Possum
Posts: 28
Joined: Thu Mar 22, 2012 2:32 pm

My Raspberry Home Server

Fri Jun 21, 2019 3:48 am

Hi

I have a static IP address which I have port forwarded thru my router so I can go to my RP from any other computer on the net. I have two MariaSQL databases running. One is a search engine (SSEP), the other is a phpBB forum.

Also running Apache php goodness



The RP has been running for 144 days with no problems. In other words I have not (to my knowledge) been hacked.

I know hackers are a real problem. But are they overemphasized? In your opinion, do you think an RP home server is an achievable tool in the internet of today?
Last edited by Possum on Fri Jun 21, 2019 4:17 am, edited 2 times in total.

HawaiianPi
Posts: 4596
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: My Raspberry Home Server

Fri Jun 21, 2019 4:07 am

In general the Raspberry Pi hardware is not inherently insecure (as far as I know it doesn't have the speculative execution vulnerabilities of x86 computers). So it's all about the software. Your server will only be as secure as the software and configuration permits.

If you do a good job of setting all that up you should be fine (unless someone finds an exploit in the software you are using).

If you do something boneheaded, like not changing the default password, then all bets are off.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

rpdom
Posts: 15180
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: My Raspberry Home Server

Fri Jun 21, 2019 5:25 am

HawaiianPi wrote:
Fri Jun 21, 2019 4:07 am
If you do something boneheaded, like not changing the default password, then all bets are off.
If you do something boneheaded, like not changing the default password AND connecting the Pi to an insecure network or exposing it directly to the Internet (via port forwarding or directly), then all bets are off.

A couple of mine still have the default password. They do not get exposed directly. They are only accessible from my local network.

However, generally I change the user as well as password, especially on the three that do have port forwarding pointing at them.

HawaiianPi
Posts: 4596
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: My Raspberry Home Server

Fri Jun 21, 2019 8:55 am

rpdom wrote:
Fri Jun 21, 2019 5:25 am
... or exposing it directly to the Internet (via port forwarding or directly), then all bets are off.
The OP says that's exactly what's been done.
Possum wrote:
Fri Jun 21, 2019 3:48 am
I have a static IP address which I have port forwarded thru my router so I can go to my RP from any other computer on the net.

Ernst
Posts: 1231
Joined: Sat Feb 04, 2017 9:39 am
Location: Germany

Re: My Raspberry Home Server

Fri Jun 21, 2019 9:15 am

Possum wrote:
Fri Jun 21, 2019 3:48 am
I know hackers are a real problem. But are they overemphasized?
Since about the 1st of May there have been almost 2500 attempts to access my network with the use of ssh.
This is not the complete truth because my fail2ban setup has no mercy and blocks forever at the first attempt.
The road to insanity is paved with static ip addresses
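
A way to reproduce the kind of count Ernst quotes, as an added example that is not part of the original posts: tally failed SSH password attempts per source address from auth.log text. The log lines are constructed samples in the usual sshd format, and the function name is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): count failed SSH password attempts per source.
# Constructed sample lines in sshd's auth.log format; the addresses are
# documentation ranges, not real hosts.
AUTH_LOG_SAMPLE='Jun 21 03:10:01 raspberrypi sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jun 21 03:10:04 raspberrypi sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 21 03:12:30 raspberrypi sshd[827]: Invalid user test from 198.51.100.23 port 51514
Jun 21 03:12:33 raspberrypi sshd[827]: Failed password for invalid user test from 198.51.100.23 port 51514 ssh2
Jun 21 08:55:10 raspberrypi sshd[903]: Accepted publickey for pi from 192.168.0.14 port 50022 ssh2
Jun 21 09:15:42 raspberrypi sshd[950]: Connection closed by authenticating user pi 203.0.113.7 port 40310 [preauth]'

# failed_ssh_by_source (hypothetical helper): read auth.log text on stdin and
# print "<count> <source>" for every address with failed passwords, busiest first.
failed_ssh_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is text chosen by the remote side, so take the
            # LAST "from" token on the line as the one sshd wrote itself.
            src = ""
            for (i = 1; i < NF; i++) if ($i == "from") src = $(i + 1)
            if (src != "") hits[src]++
        }
        END { for (src in hits) print hits[src], src }' |
    sort -k1,1nr -k2,2
}

# Stand-alone run on the sample; on a Pi, feed it /var/log/auth.log instead.
printf '%s\n' "$AUTH_LOG_SAMPLE" | failed_ssh_by_source
```

Successful logins and pre-auth disconnects are ignored on purpose, so the totals reflect password guessing only.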

deepo
Posts: 86
Joined: Sun Dec 30, 2018 8:36 pm

Re: My Raspberry Home Server

Fri Jun 21, 2019 5:03 pm

Besides fail2ban I'd like to give a shout out to UFW (Uncomplicated Firewall).
Really easy to set up.

Here are some of the commands you'll need to use:


sudo apt-get install ufw

sudo ufw disable
sudo ufw enable

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from 192.168.0.0/24
sudo ufw allow 8080/tcp
sudo ufw allow https

pi@raspberry:~ $ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
443/tcp                    ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.0.0/24
443/tcp (v6)               ALLOW IN    Anywhere (v6)
8080/tcp (v6)              ALLOW IN    Anywhere (v6)
/Mogens
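
To see at a glance which of those rules accept traffic from any source (and so become Internet-facing once the router forwards the port), here is an added example that is not part of the original post. It parses `ufw status verbose` text; the sample is the rule table from the post above, and the function name is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): list ports that ufw opens to any source.
# Sample copied from the status listing in the post above.
UFW_STATUS_SAMPLE='To                         Action      From
--                         ------      ----
443/tcp                    ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.0.0/24
443/tcp (v6)               ALLOW IN    Anywhere (v6)
8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

# world_open_ports (hypothetical helper): read `ufw status verbose` text on
# stdin and print each destination whose ALLOW IN rule has source "Anywhere".
# IPv4 and IPv6 rules for the same port are reported once.
world_open_ports() {
    awk '
        / ALLOW IN / {
            split($0, parts, / +ALLOW IN +/)
            to = parts[1]; from = parts[2]
            # Trim trailing blanks first, then the "(v6)" marker.
            sub(/ +$/, "", to);        sub(/ +$/, "", from)
            sub(/ +\(v6\)$/, "", to);  sub(/ +\(v6\)$/, "", from)
            if (from == "Anywhere" && !seen[to]++) print to
        }'
}

# Stand-alone run on the sample; on a Pi: sudo ufw status verbose | world_open_ports
printf '%s\n' "$UFW_STATUS_SAMPLE" | world_open_ports
```

The rule scoped to 192.168.0.0/24 is not reported, because only hosts on the local network match it.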

ejolson
Posts: 3548
Joined: Tue Mar 18, 2014 11:47 am

Re: My Raspberry Home Server

Sat Jun 22, 2019 11:39 am

Ernst wrote:
Fri Jun 21, 2019 9:15 am
Possum wrote:
Fri Jun 21, 2019 3:48 am
I know hackers are a real problem. But are they overemphasized?
Since about the 1st of May there have been almost 2500 attempts to access my network with the use of ssh.
This is not the complete truth because my fail2ban setup has no mercy and blocks forever at the first attempt.
What happens if you are traveling and dynamically get assigned one of the previously blocked addresses? Another idea is to turn off ssh authentication with tunneled passwords and use only cryptographic keys.

In my opinion, enabling ssh inside a local network behind a firewall without changing the default password is dangerous. Even if not directly exposed through port forwarding, a vulnerable machine on a local network can get infected when a virus comes into the local network through a cell phone or any other way. In particular, it should not be game over for all connected Raspberry Pi computers if the security of the local network is compromised.
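
A check for the key-only setup suggested above, as an added example that is not part of the original post: it reads sshd_config text and reports whether password logins are still possible. The sample config is constructed and the function name is an assumption; the parser handles the whitespace-separated `Keyword value` form only and does not follow `Include` files, so on a live system compare against `sshd -T`.

```shell
#!/bin/sh
# Added example (not from the thread): is SSH password login really off?
# Constructed sample config. Note the duplicate keyword and the Match block.
SSHD_SAMPLE='# constructed sample
Port 22
PubkeyAuthentication yes
passwordauthentication no
#KbdInteractiveAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes'

# sshd_password_findings (hypothetical helper): read sshd_config text on stdin.
# Prints "global: <value>" for PasswordAuthentication, then one "override:" line
# for every Match block that turns passwords back on.
sshd_password_findings() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        { kw = tolower($1); arg = tolower($2) } # keywords are case-insensitive
        kw == "match" { in_match = 1; scope = $0; sub(/^[ \t]+/, "", scope); next }
        kw != "passwordauthentication" { next }
        # sshd keeps the first value it reads for a keyword; later ones are ignored.
        !in_match && !seen { seen = 1; global = arg }
        # A Match block overrides the global value for the connections it matches.
        in_match && arg == "yes" { overrides = overrides "override: " scope "\n" }
        END {
            # PasswordAuthentication defaults to yes when it is never set.
            print "global: " (seen ? global : "yes (default)")
            printf "%s", overrides
        }'
}

# Stand-alone run on the sample; on a Pi: sshd_password_findings < /etc/ssh/sshd_config
printf '%s\n' "$SSHD_SAMPLE" | sshd_password_findings
```

In the sample, passwords are off globally but the Match block re-enables them for one account, which is the kind of leftover this check is meant to surface.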

Ernst
Posts: 1231
Joined: Sat Feb 04, 2017 9:39 am
Location: Germany

Re: My Raspberry Home Server

Sat Jun 22, 2019 2:06 pm

ejolson wrote:
Sat Jun 22, 2019 11:39 am
Ernst wrote:
Fri Jun 21, 2019 9:15 am
Possum wrote:
Fri Jun 21, 2019 3:48 am
I know hackers are a real problem. But are they overemphasized?
Since about the 1st of May there have been almost 2500 attempts to access my network with the use of ssh.
This is not the complete truth because my fail2ban setup has no mercy and blocks forever at the first attempt.
What happens if you are traveling and dynamically get assigned one of the previously blocked addresses?
No problem, just need to knock a few ports.
ejolson wrote:
Sat Jun 22, 2019 11:39 am
Another idea is to turn off ssh authentication with tunneled passwords and use only cryptographic keys.
This ssh gateway does not allow password authentication, only cryptographic keys.
ejolson wrote:
Sat Jun 22, 2019 11:39 am
In my opinion, enabling ssh inside a local network behind a firewall without changing the default password is dangerous. Even if not directly exposed through port forwarding, a vulnerable machine on a local network can get infected when a virus comes into the local network through a cell phone or any other way. In particular, it should not be game over for all connected Raspberry Pi computers if the security of the local network is compromised.
To be honest I am not really worried about the Raspberry Pi computers, the other devices on the network are more important to me, but I do agree with you.
