Nice tutorial. I can add a few more steps for security. I’m actively working on securing my Pis right now.
- Where possible, run all of your services as non-privileged, non-login users.
- Remove all unused users; in particular, remove the pi user and create a different one if you need to.
- Edit /etc/sysctl.conf and uncomment the following lines. The comments around these lines explain what they do and why it is a good idea:
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
- Install and configure ufw which is way easier to use and configure than iptables.
sudo apt-get install ufw
# Deny all by default
sudo ufw default deny incoming
# Allow ssh from LAN
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
# Open ports for openHAB and any other service you need access to
# Allow web access for updates
sudo ufw allow from any to any port 80 proto tcp
sudo ufw allow from any to any port 443 proto tcp
- Install and configure a Host Intrusion Detection package. I use Tripwire.
sudo apt-get install tripwire
sudo tripwire --init
sudo sh -c 'tripwire --check | grep Filename > checkResults.txt'
# In /etc/tripwire/twpol.txt, comment out the entries listed in checkResults.txt
# Then comment out:
/var/lock
/var/run
/proc
/etc/rc.boot
# Add under /proc
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/misc -> $(Device) ;
# Add under /dev
/dev/pts -> $(Device) ;
# Add under /etc
!/etc/fake-hwclock.data ;
sudo twadmin -m P /etc/tripwire/twpol.txt
sudo tripwire --init
sudo tripwire --check
# Make sure there are no more errors and no violations
# delete the twpol.txt
sudo rm /etc/tripwire/twpol.txt
# To regenerate twpol: sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'
# To incrementally update the DB: sudo tripwire --check --interactive
# To blindly accept all the changes: sudo tripwire --update -a
- Configure tripwire to send daily reports (replace the values in < > with the appropriate values for your setup):
sudo apt-get install ssmtp
# Edit /etc/ssmtp/ssmtp.conf to look like this:
root=<youremail>@gmail.com
AuthUser=<youremail>@gmail.com
AuthPass=<gmail app pass as set up in Google Accounts>
mailhub=smtp.gmail.com:587
UseTLS=YES
UseSTARTTLS=YES
rewriteDomain=gmail.com
hostname=localhost
FromLineOverride=YES
# Edit /etc/ssmtp/revaliases to contain:
root:<myaddress>@gmail.com:smtp.gmail.com:587
root@<hostname>:<myaddress>@gmail.com:smtp.gmail.com:587
<user>:<myaddress>@gmail.com:smtp.gmail.com:587
<user>@<hostname>:<myaddress>@gmail.com:smtp.gmail.com:587
# Test with: echo -e "Subject: `uname -n` test \n\n This is a test" | /usr/sbin/ssmtp -s <youremail>@gmail.com
# Add a cron job to run daily
sudo crontab -e
55 11 * * * bash -c 'echo -e "Subject: Tripwire report for `uname -n` \n\n `/usr/sbin/tripwire --check`"' | /usr/sbin/ssmtp <youremail>@gmail.com >> /dev/null 2>&1
- Where possible, run your HA devices on a segregated network. This can mean setting up a VLAN or a separate guest network in your router and putting your HA devices on one and your more sensitive computing on another. You can bridge between the two using an always-on VPN or by putting one of your devices on both networks (the OH server perhaps). Allow your HA devices to reach out to the Internet only through a proxy running on your bridge server.
- On a related note, where possible use TLS, ssh tunnels, or a VPN to communicate between your devices (e.g. set up Mosquitto to require TLS) to encrypt your network traffic, particularly if they are on wifi.
I admit I’ve not yet done 6. And there are other things you can do to secure your HA device but these are the ones I’m currently working on.
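An added check for the sysctl step in the post above (example code, not from the original post or from openHAB): a POSIX shell function that verifies the seven keys are really uncommented and set to the listed values in a sysctl.conf-style file, since a key left commented out silently keeps the kernel default. It is run here against a constructed sample file rather than the real /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the sysctl hardening
# keys listed in the post are uncommented and set to the expected values in a
# sysctl.conf-style file (e.g. /etc/sysctl.conf).

# key=value pairs exactly as the post lists them
EXPECTED='net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0'

# check_sysctl_file FILE: print one line per key that is missing, commented
# out, or set to a different value; return 1 if any such key exists, else 0.
check_sysctl_file() {
    file=$1
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Escape the dots so they match literally in grep -E
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        # Last uncommented assignment wins, as in sysctl(8); tolerate spaces around '='
        got=$(grep -E "^[[:space:]]*${pat}[[:space:]]*=" "$file" 2>/dev/null \
              | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$got" != "$want" ]; then
            printf '%s want=%s found=%s\n' "$key" "$want" "${got:-<unset>}"
            bad=1
        fi
    done
    return "$bad"
}

# make_sample_conf: write a constructed sysctl.conf fragment and print its path.
# Two keys are set correctly, one is commented out, one has the wrong value,
# and the remaining three are absent altogether.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter = 0
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_conf)
check_sysctl_file "$sample" || echo "some hardening keys are not in effect in $sample"
rm -f "$sample"
```

Point it at /etc/sysctl.conf after editing to confirm nothing was left commented out; note it checks the file, not the running kernel, so follow it with sysctl -p or a reboot.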