Keep Fingers Out of your Pi

In my previous article, I explained how to set up the Raspberry Pi as a web server. I also demonstrated searching the log files for “footprints” left by the IP addresses that have made requests to your web server. Now I would like to discuss protecting that web server from becoming the victim of a malicious attack.

Keep your Pi updated!

sudo apt-get update
sudo apt-get dist-upgrade

The first command refreshes the package lists; the second upgrades every installed package, including the raspberrypi-kernel and raspberrypi-bootloader packages that carry the kernel and firmware (dist-upgrade, unlike plain upgrade, will also install the new dependencies a kernel update sometimes needs). Reboot afterwards if a kernel or bootloader package was upgraded.

You will also see this command recommended for updating firmware:

sudo rpi-update

It pulls the latest development kernel and firmware builds and then asks for a reboot. Those builds have not been through the Raspbian release testing, and the Raspberry Pi Foundation describes rpi-update as a tool for trying pre-release firmware rather than for routine updates, so prefer apt unless you need a fix that has not reached the release yet.

Now you’ve got the latest firmware and software!


Pi Passwords

Ideally, we would disable the default pi account; at the very least, change the default password of the pi account, since every Raspbian image ships with the same one and it is the first thing any bot will try. Another major weakness is that most users have SSH (Secure Shell) and VNC (Virtual Network Computing) enabled so that they can log in to their machines remotely. I don’t recommend allowing that kind of access from outside your network when running a publicly exposed web server.

Apache Web Server

If you are serving web content world-wide, you will eventually want some sort of blacklist, or exclusion list, to keep specific IP addresses away from your server. If instead you want to tighten down security and let only a select few in, you’ll need to make some changes.

cd /etc/apache2
sudo cp apache2.conf apache2.conf.bak
sudo vi apache2.conf OR sudo nano apache2.conf

Travel down the file until you reach this section that allows everyone access to your web server from the outside:

<Directory /var/www/>
 Options Indexes FollowSymLinks
 AllowOverride None
 Require all granted
</Directory>

The AllowOverride directive is set to None, meaning we will not be using an .htaccess file to override these settings. The next directive, Require, is set to all granted, meaning anyone may access the directory. Note also Options Indexes: if a directory has no index page, Apache will list its contents to anyone who asks, which on a public server exposes file names you may not want seen; drop Indexes from that line unless you actually want directory listings.

UPDATE: I have found a significant number of bot requests in my log files, snooping for those of us using phpmyadmin; be sure to limit access:

<Directory /usr/share/phpmyadmin/>
    # Apache 2.4 syntax. The Order/Deny/Allow directives are Apache 2.2 and need
    # mod_access_compat; "Order Deny, Allow" with a space is also a syntax error
    # (Order takes exactly one argument) and stops Apache from starting.
    # localhost
    Require local
    # Local-Area Network: adjust to your own subnet
    Require ip 192.168.1.0/24
</Directory>
# check with: sudo apache2ctl configtest && sudo service apache2 reload

Next, we can add a directory that we want to protect:

<Directory /var/www/html/hydroMazing/>
 Options Indexes FollowSymLinks
 AllowOverride All
</Directory>

The AllowOverride directive is set to All, meaning we will be using an .htaccess file to override these settings. We will provide the Require directive in the .htaccess file inside the directory we specified, in this case /var/www/html/hydroMazing/. Until that file exists and Apache has been reloaded, the directory stays as open as its parent. One last setting of importance before we save:

# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess

You could change the name of the .htaccess file here to something harder to guess. Keep the dot at the beginning because it marks a hidden file. One caveat before you use your imagination 😉: Debian’s apache2.conf also contains a FilesMatch block that refuses to serve any file whose name begins with .ht, and that is what stops a visitor from simply downloading your allowlist. If you rename the file, either keep the .ht prefix or extend that FilesMatch to the new name, then check that requesting the file by URL returns 403. Now you can use the .htaccess file as your whitelist, or inclusion list:

To create the .htaccess file (or whatever you’ve named it) in the directory protected above:

cd /var/www/html/hydroMazing/
sudo vi .htaccess OR sudo nano .htaccess

and give it these contents:

# Allow access from localhost
Require ip 127.0.0.1

# Allow access from my cell phone
Require ip 98.97.34.23

The second entry is an example; change it to your own IP address, or to an address your web server logged (see my previous article for instructions on checking your log files). Several Require lines at the same level are combined with OR, so each line adds another permitted address, and together they replace, rather than extend, the Require all granted inherited from /var/www/, which is exactly what makes this an allowlist. Save and close the file, reload Apache (sudo service apache2 reload), and confirm that a request from an address not on the list gets a 403. One caveat: a phone on a mobile network usually has a carrier-assigned address that changes and is shared with other customers, so a phone’s IP is a weak basis for an allowlist. You can add further addresses as desired.

 

Build a Wall

Install the open-source firewall builder

Pop open a terminal from your Raspberry Pi’s desktop and type the following:

sudo apt-get install fwbuilder

After the installation has completed, you will have a new option under the Menu/Internet option from your desktop for the firewall builder GUI.

Add a new firewall and name it the same as your server.


Select the “web server” template to load default rules.

Note that the template’s default rules do not let the server itself initiate connections to the Internet, so once the firewall is loaded, outbound connections such as apt-get update or DNS lookups will fail until you add a rule permitting outbound traffic from the firewall. The easiest way to add a rule is to copy an existing rule that is similar to your needs and adjust it.


Compile and Install

The firewall can be compiled from the GUI, but as an ordinary user you cannot install the generated script under /etc, because you have no permission to write there. Do not work around that with a world-writable file: whatever lands in /etc/fw is a shell script that root executes to load your rules, so chmod 777 would let any local account, www-data included should the web server ever be compromised, rewrite the rules root is about to run. Compile in Firewall Builder (by default the .fw script is written next to your .fwb project file), then copy it into place as root, owned by root and executable only by root, assuming you named the firewall after your DDNS name:

sudo mkdir -p /etc/fw
sudo install -o root -g root -m 700 servername.ddns.net.fw /etc/fw/

Load the rules by running the script (sudo /etc/fw/servername.ddns.net.fw start) and confirm with sudo iptables -L -n that they are active. Restarting the Apache web server does nothing for the firewall, and a reboot only helps once the script is arranged to run at boot, for example from /etc/rc.local.
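An added example (not from the article, and not part of Firewall Builder) that performs the install step without the world-writable file and lets you audit /etc/fw afterwards. It assumes GNU stat, which Raspbian provides, and keeps the article’s file name servername.ddns.net.fw as the thing being installed.

```shell
#!/bin/sh
# Added example, not from the original article or from Firewall Builder: install
# the compiled firewall script safely and check that nothing root executes from
# /etc/fw is writable by anyone else. Uses GNU stat (as on Raspbian).

# fw_script_is_safe FILE: succeed only if FILE is writable by neither group nor others.
# A script root runs at boot must not be modifiable by www-data or any local user;
# chmod 777 would turn a web-server compromise into attacker-controlled firewall rules.
fw_script_is_safe() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case $mode in
        *[2367]?) return 1 ;;   # group write bit set (second digit from the right)
        *[2367])  return 1 ;;   # other write bit set (last digit)
    esac
    return 0
}

# fw_script_is_root_owned FILE: the script must belong to root as well, otherwise
# whoever owns it can rewrite what root executes
fw_script_is_root_owned() {
    [ "$(stat -c '%U' "$1" 2>/dev/null)" = root ]
}

# audit_fw_dir DIR: print every file under DIR that fails either check; succeed if none
audit_fw_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! fw_script_is_safe "$f"; then
            printf 'UNSAFE (writable by group/other): %s\n' "$f"; bad=1
        elif ! fw_script_is_root_owned "$f"; then
            printf 'UNSAFE (not owned by root): %s\n' "$f"; bad=1
        fi
    done
    return $bad
}

# install_fw_script SRC: copy the compiled script into /etc/fw as root:root mode 0700,
# then audit the directory. Run as root from where Firewall Builder wrote SRC.
install_fw_script() {
    mkdir -p /etc/fw &&
    install -o root -g root -m 700 "$1" "/etc/fw/$(basename "$1")" &&
    audit_fw_dir /etc/fw
}

if [ "${1:-}" = "--install" ] && [ -n "${2:-}" ]; then
    install_fw_script "$2"      # e.g. sudo sh fwcheck.sh --install servername.ddns.net.fw
else
    audit_fw_dir "${FW_DIR:-/etc/fw}"   # default action: just audit
fi
```

Run it without arguments now and then (or from cron) to catch a permission slip-up on anything in /etc/fw; with `--install` it does the copy with the right ownership and mode in one step.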

Anything incorrect, missing, or not working?  Please let me know.

Security through Obscurity

 

Security and Obscurity

“In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.”  https://en.wikipedia.org/wiki/Security_through_obscurity

We often rely on security that is really obscurity: “if they don’t know about it, they can’t use it to get in.” A household door lock has only so many key combinations, yet we trust it because a thief standing on the porch trying every one of them, or breaking the door down, would be noticed. On the Internet nobody is watching your front door, so a thief can try every combination unobserved. What you do have is the web server’s access.log, which Apache writes and rotates for you. Let’s start there and see whether anyone has left their “footprints” on your web server.

Is anyone trying to gain access?

If you are running a LAMP setup on a Raspberry Pi, open up a terminal window and type in the following:

cd /var/log/apache2/
zcat -f access.log* | awk '{print $1}' | sort | uniq -c | sort -rn | head -20

The -f flag matters: without it zcat stops at the current, uncompressed access.log with “not in gzip format”, and you only ever see the rotated archives.

 

The output is a list with two columns: the number of requests counted, and the IP address that made them. An easy way to find out where an address is located and who owns it is to query ipinfo.io:

curl ipinfo.io/REPLACE.WITH.IP.ADDRESS.TO.LOOKUP


Rather than rely on an external web service, you can do some digging after you install some tools that are not included by default with the Pi:

sudo apt-get install geoip-bin
geoiplookup IP.ADDRESS

Here is a good article on using geoiplookup.  Even more advanced digging not included by default with the Pi:

sudo apt-get install dnsutils
dig -x IP.ADDRESS

Does the location seem suspicious? Grep for that address’s activity; zgrep searches the compressed, rotated logs along with the current one, and -F treats the address as a literal string so its dots are not regex wildcards:

zgrep -F 'IP.ADDRESS' access.log*

By looking at the web requests made from that IP address, you can judge whether the activity is suspicious. Typically these addresses belong to bots probing for known holes: requests for phpmyadmin and other paths that do not exist on your server are the giveaway. You can add such addresses to your blacklist one by one, or deny everyone and allow only select addresses. If you haven’t already, you’ll want to install and set up a firewall.
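The following is an added example, my own script rather than anything from the article, that strings the checks above together: it counts requests per address, pulls out the phpMyAdmin probes, and prints the addresses as Apache 2.4 rules, either an exclusion list for the flagged addresses or Require ip lines for the addresses you recognise from the log, as the .htaccess section earlier suggested. The sample log lines are constructed (RFC 5737 documentation address ranges), and the probe pattern is an assumption covering only the phpMyAdmin paths the article mentions.

```shell
#!/bin/sh
# Added example, not from the original article: triage Apache access logs and turn
# what you find into Apache 2.4 access rules. The log lines in write_sample_log are
# constructed for this example, and PROBE_RE is an assumption (phpMyAdmin paths only).

# lower-cased regex applied to the request path (field 7 of the combined log format)
PROBE_RE='(^|/)(phpmyadmin|pma|myadmin)(/|$)'

# readlog FILE...: plain and gzip-rotated logs alike; gzip -dcf passes plain text through
readlog() {
    if command -v gzip >/dev/null 2>&1; then gzip -dcf "$@"; else cat "$@"; fi
}

# top_ips FILE...: requests per client address, busiest first (count, then IP)
top_ips() {
    readlog "$@" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# probe_requests FILE...: every log line whose request path matches PROBE_RE
probe_requests() {
    readlog "$@" | awk -v re="$PROBE_RE" 'tolower($7) ~ re'
}

# flagged_ips FILE...: unique addresses that sent at least one probe
flagged_ips() {
    probe_requests "$@" | awk '{ print $1 }' | sort -u
}

# allow_block IP...: .htaccess allowlist; Require lines at one level are OR-ed together
allow_block() {
    for ip in "$@"; do printf 'Require ip %s\n' "$ip"; done
}

# deny_block FILE...: exclusion list for a <Directory> section, built from the logs
deny_block() {
    printf '<RequireAll>\n    Require all granted\n'
    flagged_ips "$@" | while read -r ip; do printf '    Require not ip %s\n' "$ip"; done
    printf '</RequireAll>\n'
}

# write_sample_log FILE: constructed sample data standing in for /var/log/apache2/access.log
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.9 - - [04/Nov/2016:09:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Nov/2016:09:01:03 +0000] "GET /pma/index.php HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Nov/2016:09:01:04 +0000] "GET /myadmin/ HTTP/1.1" 404 498 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2016:09:05:00 +0000] "GET /hydroMazing/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Linux; Android 7.0)"
198.51.100.7 - - [04/Nov/2016:09:05:01 +0000] "GET /hydroMazing/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0)"
192.168.1.20 - - [04/Nov/2016:09:10:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.77 - - [04/Nov/2016:09:12:00 +0000] "GET /PhpMyAdmin/scripts/setup.php HTTP/1.1" 404 498 "-" "python-requests/2.9"
EOF
}

# Usage: sh logtriage.sh /var/log/apache2/access.log*   (no arguments: constructed sample)
if [ $# -eq 0 ]; then
    SAMPLE=$(mktemp); write_sample_log "$SAMPLE"; set -- "$SAMPLE"
fi
echo "== requests per IP =="; top_ips "$@" | head -20
echo "== probe requests =="; probe_requests "$@"
echo "== exclusion list for apache2.conf =="; deny_block "$@"
echo "== allowlist for .htaccess (addresses you recognise) =="; allow_block 127.0.0.1 198.51.100.7
if [ -n "${SAMPLE:-}" ]; then rm -f "$SAMPLE"; fi
```

The exclusion list is meant to be pasted into a <Directory> section in apache2.conf; in Apache 2.4 a deny list has to be wrapped in RequireAll, because bare Require lines are OR-ed and “Require not” on its own can never grant anything. The allowlist is the same shape as the .htaccess file above, so the matching step stays with you: an address should only go in it because you know who it is, not because it appeared in the log.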

hydroMazing Connected


Plants don’t need access to the Internet to grow.

So what can a Raspberry Pi 3 with built-in WiFi and bluetooth do for hydroMazing?  A connected hydroMazing can let us know what is going on inside our garden through a web-interface, email, or even, text-messaging.

 


Over the years, I’ve come across UNIX and then Linux environments through previous employers, so the Raspberry Pi’s default Raspbian OS is familiar to me.  By default, there is a graphical windows interface so that the user isn’t left alone in the darkness of the command-line.

 


The hydroMazing system uses nRF modules for wireless communication, which offer long transmission distances. The software running on the Arduino microcontroller manages “sensor” objects and “appliance” objects, transmitting to and receiving from the controller, which uses a preconfigured decision tree to turn wireless AC outlets on and off.

A little Internet research led me to adding communication with the nRF24L01 wireless radio transceivers that I’ve used for the hydroMazing Controller and the hydroMazing Monitor. Using some open-source libraries for nRF devices, I was happy to find I could reuse some of my Arduino C code to compile on the Raspberry Pi. The biggest challenge I had was finding datatypes that both the Arduino and the Raspberry Pi would agree upon. After much trial and error, I was able to get my C program to listen for incoming transmissions and then write that data out to a few files. First, a log file that captures all communications between the Pi and the hydroMazing Monitor. Next, I have the program write out the current state of all sensor objects and a file for all of the appliance objects. When an alert occurs, the program will create a file containing that alert.

I then added a PHP script to read in the data objects from their respective files and display them live on the Pi’s Apache server.

 


 

 

Next, I wrote a Python script to check the directory for the alerts file and, if it exists, read the file, parse out the pertinent information and then email or text (SMS) the user. In addition to sending an email or text alert, the Python script moves the alert file into position for the PHP script to read and display.

Using the log files that are created, I am able to import the data into a database.  Once the hydroMazing’s data is recorded into a database residing on the Raspberry Pi we can start performing analytics and generate some reports.

The hydroMazing controller is designed to operate ventilation fans for air circulation, water pumps, occasionally a humidifier, heaters, or any other appliance that is necessary to maintain an ideal environment for plants to grow.  Monitoring and controlling the system is mostly done for us, but when the hydroMazing needs to alert us to a problem it can now by using the Raspberry Pi.

Check out my article on Instructables: Private Web Serving With the Raspberry Pi