Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

How to protect the RPI against Hackers?

Wed Mar 08, 2017 4:24 pm

A couple of days ago My provider blocked my IPadres because of sending SPAM mails.
At that time there was no laptop or pc connected to the network.
Only 2 NASses, 2 ip cams and 2 RPI's.
I checked the NASses on virus and mallware. Nothing found.
I checked the RPI's.
One had a strange line in the crontab file, starting a perl programm at reboot. It was not from me.
So I do think the RPI was hacked.
I blocked the forwarding in my router to the RPI for SSH and the Apache2 webpage.
I removed the immage from the RPI and installed a clean one from some time ago.

This is the second time this happened in the last 2 years with my RPI.

My question is how to protect the RPI to a maximum against hackers?
Forwarding to SSH is not realy necesarry for me and I will block the forwarding.
I did change the standard login to a new login and removed the standard login.
Entering the webpage without risk would be nice. Until Now I blocked it because I don't dare to approache it anymore.

Any advice will be welcome. Thanks!

runboy93
Posts: 352
Joined: Tue Feb 28, 2017 1:17 pm
Location: Finland
Contact: Website

Re: How to protect the RPI against Hackers?

Wed Mar 08, 2017 5:00 pm

Offline :)

Or "harden" security of the RPi with tweaks.

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: How to protect the RPI against Hackers?

Wed Mar 08, 2017 5:23 pm

runboy93 wrote:Offline :)

Or "harden" security of the RPi with tweaks.
Yes but how to harden security??

S0litaire
Posts: 216
Joined: Thu Dec 29, 2011 4:24 pm
Location: Ayrshire, Scotland
Contact: ICQ Skype Twitter

Re: How to protect the RPI against Hackers?

Wed Mar 08, 2017 5:25 pm

basic for any web facing device is "Fail2Ban" https://www.fail2ban.org/wiki/index.php/Main_Page

It's a program that monitors login attempts for things like "imap" "pop3" "ssh" and if they fail a certain number of times the IP address is automatically banned for a set period of time (or till the device is rebooted!)

By default Fail2Ban is set to monitor SSH login attempts (which is the most common attempt to gain access) so no major configuration is required.

Other than that:
Changing the ssh port away from the standard one of 22 will stop 99% of attempts. I've only seen a single occurrence of anyone trying ports other than the default SSH port to gain access.

What are you running on apache2? their might be known issues with the type of webpages being served (php / SQL injection?! scripts.)
--
Laters

Bill "Solitaire" C

Anáil nathrach, ortha bhas betha, do cheol déanta

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: How to protect the RPI against Hackers?

Wed Mar 08, 2017 5:39 pm

Thanks for the advice.
I just changed the ssh port away from the standard.
Is there somewhere a tutorial how to install the the fail2ban program you mentioned?
I do run a mix on Apache2 the most is written in PHP and Java
Last edited by Canedje on Wed Mar 08, 2017 8:20 pm, edited 1 time in total.

S0litaire
Posts: 216
Joined: Thu Dec 29, 2011 4:24 pm
Location: Ayrshire, Scotland
Contact: ICQ Skype Twitter

Re: How to protect the RPI against Hackers?

Wed Mar 08, 2017 6:00 pm

first thing is set up a good .htaccess file.
its a standard way of stopping access to files and folders in the web server.
a very basic one would look a bit like this :

Code: Select all

//Prevent viewing of .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

//Prevent directory listings
Options All -Indexes
Read a bit more here :
https://www.digitalocean.com/community/ ... ccess-file

Then it's a general tidy up of accounts making sure you've got strong passwords on every user account.
And making sure you cant log in remotely as "root".
--
Laters

Bill "Solitaire" C

Anáil nathrach, ortha bhas betha, do cheol déanta

User avatar
DougieLawson
Posts: 36541
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: How to protect the RPI against Hackers?

Thu Mar 09, 2017 12:39 pm

Before doing ANYTHING you MUST reformat that SDCard and re-image it or restore from a backup (known to be taken before your compromise). Do NOT ever use that SDCard without doing that (or you'll be a spam spewing zombie again in about a minute).
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 24129
Joined: Sat Jul 30, 2011 7:41 pm

Re: How to protect the RPI against Hackers?

Thu Mar 09, 2017 12:42 pm

May be preaching to the converted, but you MUST change the default password, or actually remove the Pi account completely and add a new one with strong password.

And what Dougie said - reformat and start from scratch.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

S0litaire
Posts: 216
Joined: Thu Dec 29, 2011 4:24 pm
Location: Ayrshire, Scotland
Contact: ICQ Skype Twitter

Re: How to protect the RPI against Hackers?

Thu Mar 09, 2017 1:10 pm

Just run in terminal:

Code: Select all

sudo apt-get install fail2ban
That's all you need to do to secure SSH.
For securing the Apache server take a read here :
https://www.digitalocean.com/community/ ... untu-14-04

(i tend to post a lot of links to Digital ocean, but it does have a good resource of howto articles for setting up Debian/Ubuntu systems from scratch with easy to follow language!)
--
Laters

Bill "Solitaire" C

Anáil nathrach, ortha bhas betha, do cheol déanta

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: How to protect the RPI against Hackers?

