raspi-owner
Posts: 63
Joined: Sun Aug 20, 2017 11:35 pm

Is it dangerous to leave the pi connected to the internet ??

Sat Dec 21, 2019 11:47 pm

Hi, i have a raspberry pi 3 b and i want to leave it connected to the internet for my needs, but i keep finding in forums that it's dangerous to do that since hackers can get access to it. Here is what i want to do :

1) leave the pi connected as i said earlier.
2) connect to it via ssh, only at home. (again i found posts saying that it's bad to do that)
3) dont do any update since it will be left alone.

I can't understand how it can be hacked with no port open in my router, and does enabling ssh open ports or something to the internet ??

W. H. Heydt
Posts: 12300
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Is it dangerous to leave the pi connected to the internet ??

Sat Dec 21, 2019 11:54 pm

raspi-owner wrote:
Sat Dec 21, 2019 11:47 pm
Hi, i have a raspberry pi 3 b and i want to leave it connected to the internet for my needs, but i keep finding in forums that it's dangerous to do that since hackers can get access to it. Here is what i want to do :

1) leave the pi connected as i said earlier.
Not a problem in and of itself.
2) connect to it via ssh, only at home. (again i found posts saying that it's bad to do that)
Not a problem in and of itself.
3) dont do any update since it will be left alone.
This is a problem. You should update regularly so that you are installing security patches as they are released.
I can't understand how it can be hacked with no port open in my router, and does enabling ssh open ports or something to the internet ??
If some other machine on your LAN gets hacked, or a pathway in comes through phishing scam or other means of compromising systems (either the Pi or some other system). Not opening ports on your router is the first, basic, security task. Putting good passwords on your WiFi as well as your Pi is the next step. You can research what to do from there to protect your Pi.

It's kind of like sex...you have effectively slept with everyone your partner has slept with.

raspi-owner
Posts: 63
Joined: Sun Aug 20, 2017 11:35 pm

Re: Is it dangerous to leave the pi connected to the internet ??

Sun Dec 22, 2019 12:08 am

Ok, so what about ssh it self, do i need to change the username and password even for home use, and after enabling it do i need to change it's conf file to strict the connection to my ip only or leave it as it is ??

User avatar
DougieLawson
Posts: 38756
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Is it dangerous to leave the pi connected to the internet ??

Sun Dec 22, 2019 12:59 am

You must change the password. Userid=pi with password=raspberry is known universally.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

raspi-owner
Posts: 63
Joined: Sun Aug 20, 2017 11:35 pm

Re: Is it dangerous to leave the pi connected to the internet ??

Sun Dec 22, 2019 1:34 am

DougieLawson wrote:
Sun Dec 22, 2019 12:59 am
You must change the password. Userid=pi with password=raspberry is known universally.
Ok, i got it thank's

W. H. Heydt
Posts: 12300
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Is it dangerous to leave the pi connected to the internet ??

Sun Dec 22, 2019 3:02 am

DougieLawson wrote:
Sun Dec 22, 2019 12:59 am
You must change the password. Userid=pi with password=raspberry is known universally.
Well... Yes, it's universally known to be the default, but "must" change it is a bit strong. It's rather highly recommended that you change it, *especially* if the Pi is connected to a LAN (let alone the internet).

W. H. Heydt
Posts: 12300
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Is it dangerous to leave the pi connected to the internet ??

Sun Dec 22, 2019 3:08 am

raspi-owner wrote:
Sun Dec 22, 2019 12:08 am
Ok, so what about ssh it self, do i need to change the username and password even for home use, and after enabling it do i need to change it's conf file to strict the connection to my ip only or leave it as it is ??
The basic problem is that access from the internet isn't the only problem. What else is on your LAN and what do those devices connect to? Incoming traffic looking for holes to get in isn't the only way a system can be compromised. The PC (or other Pi) you connect over ssh is also a way in if it gets compromised, as is any device brought in by friends or family. IoT devices are almost universally not properly secured. Many (most?) ISP supplied modems and routers are also not secure, sometimes deliberately (the ISP may have admin access from the outside, for instance, and--if known--that means there is a way in through your router).

Beyond checking that there are no ports open to inbound traffic on your router and changing the password on your Pi, how far you want to go depends on concerned you are about having data on the Pi you don't want to lose or to get loose in the world.

User avatar
DougieLawson
Posts: 38756
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Is it dangerous to leave the pi connected to the internet ??

