Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check system security #8

Open
3 of 6 tasks
dl1com opened this issue Jun 4, 2020 · 3 comments
Open
3 of 6 tasks

Check system security #8

dl1com opened this issue Jun 4, 2020 · 3 comments
Labels
moved from gitlab Moved from internal Gitlab
Milestone
2.0.0

Comments

@dl1com
Copy link
Contributor

dl1com commented Jun 4, 2020
edited
Loading

  • Disable SSH on tap device or secure it with a custom password
  • Update the manual and include a section on ssh config
  • Check IIO-daemon. Disable it at TAP device?
  • root password is shown in Pluto Info page (accessible at http://192.168.2.1)
  • Documentation about device_persistent_keys and device_passwd
  • Warn about default password in MOTD
@dl1com dl1com added the moved from gitlab Moved from internal Gitlab label Jun 4, 2020
@dj1an
Copy link

dj1an commented Jun 30, 2020

Should be improved with current buildroot version from GIT:
analogdevicesinc/plutosdr-fw#48

@dg8ngn
Copy link

dg8ngn commented Jul 6, 2020

Upgrading to plutosdr-fw 0.32 could close the issue: https://github.com/analogdevicesinc/plutosdr-fw/releases/tag/v0.32

@dl1com dl1com mentioned this issue Jul 6, 2020
Closed
@lukasostendorf
Copy link
Collaborator

lukasostendorf commented Jul 16, 2020
edited
Loading

The develop branch now works with plutosdr-fw v0.32, so I finally had the time to try this out. Works flawlessly!

# device_format_jffs2
# device_persistent_keys 
# device_passwd

The entered password remains after power-cycling the Pluto.

A next security issue could be the iiod daemon. By default it seems to be enabled at any network interface. Any HNAP client is able change transceiver settings of a basestation when accessing iiod via the TAP device.

iiod binds to tcp port 30431.

Another open port is for the iperf3 server (5201), this is not an issue. The device is furthermore accessible via port 80 / www, but I do not see any security issue here.

# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:5201            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:30431           0.0.0.0:*               LISTEN      
tcp        0      0 192.168.4.1:ssh         192.168.4.10:39370      ESTABLISHED 
netstat: /proc/net/tcp6: No such file or directory
udp        0      0 0.0.0.0:44860           0.0.0.0:*                           
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           
udp        0      0 0.0.0.0:5353            0.0.0.0:*

@dl1com dl1com added this to the 2.0.0 milestone Sep 17, 2020
dl1com added a commit that referenced this issue Nov 5, 2020
@dl1com
[#8] Show motd warning in case root passwd is default
116ffcd
dl1com pushed a commit that referenced this issue Nov 13, 2020
Show Version info (#49)
48b157d 
* Renamed path to firmware overlay data

* [#48] Show HNAP version in MOTD and website

* [#8] Show motd warning in case root passwd is default

* Redirect version checker to HNAP Github releases

* Remove obsole png files in buildroot msd/img folder

* Don't fail rm over nonexistant files

* Re-Add information about libiio usage as we still support this

* Fix version comparison for our version string format

* Insert HNAP version to version.js instead of firmware version
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
moved from gitlab Moved from internal Gitlab
Projects
None yet
Milestone
2.0.0
Development

No branches or pull requests
4 participants
@dl1com @dg8ngn @dj1an @lukasostendorf