9 Replies Latest reply on May 17, 2017 9:55 AM by Andy Clark (Workshopshed)

    Security

    Andy Clark (Workshopshed)

      Has anyone come across any interesting articles on securing the Edison?

        • Re: Security
          koudelad

          I would say the rules will be pretty much the same as for any other GNU/Linux machine.

          Disabling unused services, user management, network security, physical security, ...

          Try googling for "linux security hardening".

          2 of 2 people found this helpful
            • Re: Security
              koudelad

              I just remembered that a few years ago I followed these HOWTOs from the Linux Documentation Project.

              They seem to be quite old now, however, the principles remain the same.


              Security Quick-Start HOWTO for Linux

              Linux Security HOWTO


              I would also recommend buying a reliable and updatable router and choosing wisely what services (ports) to publish to the internet. Nothing provides 100 % network security, but almost all the consumer brands ship with many vulnerabilities that are patched after a few months (happy scenario) or never (common scenario). The situation is the same as with cell phones - only the most expensive get support (until a new product is released).

              2 of 2 people found this helpful
            • Re: Security
              jasonwier92

              Agree on a good hardware router/firewall. I like MikroTik, but they are not easy to set up if you are not used to them. Using iptables on the Edison as a local firewall would be a good second layer of security (a headache sometimes too).


              If you are going to expose SSH, you need to block brute force attacks. SSHGuard is a good solution. It can watch your logs for SSH attacks and block the IP address. Another good solution is to also run SSH on a port other than the standard 22. Like have it run on port 8002. This can be done by editing the /etc/ssh/sshd_config file and setting the port like: "Port 8002". But if you do not need to expose SSH, that is best.


              If you are going to expose your web interface to the population of the earth and wherever else the Internet reaches, you could run HTTPS, as it will not let people in the middle study your packets.

              2 of 2 people found this helpful
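The sshd_config change described in the reply above, as an added shell example that is not part of the thread or of any project's code: it audits an sshd_config file for the Port directive the reply mentions and, going one step beyond the reply, for the PermitRootLogin and PasswordAuthentication keywords (real OpenSSH keywords; their hardening values are my own choice). The two configuration files are constructed inline for illustration, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings a
# defender would check before exposing SSH on a small Linux box like the Edison.

# sshd_first_value FILE KEY: print the first active (uncommented) value of KEY.
# OpenSSH uses the first occurrence of most keywords, so we stop at the first hit.
sshd_first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one line per finding; prints nothing if clean.
audit_sshd_config() {
    file=$1

    # Port may appear several times (sshd listens on all of them); no Port
    # directive means the default 22, so report that case too.
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$file")
    [ -z "$ports" ] && ports=22
    for p in $ports; do
        if [ "$p" = "22" ]; then
            echo "$file: sshd listens on the default port 22 (reply suggests e.g. Port 8002)"
        fi
    done

    # PermitRootLogin: the default depends on the OpenSSH version, so an
    # unset value is reported as a finding rather than guessed.
    v=$(sshd_first_value "$file" PermitRootLogin)
    case "$v" in
        no|prohibit-password) ;;
        "") echo "$file: PermitRootLogin is not set explicitly" ;;
        *)  echo "$file: PermitRootLogin is '$v'" ;;
    esac

    # PasswordAuthentication defaults to yes, which is what brute-force
    # attempts rely on; key-only login removes that attack surface.
    v=$(sshd_first_value "$file" PasswordAuthentication)
    case "${v:-yes}" in
        no) ;;
        *)  echo "$file: PasswordAuthentication is '${v:-yes (default)}'" ;;
    esac
    return 0
}

# count_findings FILE: number of findings, as a bare integer.
count_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample configs (not real Edison files).
WEAK=$(mktemp)
HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

cat > "$WEAK" <<'EOF'
# constructed sample: roughly what a stock config looks like
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARDENED" <<'EOF'
# constructed sample: non-standard port, key-only login, no root
Port 8002
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "weak config findings: $(count_findings "$WEAK")"
audit_sshd_config "$WEAK"
echo "hardened config findings: $(count_findings "$HARDENED")"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after editing; a non-standard port only moves noise, so the two login settings are the ones that actually stop password guessing.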
                • Re: Security
                  shabaz

                  Everything you've mentioned is a good step. Depending on the value of what needs to be protected overall (in the home or otherwise - not talking about just equipment value, but also information value) some additional steps may be needed. HTTPS doesn't prevent MITM; in fact many commercial products do just that, because they locally terminate and create a new session to the requested resource. This has some useful purposes (e.g. determining if the user is getting good performance from the network or not), but we can't assume that there are no people out there that will do this for bad purposes.

                  Local firewalls are good, but at the end of the day home equipment has a tiny processor and could fall over if it was overwhelmed, so blocking all incoming ports on the external router or FW is a good idea if possible. We all thought SSH was fine but that Heartbleed vulnerability was present for years : ( And it was easy, and extremely severe.

                  3 of 3 people found this helpful
                  • Re: Security
                    koudelad

                    I also like MikroTik devices. They now have a web interface called WebFig, which provides similar functionality to Winbox over a web management interface. The first-time setup is quite easy, as they embedded typical usage profiles, for example "Home AP". The truth is, there are still a few things to configure (disable services, remote access, set up NTP, ...). I installed three of the newer devices for home / office use and I am really happy about the way they work.

                    1 of 1 people found this helpful
                  • Re: Security
                    rsc

                    I've got mine all locked up.