Security: Difference between revisions

From Internet in a Box
mNo edit summary
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''''Some security tips — that will become more professional as time goes on:'''''
'''''Some security tips:'''''


# Please confirm your '''[[FAQ#What_are_the_default_passwords%3F|passwords are secured]]'''.
# Please confirm your '''[[FAQ#What_are_the_default_passwords%3F|passwords are secured]]'''.
Line 6: Line 6:
#* https://github.com/iiab/iiab/tree/master/roles/iiab-admin
#* https://github.com/iiab/iiab/tree/master/roles/iiab-admin
#* https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
#* https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
# ''If OpenVPN is installed, [https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml developers' ssh keys are also installed] to enable remote login, for remote support during Beta programs and similar.  You can disable this feature by running: <code>sudo rm -f /root/.ssh/authorized_keys</code>.  NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled.''
# ''If OpenVPN is installed, [https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml developers' ssh keys are also installed] to enable remote login, for remote support during Beta programs and similar.  You can disable this feature by running:'' <code>sudo rm -f /root/.ssh/authorized_keys</code>.  ''NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled.''
# If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme
# If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme


== OS "apt" Updates ==
== OS, Bootloader and Firmware Updates ==


* Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly:
* Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly:
Line 16: Line 16:
   apt dist-upgrade    (or "apt upgrade" if you do not want a new kernel etc)
   apt dist-upgrade    (or "apt upgrade" if you do not want a new kernel etc)
   apt clean          (may be more comprehensive than "apt autoclean")
   apt clean          (may be more comprehensive than "apt autoclean")
  apt autoremove      (remove packages that were auto-installed to satisfy dependencies, but are no longer needed)
<!--
<!--
* In February 2017, [http://lists.laptop.org/pipermail/server-devel/2017-February/008085.html James Cameron] suggested some may prefer to use "apt" instead of "apt-get":
* In February 2017, [http://lists.laptop.org/pipermail/server-devel/2017-February/008085.html James Cameron] suggested some may prefer to use "apt" instead of "apt-get":
Line 24: Line 25:


He mentions there's a package for automated unattended upgrades, called [https://wiki.debian.org/UnattendedUpgrades "unattended-upgrades"] for those who require that (and are willing to bear the risks!) -->
He mentions there's a package for automated unattended upgrades, called [https://wiki.debian.org/UnattendedUpgrades "unattended-upgrades"] for those who require that (and are willing to bear the risks!) -->
* Finally, remove packages that were auto-installed to satisfy dependencies, but are no longer needed:
  apt autoremove<!-- (some consider this last step risky, though no known IIAB/XSCE problems have resulted as of August 2024) -->


* Raspberry Pi 4, Raspberry Pi 5 and Raspberry Pi 400: Raspberry Pi OS automatically updates the bootloader for important bug fixes. If however manually updating the bootloader or changing the boot order proves necessary, consider [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#imager Raspberry Pi Imager], [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspi-config raspi-config], or [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#update-the-bootloader-configuration rpi-eeprom-update].
* Raspberry Pi 4, Raspberry Pi 5 and Raspberry Pi 400: Raspberry Pi OS automatically updates the bootloader for important bug fixes. If however manually updating the bootloader or changing the boot order proves necessary, consider [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#imager Raspberry Pi Imager], [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspi-config raspi-config], or [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#update-the-bootloader-configuration rpi-eeprom-update].
Line 45: Line 42:
== Security Blowback / Survival Tips ==
== Security Blowback / Survival Tips ==


* Please join the design discussion "[https://github.com/iiab/iiab/issues/1516 Student Privacy / Medical Confidentiality best practices prior to copying/re-provisioning an IIAB"] and help us refine [https://wiki.iiab.io/go/FAQ FAQ.IIAB.IO] entry "[http://wiki.laptop.org/go/IIAB/FAQ#How_do_I_back_up%2C_shrink_%26_copy_IIAB_microSD_cards%3F How do I back up, shrink & copy IIAB microSD cards?]"
* If using an LMS, think carefully about "[https://github.com/iiab/iiab/issues/1516 Student Privacy / Medical Confidentiality best practices prior to copying/re-provisioning an IIAB"] in context with duplication techniques like "[http://wiki.laptop.org/go/IIAB/FAQ#How_do_I_back_up%2C_shrink_%26_copy_IIAB_microSD_cards%3F How do I back up, shrink & copy IIAB microSD cards?]" in [https://wiki.iiab.io/go/FAQ FAQ.IIAB.IO]
<!--
<!--
* If you notice Wikipedia-like items are no longer accessible from http://box.lan, try running the following as root, which is similar to http://box/admin '''> Install Content > Restart Kiwix Server''':
* If you notice Wikipedia-like items are no longer accessible from http://box.lan, try running the following as root, which is similar to http://box/admin '''> Install Content > Restart Kiwix Server''':

Latest revision as of 07:50, 7 August 2024

Some security tips:

  1. Please confirm your passwords are secured.
  2. Consider the strategies below to help secure your OS (downloading and/or semi-automatically installing recent security patches & updates). That is IF you find a reasonably fast Internet connection for your IIAB, and are willing to take certain risks with packages/versions occasionally/potentially colliding.
  3. Please read more about the iiab-admin Linux user and group, which allow you to log in to IIAB's Admin Console:
  4. If OpenVPN is installed, developers' ssh keys are also installed to enable remote login, for remote support during Beta programs and similar. You can disable this feature by running: sudo rm -f /root/.ssh/authorized_keys. NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled.
  5. If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme

OS, Bootloader and Firmware Updates

  • Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly:
  apt update
  apt dist-upgrade    (or "apt upgrade" if you do not want a new kernel etc)
  apt clean           (may be more comprehensive than "apt autoclean")
  apt autoremove      (remove packages that were auto-installed to satisfy dependencies, but are no longer needed)
  • Raspberry Pi 4, Raspberry Pi 5 and Raspberry Pi 400: Raspberry Pi OS automatically updates the bootloader for important bug fixes. If however manually updating the bootloader or changing the boot order proves necessary, consider Raspberry Pi Imager, raspi-config, or rpi-eeprom-update.
  • Upgrading Raspberry Pi firmware is not recommended as the rpi-update command can be dangerous — it's far safer to wait for the next version of Raspberry Pi OS (available using the apt commands above).

Security Blowback / Survival Tips