Thu Mar 09, 2017 3:03 pm

Before wiping the hacked SD card you might want to boot up a clean Linux install (Pi or LiveCD) and mount the compromised SD card to see if you can determine when and how the Pi was compromised. Don't boot from the Compromised card and don't run software on it.

If you had removed the standard Pi user (as your first post seems to suggest) then it might be SSH wasn't the route in.

If the compromise was some time ago then comparing binaries with a known clean version might be worthwhile. You might be able to get an idea of when the compromise happened by using the stat command on the script added to cron e.g.

Code: Select all

pi@hermione:~ $ stat /usr/sbin/sshd
  File: ‘/usr/sbin/sshd’
  Size: 752616          Blocks: 1472       IO Block: 4096   regular file
Device: b302h/45826d    Inode: 13246       Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-11-25 17:55:38.227313801 +0000
Modify: 2016-07-24 10:59:42.000000000 +0000
Change: 2016-11-25 17:55:38.227313801 +0000
 Birth: -
The change date should give an idea of when the file was actually written to the disk (assuming correct clock), The modify time can be easily adjusted. (From the above you should be able to easily guess which release date of raspbian I grabbed that from!)

321
Posts: 94
Joined: Mon Feb 13, 2017 7:26 pm

Re: How to protect the RPI against Hackers?

Thu Mar 09, 2017 3:47 pm

If you have any devices on your network which supports hardware level virtualisations, and you dont use virtualisation, disable it, most PC's have it enabled by default.

If your bios/uefi gets hacked then you need to wipe & reinstall that using an external programmer of sorts, either by desoldering the chips or using a clip that attaches to the pins of the bios and to the GPIO pins on a raspberrypi, with flashrom. Just make sure your programmer is not compromised before hand otherwise you'll spread malware again.

Zero days in a variety of software can be used to gain access to your bios, and just look at how easy it is to update your bios from a running OS.

Worth checking your router as well, Lizard squad used this method to hack Sony game servers sometime back, by using hacked off the shelf routers and who checks the data going done the phone line from their router?

Sometimes its worth double natting firewall/routers together to see what one firewall/router is sending out, made easier with ISP's who provide routers that also have a fibre port as you use the fibre port from a suspect router plugged into another device acting like a fake isp and you can find out whats leaving that.

Check and monitor all packets passing over your lan. If you cant account for each and every packet, your system is arguably not secure. Use a proxy server to do a Man In The Middle attack to log encrypted data, and modify the proxy to listen in to all ports and other protocols, not just https, so you could modify it to listen into the encrypted email communication for example.

One word of warning, I know of one very popular opensource firewall which hides messages from the syslog that would otherwise show the malware leaving this opensource firewall/router and DNS lookups which only the ISP's/Spooks would use which gives out your manufacturers details, eg http://www.php.net indicates HP devices behind the firewall. I havent seen if its built into the source code of the bsd platform in question or whether one of the main developers machine is the source of this malware, but burning everything to dvd gives me an audit trail of sorts. But even when burning to DVD, even when selecting the option to close the disc after burning so it cant be used like a USB device, still leaves it open, so there is code hiding in plain sight which lets DVD's be updated by compromised systems later on.

The stuff I've seen works at the hardware level, hacking firmware because AV doesnt check firmware, some AV dont even go beyond a certain number of iterations when checking zip files , so you could send a zip file which contains another zip much like a Russian Doll and at the last zip theres something malicious, hiding beyond the reach of the AV scanner.

Systems allowing virtualisation can then boot up a compromised OS before the main OS boots and then you can bypass fail2ban easily, plus because you are on the inside, its quickest to bruteforce crack the passwords. The fact its happened a couple times with a significant gap between both suggests a local brute force method could be used which would suggest disabling any virtualisation that might exist on any of your devices. I think even the arm chip on the pi's might have some sort of virtualisation.

So whilst you can log anything on the pi, and other devices on your network, as messages can be hidden, rsyslog drops a message repeatedly in a particular order on the pi's then you can lull someone into a false sense of security. Although these are not the only techniques used by the spooks. Other offline methods exist as well and starts from when you go to school.

Considering firmware can be updated, some of the stuff I've seen sits in the spare space on these firmware chips working in a distributed fashion, and not all manufacturers admit to their devices having updateable firmware, so breaking open devices, and finding out what chips can be updated could be a clue.

Good luck, I think you will enjoy the puzzle.

I think the fact that section 56.4 exists in the UK Snoopers charter demonstrates I might be on the money when considering even you mobile phone can used to track you on your way to a weekend at Newquay cornwall speeding down the M5. :)

Even right now, I know this pi I'm using is compromised, but I need to devise a test to prove it and out the spooks ala a TalkTalk Nov 2015 hack/coverup.

Edit.

Dont think your SD card cant be hacked either.
http://www.bunniestudios.com/blog/?p=3554

Return to “Troubleshooting”