Links

• Project Website
• Source Code on GitHub
• Taiga, a new open source project management tool with focus on usability
• Taiga: Free, Open Source Project Management Tool

These are my notes on the first steps of improving security on a new Raspberry Pi. The default configuration that an RPi comes with might be suitable for a development environment in a private or isolated network, but if you intend on exposing your RPi to the world then you need to tweak that configuration to be more robust. The commands mentioned here have been tested on a Raspberry Pi B+, running a fresh installation of Raspbian.

User configuration

1. This goes without saying: Change the default user's password. By default, the RPi user is pi and her password is raspberry. Change that as soon as you get your operating system runnning, either by running passwd as the pi user, or by running sudo raspi-config and selecting the option for password change.

2. Change the default user's sudo configuration. By default, the pi user can execute anything with sudo, without providing a password. As the pi user, do:

   sudo visudo
   

   ...and the change the line:

   pi ALL=(ALL) NOPASSWD: ALL
   

   ...to:

   pi ALL=(ALL) ALL
   

3. Additionally, you might want to disable the default pi user altogether, and create another user that you will use on your RPi. As the user pi, do:

   sudo adduser myuser
   

   ...and answer the questions. Only the password question is important, the rest can be left blank. Then, to make the new user a sudoer, do:

   sudo visudo
   

   ...and add this line in the end of the file:

   myuser ALL=(ALL) ALL
   

   Additionally, since login will be disabled for pi, you might as well comment out the line in /etc/sudoers that refers to that user. Finally, to disable login for the default pi user, logout from pi and login as the new user that you created, and do:

   sudo usermod --lock pi
   sudo usermod --shell /sbin/nologin pi
   

SSH Configuration

1. Forbid SSH login for user root. If your RPi is exposed to the world, it will get attacked with SSH attempts for common usernames and passwords, which is yet another reason to disable the default pi username. Another username that your RPi will be hammered with is root. Now, you can't disable the root account, but you can disallow logins for it. To do that, edit the file /etc/ssh/sshd_config, and change the line:

   PermitRootLogin yes
   

   ...with:

   PermitRootLogin no
   

   ...and then restart the SSH daemon:

   sudo service ssh restart
   

2. Restrict Incoming IPs for SSH, using entries in /etc/hosts.allow and /etc/hosts.deny. For example, I allow SSH on my RPi from my internal LAN subnets (192.168.x.x), and from one public IP only (1.2.3.4 in this example). To achieve that, put in /etc/hosts.allow:

   sshd: 192.168. 1.2.3.4
   

   ...and in /etc/hosts.deny:

   sshd: ALL
   

   Attempting to login to the RPi from a restricted host will return an error to the client:

   marios@wst ~ $ ssh [email protected]
   ssh_exchange_identification: Connection closed by remote host
   

   ...and will also create a log in /var/log/auth.log:

   Dec 13 11:40:48 rpi sshd[3456]: refused connect from 172.16.1.2 (172.16.1.2)
   

Firewall Configuration with iptables

On my RPi running a freshly installed Raspbian OS, iptables was already installed, and it was running with an empty rule set, i.e. all traffic was allowed in all directions. Furthermore, Raspbian does not include a SysV script for the iptables service, but this functionality is offered by the iptables-persistent package.

1. Install iptables-persistent, to help make the iptables rules survive a reboot:

   sudo apt-get install iptables-persistent
   

   If you accept the defaults during the installation, the currently running empty rule set of iptables will be saved in /etc/iptables/rules.v4. After the installation, you can manage your firewall with:

   service iptables-persistent {start|restart|reload|force-reload|save|flush}
   

   Here are the contents of that file, with the default configuration of the firewall:

   # Generated by iptables-save v1.4.14 on Sat Dec 13 14:23:03 2014
   *filter
   :INPUT ACCEPT [1291:113154]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [828:105910]
   COMMIT
   # Completed on Sat Dec 13 14:23:03 2014
   

2. Next, you will need to add some rules to the iptables configuration, to start blocking some traffic. There are two methods that you can apply:

   A. Replace the line :INPUT ACCEPT that defines a default policy to accept all incoming traffic), with :INPUT DROP, and then define rules that will only allow selected traffic through the firewall.

