rPi basic config and securing against hackers

Notes for myself as much as anything…

Install from Noobs

Change pi password

passwd

 

Get wifi working

sudo raspi-config

Check that wlan0 is getting an ip address

iwconfig

ifconfig

 

Update the rPi

sudo apt-get update

sudo apt-get upgrade

 

Change the ssh port to something other than 22

sudo nano /etc/ssh/sshd_config

change

# Port 22

to

Port newportnumber

ctrl-x save and exit

Restart SSH

sudo service ssh restart

 

Amend port forwarding on the router to reflect the new port number

 

Install fail2ban – this will block IP addresses of bots attempting to access the Pi

sudo apt-get install fail2ban

It should run as a service and be running after a restart, to check if its running

sudo /etc/init.d/fail2ban status

***Note we need to amend the config file***

sudo nano /etc/fail2ban/jail.local

[ssh]
enabled  = true
port     = sshportnumberfromearlier
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

 

Install no-ip, to update DNS with any IP changes

mkdir /home/pi/noip

cd /home/pi/noip

wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz

tar vzxf noip-duc-linux.tar.gz

cd noip-2.1.9-1

sudo make

sudo make install

sudo /usr/local/bin/noip2 starts the service.  To check the status:

sudo /usr/local/bin/noip2 -S

Have No-Ip run on startup

sudo nano /etc/rc.local

add the line /usr/local/bin/noip2 just above the exit 0

fi

/usr/local/bin/noip2
exit 0

To check no-ip is running

sudo /usr/local/bin/noip2 -S

 

So now, we have installed Raspbian, changed the default password, got everything up to date, changed the SSH port to something more obscure than the standard port 22, secured that port with fail2ban, and made the Pi reachable from outside the network.  Restarting the Pi along the way to check things are still running.

Check fail2ban is running

sudo /etc/init.d/fail2ban status

Check no-ip is running

sudo /usr/local/bin/noip2 -S

 

Advertisements

iOS7 – A corporate nightmare?

So iOS7… Pretty, and some nice features. Having to visit a rack to find no lighting, I could get the ‘torch’ from the phone with a simple swipe n press. Nice!

However, there is a flaw, which affects business use more so then home use.  With the iPhone rapidly becoming the choice of weapon over the Blackberry offerings, more and more IT departments are finding themselves with ‘stock’ iPhones in their cupboards awaiting deployment.  And with the costs associated, re-deployment is where the smart budget savings are coming in. Especially businesses that have a high turnaround if short term staff.

All well and good. Employee receives phone, employee uses phone, 3 months later, employee leaves company and hands back phone. IT dept erase phone, clean it up and it’s ready to redeploy. Even if it has to be sent away for a new screen and reboxing with accessories, that’s still a £300 saving by re-using that device.

Then along comes iOS7, with its new security features, such as not being able to erase the device without having the Apple ID and password… Yes, you can see where I’m going with this!  Is this a ploy by Apple to reduce the re-use of devices?  Sure, it was too easy to wipe a locked iOS6 (and previous) which effectively made ‘find my iPhone’ quite pointless, but IT departments NEED a method to wipe iOS7 devices that have been locked by users. For data security reasons and for redeployment. But preferably WITHOUT needing to use Apple Configurator