Protecting the PiAware Skyview public access

The last discussion I could find about PiAware firewall hardening was from May 2018 (a year ago from this post: PiAware Firewall Hardening - #7 by Wavedirect).

To help the community and ensure we don’t have a ton of folks running a PiAware botnet, I thought I’d put up an overview document for allowing public access to the PiAware Skyview dashboard securely. I have personally configured mine in the “great” option (last option) in the document leveraging Cloudflare, a firewall, and an Apache web server proxypass for my PiAware.

I have a mirror write up and the corresponding images and documents here (including a PDF and a Visio document that you can modify based on your setup): https://www.johndball.com/securing-the-flightaware-piaware-device-dashboard/

Because my account is new I am limited to one image. I’ve uploaded the overview image in this thread.

I’m happy to have the discussion in this thread or on my blog. Whichever helps you!

2 Likes

Hi John,

Welcome and thanks for the post.

That’s really interesting and as someone who is running your “Bad” option, I feel as though I should do more. Well, my router has a firewall so I suspect that I’m actually just about in the “Better” option.

Going to “Good” would be sufficient for me but I really wouldn’t know where to start when it comes to configuring that. How easy would it be for you to write a step-by-step guide to getting from Bad to Good? I think that would be appreciated by a lot of people.

73 Keith.

1 Like

Don’t think lighttpd is that big of a security nightmare.

Well some people install php-cgi, exposing lighttpd then might be a bad idea.
So i wouldn’t for example use the adsb receiver project and expose port 80.

1 Like

It shouldn’t be too big of an issue but you never know if some other service becomes exposed or somebody zero-days lighttpd and starts screwing around with the back end. I live in in the INFOSEC world so services exposed directly to the internet make me cringe.

I guess the same could be said for mechanics who see folks going double and triple over their oil change reminder. If you live in that world you probably become hyper-focused to the pitfalls and dangers.

1 Like

It depends on the level of complexity you want to add to the mix. If you are running a custom domain name (like KeithMa.com) and want to drive traffic to your PiAware via DNS (like PiAware.KeithMa.com) then getting started is really easy. If you are just running behind a firewall and are connecting to your PiAware via IP then the firewall-only route might be your best bet.

I could write up a PiAware-specific tutorial with Cloudflare but Cloudflare has done a much better job than I ever could when it comes to setting up an acocunt. https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website

There are a few ways to slice the pie. At the very least, a firewall sitting between the PiAware and the internet is a good first start!

1 Like

I’ll take a look at that link, thanks. What I’m mainly hosting here is the ADS-B receiver of my local radio group that you can see here. I’ve also got my own VRS on the web as well here. My firewall is pretty basic, just whatever’s built into the Netgear D7000 router with just one port forwarded over to each device.

It looks like you already have the domain names in place and that’s a good thing. All you would need to do is add the domain names to Cloudflare and set your redirects. Think of Cloudflare like another “firewall” (and DNS server due to DNS hosting) that sites in front of your Netgear.

There are other options out there besides Cloudflare. I only am mentioning that service because they have a free offering and it is darn easy to setup.

Hmm, it might not be quite so straightforward - The domain names I used there just forward to a dynamic DNS service although I am on a fixed IP. I’m about to sort out supper but will check out the Cloudflare stuff later.

I’d like to thank KN4OLA for posting this as well.

As a (retired) Computer Engineer with thirty years experience I often had to ‘pick up the pieces’ when users’ systems were compromised through an on-line attack of some sort.

IMHO, it is far too common that people with no understanding of the dangers to which they they may be exposing themselves are encouraged to punch a hole through the barely adequate firewall in their ISP supplied router to publish something or other to the web.

Don’t even get me started on UPNP!

FWIW, the default sdcard install should be fairly robust - it’s literally only serving files off disk, which is a fairly deliberate decision to try to minimize the attack surface. You’d need a major security hole in lighttpd to cause problems. (Not saying that it couldn’t happen, and do be cautious about exposing the system to the internet - but I’m not aware of any current problems)

3 Likes

I wasn’t making any particular judgment about FlightAware’s setup.

However, as @wiedehopf pointed out, installing other packages on your machine can change the situation. As a case in point, flightairmap installs php-cgi.

Over the years, I have seen too many cases where people have installed something like phpMyAdmin then having forgotten all about it, they publish something or other to the web and discover they have had their system compromised.

HTTP is known as the Universal Firewall Bypass Protocol for good reason and unless your router has Stateful Packet Inspection, whatever is on the inside needs to be very good at resisting attacks.

Setting up something like Cloudflare is not really practical when using a dynamic DNS address. My feeders are built with Stretch Lite and then the additional software installed with nothing else. Bearing in mind the comments above, I’m actually not too concerned.

Sounds good! If the situation ever changes at least you’ll have some context now.