IMPORTANT: Security Issues


Howard Nurse, W6HN
 

Be sure to change all default usernames and passwords for RigPi BEFORE you set up port forwarding to open it to the Internet.  

If you don’t, anyone can access important and sensitive areas of RigPi unbeknownst to you.  This is extremely important!

Instructions for doing this are provided in RigPi Help.

73, Howard W6HN 


Larry
 

Hello,

As Howard stated, it's very important to properly secure your RigPi with a strong password prior to exposing it to the Internet.

I checked my router logs every day, and I found that yesterday someone in Bulgaria tried to access my RigPi.  Fortunately I had my RigPi disconnected from the Internet, so the intruder didn't gain access to anything.  Please make sure that you properly secure your RigPi prior to opening ports on your router!

73,

Larry
K0LEJ


Larry
 

Hi Harold,

This is good advice, and something I too recommend.

For some time I have used Gibson Research's Shields Up (www.grc.com)
to make sure my router(s) ports were not open. The only issue I have
with Shields Up is that it only scans the first 1056 ports rather than
all the ports, but they claim the first 1023 ports are the most likely
to be attacked.

73,

Larry
K0LEJ

On Fri, May 31, 2019 at 6:57 PM Harold Rosee <wa5zzt@...> wrote:

Larry,

Howard has also suggested you translate port 80 to something else in your router. Port 80 is widely used to try and hack into a system.

Harold

________________________________
From: RigPi@groups.io <RigPi@groups.io> on behalf of Larry <k0lejham@...>
Sent: Friday, May 31, 2019 1:36 PM
To: RigPi@groups.io
Subject: Re: [RigPi] IMPORTANT: Security Issues



Doug Rea
 

Hey Harold,
What is meant by “translate port?”

Doug
KX4IB


Larry
 

Hi,

For those who may not know, you specify a port in a Web URL by adding
a colon followed by the port number to the end of the TCP/IP address.
For example, let's say your external IP address is 172.217.3.174 (this
happens to be a Google IP that I'm using as an example), and you have
Port 8080 forwarded to a local device at 192.168.0.102, you would use
the following URL:

http://172.217.3.174:8080

Assuming you have the port forward configured in your router, the
Internet traffic coming in on Port 8080 would then be sent to Port 80
on your 192.168.0.102 internal device (RigPi, for example).

73,

Larry
K0LEJ

On Fri, May 31, 2019 at 9:18 PM Harold Rosee <wa5zzt@...> wrote:

You use port 80 routed to your RigPi when you set up port forwarding. In your router, where you set this up, you can specify an outside port: a number that is not used and not common. That is now what the port number looks like to the outside world. Let's say you used 4700. Then when you log into your RigPi from the outside world (non-wifi) you would specify 4700 when you connect from a browser. When it hits your router it will forward that request to port 80.

Port 80 is used by a lot of hackers to get in and wipe your system out. When you port forward they can't get to Port 80 now because you don't have it open to the internet. Instead 4700 is open, but no one would know that. If they tried 80 it would get rejected and not let them in.

Does that make sense? We also need to put a password in your admin account. I can't remember if we did that or not. Call me over the weekend and I'll take a look. I may be able to help you with the port forwarding if you can't figure it out by then.

Harold
W5ZZT

________________________________
From: RigPi@groups.io <RigPi@groups.io> on behalf of Doug Rea <Douglasrea@...>
Sent: Friday, May 31, 2019 9:09 PM
To: RigPi@groups.io
Subject: Re: [RigPi] IMPORTANT: Security Issues



Joe NE2Z
 

It is HIGH risk to allow ANY Internet address to initiate a connection and be port forwarded by your consumer router
to a device internally such as the RigPi.

Ideally you want to limit the Internet addresses to a static IP, a specific dynamic DNS name, or the GeoIP space that you typically
travel within. Advanced topics one should investigate.

An advanced topic would be remote VPN setup using OpenVPN with a consumer router that supports it.

For what it's worth,

- Joe, NE2Z 
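To make the two mechanisms discussed in this thread concrete (Larry's and Harold's external-port translation, e.g. 8080 or 4700 forwarded to port 80 on the RigPi, and Joe's point that the source addresses allowed to connect should be restricted), here is an added toy model of a router's forwarding policy replayed over a few constructed log lines. It is an illustration written for this page, not RigPi code or any router's firmware; the forward table, the allowlist range (203.0.113.0/24) and the prober address (198.51.100.77) are constructed documentation values, and 172.217.3.174 is the example external address used earlier in the thread. The point it shows is that a translated port alone only hides the service, while the allowlist is what actually drops a stranger who has found the port.

```python
"""Toy model of the router policy discussed above: an external port translated to an
internal host/port plus a source-address allowlist, evaluated over constructed router
log lines. Added illustration only; not RigPi or router code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical forward table: external (WAN) port -> (internal host, internal port).
FORWARDS: Dict[int, Tuple[str, int]] = {8080: ("192.168.0.102", 80)}

# Sources allowed to reach a forwarded port. 203.0.113.0/24 is a documentation range
# standing in for "the static IP you operate from" (constructed value).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Decision:
    src: str
    ext_port: int
    action: str            # "forward" or "drop"
    reason: str
    target: Optional[Tuple[str, int]] = None


def is_allowed(src: str) -> bool:
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def decide(src: str, ext_port: int) -> Decision:
    """Apply the two checks a WAN-side connection must pass before being forwarded."""
    if ext_port not in FORWARDS:
        # Port 80 itself is not open on the WAN side, so a probe of 80 is rejected.
        return Decision(src, ext_port, "drop", "no forward rule for port")
    if not is_allowed(src):
        # Knowing the translated port is not enough from a source outside the allowlist.
        return Decision(src, ext_port, "drop", "source not in allowlist")
    return Decision(src, ext_port, "forward", "allowed", FORWARDS[ext_port])


# Constructed log lines in a netfilter-style format (SRC=... DPT=...).
# 198.51.100.77 is a documentation address standing in for an unknown prober.
SAMPLE_LOG = [
    "Jun 14 19:47:01 router kernel: [WAN-IN] IN=eth0 SRC=203.0.113.5 DST=172.217.3.174 PROTO=TCP DPT=8080",
    "Jun 14 19:52:13 router kernel: [WAN-IN] IN=eth0 SRC=198.51.100.77 DST=172.217.3.174 PROTO=TCP DPT=80",
    "Jun 14 19:52:14 router kernel: [WAN-IN] IN=eth0 SRC=198.51.100.77 DST=172.217.3.174 PROTO=TCP DPT=8080",
    "Jun 14 20:01:40 router kernel: [WAN-IN] IN=eth0 SRC=203.0.113.5 DST=172.217.3.174 PROTO=TCP DPT=22",
]

LOG_RE = re.compile(r"SRC=(\S+) .*DPT=(\d+)")


def review(lines: List[str]) -> Dict[str, object]:
    """Replay log lines through decide() and summarise them, as a daily log check would."""
    decisions = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            decisions.append(decide(m.group(1), int(m.group(2))))
    # Any source outside the allowlist is worth a second look, whatever port it hit.
    unknown = sorted({d.src for d in decisions if not is_allowed(d.src)})
    return {
        "forwarded": sum(d.action == "forward" for d in decisions),
        "dropped": sum(d.action == "drop" for d in decisions),
        "unknown_sources": unknown,
        "decisions": decisions,
    }


if __name__ == "__main__":
    for d in review(SAMPLE_LOG)["decisions"]:
        dest = f" -> {d.target[0]}:{d.target[1]}" if d.target else ""
        print(f"{d.src:>15} -> :{d.ext_port:<5} {d.action:7} {d.reason}{dest}")
```

Run as a script it prints one line per log entry; only the allowlisted source hitting the translated port is forwarded, the probe of port 80 is dropped because nothing is forwarded there, and the same prober hitting 8080 is dropped by the allowlist. On a real consumer router the equivalent is a source-IP restriction on the port-forward rule, where the firmware offers one.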


Les
 

I have been trying to create a write-up on VPN, but keep getting distracted.  I strongly agree that we should be encouraging this, rather than willy-nilly forwarding.  

VPNs are getting lots of press as tools to hide your personal information, and sometimes to conceal your questionable searches.  That's simply an application of VPNs, rather than their sole purpose. 

Terminology:

A "Private Network" is a purpose-engineered data circuit from point A to point B, like a dedicated phone line from a company headquarters to a branch office.  It is totally separate from the Internet.   The only data seen on that circuit belongs to the company, and nobody else can see it or mess with it.  The company doesn't have to define what ports are used, as ANYTHING shoved into one end of this "tunnel" pops out the other end.  It's expensive and assumes that the branch office is less mobile than we might be.

A VPN is a VIRTUAL Private Network, which is constructed between two points on the Internet. Its data is just as private and invisible to everyone else as is the data in a REAL private network, thanks to the wonders of encapsulation and encryption. Our remote shack application is a perfect use for this tool.

For us, one endpoint of our tunnel is in the router where our rig lives.  Most modern home-and-business routers support OpenVPN, which is an open source implementation of VPN.  The other end is our operating location.  That endpoint could be a router, or even just the client PC or smartphone we use for VNC and VOIP.  My mobile endpoint is the 4G/LTE router in my RV.  Any device on the wifi in my trailer can see right through the tunnel to my network at home where computers, NVR, DVR, home automation, printers, and mass storage are located.  If you use a client-based VPN (rather than a router one), then only the apps on that client device can see through to the rig subnet.

Configuring this requires creating credentials to make sure it's really us at each end, and a "shared secret" that permits automatic negotiation of the encryption key used to hide the data.  Subnets at each end get configured (a subnet at the rig, one for the VPN connection, and the one at the remote operating position).  Each router manufacturer will have instructions for VPN setup.

Please, someone with more time available, write a detailed guide for this.  Using VPN eliminates the constant addition of new forwarded ports as new goodies are created.  And, will shield us from those nasty Internet bandits who will see nothing but indecipherable noise. *grin*  
I'll be happy to help, but am totally committed at present.
73,
Les - AA5NA


Vic VE3JAR <vloewen2@...>
 

Totally agree with Joe.

More information regarding security is needed when connecting a device such as RigPi to the Internet.
Looking forward to reading comments & suggestions on the set-up of such protection.

Thanks
Vic


W8DU Arnie
 

I use OpenVPN running on a RPi and it works perfectly. Very easy to install and access remotely. Have been using it for several years now. Lots of YouTube videos on how to set this up. I would guess that OpenVPN can run on the same Pi that is running RigPi.
73 de Arnie W8DU


Clint Chron
 

Even though the risk may be high, there are situations where the risk is probably acceptable.  I have an IC-7100 located at my cabin and I control it with the Icom RS-BA1 software over the Internet.  The IC-7100 is connected to my Windows 7 PC via a USB cable.   I have a Windows 7 image of the PC.  There is no private data on the PC (PC is not used for Web browsing or email).  So even if the PC gets hacked, the hacker gets no info.  I actually was hit with Ransomware last fall (RDP hacking).  The PC was moderately secure.  Not sure how anyone got through the RDP port, but it is possible.  The PC was normally powered off when I was not using the radio, but for that particular scenario, I think the PC had been powered on for a couple of weeks.

 

In any case, I just reimaged the PC from my backup image and was up and running again.  I did apply some more security hardening on the PC.  The PC is powered off when I am not using the radio.

 

I plan to replace the PC with a Pi computer and RigPi software.  I will make an image backup of the SD card.  I am not a Linux expert, but I have always heard that Linux computers are much more secure than Windows computers.

 

Doing the VPN setup is a good safeguard.

 

73

Clint

W7KEC

 

From: RigPi@groups.io [mailto:RigPi@groups.io] On Behalf Of Joseph Cupano
Sent: Friday, June 14, 2019 7:47 PM
To: RigPi@groups.io
Subject: Re: [RigPi] IMPORTANT: Security Issues

 



Joe NE2Z
 

Thanks Vic,

I hope people read my message as something that is not unique to the RigPi, but for any IP addressable device
being connected to the Internet. I don't think anyone wants to see RigPi as a target on Shodan or show up as a
tweet on the Internet of Sh**

What is best practice in dealing with consumer IoT ?  Well, it starts with . . .

- Raise your awareness of what is going on in your home network

- Know your threat profile. When you let anything connect in or out of your home network, what are the
potential opportunities for its misuse?

- Practice "layered security" aka "belt and suspenders" approach in protecting your home network and
the devices connected to it.

For that last bullet, sadly a home router with its minimal security capabilities PLUS security software on your PC
is not enough. IoT devices typically only have just enough resources to function and little additional to protect
themselves. For IoT devices that do not offer transparency AND ease of use in configuration in how they behave
on the network, further network segmentation (VLANs) is necessary which often involves upgrading your home
network if it lacks that feature/functionality.

What is one way of doing this right ?

Happy to write up a general IoT Security "How to" and/or one more specific to the
RigPi if one ends up on my desk from MFJ (hint MFJ.)


73,

- Joe, NE2Z




Joe NE2Z
 

OpenVPN with firewall rules for VPN traffic, static IP restrictions, and internal network segmentation is an ideal scenario. The first compromise is to go from
static IP to GeoIP to allow for those who travel for work. You update the GeoIP before and after travel for the geo you are traveling to.

Agree on OpenVPN as a preferred route, but since it is a daemon with threats akin to SSH, restricting IP limits the risk.

For what it's worth,

- Joe, NE2Z


Joe NE2Z
 

Hi Clint,

Good point on the topic of acceptable risk. But to make a decision on what is acceptable starts with understanding what
the potential threats (aka threat profile) are to your setup. Excellent that you have no data on the PC you care about. But do you
care about theft of use such as someone using the PC as a Bitcoin miner, Bot attack etc.

In my travels I have found no operating system more secure than the other, same with open and closed source. Everything is
compromised in one way or another. The technology may always change but the tradecraft changes little.

For what it's worth

73,

- Joe, NE2Z


Alan James <alanmjames@...>
 




On Sat, Jun 15, 2019 at 1:36 PM, Joseph Cupano
<joe@...> wrote:


Vic VE3JAR <vloewen2@...>
 

You bring up good points ............
The following document (hat tip) regarding security settings to consider for the Raspberry Pi:
   https://makezine.com/2017/09/07/secure-your-raspberry-pi-against-attackers/

Question:
Does the RigPi software on the SD card / RaspPi have some of these tips/suggestions already configured, or even considered?
Vic


Clint Chron
 

Hi Joe,

 

Do you have a recommended link for setting up OpenVPN for use with RigPi?  I see lots of different articles on setting up OpenVPN.

How can you tell if your Internet router supports OpenVPN?

 

73

Clint

W7KEC

 

 

 

From: RigPi@groups.io [mailto:RigPi@groups.io] On Behalf Of Joseph Cupano
Sent: Friday, June 14, 2019 7:47 PM
To: RigPi@groups.io
Subject: Re: [RigPi] IMPORTANT: Security Issues

 



Howard Nurse, W6HN
 

I'm really pleased to see so many excellent suggestions about improving RigPi security.  It can't be stressed enough how important this is.

Since RigPi is using the standard Raspbian operating system, there is no reason why installing OpenVPN should be more than following a few steps.  I hope someone in the RigPi community will write up something for us to follow.

73, Howard W6HN


Joe NE2Z
 


Excellent article to reference, Vic !


Vic VE3JAR:



Joe NE2Z
 

Hi Clint,

I am not aware of any links specific to the RigPi. Once I have a RigPi on my desk happy to write one up. (Hint to MFJ.)

OpenVPN needs to be an explicit option on your router. Some people update the firmware on the routers
with OpenWRT, DD-WRT, other firmware variants that include OpenVPN support. Note these firmware updates
will void warranty/support of your router.

As mentioned, Geo limiting the IP address space that can connect to your RigPi (or any other device) reduces
a lot of noise and threat. Again, the firmware variants are your friend, but be mindful that OpenVPN and GeoIP have
resource costs.

Personally, I have moved away from off the shelf home routers and build open source firewalls on used PCs.
If not on my own blog, may post some related articles on the Hudson Valley Digital Network blog.


73,

- Joe, NE2Z





Clint Chron:




Joe NE2Z
 

Hi Howard,

The weakest link in security is always the human element. That is why security should be "built-in"
rather than "bolted-on".

Punting security as a feature to be added by the community for any product is simply irresponsible.

What would really make the RigPi stand out, and demonstrate how Amateur Radio contributes
to setting standards in technology adoption, is to include OpenVPN as part of the image and support
for it.

It would not only benefit the community, but providing an easy-to-use OpenVPN setup would be a
differentiator between someone buying a RigPi or trying to build a clone when security is
important to them. MFJ maintains its margins and sees less sales erosion over time as clones develop.

Doable, right?


73,

- Joe, NE2Z