of using keys is that you have to have your private key on any machine that you want to connect from.

So for example, my google cloud services are subject to the risk that someone gets into my office and gets the key off of my hard drive.

That scenario is covered by the fact that you can set a pass phrase on the key.
Memory in C++ is a leaky abstraction.
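The challenge/response idea Heater describes, as an added illustration that is not part of the thread: the server keeps only the public key, sends a fresh random challenge, and accepts the login only if the answer was produced with the matching private key. The key pair below is a toy textbook-RSA key constructed for this demonstration (tiny, unpadded, not how OpenSSH actually signs), so the flow is the point, not the numbers.

```python
import hashlib
import os

# Toy textbook-RSA key pair, constructed for this illustration only.
# Real OpenSSH keys are thousands of bits and use padded, standardised
# signatures; this is just enough to show the challenge/response idea.
P = 2**61 - 1                      # a known Mersenne prime
Q = 2**89 - 1                      # another known Mersenne prime
N = P * Q                          # public modulus (part of the public key)
E = 65537                          # public exponent (part of the public key)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+); stays on the client


def _digest(challenge: bytes) -> int:
    """Hash the challenge and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


def client_answer(challenge: bytes, private_exponent: int) -> int:
    """The ssh client's side: sign the server's challenge with the private key."""
    return pow(_digest(challenge), private_exponent, N)


def server_verify(challenge: bytes, answer: int, public_exponent: int = E) -> bool:
    """The server's side: check the answer using only the stored public key."""
    return pow(answer, public_exponent, N) == _digest(challenge)


def handshake(private_exponent: int) -> bool:
    """One login attempt: the server issues a fresh random challenge, the client answers."""
    challenge = os.urandom(32)
    return server_verify(challenge, client_answer(challenge, private_exponent))


if __name__ == "__main__":
    print("legitimate client:", handshake(D))        # True
    print("client without the key:", handshake(12345))  # False
```

Because every login uses a new random challenge, an answer captured from one session is useless for the next one, which is why the server never needs to see the private key at all. The passphrase Heater mentions protects the private key file at rest; it plays no part in this exchange.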

rpiswag
Posts: 804
Joined: Mon May 19, 2014 10:04 pm

Re: Is My Pi Safe?

Sat Apr 04, 2015 11:27 pm

I want to ssh into my pi from different computers so a long and complex password is the best option for me.
A computer's power can't be just measured Gigahertz. It is the same thing with us humans.

ame
Posts: 3172
Joined: Sat Aug 18, 2012 1:21 am
Location: New Zealand

Re: Is My Pi Safe?

Sat Apr 04, 2015 11:30 pm

rpiswag wrote:But does this really make the security better, because each computer only gets 6 retries and after that they can't keep brute forcing? They could get the password in six tries, but the chances of someone being able to guess a password that is 40 characters long and is completely random with numbers, letters and special characters. Thank you for the link.
You don't understand. I have a botnet with 1 million zombie PCs. I can instruct them to hack your system. Each one gets 6 tries, so that's 6 million guesses. Next week I'll have a new botnet with 1 million *new* addresses that you haven't blocked yet.

So, your 40 character random password is pretty strong, but you are not guarding against me using my PC (from my IP address), you are guarding against a single entity (some hacker, or hacker group) with an infinite number of IP addresses.
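To make ame's point concrete, here is an added Python replay (not from the thread or from Fail2Ban's own code) of a Fail2Ban-style "six failures per address" rule over constructed auth.log lines. The addresses are from the TEST-NET ranges and the log format is the sshd "Failed password" line that Fail2Ban's sshd filter keys on; the findtime window is left out for brevity.

```python
import re
from collections import Counter

# Matches the sshd line Fail2Ban's sshd filter keys on; the address is captured.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .+ from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def make_log(attempts_by_ip):
    """Build constructed auth.log lines (TEST-NET addresses only, no real hosts)."""
    lines = []
    for ip, count in attempts_by_ip.items():
        for i in range(count):
            lines.append(
                f"Apr  4 20:15:{i % 60:02d} raspberrypi sshd[1234]: "
                f"Failed password for pi from {ip} port {50000 + i} ssh2"
            )
    return lines


def failed_login_ips(lines):
    """Extract the source address of every failed-password event, in log order."""
    return [m.group(1) for m in map(FAILED_RE.search, lines) if m]


def simulate_bans(ips, maxretry=6):
    """Replay failures through a Fail2Ban-style rule: an address is banned once it
    reaches `maxretry` failures and its later attempts are dropped.  Returns the
    banned set, the number of guesses that actually reached sshd, and the number
    of distinct sources."""
    failures = Counter()
    banned = set()
    reached_sshd = 0
    for ip in ips:
        if ip in banned:
            continue
        reached_sshd += 1
        failures[ip] += 1
        if failures[ip] >= maxretry:
            banned.add(ip)
    return banned, reached_sshd, len(failures)


if __name__ == "__main__":
    one_host = make_log({"203.0.113.5": 20})
    print(simulate_bans(failed_login_ips(one_host)))
    # ({'203.0.113.5'}, 6, 1): one source, banned after six guesses

    many_hosts = make_log({f"198.51.100.{i}": 5 for i in range(256)})
    print(simulate_bans(failed_login_ips(many_hosts)))
    # (set(), 1280, 256): 256 sources, nobody banned, every guess reached sshd
```

The second run is the botnet case: with five guesses per address nothing ever trips the per-address threshold, so the number of distinct sources (the third value) is the figure worth alerting on, not the ban count.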

Heater
Posts: 14725
Joined: Tue Jul 17, 2012 3:02 pm

Re: Is My Pi Safe?

Sun Apr 05, 2015 12:06 am

ame,

I'm not sure you understand. See my calculation above.

Guessing a 40 character password, as suggested, would give you a one in 10 to the power 96 chance of being correct. Give or take a bit.

Let's say your bot net can make a million, million, million guesses somehow. That's 10 to the power 18. So now you have a one in 10 to the power 78 probability of guessing correctly.

If you could make that many guesses every second, you would still need multiple times the age of the universe to stand a chance of getting it right. I'll leave that calculation to you.

Of course rpiswag would have banned every possible IPv4 address pretty soon. There are only 4 billion of them, not an infinite number. So I guess he'd be safe then :)
Memory in C++ is a leaky abstraction.

ame
Posts: 3172
Joined: Sat Aug 18, 2012 1:21 am
Location: New Zealand

Re: Is My Pi Safe?

Sun Apr 05, 2015 12:38 am

Yes, I understand. I was emphasising the fact that it's not a case of one guy with a PC getting six guesses.

40 characters is a great password, but an ssh key is better.

Also, I think you are an order of magnitude off with your calculations, since OP will not use all bit combinations (using only printable ASCII). So, only a few times the age of the universe, not several times.
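Heater's arithmetic and ame's printable-ASCII refinement, redone in Python as an added example (not from the thread), using the thread's own figures: 4E17 seconds for the age of the universe and 1E18 guesses per second for the botnet. Going from "any byte value" (256 symbols) to the 95 printable ASCII characters shrinks the 40-character keyspace by about 17 orders of magnitude, which still leaves the exhaustive search many ages of the universe long at any rate discussed here.

```python
import math

UNIVERSE_AGE_SECONDS = 4e17   # Heater's figure from the thread


def keyspace_bits(length, alphabet_size):
    """Entropy, in bits, of `length` uniformly random symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def orders_of_magnitude(length, alphabet_a, alphabet_b):
    """How many powers of ten the keyspace shrinks when the alphabet shrinks from a to b."""
    return length * (math.log10(alphabet_a) - math.log10(alphabet_b))


def universe_ages_to_exhaust(length, alphabet_size, guesses_per_second):
    """Ages of the universe needed to try every password at the given rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / UNIVERSE_AGE_SECONDS


if __name__ == "__main__":
    scenarios = [
        ("40 bytes, any value, 1 guess/s (Heater)",    40, 256, 1.0),
        ("40 printable ASCII chars, 1 guess/s (ame)", 40, 95, 1.0),
        ("40 printable ASCII chars, 1e18 guesses/s",  40, 95, 1e18),
        ("40 alphanumeric chars, 1e18 guesses/s",     40, 62, 1e18),
    ]
    for label, length, alphabet, rate in scenarios:
        print(f"{label}: {keyspace_bits(length, alphabet):.0f} bits, "
              f"{universe_ages_to_exhaust(length, alphabet, rate):.1e} universe ages")
    print(f"bytes vs printable ASCII: "
          f"{orders_of_magnitude(40, 256, 95):.1f} orders of magnitude smaller")
```

The 320-bit figure only holds for 40 uniformly random bytes; a 40-character password typed on a keyboard is closer to 263 bits, and one made of the digits in morphy_richards' joke has almost no entropy at all, whatever its length.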

Heater
Posts: 14725
Joined: Tue Jul 17, 2012 3:02 pm

Re: Is My Pi Safe?

Sun Apr 05, 2015 1:35 am

You make a good point in emphasising the many machines of a bot net that can be brought down on you.

I may be wrong, but isn't banning troublesome IP addresses as much about alleviating the load of all that on processor, network and log files etc.? Avoiding the DoS.

Yes, I'm sure there is room for adding or removing a few orders of magnitude from my estimates. As long as we have one age of universe left as a result I'm happy :)
Memory in C++ is a leaky abstraction.

pluggy
Posts: 3635
Joined: Thu May 31, 2012 3:52 pm
Location: Barnoldswick, Lancashire, UK

Re: Is My Pi Safe?

Sun Apr 05, 2015 8:48 am

In my simplistic world, I don't have ssh open to the internet at large. If there's no ssh port visible the bots just pass it by. I've had a Pi connected to the internet for 3 years, never once been hacked. I used to attract several attempts every day when ssh was generally open.

Waving the bait around and then trying to club whatever rises to the bait seems like a stupid way of working to me. Better you don't wave the bait around in the first place.
Don't judge Linux by the Pi.......
I must not tread on too many sacred cows......

JimmyN
Posts: 1109
Joined: Wed Mar 18, 2015 7:05 pm
Location: Virginia, USA

Re: Is My Pi Safe?

Sun Apr 05, 2015 10:30 pm

rpiswag wrote:Thank you! That answers some of my questions; now what about the other questions I mentioned, like disabling passwordless sudo?
To require a password for sudo you have to edit the sudoers file.

$ sudo nano /etc/sudoers

Scroll down the file (using the arrow keys) until you get to the 'pi' entry. Change NOPASSWD to PASSWD. Then <CTRL+X> <Y> <ENTER> to save it.

You'll use your user password, not root, and it won't do much good to require a password if you leave it at the default 'raspberry', so change your password too. I think you only have to use it once per session. The first time you use sudo you'll have to provide your password, but as long as you stay in that terminal you won't have to enter it every time.

If you add a new user and want them to have sudo permissions then add them to the sudoers file.
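As an added example (not JimmyN's procedure and not part of the thread), the edit above can be checked and applied mechanically: list which active sudoers entries carry the NOPASSWD tag, then rewrite them to PASSWD while leaving commented-out lines alone. The sudoers excerpt is constructed in the shape Raspbian shipped at the time; on a real system the line may instead live in a file under /etc/sudoers.d/, edits should go through visudo, and the result should be validated with visudo -c before the terminal is closed.

```python
import re

# A constructed sudoers excerpt in the shape Raspbian shipped at the time:
# the 'pi' user gets sudo without a password.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pi ALL=(ALL) NOPASSWD: ALL
# alice ALL=(ALL) NOPASSWD: ALL   <- commented out, not active
"""

# A user-spec line: who  host=(runas)  [Tag:] commands.  Only the tag matters here.
NOPASSWD_RE = re.compile(r"^(?P<who>\S+)\s+\S+=\(.*?\)\s+NOPASSWD:")


def passwordless_users(sudoers_text):
    """List the users/groups that can run sudo without a password (active lines only)."""
    found = []
    for line in sudoers_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue   # blank or comment: never an active rule
        m = NOPASSWD_RE.match(stripped)
        if m:
            found.append(m.group("who"))
    return found


def require_password(sudoers_text):
    """Return the text with every active NOPASSWD: tag turned into PASSWD:."""
    out = []
    for line in sudoers_text.splitlines(keepends=True):
        if not line.lstrip().startswith("#"):
            line = re.sub(r"\bNOPASSWD:", "PASSWD:", line)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    print("passwordless before:", passwordless_users(SAMPLE_SUDOERS))   # ['pi']
    fixed = require_password(SAMPLE_SUDOERS)
    print("passwordless after: ", passwordless_users(fixed))            # []
    print(fixed)
```

Running passwordless_users over the real file is the quick audit JimmyN's advice implies: if it returns anything other than an empty list, someone on that box still gets root without typing a password.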

ktb
Posts: 1447
Joined: Fri Dec 26, 2014 7:53 pm

Re: Is My Pi Safe?

Sun Apr 05, 2015 11:07 pm

JimmyN wrote:Change NOPASSWD to PASSWD
