pibob314
Posts: 4
Joined: Thu Jul 31, 2014 3:57 pm

Raspberry Pi port forwarding security

Thu Jul 31, 2014 7:30 pm

I am running a server on my raspberry pi, and I understand that in order for people outside my network to access my server, port forwarding is required.

I also understand that hackers could use remote SSH to hack into my pi. Does this apply if I am just running a server?

In the event that a hacker gained access to my pi, is my pi isolated from the other computers in my home network, or could the hacker then gain access to those?

Thanks in advance!

lazarus78
Posts: 236
Joined: Thu Jul 25, 2013 5:16 pm

Re: Raspberry Pi port forwarding security

Thu Jul 31, 2014 8:34 pm

Some things you could do:

- Disable root login through SSH.
- Make your password long and complex so a brute force would be pointless.

There's probably not a lot someone could do if they managed to hack into your Pi, unless you have it connected to something like a NAS or have it linked to another computer. Plus, what good is a Pi to a hacker anyway?

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: Raspberry Pi port forwarding security

Thu Jul 31, 2014 8:50 pm

Hi,
pibob314 wrote: I am running a server on my raspberry pi
Which server are we talking about here?
If it is a web server, then you must make a significant mistake in order to lose the game to the attacker(s).
If it is an SSH server, then you're more vulnerable and you must actively perform various actions in order to survive attacks permanently (and to sleep well).

One of the best protections is possible if your router is not a closed dedicated box but a PC or a router box with highly configurable/installable firmware. Then you have a huge range of tricks and tools to keep the attackers away.

pibob314 wrote: In the event that a hacker gained access to my pi, is my pi isolated from the other computers in my home network, or could the hacker then gain access to those?
You haven't described the details, therefore I assume that your RasPi is an "ordinary peer" in your home network. Gaining access to it is equivalent to somebody entering your home and plugging his/her notebook into your network.


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

lmarmisa
Posts: 1227
Joined: Thu Feb 14, 2013 2:22 am
Location: Jávea, Spain

Re: Raspberry Pi port forwarding security

Thu Jul 31, 2014 8:59 pm

First of all, the ssh server is a very secure program if you define a good password.

But I would like to propose a couple of recommendations in order to improve security:

1) Define an external port different from the standard port 22 in the port forwarding configuration. Use a port number above 1024 (for example, 13579). Hackers will try to attack port 22.

2) Use an RSA key for ssh login and disable password authentication.

http://lani78.com/2008/08/08/generate-a ... tu-server/
https://help.ubuntu.com/community/SSH/OpenSSH/Keys

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: Raspberry Pi port forwarding security

Thu Jul 31, 2014 9:19 pm

Hi,
lmarmisa wrote: 1) Define an external port different from the standard port 22 in the port forwarding configuration. Use a port number above 1024 (for example, 13579). Hackers will try to attack port 22.
Security through obscurity... I don't like it.

But let me briefly describe one technique for improving this "port hiding" approach (when you have a router with ipchains; a RasPi could also be used to create a rock-solid firewall).
One of the initial blind phases of an attack can be port scanning: the attacker checks ports one after another for a response (e.g. an SSH login prompt). When the port with a response (a server listening behind it) is detected, your "protection" has vanished...
What you can do is set traps on the ports below and above your server port. When the firewall detects a knock on the port before/after the server port, it immediately blocks the IP, and the server will not respond when the attacker knocks on the server port. Therefore, they will not get the information that there is a server on that port.
Another "upgrade" is to require port knocking on some port just to enable access to the server port for this IP (you turn the port from open by default to closed by default). A combination of required and denied ports increases the security drastically.
lmarmisa wrote: 2) Use an RSA key for ssh login and disable password authentication.
I like this item of yours much more than the first one. ;-)


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32
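The trap-port and port-knocking policy described in the post above, as an added example that is not part of the original post: the same decision logic written in Python so it can be stepped through without a firewall, whereas a real setup expresses it in iptables/ipset rules. The server port (2222), trap ports, knock port and timeouts are assumed values.

```python
import time

SERVER_PORT = 2222                      # assumption: the forwarded SSH port
TRAP_PORTS = {SERVER_PORT - 1, SERVER_PORT + 1}   # "ports below and above your server port"
KNOCK_PORT = 40000                      # assumption: the port a legitimate client knocks first
BAN_SECONDS = 3 * 24 * 3600             # how long a trapped IP stays blacklisted
OPEN_SECONDS = 30                       # how long one knock keeps SERVER_PORT open for that IP


class KnockFirewall:
    """Decision logic only; a real deployment encodes this in iptables/ipset rules."""

    def __init__(self):
        self.banned = {}   # ip -> time the ban expires
        self.opened = {}   # ip -> time the knock-opened window closes

    @staticmethod
    def _active(table, ip, now):
        # Drop an expired entry on the way through, like an ipset timeout.
        if ip in table and table[ip] <= now:
            del table[ip]
        return ip in table

    def decide(self, ip, port, now=None):
        """Return 'ban', 'drop' or 'accept' for one inbound connection attempt."""
        now = time.time() if now is None else now
        if self._active(self.banned, ip, now):
            return "drop"                      # blacklisted: nothing answers, not even the server port
        if port in TRAP_PORTS:
            self.banned[ip] = now + BAN_SECONDS
            self.opened.pop(ip, None)
            return "ban"                       # sequential scan touched a trap before the server
        if port == KNOCK_PORT:
            self.opened[ip] = now + OPEN_SECONDS
            return "drop"                      # the knock itself is never answered
        if port == SERVER_PORT and self._active(self.opened, ip, now):
            return "accept"                    # knock seen recently: server port is open for this IP
        return "drop"                          # closed by default


if __name__ == "__main__":
    fw = KnockFirewall()
    # A sequential scanner reaches the trap port first and never sees the server.
    for port in (2221, 2222, 2223):
        print("scanner", port, fw.decide("198.51.100.7", port, now=0))
    # A legitimate client knocks, then connects within the window.
    print("client knock", fw.decide("203.0.113.5", 40000, now=0))
    print("client ssh  ", fw.decide("203.0.113.5", 2222, now=5))
```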

cpc464
Posts: 209
Joined: Tue Jul 08, 2014 5:10 pm
Contact: Website

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 1:24 pm

Hi Pibob314

You don't mention what access you want to give outside users to your Pi but I will assume it is web access.

If you forward port 80 at your router to the Pi, users outside will be able to see a website on the pi by surfing to your router's external IP address.

There will be no SSH access unless you also forward the SSH port. If you forward the SSH port, all outside users will have access to SSH. To make it as secure as possible, it is recommended to:

1. Change the port on which sshd runs from 22 (the default) to a very high number. Do this by editing /etc/ssh/sshd_config then restarting sshd.
2. For the account (user name) you want to use for logging in, create an ssh key pair with ssh-keygen or similar. Choose a very long pass phrase for the key. Install the key onto the computer(s) you want to give users access from. Access will not be possible from any other computers.
3. Choose a long password for the account.
Unix engineer since 1989

RaTTuS
Posts: 10412
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 1:28 pm

1st step is to create a new user and use that for everything.
Make sure you can do all you need, then disable the pi user completely.
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

gkreidl
Posts: 6047
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 2:05 pm

FLYFISH TECHNOLOGIES wrote: Security through obscurity... I don't like it.
By choosing another port on a "real" web server I could get rid of 99% of all SSH attacks. You may not like it, but it is effective (and avoids a lot of useless traffic on the server).
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 3:13 pm

Hi,
gkreidl wrote:
FLYFISH TECHNOLOGIES wrote:Security through obscurity... I don't like it.
By choosing another port on a "real" web server I could get rid of 99% of all SSH attacks. You may not like it, but it is effective (and avoids a lot of useless traffic on the server).
I have been administering/maintaining a few "real" servers (web, ssh, vpn, dns, smtp, ...) for over 15 years now, and the last thing I want to spread around is a feeling of false safety...

I could say that in the last decade I have skimmed log files each day (yes, each day) and have a feeling for what the bad guys are doing and how to keep them away. I was abused once due to a mail relay security flaw (on a Windows NT server, back in 1999) and about a year later through an FTP server security hole. Those events resulted in even more effort spent on understanding what is going on and what tools are available (and I like Linux more each day, by the way ;-) ).

The point of this response is that I feel confident discussing the subject, and I believe that the best message we could send to newbies is that security is not something that can be explained in one HOW-TO or one forum thread, after which you execute two "sudo something" commands and you're done...

So, is 99% good enough?
With a slight abuse of statistics, it means that you're standing naked on a battlefield for more than 3 days per year...

To conclude with a piece of advice: If you want a secure system, use ipchains and ipset. They take their time, but they are very efficient and powerful tools.


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

gkreidl
Posts: 6047
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 3:34 pm

FLYFISH TECHNOLOGIES wrote: So, is 99% good enough ?
With slight abuse of the statistics, it means that you're standing naked on a battlefield more than 3 days per year...
I didn't say anything about other security optimizations I'm using. Like you I've been studying log files for quite some years now.
I just wanted to say that using a different port helps keep (the more stupid) attacks away and reduces traffic.
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 3:50 pm

Hi,
gkreidl wrote: I didn't say anything about other security optimizations I'm using.
Feel free to do that... otherwise the thread might contain just a reduced set of information.
gkreidl wrote: I just wanted to say that using a different port helps keep (the more stupid) attacks away and reduces traffic.
Yes, I agree that this could be one piece of the complete puzzle. I already briefly mentioned the port-knocking idea, which improves this port-hiding approach.


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

emgi
Posts: 357
Joined: Thu Nov 07, 2013 4:08 pm
Location: NL

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 4:07 pm

Couldn't agree more.
For about two years I have been running a web server on Linux (not Raspbian), and checking the logs is not a funny business.
I'm not doing it on a daily basis, but every now and then. Lots and lots of attacks against PHP scripts. (Fortunately I'm not using that.)
I used to be more vigilant in the past, but as it is not a commercial thing, I can afford to relax a bit when I don't feel like it (or when I'm on vacation like right now 8-) ).

Anyway, when you are connected to the web, you are game (as in prey), so you'd better think about your security.
People from all over the globe (and from China) are most eager to abuse whatever you are making available.

One thing I still don't regret is that I have only opened port 80. As a technician I was tempted by the possibilities of having ssh as well, but actually I can do just as well without. Using a non-default port will help because most of the port scans are targeting the well-known ports. This means fewer people will find your open port, but it is not an insurance, and a determined attacker (with inside information) will have very little problem with it.
A very secure username/password is the best option you have and you can only hope it will be good enough.

/emgi

rgrbic
Posts: 128
Joined: Thu Jun 12, 2014 1:07 pm
Contact: Website

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 7:06 pm

If you are running ssh, use key-based authentication and disable password authentication. Permanently ban IP addresses after an unsuccessful login.
At 127.0.0.1
Twitter: @rgrbic
IoT-projects.com

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 8:06 pm

Hi,
emgi wrote:I'm running a web server on linux ... Lots and lots of attacks against PHP scripts.
OK, let me present one weapon I use against crackers. I'll focus just on its web role, but I use it elsewhere as well. ;-)

Goal: Blacklist the IP address from which a web abuse attempt was detected.
Goal details:
- real-time monitoring
- when a defined attack pattern is observed, the IP is immediately blacklisted and all requests from this IP are dropped for some time (e.g. a few days)
- after the timeout period this IP is deleted from the blacklist and its traffic is allowed again (until the next abuse attempt ;) )

Use case: Let's detect crackers' scanning of two very interesting targets: phpMySQL and the /admin/ subpage
Overall idea:
- the web server error log is monitored in real time. When a predefined pattern appears there ("phpMySQL" or "/admin/"), we parse the IP and add it to the blacklist.
- our firewall blocks blacklisted IPs (by dropping their packets)
Tools used:
- ipchains
- ipset
- bash scripting

Required setup (besides installation and basic setup of the mentioned tools):
- we create a blacklist set:

ipset create www-attack hash:net timeout 500000
- we set the firewall to check whether a packet's source IP is listed in the blacklist set, and drop it if so

-A INPUT -i eth0 -m set --match-set www-attack src -j DROP
Operation:
- real-time monitoring (apache example):

#!/bin/bash

# Follow the Apache error log from its current end (-F survives log rotation, -n0 skips old lines).
tail -Fn0 /var/log/apache2/error_log | \
while read -r line ; do

 # For each attack pattern, take the client IP from "[client 1.2.3.4]" (field 8 of the
 # Apache 2.2 error-log format, trailing "]" removed) and turn it into an ipset command.
 # The first command truncates the submit file, the second appends, so both patterns survive.
 echo "$line" | grep "phpMySQL" | awk '{ print $8 }' | cut -d "]" -f 1 | awk '{ printf "/usr/sbin/ipset add www-attack %s >/dev/null 2>&1\n", $1 }' > /tmp/ipchains.submit
 echo "$line" | grep "/admin/" | awk '{ print $8 }' | cut -d "]" -f 1 | awk '{ printf "/usr/sbin/ipset add www-attack %s >/dev/null 2>&1\n", $1 }' >> /tmp/ipchains.submit

 # -s: only act when at least one line matched (the redirection creates an empty file otherwise).
 # Note: a fixed, predictable path under /tmp for a script run as root is a weak spot;
 # a private directory (e.g. under /run) is safer.
 if [ -s /tmp/ipchains.submit ]
 then
  echo "#!/bin/bash" > /tmp/ipchains.add
  echo >> /tmp/ipchains.add
  cat /tmp/ipchains.submit >> /tmp/ipchains.add
  chmod 700 /tmp/ipchains.add
  /tmp/ipchains.add
 fi
 rm -f /tmp/ipchains.submit
done
That's all.

Note: the code above is extracted, so it is definitely not optimized and a typo could also be present somewhere... use this content as a list of items you should understand in order to improve your server protection... and then create your own setup and code to meet your needs.
Good luck. :-)


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32
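The log-driven blacklist from the post above, re-implemented as an added Python example (not the poster's code): it parses the same Apache error-log lines, applies the same two patterns and keeps the set in memory with the ipset-style timeout, so the parsing and expiry can be checked offline on the constructed sample lines; it additionally handles the Apache 2.4 "[client ip:port]" form, which the awk field split does not.

```python
import re
import time

PATTERNS = ("phpMySQL", "/admin/")       # the two patterns from the post
BAN_SECONDS = 500000                      # same as `ipset create www-attack hash:net timeout 500000`

# Apache 2.2 error_log: "[date] [level] [client 1.2.3.4] message"; Apache 2.4 appends
# the client port ("[client 1.2.3.4:51234]"), which breaks the cut-on-"]" approach.
# IPv4 only, which is what the original awk/cut pipeline handles.
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")


def attacker_ip(line):
    """Return the client IP if the line contains an attack pattern, else None."""
    if not any(p in line for p in PATTERNS):
        return None
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


class Blacklist:
    """In-memory stand-in for the www-attack ipset, with the same timeout behaviour."""

    def __init__(self, ban_seconds=BAN_SECONDS):
        self.ban_seconds = ban_seconds
        self.entries = {}                     # ip -> time the entry expires

    def feed(self, line, now=None):
        """Process one error-log line; return the IP if it was added (or refreshed)."""
        now = time.time() if now is None else now
        ip = attacker_ip(line)
        if ip is None:
            return None
        self.entries[ip] = now + self.ban_seconds   # re-adding restarts the timeout
        return ip

    def is_blocked(self, ip, now=None):
        """True while the ban is active; an expired entry is removed and traffic allowed again."""
        now = time.time() if now is None else now
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self.entries[ip]
            return False
        return True


# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = [
    "[Fri Aug 01 20:06:11 2014] [error] [client 198.51.100.23] File does not exist: /var/www/phpMySQL",
    "[Fri Aug 01 20:06:12 2014] [error] [client 198.51.100.23] File does not exist: /var/www/favicon.ico",
    "[Fri Aug 01 20:07:40 2014] [error] [client 203.0.113.9] script '/var/www/admin/login.php' not found or unable to stat",
    "[Fri Aug 01 20:08:02 2014] [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    bl = Blacklist()
    for line in SAMPLE_LOG:
        ip = bl.feed(line)
        if ip:
            print("blacklisted", ip)          # in the shell version: ipset add www-attack <ip>
```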

DougieLawson
Posts: 35798
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 8:34 pm

Ivan,

What you're proposing is one of the functions that's built in to Fail2Ban.

I've got F2B set up so that you get one chance; fail that and you're banned until the system gets rebooted. F2B is also tracking /var/log/auth.log so that it can ban every ssh penetration attempt. The system has been up for 13 days and 200+ attempts have been blocked.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 8:46 pm

Dougie,
DougieLawson wrote:and you're banned until the system gets rebooted.
This is not the feature which I'd like to have (hopefully this setting can be changed)... the banned record must expire at some predefined timeout.


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

DougieLawson
Posts: 35798
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 8:58 pm

FLYFISH TECHNOLOGIES wrote:Dougie,
DougieLawson wrote:and you're banned until the system gets rebooted.
This is not the feature which I'd like to have (hopefully this setting can be changed)... the banned record must expire at some predefined timeout.
They do expire after some days. I've amended my system to ban forever.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 10:02 pm

Hi,
DougieLawson wrote:Fail2Ban..
In the meantime I took a look at it... nice tool... although I'm not sure I'd be able to "port" all the features I currently have to F2B.

Maybe it can be done, but I wasn't able to locate a description in the related official documentation. Let me mention what I mean with just one simple example. There is a page where the visitor can gain 20 minutes of exclusive access to a model train control and observe it via web cam (http://www.flyfish-tech.com/scratch/). This is implemented with ipchains + ipset; the visitor's IP is added to the ipset if it is empty (= nobody applied within the last 20 minutes).
I'm not sure this kind of feature can be implemented with F2B. (?)

A more "usable" use of this feature is when you need to knock on one port to open another one, for example (which I mentioned earlier as one of the protection techniques).


Best wishes, Ivan Zilic.
Last edited by FLYFISH TECHNOLOGIES on Fri Aug 01, 2014 10:13 pm, edited 1 time in total.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

DougieLawson
Posts: 35798
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: Raspberry Pi port forwarding security

Fri Aug 01, 2014 10:12 pm

You may be able to do something by writing your own /etc/fail2ban/action.d/ script. But you're probably going to have to read and understand all of the /usr/share/fail2ban python code.

I'm happy with the basic function of trapping an offender (with the supplied regexes) and adding an iptables rule.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

emgi
Posts: 357
Joined: Thu Nov 07, 2013 4:08 pm
Location: NL

Re: Raspberry Pi port forwarding security

Sat Aug 02, 2014 7:32 am

Hi Ivan,

That for sure is a nice idea, thank you for spending so much time on writing this down.
You are however making one assumption which my setup does not meet: that the router/firewall is also a Linux box.

As I am professionally engaged in networking, I'm using a well-known brand of networking equipment from California, USA (although most of their production is based in Asia 8-) ). When I get thoroughly annoyed with someone I do blacklist the guy, but it's a manual process for now. It is technically possible to do something similar via SNMP or through an ssh session, but I haven't yet bothered to make something like that work.
As my server does not run PHP I'm essentially not vulnerable to these attacks so I can let it go with a smile in the knowledge it is currently them who are wasting their time. 8-)

/emgi

A1i2T3R
Posts: 99
Joined: Sat Apr 13, 2013 1:08 pm
Location: England - Kent

Re: Raspberry Pi port forwarding security

Sat Aug 02, 2014 9:29 am

I'm a noob, but I would think that, providing you don't forward port 22 (for ssh), they can't ssh in. Correct me if I'm wrong.
Enthusiastic pi user, with a hobby for modding everyday objects and using the pi as the brain!

rgrbic
Posts: 128
Joined: Thu Jun 12, 2014 1:07 pm
Contact: Website

Re: Raspberry Pi port forwarding security

Sat Aug 02, 2014 10:03 am

FLYFISH TECHNOLOGIES wrote: Hi,
Let me mention what I mean with just one simple example. There is a page where the visitor can gain 20 minutes of exclusive access to a model train control and observe it via web cam (http://www.flyfish-tech.com/scratch/). This is implemented with ipchains + ipset; the visitor's IP is added to the ipset if it is empty (= nobody applied within the last 20 minutes).
I'm not sure this kind of feature can be implemented with F2B. (?)
Fail2ban is supposed to be just a log file parser which bans suspicious IP addresses (adds them to iptables). However, it can parse the web server log, so you can take the appropriate action when a user requests your web page (ban all others for 20 minutes).
At 127.0.0.1
Twitter: @rgrbic
IoT-projects.com

gkreidl
Posts: 6047
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Raspberry Pi port forwarding security

Sat Aug 02, 2014 10:39 am

A1i2T3R wrote: I'm a noob, but I would think that, providing you don't forward port 22 (for ssh), they can't ssh in. Correct me if I'm wrong.
Yes, of course. But if you are running a web server you usually have to be able to log in via SSH for configuration, maintenance etc.
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: Raspberry Pi port forwarding security

Sat Aug 02, 2014 11:20 am

Hi,
rgrbic wrote:It can parse webserver log so you can make appropriate action when user requests your webpage (ban all other for 20 minutes).
There is always a next 'but'... ;-)
With my current implementation you get a nice text saying that the functionality is currently in use by somebody else (you're not banned, you're just not allowed to use one subpage, and an explanation is displayed).

I guess that with some coding this might also be achieved with F2B (which might not be their planned use case), but then I have doubts whether F2B makes sense - instead of taking basic building blocks and implementing something with them, I'd be adding another layer and then trying to find various custom paths through it... a more risky approach. ;-)

I assume that further discussion might not be interesting for the wider audience. 8-)


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

pluggy
Posts: 3635
Joined: Thu May 31, 2012 3:52 pm
Location: Barnoldswick, Lancashire,UK
Contact: Website

Re: Raspberry Pi port forwarding security

Sat Aug 02, 2014 3:16 pm

I have the router forwarding everything to the Pi and have the Pi firewalled to accept only http from anywhere and ssh only from local IPs. A homebrew script parses the web logs every minute and turns on SSH for a limited time via the firewall to an individual IP address if an obscure web page is accessed. Foxes the Shanghai boys and their scripts.......

Expect several attempted intrusions a day if SSH is open.
Don't judge Linux by the Pi.......
I must not tread on too many sacred cows......
