How to make my GuruPlug secure

[mabuhay]

Hello

basically one question: How do I make my GuruPlug secure?

of course: change root password, make WiFi secure, good ssh and user passwords, ... but:

- should I disable the root-user (like it is default on Ubuntu)?
- If some FTP is needed, I guess only SFTP
- Is the GuruPlug (or also the Sheevaplug) secure by default or is anything running that I should take care of?

I know that I have to take care myself of any other applications that I install...

thanks for any answer. I am kind of scared just to allow "public access" (with which I mean that it is accessible though the internet) without knowing if it is secure

mfg

[sfzhi]

Well, there is no such thing as absolutely secure, short of disabling wireless and pulling the network cables out.
Seriously, it's more about how much security you find acceptable.

of course: change root password, make WiFi secure, good ssh and user passwords, ... but:

That's for sure, but in addition you should also delete all SSH keys that the plug was shipped with and generate new ones.

- should I disable the root-user (like it is default on Ubuntu)?

This is a matter of opinion. Many people consider it a good idea, but personally I believe it only gives false sense of security.

- Is the GuruPlug (or also the Sheevaplug) secure by default or is anything running that I should take care of?

No, it is not. For one thing, it has unencrypted wireless network activated automatically. Who knows what else.

I would strongly advise you to setup a firewall to block any communication except those you explicitly allow. There are lots of "how to" out there.

[mabuhay]

That's for sure, but in addition you should also delete all SSH keys that the plug was shipped with and generate new ones.

I would strongly advise you to setup a firewall to block any communication except those you explicitly allow. There are lots of "how to" out there.

Thanks, but where are the SSH-keys stored? I only know the .ssh-directory within the users home-path, but it is only used/created when I access another computer over ssh FROM the guruplug, and not TO the guruplug. Or do you mean other keys?

The firewall will follow later

mfg

[sfzhi]

Thanks, but where are the SSH-keys stored? I only know the .ssh-directory within the users home-path, but it is only used/created when I access another computer over ssh FROM the guruplug, and not TO the guruplug. Or do you mean other keys?

Yes, the keys in ~/.ssh are used only for outgoing connections, but they still should be replaced, because otherwise they are pretty useless as far as security is concerned. Since everyone has the same keys, everyone can pretend to be you when connecting to some server (if key authentication is used, of course).

There are also host keys, which are located in /etc/ssh. Those are used when accepting incoming connections to allow the client to verify the server's identity. They should be replaced too.

[mabuhay]

Alright, thx.
I never used the GuruPlug to connect to another host, so I dont even have the ~/.ssh directory.

How about the host keys in /etc/ssh? I have several files:
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub

Can I just delete these files or do I have to generate new ones with ssh? (don't remember how to do it right now, but I did that once as far as I remember)

[sfzhi]

Can I just delete these files or do I have to generate new ones with ssh? (don't remember how to do it right now, but I did that once as far as I remember)

I have seen those keys generated automatically by the sshd startup script if they don't exist. But that's up to the Linux distribution. I don't know if one on the Plug will do that.
It is always safe to create the keys manually:

Code:

ssh-keygen -t rsa -b 2048 -C hostname -f ssh_host_rsa_key
ssh-keygen -t dsa -b 1024 -C hostname -f ssh_host_dsa_key

[pietsnot]

GuruPlug Server Plus needs some major refactoring before it can be used.A recent publication suggested that the first step to wireless protection was to turn off the router broadcast. I tried it and it appears to work. But the next time I rebooted, Windows Vista Home Premium would not connect to the router.

that's a novice/stupid suggestion in that publication, 'cause :
http://synjunkie.blogspot.com/2007/12/bypass-hidden-ssid-mac-address-filter.html
..
Conclusion
Hopefully this demonstration has proven to you how simple it is for an attacker to bypass some of the more basic restrictions. Don't rely on a hidden SSID or MAC Address filtering as your only security measures. They may stop the average neighbor from using your internet connection but they will not prevent an attacker from breaking into your network and using your internet connection.
Posted by SynJunkie
Labels: Kismet, WiFi
..