Online Security

[mickjazz]

Hi Everyone,
please forgive what will seem like a very naive question to many of you, but I am a complete rookie with the Pi world.
I have just purchased a Raspberry Pi3, and for now I want to use it as a computer for online browsing/surfing. Could anyone advise me about online security - i.e. is it safe to do online purchases from websites and/or even online banking?! - or is there something I need to download etc?

Any advise will be gratefully received

Many thanks
Mickjazz.

[darkbibble]

first thing to do to secure a pi is to change the root password, as it the same password on all pi's.

[mthomason]

You're already safer on *Nix than on a Windows PC, due to security by obscurity - hackers tend to target the widest possible audience of victims. Not only that, but as an ARM device it isn't going to be executing any i386 malware code.

You're also safer because of the isolated user security (somewhat equivalent to Windows UAC which people, unfortunately, seem to love turning off to run everything as a local administrator rather than figuring out what the individual application needs to do - although I still place a lot of the blame on Windows software authors for most of that for insisting on writing things that need to write to places the end user has no place writing to... but, I digress!)

All of that said, don't go assuming you don't need antivirus whatsoever. Install something like ClamAV, although - and I'm sure I'll get some arguments here - you're probably safe not running anything in the background, just a scheduled check and a manual scan of anything you download.

Look at something like UFW as a firewall. Shutting down access to ports you're not expecting traffic on is never a bad idea.

(and purely coincidental thanks to Ron Nutter for the site linked above, I googled both pieces of software for Pi tutorials and his site came up first for both searches)

[rpdom]

first thing to do to secure a pi is to change the root password, as it the same password on all pi's.

There is no root password. You can't log in as root unless you set one.

You need to change the password for the "pi" user if you have the ssh port open and pointed to the Pi on your router, but it is probably a good idea to change it anyway.

[Heater]

rpdom,

There is no root password. You can't log in as root unless you set one.

True. But there might as well be.

But out of the box a Pi has a user set up with a default password. That user can us sudo. Effectively the default user password is a root password.

So first order of the day is to create a new user account, remove the pi user, be sure not to have sudo enabled and use a strong password.

Mind you I have never done that. I have heard rumour that using a new user account can cause issues on Raspbian. I have no idea why that would be.

It's interesting to see how many login attempts are made over ssh for user pi everyday here.

[JumpZero]

Shutting down access to ports you're not expecting traffic on is never a bad idea.

By default unused ports are closed, unless you have open some.

[Rive]

I use clamav and clamtk

Code: Select all

sudu apt-get install clamav
sudo apt-get install clamtk
sudo /etc/init.d/clamav-freshclam stop
sudo freshclam -v
sudo /etc/init.d/clamav-freshclam start

update:
https://www.clamav.net/downloads/produc ... 9.2.tar.gz


Be sure to schedule automatic updates and daily scanning

[ejolson]

first thing to do to secure a pi is to change the root password, as it the same password on all pi's.

Making sure you have secured all the root and user accounts with strong passwords is great advice before connecting any Pi to the internet. After that, the risks of using a Pi are not much different than any other computer. In particular, all web browsers employ the same encryption system for online transactions.

As mentioned, the Pi is (literally) a smaller target for criminals, so is less likely to be targeted. At the same time, your knowledge about security, the computer and how to use it helps more to prevent your banking credentials from being stolen than anything else. Along those lines, keeping software up to date using

Code: Select all

$ apt-get update; apt-get upgrade

and a well configured firewall are both good ideas.

At the same time, anti-virus software can give a false sense of security which may result in usage patterns that render your banking credentials less secure. Moreover, when run once a day as an intrusion detection system, it will only inform you of a security breach after the fact.

Note that no advice, including what I and others have mentioned above, can guarantee your banking credentials will be safe when using a Raspberry Pi.

[Heater]

I think a bigger risk is that some tea leaf will steal you Pi and hence have all your credentials.

[mthomason]

Shutting down access to ports you're not expecting traffic on is never a bad idea.

By default unused ports are closed, unless you have open some.

The problem being, of course, that malware might open some. Therefore it's more secure to firewall everything off and only open (in the firewall) the ones you know you need.

[markatlnk]

I have been using a Pi 2 as a server on the internet for several months. It is connected with a static IP address and 100Mb up and down pipe. I flipped the root partition to a 500 gig hard drive so the SD card is just used for /boot. It serves a Wordpress blog for me to post photos on as well as postfix and dovecot for a full email system.

For security, I removed the pi ID and use strong passwords. Watching the access logs, I get login attempts from robots all over the world but haven't been hacked yet. I do keep everything up to date and also use Wordfence plugin on the WP blog. It wouldn't be that tragic at this point if someone crashed the full system, I do keep backups. The amusing thing is the number of attacks. For awhile, I was getting attempts every 15 seconds or so. Not sure what it is now.

The important thing is to play with it, try things, even break it now and then. That is how you learn stuff.

Mark

[mickjazz]

Thank you all for your advice and suggestions - very kind of you all.
I'll see what I can manage/get working.
Cheers
Mickjazz