Tzarls
Authorised Reseller
Posts: 224
Joined: Tue Feb 26, 2013 6:59 am

About security, routers and intrusion detection on the RPi

Thu Aug 18, 2016 5:06 am

Hi. I have a couple of questions I hope someone can answer.

Let's say I have a properly configured router with strong password (whatever "properly configured" and "strong password" means - that's not the point here). This router has no port forwarding enabled. Let's say I connect a Raspberry to this router with a fresh installation of Raspbian, but I don't change the default password. How safe would the RPi be from external attacks? Is the router effectively isolating the RPi from the world because of the port-forwarding feature being disabled? Is there any other way in which an external attacker can reach the RPi?

Now let's say that I want to be hacked (if only for the chance to discover the bad guy's tricks), so I enable port forwarding (and any other option that makes me an attractive and easy target) and wait patiently until someone bites. What would the tools or places to look for be in order to find traces of an intrusion or attack? I know this can be quite difficult since, well, the attackers obviously want to be as invisible as possible for as long as possible, but there must be some ways to detect uninvited logins, unwanted changes to the system and the like.

Not that I've been hacked (or left an unsecured RPi connected to the internet - yet ;) )

Heater
Posts: 13109
Joined: Tue Jul 17, 2012 3:02 pm

Re: About security, routers and intrusion detection on the R

Thu Aug 18, 2016 6:08 am

Set up a web server on your Pi. Say Apache. Have your router forward ports 80 and 443 for the web server and 22 for SSH connections.

Do change your password first.

Now sit back and watch your logs:

/var/log/auth.log
/var/log/apache/access.log

Soon you will see lots of login attempts and requests to your server for all kind of weird files.

Google for intrusion detection. It's a big subject.
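An added example (not code from Heater or the thread) of what "watching your logs" can look like once the log lines pile up: it summarises failed and accepted SSH logins from auth.log and 404 probes from the Apache access log. The log lines are constructed samples written to temp files; on a Raspbian box you would pass /var/log/auth.log and the Debian apache2 log path /var/log/apache2/access.log instead.

```shell
#!/bin/bash
# Added example: summarise the two logs mentioned in the post.
# Both logs below are constructed samples in sshd / Apache combined-log format;
# on the Pi, point the functions at /var/log/auth.log and /var/log/apache2/access.log.
AUTH_LOG=$(mktemp); ACCESS_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Aug 18 05:06:01 raspberrypi sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 18 05:06:03 raspberrypi sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Aug 18 05:06:09 raspberrypi sshd[1240]: Failed password for pi from 198.51.100.7 port 40001 ssh2
Aug 18 05:07:15 raspberrypi sshd[1251]: Accepted password for pi from 192.0.2.10 port 50000 ssh2
Aug 18 05:07:20 raspberrypi sshd[1260]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
EOF
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [18/Aug/2016:05:10:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 495 "-" "-"
203.0.113.5 - - [18/Aug/2016:05:10:02 +0000] "GET /wp-login.php HTTP/1.1" 404 495 "-" "-"
198.51.100.7 - - [18/Aug/2016:05:11:30 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 495 "-" "-"
192.0.2.10 - - [18/Aug/2016:05:12:00 +0000] "GET /index.html HTTP/1.1" 200 3380 "-" "Mozilla/5.0"
EOF

# failed_by_ip FILE: "count ip" per source of failed SSH password attempts, busiest first
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' "$1" |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# accepted_logins FILE: "user ip" for every successful SSH login;
# any line here that is not one of your own sessions is the one to investigate
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") print u, $(i+1) } }' "$1"
}

# missing_paths FILE: "count path" of requests answered 404, i.e. probing for files you do not have
missing_paths() {
    awk '$9 == 404 { print $7 }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

failed_by_ip "$AUTH_LOG"
accepted_logins "$AUTH_LOG"
missing_paths "$ACCESS_LOG"
```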

ejolson
Posts: 3421
Joined: Tue Mar 18, 2014 11:47 am

Re: About security, routers and intrusion detection on the R

Thu Aug 18, 2016 7:40 am

Tzarls wrote:Let's say I have a properly configured router with strong password (whatever "properly configured" and "strong password" means - that's not the point here). This router has no port forwarding enabled. Let's say I connect a Raspberry to this router with a fresh installation of Raspbian, but I don't change the default password. How safe would the RPi be from external attacks? Is the router effectively isolating the RPi from the world because of the port-forwarding feature being disabled?
While a Pi without a password would be somewhat protected with port forwarding turned off, relying on a firewall--called egg shell security--is dangerous. If any device behind the firewall gets compromised, the shell is broken and everything inside the egg spills.

The router may have bugs that allow port forwarding to be turned on remotely. However, bugs in any device on your LAN such as bluray players, televisions, smart phones or other computers could be exploited to circumvent the router's security. The Pi might not seem a high value target, but if left unsecured it could be used to target any device behind your firewall or the firewall itself.

A machine with intentionally weak security used to detect intruders is called a honeypot. While they may have uses, I sure wouldn't want one on my LAN.

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: About security, routers and intrusion detection on the R

Thu Aug 18, 2016 9:59 am

Tzarls wrote:This router has no port forwarding enabled.
One thing to be aware of is that some routers have UPnP configured, which allows internal machines to request automatic port forwards. So even though you've not configured any port forwarding it might still be happening. Of course if you're assuming an ideal router then this would be configurable.
ejolson wrote:A machine with intentionally weak security used to detect intruders is called a honeypot. While they may have uses, I sure wouldn't want one on my LAN.
All of ejolson's points are good, and I'd re-iterate that what you're asking about is a honeypot, so that's the thing to go searching for.

However, the general way to set one up is that you want to monitor all traffic going in and out of the honeypot (ideally packet capture on the router). The honeypot should also be on its own dedicated network with no access to other internal systems and probably some DoS protection for outgoing traffic. You also want to remotely log all commands and access. I'd probably also have a copy of all file fingerprints (and potentially contents) so you can compare post any compromise.

In reality most of the attacks you'll see are fairly boring. Against a web server you'll see searches for the likes of phpMyAdmin, WordPress and various other common frameworks. For SSH they'll look for poorly secured accounts. Anything that gets a shell, they'll probably just install some scripts that let them control the device remotely and use it to scan other hosts for vulnerabilities or to take part in DDoS attacks.
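An added example (not code from mfa298 or the thread) of the "copy of all file fingerprints" idea: take a sha256 baseline of a directory tree before exposing the box, then compare afterwards to list files that were changed, removed or added. It runs against a constructed temporary tree; on a real host you would fingerprint the directories you care about (/etc, /usr/bin, /home/pi, ...) and keep the baseline file off the machine, since an intruder with root can edit a baseline left on disk.

```shell
#!/bin/bash
# Added example: fingerprint a directory tree, then diff a later fingerprint against it.
# Paths are stored relative to the tree root so the baseline can be checked from anywhere.

# fingerprint DIR OUTFILE: one "sha256  ./path" line per regular file under DIR, byte-sorted
fingerprint() {
    (cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum) > "$2"
}

# compare BASELINE DIR: prints "CHANGED|REMOVED|ADDED path" lines, sorted (BASELINE must be an absolute path)
compare() {
    local base="$1" dir="$2" now
    now=$(mktemp)
    fingerprint "$dir" "$now"
    {
        # sha256sum -c reports baseline entries whose hash differs or whose file is gone
        (cd "$dir" && sha256sum --quiet -c "$base" 2>/dev/null) |
            sed -n 's/^\(.*\): FAILED open or read$/REMOVED \1/p; s/^\(.*\): FAILED$/CHANGED \1/p'
        # paths present now but absent from the baseline (both lists are already byte-sorted)
        LC_ALL=C comm -13 <(sed 's/^[0-9a-f]\{64\}  //' "$base") <(sed 's/^[0-9a-f]\{64\}  //' "$now") |
            sed 's/^/ADDED /'
    } | LC_ALL=C sort
    rm -f "$now"
}

# demo: constructed tree, baseline, then three kinds of post-baseline change
demo() {
    local dir base out
    dir=$(mktemp -d); base=$(mktemp)
    mkdir -p "$dir/etc" "$dir/bin" "$dir/var"
    printf 'pi:x:1000:1000\n' > "$dir/etc/passwd"
    printf 'original\n' > "$dir/bin/ls"
    printf 'raspberrypi\n' > "$dir/etc/hostname"
    fingerprint "$dir" "$base"
    printf 'replaced\n' > "$dir/bin/ls"        # a binary swapped out
    rm "$dir/etc/hostname"                      # a file deleted
    printf 'new\n' > "$dir/var/new_file"        # a file that was not there before
    out=$(compare "$base" "$dir")
    rm -rf "$dir" "$base"
    printf '%s\n' "$out"
}

demo
```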
