
Introduction

 

In this post I will document some basic, easy-to-implement changes that improve the security of your (IoT) project.

Some may sound very obvious, but have you taken the time to apply them?

 

Passwords

 

Disable root access

 

Disable root access. By default it is already disabled on the Raspberry Pi. I had temporarily enabled it to update files more easily, but it should not be left that way.

To remove the root password, and thus root access, execute the following command:

 

passwd -d root

 

Change default password

 

Raspbian and the other distros for the Raspberry Pi all come configured with a default user and password (usually "pi" / "raspberry").

It is strongly recommended to at least change the default password, and possibly the username as well.

 

passwd pi

 

Strong password

 

Finally, pick a strong password: at least eight characters, combining upper- and lower-case letters, numbers and special characters.

You can take a normal, easy-to-remember word and replace some of its letters; for example, "element14" could become "E!em3nT14".

 

This applies not only to your user account on the Pi, but also to other applications that require credentials, such as MySQL, OpenHAB, etc.
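As an added example (not from the original post), a small shell function that applies the password rule above, so it can be reused wherever credentials are set up; the candidate passwords at the end are constructed:

```shell
# has_class PASSWORD PATTERN: true if PASSWORD contains a character matching
# the bracket expression PATTERN (LC_ALL=C keeps [A-Z] strictly ASCII).
has_class() { printf '%s' "$1" | LC_ALL=C grep -q "$2"; }

# check_password PASSWORD: returns 0 if the password meets the policy described
# above (8+ characters, upper- and lower-case letters, a digit and a special
# character) and is not the Raspbian default; otherwise prints the first
# failed rule on stderr and returns 1.
check_password() {
  pw=$1
  if [ "${#pw}" -lt 8 ]; then reason="shorter than 8 characters"
  elif [ "$pw" = raspberry ]; then reason="Raspbian default password"
  elif ! has_class "$pw" '[A-Z]'; then reason="no upper-case letter"
  elif ! has_class "$pw" '[a-z]'; then reason="no lower-case letter"
  elif ! has_class "$pw" '[0-9]'; then reason="no digit"
  elif ! has_class "$pw" '[^A-Za-z0-9]'; then reason="no special character"
  else return 0
  fi
  echo "rejected: $reason" >&2
  return 1
}

# Constructed candidates: the post's "E!em3nT14" passes; the plain word it was
# derived from, the default password and a too-short one do not.
for candidate in 'E!em3nT14' 'element14' 'raspberry' 'Sh0rt!'; do
  if check_password "$candidate"; then echo "$candidate: ok"; fi
done
```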

 

Access

 

Limit access

 

If the application allows it, you can limit certain applications to localhost, preventing remote access altogether.

 

In my project, I've applied this to two applications: motion and MySQL.


MySQL

 

As can be seen in the fragments below, MySQL binds to localhost and will only be accessible locally:

pi@webserver ~ $ netstat -ln | grep 3306
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN

 

Open the configuration file:

pi@webserver ~ $ less /etc/mysql/my.cnf

 

Ensure the "bind-address" option is set to "127.0.0.1":

[mysqld]
#
# * Basic Settings
#
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
basedir         = /usr
datadir         = /var/lib/mysql
tmpdir          = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address            = 127.0.0.1

 

Motion

 

The same applies to motion:

pi@webserver ~ $ netstat -ln | grep 8081
tcp        0      0 127.0.0.1:8081            0.0.0.0:*               LISTEN

 

Open the configuration file:

pi@webserver ~ $ less /etc/motion.conf

 

Ensure the "stream_localhost" option is set to "on":

############################################################
# Live Stream Server
############################################################

# The mini-http server listens to this port for requests (default: 0 = disabled)
stream_port 8081

...

# Restrict stream connections to localhost only (default: on)
stream_localhost on
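As an added example (not from the original post), the checks from the MySQL and motion sections above in one script: a helper that reads the bind-address / stream_localhost values from the configuration files, and an audit of a saved netstat -ln listing that flags any of the given ports not bound to 127.0.0.1. The configuration fragments and the listing are constructed sample data; in the sample, motion has not yet been restricted to localhost.

```shell
# config_value FILE KEY prints the value of KEY in a my.cnf-style ("key = value")
# or motion.conf-style ("key value") file, skipping commented-out lines.
config_value() {
  awk -F '[ \t=]+' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# local_only LISTING PORT... reads saved `netstat -ln` output and returns 0 only
# if every PORT has a TCP listener and all of them are bound to 127.0.0.1.
# Listeners on 0.0.0.0 or ::: (all interfaces) are reported as exposed.
local_only() {
  listing=$1; shift
  rc=0
  for port in "$@"; do
    all=$(awk -v p=":$port\$" '$1 ~ /^tcp/ && $4 ~ p { print $4 }' "$listing")
    exposed=$(printf '%s\n' "$all" | awk '$0 != "" && $0 !~ /^127\.0\.0\.1:/')
    if [ -z "$all" ]; then
      echo "port $port: nothing listening"; rc=1
    elif [ -n "$exposed" ]; then
      echo "port $port: reachable remotely on $exposed"; rc=1
    else
      echo "port $port: localhost only"
    fi
  done
  return $rc
}

# Constructed sample data: a my.cnf fragment, a motion.conf fragment and a
# netstat listing in which motion (8081) still listens on all interfaces.
SAMPLE_MYCNF=$(mktemp); SAMPLE_MOTION=$(mktemp); SAMPLE_NETSTAT=$(mktemp)
printf '[mysqld]\nport = 3306\nbind-address\t\t= 127.0.0.1\n' > "$SAMPLE_MYCNF"
printf 'stream_port 8081\n# stream_localhost off\nstream_localhost on\n' > "$SAMPLE_MOTION"
cat > "$SAMPLE_NETSTAT" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN
tcp6       0      0 :::2222                 :::*                    LISTEN
EOF

echo "mysql bind-address: $(config_value "$SAMPLE_MYCNF" bind-address)"
echo "motion stream_localhost: $(config_value "$SAMPLE_MOTION" stream_localhost)"
if local_only "$SAMPLE_NETSTAT" 3306 8081; then echo "all local"; else echo "exposure found"; fi
```

On the Pi itself, save the real listing with netstat -ln > listing.txt and pass that file plus the ports you expect to be local-only.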

 

Enable login

 

If an application provides the option, you should require a login.

 

OpenHAB

 

I have done so for OpenHAB, because I will keep it accessible remotely and I don't want anyone (too easily) controlling my home.

 

Edit the openhab.cfg to enable security:

# configures the security options. The following values are valid:
# ON = security is switched on generally
# OFF = security is switched off generally
# EXTERNAL = security is switched on for external requests
#            (e.g. originating from the Internet) only
# (optional, defaults to 'OFF')
security:option=ON

 

Edit users.cfg to specify credentials:

username=password

 

Restart OpenHAB. When loading the OpenHAB GUI, you will now be prompted for credentials.

The login can also be combined with HTTPS, which is available out of the box in OpenHAB.

 

Just browse to:

 

https://<ip>:8443/openhab.app?sitemap=<sitemap>

 

You can find more about it at https://github.com/openhab/openhab/wiki/Security

 

Change default ports

 

Changing default ports can also help make your device less likely to be a target.

 

By editing the application's configuration, the port can usually be changed to something else.

 

SSH

 

Edit the SSH server configuration file:

pi@webserver ~ $ sudo nano /etc/ssh/sshd_config

 

Change the port to the new desired value:

# What ports, IPs and protocols we listen for
Port 2222

 

Restart the SSH service in order to apply the change:

pi@webserver ~ $ sudo service ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.

 

Logging in on port 22 (the default) no longer works:

Fredericks-MacBook-Air:~ fvan1$ ssh pi@192.168.0.206
ssh: connect to host 192.168.0.206 port 22: Connection refused

 

The new port does:

Fredericks-MacBook-Air:~ fvan1$ ssh pi@192.168.0.206 -p 2222
pi@192.168.0.206's password:

 

Firewall

 

Finally, don't expose everything to the internet. If you have a firewall, only allow access to the services you want to be remotely accessible.

 

In my case, SSH may be accessible from inside the network, but it isn't from outside.

 

Conclusion

 

These are only some basic tips regarding security; there's plenty more that can be done.

 

What have you done to secure your project? Do you have any additional tips?