Attack on Dyn

With the recent attack on Dyn, it might be a good idea to change the policy on how the password is issued with the FA turn-key disk images. Perhaps after it phones home and associates with an account, there is a forced process on the web site to change the Pi’s password. Of course, the concern isn’t with many on this forum. It’s for those who really have no idea what they’re doing and are following step-by-step instructions. These people are the type who will expose their Pi to the open internet with a default password. They don’t realize the full consequences of their actions. They need help.

If you’re unaware of the Dyn attack, check out:
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/#more-36754
I would hate to see some of FA’s users get hijacked in a similar manner. It would be bad for the usergroup and disastrous PR for FA.

Most users are behind NAT so this isn’t as much of a concern.

Let the hackers hack my Pi. What will they steal from my Pi dedicated to ADS-B?

The most I will lose is an outage for a couple of hours and my stats will be down. I don’t care about my stats going down. If the malware corrupts my operating system or other software, no problem. I will format the microSD card and reinstall Jessie and all.

If you have port 22 open to the Internet (say forwarded by your router) then you should be concerned that it can become a BOT.

The thing most criminals and governments (CIA) are looking for, is getting onto your LAN. Once there, most people tend to trust everything on the LAN, and this is where the failure modes are.

They will use your Pi to get to the PCs, etc. Once they map out your network, they’ll send the BOT code in and you are now a worker bee for their worldwide network.

If you don’t let anyone into your LAN you are pretty safe, but every day people get thumbdrives in the mail, and go: wow a thumbdrive, let me plug it on, wow naked girls, wow… bzzzzt all your LAN now belongs to us.

I kid you not, thumb drives in the mail and people just plug them in! It’s the latest scam.

Port forwarding is what got me concerned. My logs were showing large numbers of attempts to access my network through open ports. My initial solution was a simple PPTP VPN running on one of my Pis, but the new Mac and iOS versions no longer support that protocol due to weakness in security. After failing a couple of times trying to set up OpenVPN I found this script:

git clone git://github.com/StarshipEngineer/OpenVPN-Setup

There are a few other configuration steps but it’s working well at a couple of locations. Now I use Tunnelblick on the Mac and the OpenVPN app on my iDevices to connect and access my local network.

Definitely something I have been wanting to improve for some time now but the devil is in the details.

I changed all my passwords today. Yeah, I was using defaults. But not now!

:unamused: The above represents disregard for the user base and ignorance on security. PR → FA doesn’t consider using default passwords “as much of a concern” despite the extremely similar circumstances of the recent cyber attack on Dyn’s network. FA is following a security plan which security researchers refer to as “security by obscurity”. In layman’s terms, it means no security at all.

It is. Good luck and thank you.

Maybe a simple thing here is stick with a well known default password, but add a config option in piaware-config.txt that controls ssh access, and have the standard image have that disabled by default. So you can still easily log in on the physical console but to enable network logins requires an explicit change (which you could do on the sdcard externally, if you’re running the Pi headless). I think that would catch 80% of cases while not inconveniencing power users too much?

That would be simple and effective. If someone wants SSH access, they are pushing to the level of handling changing the password. It might be good to put a note in the config to change the password if enabling SSH.
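The boot-time gate proposed in the two posts above, as an added example (not PiAware’s own code): a small sh script that reads a flag from the config file and only enables sshd when it is explicitly set, so a headless image ships with network logins off while the physical console keeps working. The key name allow-ssh, the /boot/piaware-config.txt path, the “key value” line format and the Raspbian service name ssh are assumptions.

```shell
#!/bin/sh
# Added example (not PiAware's own code): gate network logins on an explicit
# config flag so a headless image ships with sshd off by default.
# ASSUMPTIONS: the key is named "allow-ssh", the file lives at
# /boot/piaware-config.txt, lines are "key value" with '#' comments,
# and the last occurrence of a key wins.

CONFIG_FILE="${CONFIG_FILE:-/boot/piaware-config.txt}"

# ssh_wanted FILE -> prints "yes" if allow-ssh is enabled, otherwise "no".
# A missing or unreadable file counts as "no" (fail closed).
ssh_wanted() {
    if [ ! -r "$1" ]; then
        echo no
        return 0
    fi
    awk '
        /^[[:space:]]*#/ { next }                 # comment line
        $1 == "allow-ssh" { val = tolower($2) }   # last occurrence wins
        END {
            if (val == "yes" || val == "1" || val == "true") print "yes"; else print "no"
        }' "$1"
}

# apply_ssh_policy -> start or stop sshd according to the config (needs root).
apply_ssh_policy() {
    if [ "$(ssh_wanted "$CONFIG_FILE")" = yes ]; then
        echo "allow-ssh set: enabling sshd. Change the default password now: passwd"
        systemctl enable --now ssh
    else
        echo "allow-ssh not set: network logins disabled; the physical console still works."
        systemctl disable --now ssh
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_ssh_policy
else
    # Dry run against a constructed sample config, so the script is safe to run anywhere.
    sample=$(mktemp)
    printf '%s\n' '# constructed sample, not a real image file' \
                  'wired-network yes' 'allow-ssh no' 'allow-ssh yes' > "$sample"
    echo "sample config -> ssh_wanted: $(ssh_wanted "$sample")"   # yes (last allow-ssh wins)
    rm -f "$sample"
fi
```

Run it with `apply` from a boot hook (as root) to enforce the policy; without arguments it only evaluates a constructed sample. Because the flag lives on the FAT boot partition, a headless user can still flip it from another machine before first boot, which is the point of the proposal.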

I did some experiments for about a month with a Pi directly on the internet earlier this year; I was mainly interested in ssh and web remote access.
I used iptables and fail2ban to report incidents.
Both default ports 80 and 22 were scanned at least every hour and a few simple “default” passwords etc. tried. I did not consider that I was ever attacked.
I suspect the scanners were simply building lists to sell on to the people doing the next level.
By using non-default ports the number of attempts was reduced dramatically. There is probably enough low-hanging fruit to mean your site will not attract further attention.
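The iptables/fail2ban approach in the post above, as an added example that is not part of the original post: a shell script that counts failed sshd logins per source address in auth.log-style lines and prints the iptables rules fail2ban would insert. The log lines are constructed (RFC 5737 documentation addresses) and the threshold of 3 failures is a made-up policy, not the poster’s setting.

```shell
#!/bin/sh
# Added example (not the poster's setup): find sources hammering sshd and emit
# the iptables rules fail2ban would add. The log lines below are CONSTRUCTED
# and use RFC 5737 documentation addresses; the threshold is a made-up policy.

# sample_auth_log -> prints constructed /var/log/auth.log style lines.
sample_auth_log() {
    cat <<'EOF'
Oct 22 03:14:07 piaware sshd[1234]: Failed password for root from 198.51.100.7 port 51234 ssh2
Oct 22 03:14:09 piaware sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Oct 22 03:14:11 piaware sshd[1235]: Failed password for pi from 198.51.100.7 port 51250 ssh2
Oct 22 03:15:02 piaware sshd[1240]: Failed password for pi from 203.0.113.9 port 40001 ssh2
Oct 22 03:16:30 piaware sshd[1241]: Accepted publickey for pi from 192.0.2.10 port 50022 ssh2
EOF
}

# failed_logins_by_ip FILE -> "count ip" lines, busiest source first.
# Only "Failed password" records from sshd are counted; successes are ignored.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ban_candidates FILE THRESHOLD -> addresses with at least THRESHOLD failures.
ban_candidates() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# ban_rules FILE THRESHOLD [PORT] -> iptables commands (printed, not executed).
ban_rules() {
    ban_candidates "$1" "$2" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport ${3:-22} -j DROP"
    done
}

log=$(mktemp)
sample_auth_log > "$log"
echo "failed logins per source:"
failed_logins_by_ip "$log"
echo "rules for sources with >= 3 failures:"
ban_rules "$log" 3
rm -f "$log"
```

fail2ban does the same thing continuously and removes the rule again after its bantime; this script only makes the logic visible. Moving sshd off port 22 (the Port directive in sshd_config) cuts the scanner noise the post describes, but it is not authentication: a default password behind port 2222 is still a default password.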

Fortunately I have not yet been the subject of an attack.

Sadly, this ranks up there with the “I have nothing to hide” response to allowing increased government surveillance.

Yes, most Pi’s have nothing of concern on them. Except a CPU, some storage and network access. Large, dark players are amassing armies of these “nothing to lose” devices connected to the 'net. And they are using them for ever larger and larger attacks against core infrastructure.

So while you may have nothing personal to lose, do you want your Pi to be part of a botnet that cripples the 'net to the point that someone you care about can’t use their VOIP phone to call 911?

I’m not suggesting we all become 1337 haxr0s or white hats, but do take basic precautions like changing the default password and running apt-get update, etc on a regular basis.

Any open port can be used to exploit a device. It could be used in a DDOS attack to reflect bad packets, or if compromised, could even initiate them. It could be used to attack internal devices to multiply the DDOS effect.

That’s very true. I noticed some lag with my local DNS server that was publicly accessible (I had a reason but didn’t disable it after the test was over) and it became a reflector for a DDOS attack so much so that my poor i7 with 32GB of RAM was crawling. As soon as I killed the firewall rule that allowed the access, it went back to normal.

To be fair it is not “any open port”, it is “open ports with specific services”. If it can’t be used for an amplification attack then it’s not a DDoS problem. DNS is an example of a service that can be used for amplification attacks; an open ssh port on its own is not (though if you haven’t changed the default passwords all bets are off)

You can use any open port with the wrong source IP as part of a DDoS attack. Not as good as an actual initiated attack. It still uses up bandwidth.

Sure, but if it’s not an amplification attack the attacker might as well send their traffic direct at the target. A SYN-ACK is no worse than a RST or a ICMP port-unreachable in terms of bandwidth.