Sun Dec 22, 2019 3:22 am

W. H. Heydt wrote:
Sun Dec 22, 2019 3:02 am
DougieLawson wrote:
Sun Dec 22, 2019 12:59 am
You must change the password. Userid=pi with password=raspberry is known universally.
Well... Yes, it's universally known to be the default, but "must" change it is a bit strong. It's rather highly recommended that you change it, *especially* if the Pi is connected to a LAN (let alone the internet).
Raspbian Buster includes a check that presents an annoying popup if you don't change the password. So it is a MUST change.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

W. H. Heydt
Posts: 12300
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Is it dangerous to leave the pi connected to the internet ??

Sun Dec 22, 2019 3:39 am

DougieLawson wrote:
Sun Dec 22, 2019 3:22 am
W. H. Heydt wrote:
Sun Dec 22, 2019 3:02 am
DougieLawson wrote:
Sun Dec 22, 2019 12:59 am
You must change the password. Userid=pi with password=raspberry is known universally.
Well... Yes, it's universally known to be the default, but "must" change it is a bit strong. It's rather highly recommended that you change it, *especially* if the Pi is connected to a LAN (let alone the internet).
Raspbian Buster includes a check that presents an annoying popup if you don't change the password. So it is a MUST change.
That's like saying that if you get hit by a hammer, then you MUST be a nail. Popups can be ignored. Or one could change the password and then change it back. It's still highly recommended that the default password (on ANY system) be changed. And in "any system", I include routers (the most common "not--a-computer" that most people will encounter).

hippy
Posts: 7343
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Is it dangerous to leave the pi connected to the internet ??

Sun Dec 22, 2019 1:57 pm

raspi-owner wrote:
Sat Dec 21, 2019 11:47 pm
I can't understand how it can be hacked with no port open in my router
Exactly that. So long as hackers cannot get into or compromise your network you are safe. There is nothing wrong with running SSH on the home network, or Telnet, or Samba, using SMB 1.0, nor using default user names and passwords or even not using passwords.

It's not recommended, is leaving your Pi wide open if hackers do gain access to your home network but you'll probably have more to worry about if that happens than your Pi.

Unfortunately there are a lot of people out there who like to insist the world is how they say it is, rather than how it actually is.

To be generous to them, the risk is if you do open up your Pi to internet access or allow it to be compromised and haven't undertaken recommended actions, and they are probably unnecessarily worrying that you will be doing that when you won't.

monty
Posts: 13
Joined: Thu Jun 14, 2012 1:55 am

Re: Is it dangerous to leave the pi connected to the internet ??

Sun Dec 22, 2019 7:20 pm

hippy wrote:
Sun Dec 22, 2019 1:57 pm
raspi-owner wrote:
Sat Dec 21, 2019 11:47 pm
I can't understand how it can be hacked with no port open in my router
Exactly that. So long as hackers cannot get into or compromise your network you are safe. There is nothing wrong with running SSH on the home network, or Telnet, or Samba, using SMB 1.0, nor using default user names and passwords or even not using passwords.

It's not recommended, is leaving your Pi wide open if hackers do gain access to your home network but you'll probably have more to worry about if that happens than your Pi.

Unfortunately there are a lot of people out there who like to insist the world is how they say it is, rather than how it actually is.

To be generous to them, the risk is if you do open up your Pi to internet access or allow it to be compromised and haven't undertaken recommended actions, and they are probably unnecessarily worrying that you will be doing that when you won't.
That's the key thing - hackers not getting in to your system. If you use a desktop system (mostly windows) - then even without opening a port in your router, nefarious code can tunnel out and allow hackers in.
If they get in to your desktop, then they can get to other stuff on your network - including your pi.

W. H. Heydt
Posts: 12300
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Is it dangerous to leave the pi connected to the internet ??

Mon Dec 23, 2019 6:03 am

monty wrote:
Sun Dec 22, 2019 7:20 pm
That's the key thing - hackers not getting in to your system. If you use a desktop system (mostly windows) - then even without opening a port in your router, nefarious code can tunnel out and allow hackers in.
If they get in to your desktop, then they can get to other stuff on your network - including your pi.
Many, if not most, of the ways that Windows PCs get compromised aren't by external attacks looking for open router ports. They are by actions taken by person(s) using the PC such as clicking on links to malicious or compromised web sites or opening e-mail attachments that carry malicious payloads. People are the weak link in computer security.

To give a particularly nasty example of what can go wrong. This incident took place several years ago. At a large gaming convention, those running the registration system decided to be nice to the attendees by oping up WiFi access to the LAN that convention registration was using. Within 5 minutes, someone with a badly compromised laptop connected and multiple viruses immediately infected all of the convention registration system machines. The end result was 4 hour registration lines.

So... Bear in mind that even if you (and your family) are scrupulous about avoiding dicey web sites and you never open unexpected e-mail attachments and you have generally good security practices for all the machines in your house, all it takes is someone visiting with an infected machine that you allow to connect to your LAN and *everything* is at risk.

Return to “Beginners”