Security: Difference between revisions
From Internet in a Box
| Line 9: | Line 9: | ||
# If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme | # If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme | ||
== OS | == OS, Bootloader and Firmware Updates == | ||
* Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly: | * Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly: | ||
| Line 16: | Line 16: | ||
apt dist-upgrade (or "apt upgrade" if you do not want a new kernel etc) | apt dist-upgrade (or "apt upgrade" if you do not want a new kernel etc) | ||
apt clean (may be more comprehensive than "apt autoclean") | apt clean (may be more comprehensive than "apt autoclean") | ||
apt autoremove (remove packages that were auto-installed to satisfy dependencies, but are no longer needed) | |||
<!-- | <!-- | ||
* In February 2017, [http://lists.laptop.org/pipermail/server-devel/2017-February/008085.html James Cameron] suggested some may prefer to use "apt" instead of "apt-get": | * In February 2017, [http://lists.laptop.org/pipermail/server-devel/2017-February/008085.html James Cameron] suggested some may prefer to use "apt" instead of "apt-get": | ||
| Line 24: | Line 25: | ||
He mentions there's a package for automated unattended upgrades, called [https://wiki.debian.org/UnattendedUpgrades "unattended-upgrades"] for those who require that (and are willing to bear the risks!) --> | He mentions there's a package for automated unattended upgrades, called [https://wiki.debian.org/UnattendedUpgrades "unattended-upgrades"] for those who require that (and are willing to bear the risks!) --> | ||
* Raspberry Pi 4, Raspberry Pi 5 and Raspberry Pi 400: Raspberry Pi OS automatically updates the bootloader for important bug fixes. If however manually updating the bootloader or changing the boot order proves necessary, consider [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#imager Raspberry Pi Imager], [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspi-config raspi-config], or [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#update-the-bootloader-configuration rpi-eeprom-update]. | * Raspberry Pi 4, Raspberry Pi 5 and Raspberry Pi 400: Raspberry Pi OS automatically updates the bootloader for important bug fixes. If however manually updating the bootloader or changing the boot order proves necessary, consider [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#imager Raspberry Pi Imager], [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspi-config raspi-config], or [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#update-the-bootloader-configuration rpi-eeprom-update]. | ||
Revision as of 07:45, 7 August 2024
Some security tips — that will become more professional as time goes on:
- Please confirm your passwords are secured.
- Consider the strategies below to help secure your OS (downloading and/or semi-automatically installing recent security patches & updates). That is IF you find a reasonably fast Internet connection for your IIAB, and are willing to take certain risks with packages/versions occasionally/potentially colliding.
- Please read more about the
iiab-adminLinux user and group, which allow you to log in to IIAB's Admin Console: - If OpenVPN is installed, developers' ssh keys are also installed to enable remote login, for remote support during Beta programs and similar. You can disable this feature by running:
sudo rm -f /root/.ssh/authorized_keys. NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled. - If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme
OS, Bootloader and Firmware Updates
- Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly:
apt update apt dist-upgrade (or "apt upgrade" if you do not want a new kernel etc) apt clean (may be more comprehensive than "apt autoclean") apt autoremove (remove packages that were auto-installed to satisfy dependencies, but are no longer needed)
- Raspberry Pi 4, Raspberry Pi 5 and Raspberry Pi 400: Raspberry Pi OS automatically updates the bootloader for important bug fixes. If however manually updating the bootloader or changing the boot order proves necessary, consider Raspberry Pi Imager, raspi-config, or rpi-eeprom-update.
- Upgrading Raspberry Pi firmware is not recommended as the
rpi-updatecommand can be dangerous — it's far safer to wait for the next version of Raspberry Pi OS (available using theaptcommands above).
Security Blowback / Survival Tips
- Please join the design discussion "Student Privacy / Medical Confidentiality best practices prior to copying/re-provisioning an IIAB" and help us refine FAQ.IIAB.IO entry "How do I back up, shrink & copy IIAB microSD cards?"
