Security: Difference between revisions
From Internet in a Box
mNo edit summary |
mNo edit summary |
||
(6 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
'''''Some security tips | '''''Some security tips:''''' | ||
# Please confirm your '''[[FAQ#What_are_the_default_passwords | # Please confirm your '''[[FAQ#What_are_the_default_passwords%3F|passwords are secured]]'''. | ||
# Consider the strategies below to help secure your OS (downloading and/or semi-automatically installing recent security patches & updates). That is IF you find a reasonably fast Internet connection for your | # Consider the strategies below to help secure your OS (downloading and/or semi-automatically installing recent security patches & updates). That is IF you find a reasonably fast Internet connection for your IIAB, and are willing to take certain risks with packages/versions occasionally/potentially colliding. | ||
# Please read more about the | # Please read more about the <code>iiab-admin</code> Linux user and group, which allow you to log in to IIAB's Admin Console: | ||
#* https://github.com/iiab/iiab/tree/master/roles/iiab-admin | #* https://github.com/iiab/iiab/tree/master/roles/iiab-admin | ||
#* https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md | #* https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md | ||
# ''If OpenVPN is installed, [https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/ | # ''If OpenVPN is installed, [https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml developers' ssh keys are also installed] to enable remote login, for remote support during Beta programs and similar. You can disable this feature by running:'' <code>sudo rm -f /root/.ssh/authorized_keys</code>. ''NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled.'' | ||
# If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme | # If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme | ||
== | == OS, Bootloader and Firmware Updates == | ||
* Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly: | * Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly: | ||
apt update | apt update | ||
apt dist-upgrade (or "apt | apt dist-upgrade (or "apt upgrade" if you do not want a new kernel etc) | ||
apt clean (may be more comprehensive than "apt | apt clean (may be more comprehensive than "apt autoclean") | ||
apt autoremove (remove packages that were auto-installed to satisfy dependencies, but are no longer needed) | |||
<!-- | |||
* In February 2017, [http://lists.laptop.org/pipermail/server-devel/2017-February/008085.html James Cameron] suggested some may prefer to use "apt" instead of "apt-get": | * In February 2017, [http://lists.laptop.org/pipermail/server-devel/2017-February/008085.html James Cameron] suggested some may prefer to use "apt" instead of "apt-get": | ||
apt update | apt update | ||
apt full-upgrade (similar to above "apt-get dist-upgrade") | apt full-upgrade (similar to above "apt-get dist-upgrade") | ||
apt | apt clean (may be more comprehensive than "apt-get autoclean") | ||
He mentions there's a package for automated unattended upgrades, called [https://wiki.debian.org/UnattendedUpgrades "unattended-upgrades"] for those who require that (and are willing to bear the risks!) --> | |||
* Raspberry Pi 4, Raspberry Pi 5 and Raspberry Pi 400: Raspberry Pi OS automatically updates the bootloader for important bug fixes. If however manually updating the bootloader or changing the boot order proves necessary, consider [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#imager Raspberry Pi Imager], [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspi-config raspi-config], or [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#update-the-bootloader-configuration rpi-eeprom-update]. | |||
* | * Upgrading Raspberry Pi firmware is [https://www.raspberrypi.com/documentation/computers/os.html#upgrade-your-firmware not recommended] as the <code>rpi-update</code> command can be dangerous — it's far safer to wait for the next version of Raspberry Pi OS (available using the <code>apt</code> commands above). | ||
<!-- == For CentOS and Fedora servers == | |||
== For CentOS and Fedora servers == | |||
* Run <code>[http://www.cyberciti.biz/faq/redhat-fedora-centos-linux-yum-installs-security-updates/ yum -y update --security]</code> if your system already has yum-security installed, typically via <code>[https://access.redhat.com/solutions/10021 yum install yum-security]</code> (this appears preinstalled within CentOS 7.x). Be warned that --security unfortunately updates very few packages, and is not prompt in updating (administrators may prefer to run "yum update openssl", "yum update openvpn" and similar frequently, to stay up-to-date with critical CentOS ESR packages/services). | * Run <code>[http://www.cyberciti.biz/faq/redhat-fedora-centos-linux-yum-installs-security-updates/ yum -y update --security]</code> if your system already has yum-security installed, typically via <code>[https://access.redhat.com/solutions/10021 yum install yum-security]</code> (this appears preinstalled within CentOS 7.x). Be warned that --security unfortunately updates very few packages, and is not prompt in updating (administrators may prefer to run "yum update openssl", "yum update openvpn" and similar frequently, to stay up-to-date with critical CentOS ESR packages/services). | ||
