rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Fundamental Security questions

Sat Sep 25, 2021 2:37 pm

So, I have had 2 RPi 3+'s in our chicken coop for several years. Still running Jessie (yup, I know what you are thinking). So, I have now installed Buster on a separate card and am configuring it for exchange of the current in use SD cards.

As for the RPi's in use: Running Python/ Flask app in each which is ported to allow HTML access to GPIO's: opening and closing coop doors, reading temps of air and water (for winter times).
Nothing else is on these two RPi's, no calendars/ important documents/ contact info. Also, they are running headless.

Currently I have my modem port forward the ports to the RPi's so I can connect to them when not at home (via web) using a static address via No-IP.biz.
So, I really only need security to prevent breaching my LAN (and thereby other computers on the LAN).

Questions:
1- Is it at all worth it to run the Flask app inside a VM? Since the RPi has nothing important, would that prevent LAN hacking?
2- Or, is a VM enough to prevent hacking into my LAN?
3- If more security is needed, will NGINX be advised (I have never used it and researching it is a tad overwhelming, but I can re-read and will understand it in time if need be),
TY in advance,
Rainer

epoch1970
Posts: 7029
Joined: Thu May 05, 2016 9:33 am
Location: France

Re: Fundamental Security questions

Sat Sep 25, 2021 3:36 pm

How and why are the machines on the LAN?
If you want to avoid a LAN breach, maybe removing them from there is the simplest solution.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Sat Sep 25, 2021 3:58 pm

epoch1970,
TY for reply!
I don't have a great reason for them to be on the LAN, except, I don't know how else to do it?
They are on a separate work group, but, they are connected, via switches, to the same router.
Is it possible to isolate them with one router?
Rainer

thagrol
Posts: 5758
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Fundamental Security questions

Sat Sep 25, 2021 4:03 pm

Speaking personally, the only ports I forward on my router are the ones needed to establish an incoming VPN link. In your case, I'd either use a TAP device (which AIUI is bridgeable) or have the VPN server do the port forwarding.
I'm a volunteer. Take me for granted or abuse my support and I will walk away

All advice given is based on my experience. it worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Sat Sep 25, 2021 4:08 pm

thagrol,
TY for that as well. By VPN, do you mean utilization of venv, would that give enough security to isolate the LAN connected computers, or, would there be a way to isolate the two RPi's from the LAN as epoch is hinting to, if I read that right?

thagrol
Posts: 5758
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Fundamental Security questions

Sat Sep 25, 2021 4:41 pm

rfeyer wrote:
Sat Sep 25, 2021 4:08 pm
thagrol,
TY for that as well. By VPN, do you mean utilization of venv, would that give enough security to isolate the LAN connected computers, or, would there be a way to isolate the two RPi's from the LAN as epoch is hinting to, if I read that right?
VPN = Virtual Private Network

Instead of connecting directly to the forwarded ports (which implies the ports are exposed to everything on the internet), your remote device(s) use an encrypted tunnel to reach your network. Popular options at the moment seem to be OpenVPN and WireGuard.

You don't expose your chicken coop Pi to the entire world, just to authorised devices.

Google et al will explain it better than I can.

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Sat Sep 25, 2021 5:00 pm

Yup, I have done Googling (DuckDucking) and now my eyes are round and not closing anymore :)

with venv, I was referring to python's inert VPN, hoping an outside, paid-for VPN is not needed for your suggestion. I actually distrust VPNs from outside sources. (actually, venv is a virtual environment, so I would think functionally different than VPN)

So, would a python (venv) be sufficient to isolate from LAN?

epoch1970
Posts: 7029
Joined: Thu May 05, 2016 9:33 am
Location: France

Re: Fundamental Security questions

Sat Sep 25, 2021 6:36 pm

What model/type of router do you have (the thing you call a "modem")?
Maybe it's capable of managing more than one downstream network interface (LAN + Coop). The user manual is a sure way to tell.

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Sat Sep 25, 2021 6:49 pm

epoch
I have just found a little info on routers separating LANs - i.e.: adding a GUEST LAN? I am researching this.
My router is an Actiontec C1900A

Would that make it difficult for outsiders to hack into my home LAN from the guest LAN, yes?
Rainer

added: went into Actiontec Router and there is no configuration for guest or VLAN that I can see. Also went into documentation which does not have either

epoch1970
Posts: 7029
Joined: Thu May 05, 2016 9:33 am
Location: France

Re: Fundamental Security questions

Sat Sep 25, 2021 8:18 pm

rfeyer wrote:
Sat Sep 25, 2021 6:49 pm
Would that make it difficult for outsiders to hack into my home LAN from the guest LAN, yes?
Yes, the idea was that the guest LAN would be a rather boring place for attackers, and to get out of it they’d have to circumvent the router, which is normally quite difficult.

Unfortunately your router, for what I’ve seen online, provides a “21st century security” feature but not much else in particular.
Except it can apparently turn to simple “modem” mode. That would allow you to install a decent router behind it, and manage networks the way you want.
Openwrt runs on plenty of consumer devices and I’m pretty sure multiple LANs are no problem. Otherwise you can find relatively inexpensive prosumer hardware that will do what you want.

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Sat Sep 25, 2021 8:44 pm

greatly appreciated! And TY for double checking on the router!

Not sure at this time if I want to change the router and purchase another behind it, though I will research it. It is used as a DSL router, and, I don't know what it would do to the DSL set-up. I imagine you know it can be done, so, I will research first how it's done specifically with this router and the DSL company I am using (if that is both possible).
In the meantime:

Questions:
1- Is it at all worth it to run the Flask app inside a VM? Since the RPi has nothing important, would that prevent LAN hacking?
2- is a VM enough to prevent hacking into my LAN? (somewhat redundant question to #1, but more direct)
3- If more security is needed, will NGINX be advised (I have never used it and researching it is a tad overwhelming, but I can re-read and will understand it in time if need be),

thagrol
Posts: 5758
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Fundamental Security questions

Sat Sep 25, 2021 9:22 pm

rfeyer wrote:
Sat Sep 25, 2021 5:00 pm
Yup, I have done Googling (DuckDucking) and now my eyes are round and not closing anymore :)

with venv, I was referring to python's inert VPN, hoping an outside, paid for VPN is not needed for your suggestion. I actually distrust VPN's from outside sources. (actually, venv is a virtual environment, so I would think functionally different than VPN)

So, would a python (venv) be sufficient to isolate from LAN
Sorry, guess I was about as clear as mud...

What I'm suggesting is that you run your own VPN server for the incoming connections.

Your router only port forwards to the VPN server. Remote devices first make a VPN connection, once that is made your VPN server takes care of the routing/port forwarding to the chicken Pi.

Your Pis are not directly exposed to the internet and all traffic between them and the remote device is encrypted. Use strong key-based (rather than password) authentication for the VPN and you'll stop almost all attackers before they even get to the Pi.
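thagrol's point is that a forwarded port is reachable by everything on the internet, and the quickest way to see what that means in practice is to count what arrives at the router's WAN side. The script below is an added example written for this thread, not code from any poster or project. It parses constructed log lines in the style of a netfilter LOG target on a home router (the DROP/ACCEPT prefix is an assumption about how the owner labelled the rules, and port 5000 is assumed to be the Flask app's port), then tallies connection attempts per destination port, separating what the router dropped from what it forwarded into the LAN.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a netfilter LOG target on a home router
# (the verdict prefix is set by the owner's rules). Addresses are documentation
# ranges (TEST-NET), not real hosts. Port 5000 stands in for the Flask app's port.
SAMPLE_LOG = """\
Sep 25 20:01:02 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=54321 DPT=3389 SYN
Sep 25 20:01:05 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=54322 DPT=80 SYN
Sep 25 20:02:11 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.20 PROTO=TCP SPT=40000 DPT=22 SYN
Sep 25 20:03:40 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=80 SYN
Sep 25 20:04:01 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.20 PROTO=TCP SPT=40002 DPT=5000 SYN
Sep 25 20:05:17 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.20 PROTO=UDP SPT=51820 DPT=51820
Sep 25 20:06:00 router kernel: ACCEPT IN=eth0 OUT=br-lan SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP SPT=54330 DPT=5000 SYN
"""

# Fields of a netfilter LOG record; only the parts this report needs are captured.
LINE_RE = re.compile(
    r"(?P<verdict>DROP|ACCEPT) IN=(?P<iif>\S*) OUT=\S* SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)

# Names for ports commonly probed; 5000 = Flask is an assumption for this example.
PORT_NAMES = {22: "ssh", 80: "http", 443: "https", 3389: "rdp", 5000: "flask", 51820: "wireguard"}


def parse_line(line):
    """Return the fields of one firewall log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text, wan_iface="eth0"):
    """Count inbound attempts per destination port that arrived on the WAN interface.

    Returns total hits per port, how many the router ACCEPTed (i.e. forwarded into
    the LAN), and the set of distinct source addresses per port.
    """
    by_port, accepted, sources = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iif"] != wan_iface:
            continue  # not a firewall record, or traffic that did not come from outside
        port = rec["dport"]
        by_port[port] += 1
        sources[port].add(rec["src"])
        if rec["verdict"] == "ACCEPT":
            accepted[port] += 1
    return {"by_port": by_port, "accepted": accepted, "sources": dict(sources)}


def report(log_text, wan_iface="eth0"):
    """One line per probed port, busiest first; 'accepted' shows what reached the LAN."""
    s = summarize(log_text, wan_iface)
    lines = []
    for port, hits in sorted(s["by_port"].items(), key=lambda kv: (-kv[1], kv[0])):
        name = PORT_NAMES.get(port, "?")
        lines.append(
            f"{port:>5} {name:<10} hits={hits} "
            f"sources={len(s['sources'][port])} accepted={s['accepted'][port]}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The useful column is `accepted`: every ACCEPT on the app port is a stranger who reached the Pi directly, which is exactly what moving the forward to a VPN port removes. Run it on a real router log by feeding the file contents to `report()` and adjusting `wan_iface` to the router's WAN interface name.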

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Sat Sep 25, 2021 9:38 pm

Great, TY,

I will spend some time on researching local VPN for the RPi, that should greatly limit the number of hits!
Most of the time it is the one step forward.... But your direction should help.
Rainer

IanS
Posts: 291
Joined: Wed Jun 20, 2012 2:51 pm
Location: Southampton, England

Re: Fundamental Security questions

Mon Sep 27, 2021 10:59 am

Having a VPN server running on a Pi is a good way to have a gateway from external threats. It could be one of the coop ones or a new dedicated device. Depending on what sort of VPN you choose (e.g. OpenVPN, IPSec, Wireguard) you will need to forward one or more ports from the router to the gateway, but only the VPN port, not any web interface port. These can usually be set up to use just a username/password to allow access or can require the client to have a specific certificate too. This can be trickier to set up, but is worth it for the additional security and there are plenty of on-line guides. It is an inconvenience when the device with it on is unavailable (e.g. flat phone battery) and you are using a temporary access method - do you get the backup copy from an email you sent yourself when you set it up and install it on the temporary device? How do you remove it again afterwards?

Many domestic level routers which support what they call a guest network only allow devices on that to connect outwards, not have the outside initiate a connection to them, so using that facility may or may not work.
If your router can support multiple LAN-side network subnets then isolating externally accessed devices from the other home devices is good practice. If all the internal devices do need to be on the same subnet then use a firewall on the coop devices (iptables is enough, but there are friendlier front end configuration interfaces available). Use it to stop those devices connecting to any other internal device. Obviously any attacker that gets a foothold on those devices can try to disable the firewall, but that requires root privileges, so restrict the use of sudo.

Looking at my own router logs, I get a lot of probes on common ports such as http, rdp, etc, quite a few on more secure ports such as ssh, but very few on the VPN ports. You still get some - there will be misconfigurations such as weak username/passwords that might be exploitable.
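IanS's suggestion of a host firewall on the coop devices, shown as an added example that is not from the post or from any project: an nftables ruleset (the successor to iptables on Buster) for a coop Pi that has to stay on the shared home subnet. The LAN range, the router address, the VPN client subnet and the Flask port 5000 are placeholders. The input chain accepts the app port only from the VPN subnet; the output chain lets the Pi reach the router (so DNS, NTP and updates still work) but drops and logs any new connection the Pi itself tries to open to another host on the LAN, which is the lateral movement a compromised coop device would attempt.

```nftables
# /etc/nftables.conf on a coop Pi (added example; every address below is a placeholder)
flush ruleset

define lan        = 192.168.1.0/24   # the shared home LAN
define gateway    = 192.168.1.1      # the router
define vpn        = 10.8.0.0/24      # subnet handed to VPN clients
define flask_port = 5000             # port the Flask app listens on

table inet coop {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept                                   # local processes talking to themselves
        ct state established,related accept             # replies to connections the Pi opened
        ct state invalid drop

        # The app is reachable only through the VPN tunnel.
        ip saddr $vpn tcp dport $flask_port accept

        # Weak setting kept only while the router still forwards the app port directly;
        # delete this line once the VPN is the only way in.
        # ip saddr $gateway tcp dport $flask_port accept

        icmp type echo-request limit rate 5/second accept
        log prefix "coop-drop-in: " limit rate 10/minute # everything else is dropped and sampled to the log
    }

    chain output {
        type filter hook output priority 0; policy accept;

        ct state established,related accept
        ip daddr $gateway accept                        # DNS / NTP / default route via the router

        # New connections from the Pi to any other LAN host are the lateral movement
        # IanS describes; log them (they are a detection signal) and drop them.
        ip daddr $lan ct state new log prefix "coop-lateral: " drop
    }
}
```

Load it with `sudo nft -f /etc/nftables.conf` and enable the `nftables` service so it is applied at boot. Because changing the ruleset needs root, the point about restricting sudo on the Pi still applies: the firewall only holds as long as an intruder cannot run `nft` as root.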

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Mon Sep 27, 2021 12:08 pm

TY VM for the detailed explanation!
Now I can go forward and search specifically for 'how-to' install and configure open-VPN etc. Yesterday's search also pointed toward open-VPN being a great solution!
Again, TY

bls
Posts: 1748
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Fundamental Security questions

Mon Sep 27, 2021 1:48 pm

I run a VPN at home between two networks (long story). It works really great, and keeps my system on the "outside" of my primary LAN fully connected like it's on my network.

If you're looking for a VPN solution, OpenVPN is certainly the worst choice when considering performance. See https://www.wireguard.com/performance/, for instance.

I chose my VPN technology pre-Wireguard, and went with strongSwan, which is an ipsec/ikev2 VPN server. There are built-in clients on iOS, Windows, and MacOS, in addition to Linux (Android requires a separate client application).

Since I end up rebuilding my systems sometimes, but less frequently than the length of my retained memory, I built a tool to make it super-easy to install and configure the VPN.

If you're not wed to OpenVPN, have a look at https://github.com/gitbls/pistrong. There is an installer tool that makes installing the VPN trivial, scripts to configure an endpoint VPN server and/or a LAN-to-LAN VPN, and the main script, pistrong, which is used to manage the certificates.

pistrong can help you install and configure your VPN in less than an hour. I've used it in several other configurations, including one that runs over satellite internet from a house in the middle of the mountains. The performance is really good, with top-notch security. fail2ban can be used to monitor/block/report both breakin attempts and successful connections if desired.
Pi tools:
Quickly and easily build customized-just-for-you SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure strongSwan VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Mon Sep 27, 2021 4:57 pm

Great!
That, again, saves me a lot of additional research. It is amazing how contradictory some of the main blogs/ write ups are, beyond the 'there is a different tool for different needs' kinda thing.
I went from almost ordering a VPN router to triple Routers to VLAN.
TY again all of you! I will be able to research your Git this evening (well, 3 hours before your evening as I am on the east coast-TN).

bls
Posts: 1748
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Fundamental Security questions

Mon Sep 27, 2021 5:22 pm

rfeyer wrote:
Mon Sep 27, 2021 4:57 pm
Great!
That, again, saves me a lot of addition research. It is amazing how contradictory some of the main blogs/ write ups are, beyond the 'there is a different tool for different needs' kinda thing.
I went from almost ordering a VPN router to tripple Routers to VLAN.
TY again all of you! I will be able to research your Git this evening (well, 3 hours before your evening as I am in the east coast-TN).
Excellent. LMK if you have any questions. Happy to help.

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Mon Sep 27, 2021 6:49 pm

There will be, no doubt, questions! TY all for your time
Rainer

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Tue Sep 28, 2021 1:37 pm

OK, so I did some reading on StrongSwan and it truly sounds like a great solution.
Again, just a fundamental question:

Having two RPi's in the chicken coop running GPIO manipulating apps (to be accessed via LAN or web) and having one Windows PC running 12 IP cameras, and then having two other main computers running Linux Mint20,

does the following make sense:

1- Install StrongSwan Server on each RPi, and the Windows PC with the IP Cams
2- Having each StrongSwan server accessible with individual port forwards from the router

Rainer

bls
Posts: 1748
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Fundamental Security questions

Tue Sep 28, 2021 3:00 pm

rfeyer wrote:
Tue Sep 28, 2021 1:37 pm
OK, so I did some reading on StrongSwan and it truly sounds like a great solution.
Again, just a fundamental question:

Having two RPi's in the chicken coop running GPIO manipulating apps (to be accessed via LAN or web) and having one Windows PC running 12 IP cameras, and then having two other main computers running Linux Mint20,

does the following make sense:

1- Install StrongSwan Server on each RPi, and the Windows PC with the IP Cams
2- Having each StrongSwan server accessible with individual port forwards from the router

Rainer
Most (all?) routers only allow a single port to be forwarded to a single server, and AFAIK strongSwan does not allow the ports to be changed.

Which side of the router are the Windows PC and two other main computers on? Coop or house?

You can certainly have a single VPN server in the coop and have all traffic from the coop to the house route through that single VPN server.

In this configuration the VPN "client" would be in the house, and initiate the VPN connection to the server in the coop, for security reasons. I have a small service (that I can make available) that tries to keep the VPN connection up. You'd run this on the VPN endpoint in your house.

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Tue Sep 28, 2021 3:17 pm

Wow, again, the more reading I do the more confusing it gets!

So, I currently have one Router modem (Actiontec1900) which serves the RPI's and the Linux PC's and the Windows PC (which has the IPCams, which I am most worried about).

I am currently routing (from Router/Modem) into the Windows PC's Camera software (BlueIris, irreplaceable in Linux as I have 12 cams).

So, I am looking to separate the RPI streams and the IPCam streams, i.e., protecting the Linux boxes which have all the important info on it.

Would a Swan server on each RPi and the Windows make sense to isolate from the Linux boxes?
Rainer

bls
Posts: 1748
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Fundamental Security questions

Tue Sep 28, 2021 4:02 pm

rfeyer wrote:
Tue Sep 28, 2021 3:17 pm
Wow, again, the more reading I do the more confusing it gets!

So, I currently have one Router modem (Actiontec1900) which serves the RPI's and the Linux PC's and the Windows PC (which has the IPCams, which I am most worried about).

I am currently routing (from Router/Modem) into the Windows PC's Camera software (BlueIris, irreplaceable in Linux as I have 12 cams).

So, I am looking to separate the RPI streams and the IPCam streams, i.e., protecting the Linux boxes which have all the important info on it.

Would a Swan server on each RPi and the Windows make sense to isolate from the Linux boxes?
Rainer
Sorry, I must be thick this morning…I’m not sure that I understand your network topology. Would this be it?

House network——modem——router——Windows,Linux,Pi systems

If the above is correct, where would you like to have the VPN server on each of the coop side and the home side?

I also don’t understand what you mean by “separate the RPi streams and the IPCam streams”, and “protecting the Linux boxes”.

Would you be so kind as to correct my picture of your network, and explain what you mean by those two phrases?

rfeyer
Posts: 125
Joined: Sun Nov 23, 2014 9:25 pm

Re: Fundamental Security questions

Tue Sep 28, 2021 5:57 pm

Hey,
the 'thickness' is truly on my side - I am trying to wrap my head around VPN isolation, if that is even correct terminology (Medical terminology I know:))
Router/Modem
| |
Netw. Switch Netw Switch (both unmanaged)
| \ \
\ \
WinPC(IPCams) Linux PC's (Data) RPi's

So, I would like to prevent the WinPC AND the RPI's from being hacked and then steal information from the Linux PC's.

I am not so worried about anyone stealing the IPCam streams and I don't have anything important on the RPi's, except logs showing when doors opened and closed and what temperature the water is in the winter hour by hour.

I will need the ability to, via internet, connect to the WinPC (to check on home and animals in our absence) and connect to the RPI's (to turn on GPIO's such as water heater / close doors, check current temps).
The WinPC runs BlueIris and the RPI's are running Python/ Flask apps. The WinPC and the apps have ports which are ported from router for web access.
Sorry for my dense brain on this

bls
Posts: 1748
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Fundamental Security questions

Tue Sep 28, 2021 6:34 pm

rfeyer wrote:
Tue Sep 28, 2021 5:57 pm
Hey,
the 'thickness' is truly on my side - I am trying to wrap my head around VPN isolation, if that is even correct terminology (Medical terminology I know:))
Router/Modem
| |
Netw. Switch Netw Switch (both unmanaged)
| \ \
\ \
WinPC(IPCams) Linux PC's (Data) RPi's

So, I would like to prevent the WinPC AND the RPI's from being hacked and then steal information from the Linux PC's.

I am not so worried about anyone stealing the IPCam streams and I don't have anything important on the RPi's, except logs showing when doors opened and closed and what temperature the water is in the winter hour by hour.

I will need the ability to, via internet, connect to the WinPC (to check on home and animals in our absence) and connect to the RPI's (to turn on GPIO's such as water heater / close doors, check current temps).
The WinPC runs BlueIris and the RPI's are running Python/ Flask apps. The WinPC and the apps have ports which are ported from router for web access.
Sorry for my dense brain on this
I think that helps :roll:. Where would you envision the VPN being? Running across between your house and the router/modem, or in the coop to isolate the Linux system from everything else? Or both? Maybe you need two VPNs?

Stepping back from your particular situation, this doesn't seem much different than any home LAN network, where one of the systems (say the Linux system) has important stuff on it. In such a case, one would typically lock down the network at the door (your router/modem), and make sure that all the systems behind that router/modem are locked down as well.

So, of course I have a few more questions now :lol: :

Are the network and systems in the coop secure so that no undesirable people can get on that network, either wirelessly or with physical access by plugging into a network switch?

You said initially that you want to be able to access your coop network when you're not at home. Presumably this would be over a VPN from a device you have with you (phone, whatever). Is that correct?

How do you access the coop network today from home, and remotely, and how do you think about accessing it in your new implementation?

If the Linux system has some sort of crown jewels on it, why is it in the coop instead of on your house LAN? Seems to me that would be more secure, both physically and from a network perspective.

Based on the information you've provided so far, that's what I'd do. I'd put the Linux system on your house LAN, and use a VPN between your house and the coop, and use that same VPN server on the coop LAN to provide access to the coop systems when you aren't home. Why would this configuration not work for you? (not challenging you, just trying to help you figure out the best network topology).
