Previous posts for this project:
- [CaTS] ForgetMeNot - Index
- [CaTS] ForgetMeNot - Week 0: Project Description
- [CaTS] ForgetMeNot - Week 1: EnOceanPi and Sensors
- [CaTS] ForgetMeNot - Week 2: Elro CoCo and Pi Cam with OpenHAB
- [CaTS] ForgetMeNot - Week 3: Data persistence and charts with OpenHAB
- [CaTS] ForgetMeNot - Week 4: Arduino-OpenHAB communication
- [CaTS] ForgetMeNot - Week 5: Getting familiar with EAGLE
- [CaTS] ForgetMeNot - 3D Printing: EnOcean sensor bracket
- [CaTS] ForgetMeNot - 3D Printing: EnOcean rocker switch and magnet holder
- [CaTS] ForgetMeNot - 3D Printing: Food dispenser prototype
- [CaTS] ForgetMeNot - 3D Printing: Weighing scale
Introduction
In this post I will document some basic, easy-to-implement changes that improve the security of your (IoT) project.
Some may sound very obvious, but have you taken the time to apply them?
Passwords
Disable root access
By default, root access is already disabled on the Raspberry Pi. I had temporarily enabled it to make updating files easier, but it should not be left that way.
To remove the root password and thus remove root access, execute the following command:
passwd -d root
Change default password
Raspbian and other distros for the Raspberry Pi all come configured with a default user and password (usually "pi" / "raspberry").
It is strongly recommended to at least change the default password, and possibly the username as well.
passwd pi
Strong password
Finally, pick a strong password: a minimum of eight characters, combining upper and lower case letters, numbers and special characters.
You can take a normal, easy to remember word and replace some letters, for example: "element14" could become "E!em3nT14".
This doesn't apply only to your user account on the Pi, but also to other applications requiring credentials, such as MySQL, OpenHAB, etc.
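The following shell script is an added example, not part of the original post: it checks the three password steps above (root login, default account, password strength) so you can verify them rather than assume them. The functions take their input as arguments, which is what lets them run against constructed samples; `audit_live_system` (a hypothetical name) wires them to the real `passwd -S` and `/etc/passwd` when the script is started with `--live` as root.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for the
# password steps. Each function takes its input as an argument so it can be
# exercised on constructed samples; --live runs them on the real system.

# Parse one line of `passwd -S` output ("user STATUS date min max warn inact")
# and print STATUS: P = usable password, L = locked, NP = no password at all.
account_password_state() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Succeed only when password login to the account is impossible. Only a
# locked account (L) counts: `passwd -d` yields NP, an empty password, which
# a PAM stack configured with nullok can still accept.
password_login_disabled() {
    [ "$(account_password_state "$1")" = "L" ]
}

# Check a candidate password against the policy from the post: at least
# eight characters with upper case, lower case, a digit and a special
# character. Demonstration only: a real check should read from stdin,
# since arguments are visible in the process list.
password_meets_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    printf '%s\n' "$pw" | grep -q '[[:upper:]]' || return 1
    printf '%s\n' "$pw" | grep -q '[[:lower:]]' || return 1
    printf '%s\n' "$pw" | grep -q '[[:digit:]]' || return 1
    printf '%s\n' "$pw" | grep -q '[^[:alnum:]]' || return 1
}

# The default password cannot be read back, so the closest check is whether
# the well-known account name still exists. Second argument: passwd file
# (defaults to /etc/passwd; the test passes a constructed copy).
default_user_present() {
    grep -q "^$1:" "${2:-/etc/passwd}"
}

# Run the checks on this machine (needs root for `passwd -S`).
audit_live_system() {
    if password_login_disabled "$(passwd -S root)"; then
        echo "root: password login disabled"
    else
        echo "root: still has a usable or empty password"
    fi
    if default_user_present pi; then
        echo "pi: default account still present"
    fi
}

if [ "${1:-}" = "--live" ]; then
    audit_live_system
fi
```

Run it as `sudo sh audit.sh --live`. One caveat worth knowing when reading the result: `passwd -d root` empties the password rather than locking the account, so `passwd -S root` reports `NP` instead of `L`; `passwd -l root` locks it outright, which is the state the check above accepts.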
Access
Limit access
If the application allows it, you can restrict it to listening on localhost only, so that it cannot be reached remotely.
In my project, I've applied this to two applications: motion and MySQL.
MySQL
As can be seen in the fragments below, MySQL binds to localhost and will only be accessible locally:
pi@webserver ~ $ netstat -ln | grep 3306
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
Open the configuration file:
pi@webserver ~ $ less /etc/mysql/my.cnf
Ensure the "bind-address" option is set to "127.0.0.1":
[mysqld]
#
# * Basic Settings
#
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
basedir         = /usr
datadir         = /var/lib/mysql
tmpdir          = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address    = 127.0.0.1
Motion
The same applies to motion:
pi@webserver ~ $ netstat -ln | grep 8081
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN
Open the configuration file:
pi@webserver ~ $ less /etc/motion.conf
Ensure the "stream_localhost" option is set to "on":
############################################################
# Live Stream Server
############################################################

# The mini-http server listens to this port for requests (default: 0 = disabled)
stream_port 8081

...

# Restrict stream connections to localhost only (default: on)
stream_localhost on
Enable login
If an application provides the option, you should require users to log in.
OpenHAB
I have done so for OpenHAB, because I will keep it accessible remotely and I don't want anyone (too easily) controlling my home.
Edit the openhab.cfg to enable security:
# configures the security options. The following values are valid:
# ON = security is switched on generally
# OFF = security is switched off generally
# EXTERNAL = security is switched on for external requests
#            (e.g. originating from the Internet) only
# (optional, defaults to 'OFF')
security:option=ON
Edit users.cfg to specify credentials:
username=password
Restart OpenHAB. When loading the OpenHAB GUI, you will now be prompted for credentials.
The login can also be combined with HTTPS support, which is available out of the box in OpenHAB.
Just browse to:
https://<ip>:8443/openhab.app?sitemap=<sitemap>
You can find more about this at https://github.com/openhab/openhab/wiki/Security
Change default ports
Changing default ports can also help make your device less likely to be a target.
The port can usually be changed to something else by editing the application's configuration.
SSH
Edit the SSH server configuration file:
pi@webserver ~ $ sudo nano /etc/ssh/sshd_config
Change the port to the new desired value:
# What ports, IPs and protocols we listen for
Port 2222
Restart the SSH service in order to apply the change:
pi@webserver ~ $ sudo service ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
Logging in on port 22 (the default) no longer works:
Fredericks-MacBook-Air:~ fvan1$ ssh pi@192.168.0.206
ssh: connect to host 192.168.0.206 port 22: Connection refused
The new port does:
Fredericks-MacBook-Air:~ fvan1$ ssh pi@192.168.0.206 -p 2222
pi@192.168.0.206's password:
Firewall
Finally, don't expose everything to the internet. If you have a firewall, only enable access to the services you want to be remotely accessible.
In my case, SSH might be accessible from inside the network, but it isn't from outside.
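As an added example (not from the original post) for the two steps above, the script below reads the port sshd will really use from sshd_config and produces the iptables rules that let that port be reached from the LAN only. The function names are mine, and the LAN range 192.168.0.0/24 is an assumption based on the 192.168.0.206 address used in this post; adjust it to your own network. The `--live` usage also runs `sshd -t`, which validates the configuration before the restart so a typo cannot lock you out.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the "Change default
# ports" and "Firewall" steps. LAN range 192.168.0.0/24 is an assumption.

# Print the port sshd will actually use for the given sshd_config. sshd takes
# the FIRST "Port" directive it finds, so a stale line higher up silently
# wins; with no directive at all the default is 22. Commented-out lines
# ("#Port 22") have "#Port" as their first word and are skipped.
sshd_effective_port() {
    port=$(awk '$1 == "Port" { print $2; exit }' "$1")
    printf '%s\n' "${port:-22}"
}

# Succeed when the effective port is not the default.
sshd_port_changed() {
    [ "$(sshd_effective_port "$1")" != "22" ]
}

# Print iptables rules that accept the SSH port ($1) from the LAN ($2) and
# drop every other connection attempt to it. The rules are appended to the
# INPUT chain, so run them on an otherwise empty chain or adapt the position.
ssh_firewall_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$1"
}

# Live usage: validate sshd_config, restart sshd, then show the firewall
# rules for the configured port. Keep the current session open until a
# second login on the new port has succeeded.
if [ "${1:-}" = "--live" ]; then
    port=$(sshd_effective_port /etc/ssh/sshd_config)
    sudo sshd -t && sudo service ssh restart
    echo "sshd listens on port $port; firewall rules to apply as root:"
    ssh_firewall_rules "$port" 192.168.0.0/24
fi
```

Usage: `sh ssh_port.sh --live`. The rules are printed rather than applied on purpose, so you can review them (and add them to whatever firewall script already runs at boot) before they take effect; a DROP rule for the SSH port from a remote session is exactly the kind of change you want to read twice.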
Conclusion
These are only some basic tips regarding security; there are plenty more things that can be done.
What have you done to secure your project? Do you have any additional tips?