Hi,
Something I do sometimes is make things with web UI's only accessible
from localhost - E.G. only from the Pi or whatever device is serving
them. That way the only way of accessing them is to connect to the
device over SSH and tunnel your connection through it.
This is especially useful if you're dealing with something that
incists on sending credentials over HTTP.
Cheers,
Ben.
On 12/12/16, Mike Ray <mike@xxxxxxxxxxxxxxx> wrote:
===========================================================
Maybe I should write a 'security tips for your Pi' page for the site.
With your permission Tim I'll use your post below as the basis for this.
Mike
On 12/12/2016 03:29, Tim Chase wrote:
On December 10, 2016, Tom Fowle wrote:
In reading up on ssh, some have mentioned that leaving ssh enabled
on the pi, and presumably on any computer, can pose a security risk.
Any opinions on how seriously such should be taken?
Can someone outside one's local network get into a computer on that
local network with just a password?
Depends on the threat model and your local network configuration.
If your router doesn't forward external (WAN) traffic to port 22 of
your RPi, the only threat is internal. If something is compromised
on your local network (which these days could be your toaster,
refrigerator, or your phone if you've got smart home), it could jump
to your RPi if you leave things open.
If your router *does* forward a WAN port to your RPi, you'd want to
take greater security measures.
A couple of things I'd recommend either way (but especially if your
RPi is accessible from the internet bad-lands):
1) change your port number from the default port 22. Reading the logs
of my internet-exposed server, I see a regular barrage of probes on
my SSH port trying to get in and try various common
username/password combinations. You can either just remap some
non-22 port externally to the internal port (this would let you use
the standard port on your local network, but access it via your
non-standard port when you're remote), or you can change external
port *and* the internal port. I personally use a non-standard port
externally but the standard port internally. To do this, change
your /etc/ssh/sshd_config file and search for a line that reads "Port
22" and set it to your desired port number, uncommenting it by
removing the hash at the beginning if needed. For example, you can
change it to port 2345 with
sed -i '.bak' '/^ *[Pp][Oo][Rr][Tt]/d;$aPort 2345' /etc/ssh/sshd_config
which will delete any existing Port line and append a line at the
bottom specifying "Port 2345", leaving the
original backed up as /etc/ssh/sshd_config.bak
2) Don't permit root login. Again, edit the /etc/ssh/sshd_config
file and add/edit it to contain the line
PermitRootLogin no
This way, you have to log in as a user and then "su" or "sudo" to use
your root powers.
3) Change the default password for the "pi" user or whichever login
you use. The "passwd" command will prompt you for your old password
and then prompt twice for your new password.
4) Change "sudo" so that it requires a password. Some systems have
this as the default, while others default to allowing you to sudo
without a password for any command. To do this, you want to change
either
/etc/sudoers
or possibly a file like "01local" in
/etc/sudoers.d/
to remove the "NOPASSWD" flag from your account. I'm of the school
that, if I want to do something requiring root powers, I should have
to type a password to authenticate my authority. I've got a couple
small exceptions (and they're NOPASSWD'ed on a per-command basis,
such as 'iftop'), but I never want wide-open root access without
typing in a password.
Finally, if you want to get really locked down, you can forego
password authentication and use a public/private key-pair for
authentication. You'd put your public SSH key on in your
~/.ssh/authorized_keys file on the RPi and then disable password
login in your /etc/ssh/sshd_config file. I don't usually go this
far, but it's one more thing you can lock down if you feel the need.
-tim
===========================================================
The raspberry-vi mailing list
Archives: //www.freelists.org/archives/raspberry-vi
Administrative contact: <mike.ray@xxxxxxxxxxxxxx>
-----------------------------------------------------------
Raspberry Pi and the Raspberry Pi logo are trademarks of the Raspberry Pi
Foundation.
This list is not affiliated to the Raspberry Pi Foundation and the views
and attitudes expressed by the subscribers to this list do not reflect
those of the Foundation.
Mike Ray, list creator, January 2013
--
Michael A. Ray
Analyst/Programmer
Witley, Surrey, South-east UK
Eyes-free Linux:
http://eyesfreelinux.ninja/
Raspberry VI:
http://www.raspberryvi.org/
===========================================================
The raspberry-vi mailing list
Archives: //www.freelists.org/archives/raspberry-vi
Administrative contact: <mike.ray@xxxxxxxxxxxxxx>
-----------------------------------------------------------
Raspberry Pi and the Raspberry Pi logo are trademarks of the Raspberry Pi
Foundation.
This list is not affiliated to the Raspberry Pi Foundation and the views and
attitudes expressed by the subscribers to this list do not reflect those of
the Foundation.
Mike Ray, list creator, January 2013
