Security

Question

Has anyone come across any interesting articles on securing the Edison?

shabaz · Answer

Everything you've mentioned are good steps. Depending on the value of what needs to be protected overall (in the home or otherwise - not talking about just equipment value, but also information value) some additional steps may be needed. HTTPS doesn't prevent MITM, in fact many commercial products do just that, because they locally terminate and create a new session to the requested resource. This has some useful purposes (e.g. determining if the user is getting good performance from the network or not), but we can't assume that there are no people out there that will do this for bad purposes. Local firewalls are good, but at the end of the day home equipment has a tiny processor and could fall over if it was overwhelmed, so blocking all incoming ports on the external router or FW is a good idea if possible. We all thought SSH was fine but that heartbleed attack vulnerability was present for years : ( And it was easy, and extremely severe.

Workshopshed · Answer

One thing that a lot of people forget to do with HTTPS is validating the certificate that is sent to you. Browsers do that automatically but often you need to configure your API calls to do so. But if your machine is compromised then that man in the middle can be sitting on your machine reading everything.

koudelad · Answer

I would say the rules will be pretty much the same as for any other GNU/Linux machine. Disabling unused services, user management, network security, physical security, ... Try googling for "linux security hardening".

koudelad · Answer

I just remembered that a few years ago I followed these HOWTOs from the Linux Documentation Project. They seem to be quite old now, however, the principles remain the same. Security Quick-Start HOWTO for Linux Linux Security HOWTO I would also recommend buying a reliable and updatable router and choose wisely, what services (ports) to publish to the internet. Nothing provides 100 % network security, but almost all the consumer brands provide many vulnerabilities that are updated after a few months (happy scenario) or never (common scenario). The situation is the same as with cell phones - only the most expensive get support (until a new product is released).

jasonwier92 · Answer

Agree on a good hardwall router/firewall, I like MikroTik, but they are not easy to setup if you are not used to them. Using IPTables on the Edison as a local firewall would be a good second layer of security (headache sometimes too).

If you are going to expose SSH, you need to block brute force attacks. SSHGuard is a good solution. It can watch your logs for SSH attacks and block the IP address. Another good solution is to also run SSH on another port than the standard 22. Like have it run on port 8002. This can be done by editing the /etc/ssh/sshd_config file and set the port like: "Port 8002". But if you do not need to expose SSH, that is best.

If you are going to expose your web interface to the population of the earth and where ever else the Internet reaches, you could run HTTPS as it will not let people in the middle study your packets.

koudelad · Answer

I also like Mikrotik devices. They now have a web interface called WebFig, which provides similar funcionality as Winbox, over web management interface. The first time setup is quite easy, as they embedded typical usage profiles, for example "Home AP". The truth is, there are still a few things to configure (disable services, remote access, set up NTP, ...). I installed three of the newer devices for home / office use and I am really happy about the way they work.

Security

Top Replies