Which ASL distribution are you running? RPI2-3-4_V1.6-14-Allstar
Which Apache version are you running? Apache 2.4.18 as is provided with the image
How does the Apache version + proxy enable malicious requests? A malicious person can route web requests through the Apache server to other servers. Among other things this can potentially allow inserting malicious code into other devices, with routers being a common attack point.
What other security issues can you describe? It looks like named is enabled by default. System should use the DHCP provided DNS server (or other local network server) to maintain control of DNS. The local named running on the AllStar node has already triggered security alerts on several of my systems and appears to bog down the network with named transfers which are not needed.
Also, the provided Apache enables user directories and aliasing, both of which are potential security issues. But disabling these modules breaks Supermon.
I was seriously hacked with my first deployment of this environment and have rebuilt my network and am now carefully checking each step of the security as I move forward.
Ahh. You seem to be using a HamVoIP distribution. We don’t distribute or support HamVoIP, but I’m sure there are many people on their mailing list that can assist you.
Ok, I can say from experience that letting the default Raspberry Pi configuration for Allstar and Supermon be subject to open access on the internet will allow malicious folk to cut through the security faster than a hot knife through butter.
I can also confirm that the problems I am facing occur as part of the normal Raspberry distribution of Raspbian and are not limited to the VOIP distribution.
I believe I now have this under control. My steps were:
I scanned my IP provider's router to ensure that the management port was not accessible from the internet: there is a potential compromise to this router that makes it vulnerable from external access
I configure this router only when it is not connected to the internet so as not to compromise the admin password: there is a password spoofing hack used to get the admin password and then compromise the router using this
I placed a second internal router inside the router provided by the internet service provider
I created a segregated network for the Allstar node
I provide port forwarding rules by IP address to the Allstar node so it is not visible to unauthorized systems
I disabled the volatile file system for /var/log by editing fstab
this ensures I have persistent logs so I can track problems as they occur
I need to put in log rotation: the Apache manual has a script to do this
I disabled the named daemon and configured Raspbian to use the firewall for DNS
DNS spoofing is a classic hack
the ISP is better at securing DNS services than I am
I removed the loading at start up of all Apache modules involved with proxy: proxy is not needed for first order Supermon operation
user directories and aliases are required, which is unfortunate
When I last opened Supermon access to the internet I was attacked within minutes and hacked within probably hours. Securing Apache with Apache's software access configuration provided only incomplete protection and was not sufficient.
This new configuration has seemed stable under test so far.
If anyone has other suggestions for hardening the system or apache, I would love to hear it!
Interesting. I run a few HamVoIP nodes so I might see about securing these further. Thanks for the info!
named/bind is used only as a local caching forwarder, but it does listen on all ports from the looks of it. This is a HamVoIP only thing though – ASL doesn’t do this. They should probably restrict that to only listen on local though.
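As an added example (not code from this thread, nor from ASL or HamVoIP), here is a small POSIX shell audit for two of the items raised above: the mod_proxy modules loaded into Apache that the earlier post removed from start up, and a named/bind daemon bound to every interface rather than loopback, as the last reply notes. The module listing and socket listing embedded in the script are constructed samples in the shape of `apachectl -M` and `ss -lntu` output so it runs offline; on a real node you would pipe the live command output into the same functions. Function names and sample values are my own.

```shell
#!/bin/sh
# Added example: read-only audit checks for an AllStar/Supermon node.
# Nothing here changes the system; it only reports findings.

# Constructed sample in the shape of `apachectl -M` ("Loaded Modules:").
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 alias_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 userdir_module (shared)
 dir_module (shared)'

# Constructed sample in the shape of `ss -lntu` where named listens on 0.0.0.0.
SAMPLE_SOCKETS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:53      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80        0.0.0.0:*'

# Constructed sample where the resolver is restricted to loopback only.
CLEAN_SOCKETS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:53      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:53      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80        0.0.0.0:*'

# proxy_modules_loaded LISTING
# Prints the short name of every loaded mod_proxy* module, one per line.
proxy_modules_loaded() {
    printf '%s\n' "$1" | awk '$1 ~ /^proxy_/ { sub(/_module$/, "", $1); print $1 }'
}

# dns_wildcard_listeners LISTING
# Prints "proto address:53" for each DNS socket bound to a wildcard address
# (0.0.0.0, [::] or *); loopback-only bindings are not reported.
dns_wildcard_listeners() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^(tcp|udp)$/ && $5 ~ /^(0\.0\.0\.0|\[::\]|\*):53$/ { print $1, $5 }'
}

# audit_apache_proxy LISTING  -> returns 1 if any mod_proxy module is loaded
audit_apache_proxy() {
    found=$(proxy_modules_loaded "$1")
    if [ -n "$found" ]; then
        echo "FINDING: mod_proxy modules loaded (a2dismod them if proxying is not needed):"
        printf '%s\n' "$found" | sed 's/^/  /'
        return 1
    fi
    echo "ok: no mod_proxy modules loaded"
}

# audit_dns_listen LISTING  -> returns 1 if DNS is bound to a wildcard address
audit_dns_listen() {
    found=$(dns_wildcard_listeners "$1")
    if [ -n "$found" ]; then
        echo "FINDING: DNS listening on all interfaces (restrict with listen-on in named.conf, or disable named):"
        printf '%s\n' "$found" | sed 's/^/  /'
        return 1
    fi
    echo "ok: DNS bound to loopback only (or not running)"
}

# Demo run over the constructed samples; status is printed, not used to exit,
# so the functions above can be sourced by other scripts.
status=0
audit_apache_proxy "$SAMPLE_MODULES" || status=1
audit_dns_listen "$SAMPLE_SOCKETS"   || status=1
audit_dns_listen "$CLEAN_SOCKETS"    || status=1
echo "overall: $status (0 = clean, 1 = findings)"
```

On a live node the same checks are `audit_apache_proxy "$(apachectl -M 2>/dev/null)"` and `audit_dns_listen "$(ss -lntu)"`; the awk patterns deliberately key on the first and fifth columns so header lines and unrelated ports fall through.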