   B. Keep the default :INPUT ACCEPT policy for incoming traffic, but have one last rule that rejects all incoming traffic.

   I'm going with the second option, simply because of the convenience of copying rules from one of my CentOS machines :) Here it is then, my rules file, implementing only the restriction to SSH port to the same IPs that I mentioned earlier:

   *filter
   :INPUT ACCEPT [0:0]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [0:0]
   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   -A INPUT -p icmp -j ACCEPT
   -A INPUT -i lo -j ACCEPT
   -A INPUT -m state --state NEW -m tcp -p tcp --source 192.168.0.0/16 --dport 22 -j ACCEPT
   -A INPUT -m state --state NEW -m tcp -p tcp --source 1.2.3.4/32     --dport 22 -j ACCEPT
   -A INPUT -j REJECT --reject-with icmp-host-prohibited
   -A FORWARD -j REJECT --reject-with icmp-host-prohibited
   COMMIT
   

Summary

With these measures taken to improve the security of my Raspberry Pi, I am now more confident that I can assign it a public IP and expose it the the world, without it being a very easy target.

• So Server, tell me about yourself. An introduction to facter, osquery and sysdig

This is a list of noteworthy directories and files on Windows-based operating systems. Note that locations might differ between versions of Windows.

• C:\Windows\NTDS: On Windows 2008 R2, this is the default location for the Active Directory domain controller database and log files. The location can be on a FAT32 or NTFS partition.
• C:\Windows\SYSVOL: On Windows 2008 R2, this is the default location for the Active Directory domain controller SYSVOL. Requires NTFS.

• Static FFmpeg builds

• How to check hard disk health on Linux using smartmontools

• Setting Up Prerequisites for Oracle 12c Installation in RHEL/CentOS/Oracle Linux 6.5 – Part I
• Installing and Configuring Oracle 12c in RHEL/CentOS/Oracle Linux 6.5 – Part II

This is a quick tip on how to install the closed-source version of Virtualbox, currently at version 4.3.16, on a machine with Linux Mint 17.

This is a list of software tools that can be used to create presentations.

Installable

• LibreOffice Impress
• OpenOffice Impress

Web-based

• Reveal.js
• Bespoke.js
• Impress.js

See also

• 3 open source tools to make your presentations pop
• 3 tools to make creating presentations easy

RHEL can be installed from various different sources. One of them is over the network, from an FTP accessible repository. Here's how to create such a repository:

1. You will first need to install vsftpd from the RHEL DVD. See Install packages from RHEL DVD with yum on how to do that.

2. After you have installed vsftpd, enable it and start it:

   chkconfig vsftpd on
   service vsftpd start
   

   At this point, you should be able to open ftp://localhost/ from the same system on which you are working, which will show you the contents of the /var/ftp/pub directory, the default FTP directory on RHEL.

3. Create a directory for the repository:

   mkdir /var/ftp/pub/rhel
   

4. Copy all the files from the DVD to the repository. Assuming that either the DVD or the .iso image is mounted at /media/rhel:

   cp --recursive --archive /media/rhel/. /var/ftp/pub/rhel/
   

5. Change the SELinux context of the files in the repository:

   chcon --recursive --reference=/var/ftp/pub/ /var/ftp/pub/rhel/
   

6. At this point the repository is only accessible from the system on which it runs, since iptables by default does not allow FTP traffic from other hosts. To open this access, edit your /etc/sysconfig/iptables and add these lines before the COMMIT command:

   -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
   

   ...and reload the firewall:

   service iptables reload
   

   Alternatively, you can do from the command line:

   iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
   service iptables save