Notes on Raspberry Pi and BPQ Security
Many Hams are taking advantage of the low-cost, low power-consumption, flexible computing platform known as the Raspberry Pi. Unfortunately, not all are savvy when it comes to computing and network security. Yet, they forge ahead and place their new nodes, APRS, WinLink Gateway, or BBS on the Raspberry Pi, plug it into the internet, and they are off and running.
Anyone who plugs their Pi into a network needs to be aware of basic security issues.
Firstly, you should know that the Pi runs Linux, which provides for multiple users. If you load a "clean" distribution, for example the Rpi Debian, you know that it is configured with at least three users, "pi", "sync" and "root" (there are usually others as well, but let's start with the basics).
When a ham configures a Rpi system, the very first thing he/she should do is to change the passwords on these three user accounts, using the Linux "passwd" command. If you are not loading a known-clean distribution, you need to be even more cautious about what's been installed on your system.
First, change the pi account password (write down the new password in a safe place!). Next, change the sync and root passwords.
Next, please run your Rpis behind a firewall. Most internet Access Points/Routers have nice firewalls which allow port forwarding. Use it. Computing access protocols like FTP, SSH, and Telnet use "standard" ports, which are favorite places for a hacker to look for your vulnerabilities. If you are going to open your firewall to access these ports from outside your LAN, for your own or your users' convenience, please have the foresight to hide these standard ports by using port forwarding. Make them accessible from the "outside" by configuring your firewall to expose them on an unused and non-standard port.
For example, the standard SSH port is 22. Have your firewall "forward" calls to a "secret" port of your choosing to port 22 on the LAN IP address of the Rpi you are addressing.
Next, if you've opened up one or more ports for FTP, SSH, telnet, or other external access, you may want to install an authentication-failure monitoring package, like fail2ban. Fail2ban will monitor your authentication logs for multiple failed attempts, and "firewall" that IP address for a specified period of time, making it more difficult for brute-force attacks, which for example may be trying to guess your passwords. This type of program is not infallible, but it provides another level of protection from malicious attacks.
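The counting described above, as an added Python example (it is not fail2ban's own code and is not part of the original notes): it scans sshd-style authentication log lines and reports which addresses would be banned, and for how long. The parameter names maxretry, findtime and bantime mirror fail2ban's jail options; the log lines, host name, addresses and the supplied year are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual sshd syslog format (not real logs).
SAMPLE_LOG = """\
Apr  9 10:00:01 raspberrypi sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Apr  9 10:00:04 raspberrypi sshd[811]: Failed password for root from 203.0.113.5 port 40002 ssh2
Apr  9 10:00:09 raspberrypi sshd[812]: Failed password for pi from 198.51.100.7 port 51000 ssh2
Apr  9 10:00:11 raspberrypi sshd[813]: Failed password for pi from 203.0.113.5 port 40003 ssh2
Apr  9 10:02:30 raspberrypi sshd[814]: Accepted password for pi from 198.51.100.7 port 51001 ssh2
Apr  9 10:40:00 raspberrypi sshd[815]: Failed password for pi from 198.51.100.7 port 51002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def find_bans(log_text, maxretry=3, findtime=600, bantime=3600, year=2016):
    """Return {ip: (ban_start, ban_end)} for IPs with maxretry failures inside findtime seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip][1]:
            continue              # address is already banned at this time
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures older than the findtime window
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_LOG).items():
        print(f"{ip} banned from {start} until {end}")
```

Two failures spread 40 minutes apart, like those from 198.51.100.7 in the sample, never trip the default window, which is why a slow guesser can stay under the threshold.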
Finally, if you are running specific applications in your ham pursuits, they may present their own vulnerabilities. For example, it is possible for non-hams to connect to your system over ham internet protocols and transmit using your equipment. This would obviously violate the terms of your amateur license. You therefore need to take steps to monitor those access points for unauthorized use, and take steps to stop or prevent it.
BPQ, for example, provides L4 node connection monitoring which can be used to prevent such an occurrence.
L4 Connections can be logged by being sure that your bpq32.cfg configuration file contains a line with the following text, beginning in column 1:
After you restart linbpq, it will begin logging AXIP connections in the linbpq startup directory. These can be monitored manually, or automatically with a cron (or other) script, for suspicious activity.
While we're at it, there is something else you should do. Be certain that your bpq32.cfg file does NOT contain a line like this:
If you have this line in your config file AND you have an AXIP port connected to the internet, you are opening your RF ports to any (possibly unlicensed) internet user!!!
Worse yet, if you have AXIP connections with other hams with RF ports (either directly or downstream), you potentially open THEIR nodes to unauthorized access to ham bands. Don't do it! Check now. Delete any such line.
If you choose to have RF ports, AND want to have AXIP connections, you can still do this by carefully mapping ONLY trusted, licensed neighbor nodes who understand and follow these guidelines. This is done by using the 'MAP' command in your config file. See G8BPQ's AXIP Configuration instructions.
The Raspberry Pi, and the rich Linux environment it provides, enables a wide array of opportunities to the Amateur, but it must be used with full awareness of the potential pitfalls.
April 9, 2016
- Joe, AG6QO