Security: Difference between revisions
From Internet in a Box
Latest revision as of 07:50, 7 August 2024
Some security tips:
- Please confirm your passwords are secured (see the FAQ entry "What are the default passwords?": https://wiki.iiab.io/go/FAQ#What_are_the_default_passwords%3F).
- Consider the strategies below to help secure your OS (downloading and/or semi-automatically installing recent security patches & updates). That is IF you find a reasonably fast Internet connection for your IIAB, and are willing to take certain risks with packages/versions occasionally/potentially colliding.
- Please read more about the iiab-admin Linux user and group, which allow you to log in to IIAB's Admin Console:
  - https://github.com/iiab/iiab/tree/master/roles/iiab-admin
  - https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
- If OpenVPN is installed, developers' ssh keys are also installed to enable remote login, for remote support during Beta programs and similar (see https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml). You can disable this feature by running: sudo rm -f /root/.ssh/authorized_keys. NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, the developer keys will be reinstalled.
- If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme
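Because reinstalling OpenVPN puts the developers' keys back, it is worth knowing at any time which keys grant remote root login. The following is an added example (not part of this wiki page or of the iiab project) that lists and counts the entries in root's authorized_keys so you can compare them against the keys you expect; the file path defaults to /root/.ssh/authorized_keys but can be overridden, and the fingerprint helper assumes ssh-keygen is installed.

```shell
#!/bin/sh
# Added example, not from the IIAB wiki or the iiab project: audit the keys that
# allow key-based ssh login as root. Run it before and after (re)installing
# OpenVPN, and whenever you want to confirm "sudo rm -f /root/.ssh/authorized_keys"
# has taken effect. All paths are overridable so the functions can be tested on
# a constructed file instead of the real one.

# Print "keytype comment" for every key line (comments and blank lines skipped).
list_authorized_keys() {
    keyfile="${1:-/root/.ssh/authorized_keys}"
    if [ ! -f "$keyfile" ]; then
        echo "no authorized_keys at $keyfile (key-based root login is not enabled)"
        return 0
    fi
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$keyfile" | awk '{
        i = 1
        # an options prefix such as from="..." or command="..." precedes the
        # key type; this simple parser assumes the prefix contains no spaces
        if ($1 !~ /^(ssh-|ecdsa-|sk-)/) i = 2
        comment = ($(i+2) != "") ? $(i+2) : "(no comment)"
        print $i, comment
    }'
}

# Number of key lines in the file; 0 when the file does not exist.
count_authorized_keys() {
    keyfile="${1:-/root/.ssh/authorized_keys}"
    if [ ! -f "$keyfile" ]; then
        echo 0
        return 0
    fi
    # grep -c exits 1 when the count is 0, so keep a clean exit status
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$keyfile" || true
}

# One fingerprint per key, for comparison against a known-good list (requires
# ssh-keygen; silently does nothing when it or the file is absent).
fingerprint_authorized_keys() {
    keyfile="${1:-/root/.ssh/authorized_keys}"
    if command -v ssh-keygen >/dev/null 2>&1 && [ -f "$keyfile" ]; then
        ssh-keygen -lf "$keyfile"
    fi
}

# Usage: sh audit-root-keys.sh [path]   (defaults to root's authorized_keys)
if [ $# -gt 0 ]; then
    echo "$(count_authorized_keys "$1") key(s) in $1"
    list_authorized_keys "$1"
    fingerprint_authorized_keys "$1"
fi
```

A count of 0 (or a missing file) after removing the file is the expected state; a count greater than 0 after OpenVPN has been reinstalled is the situation the NOTE above warns about, and the comment and fingerprint columns tell you whose keys they are.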
OS, Bootloader and Firmware Updates
- Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly:
  apt update
  apt dist-upgrade (or "apt upgrade" if you do not want a new kernel etc)
  apt clean (may be more comprehensive than "apt autoclean")
  apt autoremove (remove packages that were auto-installed to satisfy dependencies, but are no longer needed)
- Raspberry Pi 4, Raspberry Pi 5 and Raspberry Pi 400: Raspberry Pi OS automatically updates the bootloader for important bug fixes. If however manually updating the bootloader or changing the boot order proves necessary, consider Raspberry Pi Imager (https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#imager), raspi-config (https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspi-config), or rpi-eeprom-update (https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#update-the-bootloader-configuration).
- Upgrading Raspberry Pi firmware is not recommended (https://www.raspberrypi.com/documentation/computers/os.html#upgrade-your-firmware) as the rpi-update command can be dangerous; it's far safer to wait for the next version of Raspberry Pi OS (available using the apt commands above).
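The four apt commands above are usually typed by hand; an added example (not part of this wiki page or of the iiab project) of wrapping them so a failed "apt update" never proceeds to "dist-upgrade", with a log file and a check for a pending reboot. It uses apt-get rather than apt because apt's command-line interface is not intended for scripts. The log path is a choice of this example, and the /var/run/reboot-required marker is assumed to be written by the kernel packages on your system (it is on Ubuntu; verify on Raspberry Pi OS, or compare uname -r with the installed kernel package if the marker never appears).

```shell
#!/bin/sh
# Added example, not from the IIAB wiki or the iiab project: the quasi-weekly
# update sequence as a non-interactive script with logging and a reboot check.
# LOGFILE is this example's choice; override it with the environment variable.

LOGFILE="${LOGFILE:-/var/log/iiab-weekly-update.log}"

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" | tee -a "$LOGFILE"
}

# Exit status 0 when a package upgrade has flagged that a reboot is pending
# (a new kernel etc). The marker path is assumed (see lead-in) and can be
# overridden for testing.
needs_reboot() {
    marker="${1:-/var/run/reboot-required}"
    [ -f "$marker" ]
}

# The packages that requested the reboot, one per line, de-duplicated; prints
# nothing when the companion .pkgs file does not exist.
reboot_reasons() {
    pkgs="${1:-/var/run/reboot-required.pkgs}"
    if [ -f "$pkgs" ]; then
        sort -u "$pkgs"
    fi
}

# Runs the same four steps the page lists, in order, stopping at the first
# failure so a half-updated package index never feeds a dist-upgrade.
iiab_weekly_update() {
    export DEBIAN_FRONTEND=noninteractive
    log "weekly update start"
    # use "apt-get -y upgrade" instead of dist-upgrade if you do not want a new kernel
    for step in "apt-get update" "apt-get -y dist-upgrade" "apt-get clean" "apt-get -y autoremove"; do
        log "running: $step"
        if ! $step >>"$LOGFILE" 2>&1; then
            log "FAILED: $step (details in $LOGFILE)"
            return 1
        fi
    done
    if needs_reboot; then
        log "reboot required by: $(reboot_reasons | tr '\n' ' ')"
    fi
    log "weekly update finished"
}

# Usage: sudo sh iiab-weekly-update.sh run
if [ "${1:-}" = "run" ]; then
    iiab_weekly_update
fi
```

Because the loop stops on the first failing step, a mirror outage shows up as a single FAILED line in the log rather than as a partially upgraded system, and the reboot line tells you whether the new kernel is actually in use yet.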
Security Blowback / Survival Tips
- If using an LMS, think carefully about "Student Privacy / Medical Confidentiality best practices prior to copying/re-provisioning an IIAB" (https://github.com/iiab/iiab/issues/1516) in context with duplication techniques like "How do I back up, shrink & copy IIAB microSD cards?" (http://wiki.laptop.org/go/IIAB/FAQ#How_do_I_back_up%2C_shrink_%26_copy_IIAB_microSD_cards%3F) in FAQ.IIAB.IO (https://wiki.iiab.io/go/FAQ).