Security
One of the primary uses for RigPi is to allow you to control your station when you are away from home. Remote control requires that you open paths through your router to allow incoming data to establish a connection with RigPi. Without further safeguards, RigPi's password/account system is open to malicious attack that could render your RigPi useless.
While RigPi is technically capable of operating remotely across public networks like the Internet, its design and development to date have been focused on use within trusted private networks (home and/or VPN).
RigPi was tested with the Joval vulnerability scanner and no vulnerabilities were found.
https://jovalcm.com/topics/open-source-oval-scanner/
OpenVPN
A technology called OpenVPN is one way to increase protection since it uses an encrypted key at both ends of a connection to prevent others who don't have the key from invading your system.
Two links to sites that show simple ways to install OpenVPN on the RigPi server are listed below:
https://www.youtube.com/watch?v=04EmeXSZo_0
The two approaches are similar; use either one.
Fail2ban
Fail2ban is installed on RigPi to help prevent intrusions. Fail2ban attempts to alleviate attacks by providing an automated way of not only identifying possible break-in attempts, but acting upon them quickly and easily in a user-definable manner. Please Google Fail2ban for more details.
The maximum number of failed attempts and the length of time an associated IP is blocked can be set in Fail2ban. RigPi allows three failed attempts after which the IP is blocked for one hour. When one hour has lapsed the block is removed. Fail2ban protects five services in RigPi:
RigPi Web access
Mumble
phpMyAdmin
Web bots
SSH access
Real VNC provides its own intrusion protection, so it is not necessary to use Fail2ban for this purpose.
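The three-attempt, one-hour policy described above, modelled as an added example (it is not RigPi or Fail2ban code). The log format and sample lines are constructed, and the 10-minute counting window is Fail2ban's stock default, assumed here because this page does not state the value RigPi uses.

```python
import re
from datetime import datetime, timedelta

MAX_RETRY = 3                      # from the page: three failed attempts
BAN_TIME = timedelta(hours=1)      # from the page: blocked for one hour
FIND_TIME = timedelta(minutes=10)  # assumption: Fail2ban's stock default window

# Hypothetical log format and sample lines, constructed for this example.
FAIL_RE = re.compile(r"^(\S+ \S+) login failed from (\d+\.\d+\.\d+\.\d+)$")
SAMPLE_LOG = """\
2024-05-01 10:00:00 login failed from 203.0.113.7
2024-05-01 10:00:05 login failed from 198.51.100.9
2024-05-01 10:00:20 login failed from 203.0.113.7
2024-05-01 10:00:41 login failed from 203.0.113.7
2024-05-01 10:30:00 login failed from 203.0.113.7
2024-05-01 11:00:42 login failed from 203.0.113.7
"""

def simulate(log_text):
    """Return (time, action, ip) events; action is 'ban', 'blocked' or 'unban'."""
    failures = {}  # ip -> failure timestamps still inside FIND_TIME
    banned = {}    # ip -> time at which the ban expires
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        now, ip = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        # Lift every ban whose hour has lapsed before handling this attempt.
        for b_ip, until in sorted(banned.items(), key=lambda kv: kv[1]):
            if until <= now:
                events.append((until, "unban", b_ip))
                del banned[b_ip]
        if ip in banned:
            # While banned, the firewall drops the traffic before the service sees it.
            events.append((now, "blocked", ip))
            continue
        recent = [t for t in failures.get(ip, []) if now - t < FIND_TIME]
        recent.append(now)
        failures[ip] = recent
        if len(recent) >= MAX_RETRY:
            banned[ip] = now + BAN_TIME
            failures[ip] = []  # the counter starts over once the ban is in place
            events.append((now, "ban", ip))
    return events

if __name__ == "__main__":
    for when, action, ip in simulate(SAMPLE_LOG):
        print(when, action, ip)
```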
UFW
The UFW firewall is included with RigPi as an added security measure. It can be enabled or disabled. See the UFW topic in Other Programs for further details.
UFW stands for Uncomplicated Firewall. It is a user-friendly command-line tool used to manage firewall rules on Linux systems. UFW provides a simple interface for configuring and managing the netfilter firewall, which is built into the Linux kernel. It is designed to make the process of setting up a firewall easier for users who may not be familiar with complex firewall concepts.
Raspberry Pi Updates
It is critical to keep Raspberry Pi files up to date for security reasons. When vulnerabilities are present, your system can be hacked. RigPi 4 shows when updates are available on the Raspberry Pi desktop in the upper right corner. Click the update icon to start the process.
Remote RigPi Without Port Forwarding
RigPi normally requires ports to be opened on your router because that is the only way for remote browsers to connect to the RigPi server. RigPi uses a web server for radio control and a VoIP server for Mumble. By using a remote server you can forget about opening ports, port forwarding, and the security downsides to running a server on the Internet.
Real VNC (realvnc.com) provides the VNC software for the Raspberry Pi. A VNC server is installed that allows you to use VNC Viewer to access the Raspberry Pi desktop. Real VNC also provides a free way to use their server using a Home account limited to 3 computers. You must set up an account with Real VNC, but once that is done, you can connect the server on your Raspberry Pi and any viewers to their server. This simplifies establishing the necessary connections, with no port forwarding and no knowledge of your Internet IP required.
In VNC Viewer you can connect to the Raspberry Pi desktop. From there you can run RigPi or any of the digital mode programs.
You can find full instructions for using VNC on the Real VNC web site.
The other server running on RigPi that requires port forwarding is the Mumble server for two-way audio. Murmur servers are also available on the Internet for little or no cost. If you use a remote server rather than connecting to the server on RigPi, you will not need port forwarding.
One popular Mumble server service is Mumble.com. If you sign up for a 2-year account, the cost is under $4 per month. There are many other servers available (over 55 in the US alone); just check the list in Mumble>Public Servers.
ZeroTier (https://zerotier.com) is a secure service that eliminates the need for port forwarding in your router. ZeroTier is installed on RigPi.