Keep Fingers Out of your Pi

In my previous article, I explained how to set up the Raspberry Pi as a web server. I also demonstrated searching the log files for “footprints” left by the IP requests made to your web server. Now I would like to discuss protecting your web server from becoming the victim of a potentially malicious attack.

Keep your Pi updated!

sudo rpi-update

The command will automatically update the Raspberry Pi’s firmware and then ask for a reboot.  If your Pi is already up-to-date, then you can continue with:

sudo apt-get update
sudo apt-get upgrade

Now, you’ve got the latest and greatest firmware and software!!


Pi Passwords

Ideally, we would disable the default pi account; at the very least, change the default password for the pi account. Another major insecurity is that most users have SSH (Secure Shell) and VNC (Virtual Network Computing) enabled so that they can remote into their machines. I don’t recommend allowing that access from outside your network when running a publicly exposed web server.

Apache Web Server

If you are serving web content world-wide, then you’ll eventually want to adopt some sort of blacklist, or exclusion list, to keep specific IP addresses from accessing your server. However, if you want to tighten down your security and only allow a select few access, then you’ll need to make some changes.

cd /etc/apache2
sudo cp apache2.conf apache2.conf.bak
sudo vi apache2.conf OR sudo nano apache2.conf

Travel down the file until you reach this section, which allows everyone from the outside access to your web server:

<Directory /var/www/>
 Options Indexes FollowSymLinks
 AllowOverride None
 Require all granted
</Directory>

The AllowOverride directive is set to None, meaning we will not be using an .htaccess file to override these settings. The next directive, Require, is set to all granted, meaning anyone is allowed access.

UPDATE: I have found a significant number of bot requests in my log files snooping for those of us using phpMyAdmin; be sure to limit access:

<Directory /usr/share/phpmyadmin/>
 # Apache 2.2-style access control; on Apache 2.4 these directives need
 # mod_access_compat (the Require form used elsewhere in this article is the 2.4 equivalent)
 Order Deny,Allow
 Deny from All
 # localhost
 Allow from 127.0.0.1
 # Local-Area Network (replace x.x with your own subnet)
 Allow from 192.168.x.x
</Directory>

Next, we can add a directory that we want to protect:

<Directory /var/www/html/hydroMazing/>
 Options Indexes FollowSymLinks
 AllowOverride All
</Directory>

The AllowOverride directive is set to All, meaning we will be using an .htaccess file to override these settings. We will provide the Require directive in our .htaccess file inside the directory we specified, in this case “/var/www/html/hydroMazing/”. One last setting of importance before we save:

# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess

You could change the name of the .htaccess file here to something harder to guess. Keep the dot at the beginning, because it marks a hidden file. Use your imagination 😉 Now you can use the .htaccess file as your whitelist, or inclusion list.

To create the .htaccess (or whatever you’ve named it) file:

cd /var/www/html/mydirectory/
sudo vi .htaccess OR sudo nano .htaccess

and enter the following:

# Allow access to localhost
Require ip 127.0.0.1

# Allow access to my cell phone
Require ip 98.97.34.23

The second entry is an example; change it to your IP address, or to an IP address that your web server logged. See my previous article for instructions on checking your log files. Save and close the file. You can add additional entries as desired.
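As an added example that is not from the original article, here is an Apache 2.4 access file that combines the inclusion list above with an exclusion list, followed by the apache2.conf change you need if you rename the access file. All addresses and the file name are placeholders; replace them with your own.

```apache
# --- /var/www/html/hydroMazing/.htaccess (or the name set by AccessFileName) ---
# Top-level Require lines are OR'd. Nesting them in RequireAll/RequireAny makes
# the intent explicit and lets an exclusion list sit beside the inclusion list.
<RequireAll>
    <RequireAny>
        # localhost
        Require ip 127.0.0.1
        # home LAN (placeholder subnet)
        Require ip 192.168.1.0/24
        # one outside address, e.g. a phone seen in the access log (placeholder)
        Require ip 198.51.100.23
    </RequireAny>
    # exclusion list: a host inside an allowed range that must still be refused
    Require not ip 192.168.1.50
</RequireAll>

# --- apache2.conf: only needed if you rename the access file ---
# Debian's stock apache2.conf refuses to serve any file whose name starts
# with ".ht". A renamed access file must be covered too, otherwise a permitted
# client can fetch it and read your whitelist.
AccessFileName .accesslist
<FilesMatch "^\.(ht|accesslist)">
    Require all denied
</FilesMatch>
```

Apache comments must sit on their own lines; a `#` after a directive on the same line is read as an argument and breaks the configuration.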


Build a Wall

Install the open-source firewall builder

Pop open a terminal from your Raspberry Pi’s desktop and type the following:

sudo apt-get install fwbuilder

After the installation has completed, you will have a new option under the Menu/Internet option from your desktop for the firewall builder GUI.

Add a new firewall and name it the same as your server.


Select the “web server” template to load default rules.

Note that the default rules restrict your server from accessing the outside Internet.  In order to allow access, you’ll need to add a rule.  The easiest way to add a rule is to copy an existing rule that is similar to your needs.


Compile and Install

We can build our firewall through this interface, but we won’t be able to install it because we won’t have sufficient permissions to write to the file system.  Enter the following at a terminal window’s command line assuming you named your server the same as your DDNS name:

sudo mkdir /etc/fw
sudo touch /etc/fw/servername.ddns.net.fw
sudo chmod 777 /etc/fw/servername.ddns.net.fw

Now you should be able to use the Firewall Builder program to compile and install the firewall. You can either restart the Apache web server or simply reboot.
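The chmod 777 above makes the compiled firewall script world-writable even though it is later executed as root. As an added example, not from the original article, this script creates the same output file with least privilege: owned by the desktop user who runs fwbuilder (assumed to be SUDO_USER when run via sudo), mode 0640, with a check you can run before installing.

```shell
#!/bin/sh
# Added example (not from the original article): create the Firewall Builder
# output file with least privilege instead of chmod 777. The compiled script is
# later run as root, so only its owner (the desktop user running fwbuilder)
# should be able to write to it.
# Assumption: run with sudo from the desktop user, so SUDO_USER names that user;
# directory and file name follow the article's /etc/fw/servername.ddns.net.fw.

prepare_fw_file() {
    dir="$1"
    name="$2"
    owner="${SUDO_USER:-$(id -un)}"   # user who will run the fwbuilder GUI

    mkdir -p "$dir"
    chmod 0755 "$dir"                  # only root may add or remove entries
    touch "$dir/$name"                 # the file fwbuilder will write to
    chown "$owner" "$dir/$name"
    chmod 0640 "$dir/$name"            # owner rw, group r, others nothing
}

# Returns 0 when neither group nor others can write to the file: the check to
# run before root executes anything from /etc/fw.
fw_file_is_safe() {
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        *[2367])  return 1 ;;          # others-writable
        ?[2367]?) return 1 ;;          # group-writable
    esac
    return 0
}

# Usage on the Pi:  sudo sh prepare_fw.sh --run
if [ "${1:-}" = "--run" ]; then
    prepare_fw_file /etc/fw servername.ddns.net.fw
    fw_file_is_safe /etc/fw/servername.ddns.net.fw && echo "output file ready"
fi
```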

Anything incorrect, missing, or not working?  Please let me know.

The Making of hydroMazing


It was two years ago when I decided to try using an Arduino Uno microcontroller to replace my individual Lux WIN100 Heating & Cooling Programmable Outlet Thermostats. These outlets control an appliance, such as a small heater or, in this case, a ventilation fan. A device plugged into the outlet is turned on and off according to temperature settings that you manually program into each unit. This technique for controlling the ventilation fans is effective, yet uses several extension cords. The temperature outlet controllers use old-fashioned relays to switch the state of the device. My initial attempt was to hack an extension box, inserting my own relays into it and connecting them to the Arduino Uno. It wasn’t very long before there was a mess of wires with lots of connector nuts, and I was left feeling discouraged.

A home automation idea that I had bouncing around in my head for a while was to use wirelessly controlled AC outlets that come with a hand-held remote control. Hacking the remote control to send the signal for the ON or OFF button, selected by a corresponding pin on the Arduino Uno, shouldn’t be too difficult, right? The nagging concern that was preventing me from testing this idea was the fear that the signal would not be reliable and the Uno might “think” it had turned on a device when it actually failed. Eventually, I was able to convince myself that the best way to find out is to just try and see what happens. Unfortunately, the results of this test weren’t much better than the relay attempt.

A search on the web for nearly any sensor or electronic doo-dad with “Arduino” will result in a number of products being sold for a few bucks. In this case, I found the 315 MHz and 433 MHz transmitter and receiver pairs that are within the frequency range of most commercial wirelessly controlled outlets. The greatest advantage to using the Arduino family of microcontrollers for these types of projects is that you can find open-source software to get started. Another web search followed, this time for an “Arduino library” for the transmitter and receiver (tx/rx) pair. Now it was getting exciting for me. I could read the codes coming out of the remote control, record them, and then program the Arduino to control the corresponding outlets. Designing the software to operate on the Arduino Uno became the challenge. The examples that come with the Arduino software and the examples included with libraries are an excellent start to a project. In my experience, once you start combining and making modifications to the examples, it doesn’t take very long before you hit a wall. I don’t think I’m a good programmer; I think I’m a stubborn perfectionist.

In one of my favorite books, Zen and the Art of Motorcycle Maintenance, the author, Robert Pirsig, speaks of the gumption trap. Essentially, the gumption trap is an event or mindset that can cause a person to lose enthusiasm and become discouraged from starting or continuing a project. Knowing when to push through the discomfort and frustration, and when to take a break and walk away from the project, are personal challenges. There have been times when, if I had taken a break, I might not have come up with an excellent solution to a conflict in my source code. Conversely, there have been times when I have walked away for a month and worked on a completely different type of project, returning reinvigorated. Perhaps, if the project is important enough, we will be compelled to return to work on it. The trap is convincing ourselves that the project isn’t worth returning to even when it could be amazing. Maybe it really isn’t worth returning to complete, and this is where many projects end.


The software I have developed has been programmed into the microcontroller and features a set of base parameters for timing, managing, transmitting, and receiving “sensor” objects and “appliance” objects.  Control of appliances is achieved through a set of algorithms I have named “TheDecider,” which makes decisions based on sensor readings and pre-programmed thresholds and prompts the microcontroller to turn on or off the wirelessly controlled outlets.  I wanted the system to be easily modified to work with other environments including aquaponics, growing mushrooms, and anything where control is achieved by reading sensors and operating appliances based on programmed rules.


The wirelessly controlled outlets proved to be a reliable method of controlling the fans, using the Arduino to send the signals depending on the temperature sensor’s readings. It didn’t take long for the source code to evolve into a beast. The Arduino family of microcontrollers is limited in how many instructions it can run, and hitting the program size limit doesn’t take very long when you want to control more than a few blinking LEDs. I have found that the size limitation has forced me to write better, more efficient code than I initially do. Even with creative variable handling and custom libraries, eventually there is a need for another microcontroller or to move to a larger one. There are several ways that the microcontrollers can communicate with each other. The least expensive wireless method I could find is the nRF24L01 wireless radio transceiver. The module is a low-power, lightweight variety of bluetooth, giving hydroMazing the ability to communicate with a monitoring unit.

I decided to add another Arduino Uno with a Liquid Crystal Display shield so that I could display what the sensors were reading and the state of the appliances.

I made my own open and adaptable platform that can be custom tailored to a wide variety of gardening needs and conditions, yet is also a self-contained wireless system. The open architecture of the system allows for ease of integrating Internet connectivity and web services.

hydroMazing outside the box

Today, the project I named hydroMazing uses a listening Raspberry Pi for logging and for communicating via email and text messaging. In addition to the main system, I have further developed hydroMazing to include solar-powered ‘nodes’, offering even greater flexibility to scale in size and accommodate outdoor gardens and industrial greenhouses.