Line 40: | Line 38: | ||
** yum updateinfo list security available | ** yum updateinfo list security available | ||
* Many with high-bandwidth run more complete system updates, as follows: <code>yum update</code> or <code>yum -y update</code> (followed by <code>yum clean all</code> among those who were daring). Even if arguably this installs far too many untested and diverse updates/upgrades across the board, adding too many features not directly related to security. However this is still the way to go IF you want ALL packages updated (and are willing to face many unintended consequences, with a professional Linux administration staff to recover!) | * Many with high-bandwidth run more complete system updates, as follows: <code>yum update</code> or <code>yum -y update</code> (followed by <code>yum clean all</code> among those who were daring). Even if arguably this installs far too many untested and diverse updates/upgrades across the board, adding too many features not directly related to security. However this is still the way to go IF you want ALL packages updated (and are willing to face many unintended consequences, with a professional Linux administration staff to recover!) --> | ||
== Security Blowback / Survival Tips == | == Security Blowback / Survival Tips == | ||
* | * If using an LMS, think carefully about "[https://github.com/iiab/iiab/issues/1516 Student Privacy / Medical Confidentiality best practices prior to copying/re-provisioning an IIAB"] in context with duplication techniques like "[http://wiki.laptop.org/go/IIAB/FAQ#How_do_I_back_up%2C_shrink_%26_copy_IIAB_microSD_cards%3F How do I back up, shrink & copy IIAB microSD cards?]" in [https://wiki.iiab.io/go/FAQ FAQ.IIAB.IO] | ||
<!-- | |||
* If you notice Wikipedia-like items are no longer accessible from http://box.lan, try running the following as root, which is similar to | * If you notice Wikipedia-like items are no longer accessible from http://box.lan, try running the following as root, which is similar to http://box/admin '''> Install Content > Restart Kiwix Server''': | ||
iiab-make-kiwix-lib | iiab-make-kiwix-lib | ||
systemctl restart kiwix-serve | systemctl restart kiwix-serve | ||
* If ownCloud updates itself to 8.1 or above, users visiting http://schoolserver.lan/owncloud from unknown IP addresses may face error message "You don't have permission to access /owncloud on this server." <strike>Fix guideline forthcoming from Tim Moody.</strike> NEW PROGNOSIS FEB 2017: Josh Dennis hopes to move IIAB to http://Nextcloud.com, which has stronger community support than ownCloud. Mnemonic http://box/docs stands to greatly ease field usage among young children and less literate teachers around the world. | * If ownCloud updates itself to 8.1 or above, users visiting http://schoolserver.lan/owncloud from unknown IP addresses may face error message "You don't have permission to access /owncloud on this server." <strike>Fix guideline forthcoming from Tim Moody.</strike> NEW PROGNOSIS FEB 2017: Josh Dennis hopes to move IIAB to http://Nextcloud.com, which has stronger community support than ownCloud. Mnemonic http://box/docs stands to greatly ease field usage among young children and less literate teachers around the world. --> |
Latest revision as of 07:50, 7 August 2024
Some security tips:
- Please confirm your passwords are secured.
- Consider the strategies below to help secure your OS (downloading and/or semi-automatically installing recent security patches & updates). That is IF you find a reasonably fast Internet connection for your IIAB, and are willing to take certain risks with packages/versions occasionally/potentially colliding.
- Please read more about the
iiab-admin
Linux user and group, which allow you to log in to IIAB's Admin Console: - If OpenVPN is installed, developers' ssh keys are also installed to enable remote login, for remote support during Beta programs and similar. You can disable this feature by running:
sudo rm -f /root/.ssh/authorized_keys
. NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled. - If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme
OS, Bootloader and Firmware Updates
- Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly:
apt update apt dist-upgrade (or "apt upgrade" if you do not want a new kernel etc) apt clean (may be more comprehensive than "apt autoclean") apt autoremove (remove packages that were auto-installed to satisfy dependencies, but are no longer needed)
- Raspberry Pi 4, Raspberry Pi 5 and Raspberry Pi 400: Raspberry Pi OS automatically updates the bootloader for important bug fixes. If however manually updating the bootloader or changing the boot order proves necessary, consider Raspberry Pi Imager, raspi-config, or rpi-eeprom-update.
- Upgrading Raspberry Pi firmware is not recommended as the
rpi-update
command can be dangerous — it's far safer to wait for the next version of Raspberry Pi OS (available using theapt
commands above).
Security Blowback / Survival Tips
- If using an LMS, think carefully about "Student Privacy / Medical Confidentiality best practices prior to copying/re-provisioning an IIAB" in context with duplication techniques like "How do I back up, shrink & copy IIAB microSD cards?" in FAQ.IIAB.IO