PiAware Firewall Hardening


#1

I noticed there is no firewall installed on PiAware. I wish to expose the unit to the public (friends, family, etc.). I can firewall it upstream on one of my other routers. I prefer not to use a router for port forwarding as the routers we use are more for other services and I don’t want to mix. How is the web server designed as far as security? Is it run on Apache, does it rotate logs? Is this designed to be public or private? My Pi may not be able to handle the load of a lot of people looking in and, worse, should anyone try and hack it.

Just wondering if you’d recommend me opening it to the public?


#2

I’m also going through this ‘existentialist dilemma’, and interested in different opinions.:sweat_smile:

I port forwarded my Pi for a time, and was accessing it from the internet. The novelty wore off quickly. I wonder why the ‘general’ public, if that’s what you mean, would care about our ‘virtual radars’. After a half dozen ‘legitimate’ visits, the only ‘public’ left would be hackers and other mischievous characters, would it not?

I tried other alternatives, such as RadarBox24 and OpenSky. They allow you to see the traffic received by your ‘radar’, minus the MLATed ones, without the risks to your equipment and network. Again, after a while, what for?

My interest is mainly the number of planes seen, and their registrations. This could be the reason why ‘interneting’ my ‘radar’ has not continued. I can see the results later, as opposed to a moment in time that does not reflect my long term interest.

Not criticizing anybody or anything, just one ‘wrong’ opinion/view, maybe?:wink:


#3

I run a WISP so I want to allow our customers access to it as well as the public. This will include many other services as well as a community service. It probably won’t get much use but I have an abundance of resources that are unused. Might as well use them for something creative and fun.


#4

Ok…my take was strictly from a hobbyist point of view, using home resources and network.

What you describe has a lot more meaning and utility. It’s a different ‘ecosystem’.


#5

Yeah if it were at home I wouldn’t keep it on either :slight_smile:


#6

Did you check here for the firewall rules…
/etc/iptables/rules.v4

The web server is lighttpd. You can edit what you want to show on skyview by going to /var/www/html and editing the files.

I would disable password login and only allow SSH keys.
Remove the extra output ports and leave only port 80.
It should be fine for security unless there is some lighttpd hack that is not patched.

Logs are rotated and kept in /var/log/.

The Skyview map is run on the connected browser and not on the Raspberry Pi. Only the plane data is handled by the Raspberry Pi and this requires minimal resources.


#7

Iptables is not installed. I checked for ufw, lfd, iptables firewalld etc. Nothing came with it.

Thanks for the lighttpd info - yeah, I was wondering, and the more I thought about this the more I don’t really care. If it gets hacked I just take it down, dump the logs, reload the chip and patch whatever is wrong. They won’t be able to do much damage from the Pi if I limit its firewall to only port 80.


#8

Maybe piaware doesn’t have iptables installed. I was looking at a FlightFeeder. Easy enough to install ufw or iptables.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "Internal webserver" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "ssh maintenance access" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT

Also, if you can put the device on a different subnet you should be fine. A lot of very cheap routers (in the ~$40 range) have subnets now.
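A quick audit of a rules file like the one above, as an added example that is not from this thread: it parses iptables-restore syntax, reports the default INPUT policy and the ports the INPUT chain ACCEPTs, so you can confirm the Pi exposes only port 80 (plus 22 if you keep SSH open). The sample ruleset embedded below is constructed to mirror the one posted; the script name and allow-list are assumptions.

```python
import re
import shlex
import sys
# Constructed sample in iptables-restore format, mirroring the ruleset posted above.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "Internal webserver" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "ssh maintenance access" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def _after(tokens, flag):
    """Value following `flag` in a tokenised rule, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def input_policy(text):
    """Default INPUT chain policy from the filter table (e.g. 'DROP'), or None."""
    m = re.search(r"^:INPUT\s+(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def open_ports(text):
    """Set of (proto, dport) pairs that INPUT rules in the filter table ACCEPT."""
    ports, in_filter = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):           # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line.startswith("-A INPUT"):
            continue
        tokens = shlex.split(line)         # handles the quoted --comment text
        dport = _after(tokens, "--dport")
        if dport and _after(tokens, "-j") == "ACCEPT":
            ports.add((_after(tokens, "-p") or "any", dport))
    return ports

def unexpected_ports(text, allowed):
    """Accepted ports outside `allowed`; an empty set means the ruleset matches intent."""
    return open_ports(text) - set(allowed)

if __name__ == "__main__":
    # Usage: python audit_rules.py [/etc/iptables/rules.v4]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print("INPUT policy:", input_policy(text))
    print("Not on the allow-list (tcp/80 only):", unexpected_ports(text, {("tcp", "80")}))
```

Run it against the real /etc/iptables/rules.v4 after editing; anything it lists beyond tcp/80 (and tcp/22 if wanted) is a port you did not mean to expose.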