And i just explained to you why it doesn’t help.
If someone has compromised the pi as he has root on the device he can just delete the rules.
And for compromising the pi he will need to connect inbound so that he can still do.
What you are proposing just doesn’t help i’m sorry.
If you have a secure password on ssh or better still a secure file then that would prevent that.
When I mentioned about allowing incoming connections it is the port 30005 and related connections plus dump1090 web connections that I was referring to.
I suppose if you know exactly what ports FA, FR24 and others actually use then you could deny all connections and open them up.
Gets complicated.
Geffers
@send2gl
I’m just saying:
If the raspberry is compromised as in someone has gained access in whatever way: your suggestions don’t help
Also: your suggestions can’t stop the raspberry becoming compromised because for that you need to use an inbound connection anyway.
in conclusion: it doesn’t make a single bit of difference.
Not sure i can explain it any better.
Probably your best bet then would be to disconnect Pi from network altogether.
Every computer that is connected to a network is vulnerable in some way, especially if it is a server, which a Pi running dump1090 and PiAware is.
You can also have wifi routers that keep network devices apart.
Sensible security is the best option, a secure ssh password or secure keyfile is best bet.
Plus of course the router stops any uninvited inbound traffic.
Geffers
Unfortunately did not work for me.
Does not display current value on SkyView
Does not change gain by dropdown + “Set Gain” button
Does not change gain by command
sudo echo 16 > /var/html/setgain/newgain
-bash: /var/html/setgain/newgain: No such file or directory
(1) Created file /usr/local/sbin/setgain.sh and copy-pasted code from your post rev3
(2) Entry in cron
sudo crontab -e, and added following line
@reboot /bin/bash /usr/local/sbin/setgain.sh
(3) In file /usr/share/dump1090-fa/html/setgain.php, I have done following 2 changes:
Read file /var/www/html/setgain/newgain and displayed output in red as Current Gain:
<div><font color=#ff0000 face="'Helvetica Neue', Helvetica, Arial, sans-serif">Current Gain: <?php system('cat /var/www/html/setgain/newgain');?> </font></div>
Commented out following line
system("/var/www/html/setgain/setgain.sh $gain >> /tmp/gain.log 2>&1");
(4) Rebooted PI, Cleared browser cache, reloaded browser
@send2gl Blocking outgoing ports as you suggested is utter hogwash. I explained why that is the case.
The question is not if the pi is vulnerable.
The question is: If the pi is vulnerable, do your suggestions help?
The answer is: They do not.
You said you are no expert, so why not just accept that your suggestion is wrong or at least explain in which scenario exactly it might help?
I’m sorry i guess i should have explained better.
(3) to read the current gain it needs to read /var/www/html/setgain/currentgain
to set gain you need to do an system("echo 33 > /var/www/html/setgain/newgain")
with the gain value.
Now to the actual problem: the echo should be working and it should be working without sudo
as well as with sudo
the script is probably not running.
try sudo /bin/bash /usr/local/sbin/setgain.sh and see what it does.
probably needs an sudo chmod u+x /usr/local/sbin/setgain.sh 
(hmm no that’s not needed when starting it with bash)
All this was just an rough outline i kinda assumed you were a bit more familiar with all the scripting stuff as much as you have done.
But with these changes it should work. All that is for the piaware card.
For the sed version you would need to put that in the setgain.sh
sudo /bin/bash /usr/local/sbin/setgain.sh
/usr/local/sbin/setgain.sh: line 2: /var/html/setgain/log: No such file or directory
mkfifo: cannot create fifo '/var/html/setgain/newgain': No such file or directory
Nice thing about a suggestion is - you don’t have to take the advice.
Of course it helps, two padlocks on a door is more of a deterrent that one, why do you think the private/public key pairs also have an ‘option’ for a password. An extra lever of security.
Geffers
Yeah you should probably also put a note in your house asking burglars not to steal anything.
Just a suggestion.
I think i used the wrong directory. You were using /var/html/gain right?
Hmm no. To me it says /var/www/html/setgain does not exist.
Doooh i forgot the www
Why do you have to be so sarcastic, this is a friendly forum, I’ve made a suggestion, just a suggestion.
Geffers
I have noticed this very early and have used /var/www/html/ wherever you mentioned /var/html/. Please see my scripts I have sent you by PM.
I checked them the www is missing there too.
Probably you used the new version and didn’t change it again?
Oooops!
you are right. Originally I have inserted /www, but when I coped ver 3 of your script, I forgot to insert /www in it!
And I was trying these on Raspbian Stretch with (piaware + dump1090-fa) package install !!!
with the package install you will need to change it but you have probably already done that
Yes, two lines in your code I have changed as follows (commented out lines are from your code, uncommented are replacement I provided)
Still not working in package install.
Will now burn Piaware SD card image and try your script on it.
# piaware-config -show rtlsdr-gain > /var/www/html/setgain/currentgain # read current gain so it can be read out
awk '{for(i=1;i<=NF;i++) if ($i=="--gain") print $(i+1)}' > /var/www/html/setgain/currentgain # read current gain so it can be read out
# piaware-config rtlsdr-gain "$line" #set new gain
sed -i '/RECEIVER_OPTIONS=.*/c\RECEIVER_OPTIONS="--device-index 0 --gain '$line' --ppm 0 --net-bo-port 30005"' /etc/default/dump1090-fa #set new gainOne error i see you are missing something with awk. It still needs /etc/default/dump1090-fa as an argument like so:
awk '{for(i=1;i<=NF;i++) if ($i=="--gain") print $(i+1)}' /etc/default/dump1090-fa > /var/www/html/setgain/currentgain
sed -i '/RECEIVER_OPTIONS=.*/c\RECEIVER_OPTIONS="--device-index 0 --gain '$line' --ppm 0 --net-bo-port 30005"' /etc/default/dump1090-fa
Setting the gain looks correct so far.
Please provide the log so i can check in case something else is a problem in the script.
Running the script on the shell may be easier than via the cronjob at first.
Oh i just checked the php script:
system("echo $gain > /var/www/html/setgain/newgain >> /tmp/gain.log 2>&1");
This does not work. You need to cut the second redirect (everything after and including >>)
(you could just redirect errors with 2>/tmp/gain.log but i don’t really see the value)
system("echo $gain > /var/www/html/setgain/newgain");
This looks better
Yes, I have already discovered this and corrected it, but it it still fails. When I change gain, the dump1090-fa fails to start because for some reason the in file /etc/default/dump1090-fa, the value after --gain is blank. The $line seems to be empty. Either it is not read from newgain or the dropdown gain value is not passed to file newgain