Security: Difference between revisions
From Internet in a Box
mNo edit summary |
|||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
'''''Some security tips | '''''Some security tips:''''' | ||
# Please confirm your '''[[FAQ#What_are_the_default_passwords%3F|passwords are secured]]'''. | # Please confirm your '''[[FAQ#What_are_the_default_passwords%3F|passwords are secured]]'''. | ||
Line 6: | Line 6: | ||
#* https://github.com/iiab/iiab/tree/master/roles/iiab-admin | #* https://github.com/iiab/iiab/tree/master/roles/iiab-admin | ||
#* https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md | #* https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md | ||
# ''If OpenVPN is installed, [https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml developers' ssh keys are also installed] to enable remote login, for remote support during Beta programs and similar. You can disable this feature by running: <code>sudo rm -f /root/.ssh/authorized_keys</code>. NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled.'' | # ''If OpenVPN is installed, [https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml developers' ssh keys are also installed] to enable remote login, for remote support during Beta programs and similar. You can disable this feature by running:'' <code>sudo rm -f /root/.ssh/authorized_keys</code>. ''NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled.'' | ||
# If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme | # If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme | ||
Line 42: | Line 42: | ||
== Security Blowback / Survival Tips == | == Security Blowback / Survival Tips == | ||
* | * If using an LMS, think carefully about "[https://github.com/iiab/iiab/issues/1516 Student Privacy / Medical Confidentiality best practices prior to copying/re-provisioning an IIAB"] in context with duplication techniques like "[http://wiki.laptop.org/go/IIAB/FAQ#How_do_I_back_up%2C_shrink_%26_copy_IIAB_microSD_cards%3F How do I back up, shrink & copy IIAB microSD cards?]" in [https://wiki.iiab.io/go/FAQ FAQ.IIAB.IO] | ||
<!-- | <!-- | ||
* If you notice Wikipedia-like items are no longer accessible from http://box.lan, try running the following as root, which is similar to http://box/admin '''> Install Content > Restart Kiwix Server''': | * If you notice Wikipedia-like items are no longer accessible from http://box.lan, try running the following as root, which is similar to http://box/admin '''> Install Content > Restart Kiwix Server''': |
Latest revision as of 07:50, 7 August 2024
Some security tips:
- Please confirm your passwords are secured.
- Consider the strategies below to help secure your OS (downloading and/or semi-automatically installing recent security patches & updates). That is IF you find a reasonably fast Internet connection for your IIAB, and are willing to take certain risks with packages/versions occasionally/potentially colliding.
- Please read more about the
iiab-admin
Linux user and group, which allow you to log in to IIAB's Admin Console: - If OpenVPN is installed, developers' ssh keys are also installed to enable remote login, for remote support during Beta programs and similar. You can disable this feature by running:
sudo rm -f /root/.ssh/authorized_keys
. NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled. - If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme
OS, Bootloader and Firmware Updates
- Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly:
apt update apt dist-upgrade (or "apt upgrade" if you do not want a new kernel etc) apt clean (may be more comprehensive than "apt autoclean") apt autoremove (remove packages that were auto-installed to satisfy dependencies, but are no longer needed)
- Raspberry Pi 4, Raspberry Pi 5 and Raspberry Pi 400: Raspberry Pi OS automatically updates the bootloader for important bug fixes. If however manually updating the bootloader or changing the boot order proves necessary, consider Raspberry Pi Imager, raspi-config, or rpi-eeprom-update.
- Upgrading Raspberry Pi firmware is not recommended as the
rpi-update
command can be dangerous — it's far safer to wait for the next version of Raspberry Pi OS (available using theapt
commands above).
Security Blowback / Survival Tips
- If using an LMS, think carefully about "Student Privacy / Medical Confidentiality best practices prior to copying/re-provisioning an IIAB" in context with duplication techniques like "How do I back up, shrink & copy IIAB microSD cards?" in FAQ.IIAB.IO