NAS

BPi Pro Server - security concerns

6 3528
Edited by balli1187 at Wed Jan 21, 2015 13:05

Hello community,

i got a banana pi pro for christmas and really likes it There are so much projekts i could imagine and so much possibilities... woahhhhhhh!

One of the thinks i want to implement is a BaPi-Homeserver. And of course i want to access it from away. So far i know i have to use a service like DynDNS (i chose no-ip.com because its free) because of the changing IP-Address. My router does not support this service so i will implement it directly on the BaPi and use port forwarding on the router.

The access should be implemented via OpenVPN.  I'm not a network expert but as i understand it, i can easily access every other client in my Home-Lan (like my dreambox reciever) while using VPN. Secound reason for it is that it sounds quiet secure because of the VPN certificate. But never the less i'm not sure whether it is rellay safe or not.

So i can somebody please give me some hints and advices for my project? I'm worried about opening my home network to much and give access to everybody.
And of course: if i have a great misunderstanding of how the things work, please tell me ;-)

Greetings from Germany,
Stephan
Djee  
Hello Stephan,

I actually bought an banana pi (not pro) today and have a similar vision of using my BaPi as a standalone media / file server. As my current setup is using a physical PC, the power consumption is to high for these basic tasks, so it makes allot of sense to use a low-power solution to share my personal files.

The experiences I have so far with OpenVPN, FritzBox (which I assume you are using, living in Germany) and DynDNS No-IP.com, are shared below.

TL;DR: When setup OpenVPN correctly the security threats are really minimum to non existing as it is very difficult to intercept.

If you do want to be a bit more secure, as it is actually more security by obscurity, you can have a look at below tips.

Using DynDNS like no-ip.com
As this is it a very straight forward solution to a good cost friendly solution to forward your IP Address. It is also a very good way for hackers to look up for less secure home servers and exploit some security threats. They can use reverse DNS lookup, sub domains finders or use the crawlers from google to find your sub domain.

I my case I don't use domains but instead use my FritzBox to forward the new IP Address to my email address.

In case you do use domains
- Use your own domain
- Check your firewall settings (inbound open ports)

n.b.: I know that FritzBox has some default ports open (VOP, Backdoor for the ISP, ...), that's why I have 2 routers

Using default ports
As most hackers will look for default ports it makes allot of sense to use customized ports for your applications.

For OpenVPN I use my VPN IP subnet as port (eg. 10.120.60.x) 12060

Best Practice:
- Use non default ports for your applications

Hello Djee and thx for your post!

At the moment i'm using a standard router i got from my provider for free. Thats the reason why i have to install the dyndns-client on my BaPi Pro and not directly on my router.

So you say OpenVPN is quiet secure and the higher risk is by far the no-ip.com service. Is there a possibility to every conection but my VPN-Tunnel?
Another Question to your Case: You get your current IP from Fritzbox by mail. How do you use it further? I have read some Tutorials for using VPN on Raspberry/Banana Pi and as i understand it, the dyndns-domain will be used during the vpn-certificate build.
What do you mean by "Use your own domain"?

Thanks a lot for sharing your experiences and giving some advices!

Greeting, Stephan

Djee  
Edited by Djee at Fri Jan 23, 2015 15:09

Hi Stephan,

To anwser your questions:

Q: Is there a possibility to every conection but my VPN-Tunnel?
A: Not quite sure what you mean with this, the point is when using free DNS providers they provide you a sub address like stephan.hopto.org. What a hacker will do is try all sub addresses from hopto.org as they mostly are used by home users and are less secure.
Note: The risk is minimal when you configure your firewall correctly and even less when you only use OpenVPN to connect to your other services (like SSH/FTP/DLNA ect..) but just make sure to use a non-default port.

Q: You get your current IP from Fritzbox by mail. How do you use it further? ... the dyndns-domain will be used during the vpn-certificate build.
A: You don't need a domain if you use a self signed certificate. See below section certificates to explain more in details.

Q: What do you mean by "Use your own domain"?
A: Register an own domain like stefan.de, I see that no-ip.com also offers "Custom Domain" for 25 $ / Year

My personal advice is to follow the tutorial on the OpenVPN website. It explains everything very detailed in compared to many tutorials I've read so far.

OpenVPN Howto: https://openvpn.net/index.php/op ... entation/howto.html

Certificates

TL;DR
trusted Certificate Authorities: Validate your domain, in extended versions even your business, passport ect...
Self Signed Certificate Authorities: Is generated by yourself and doesn't matter if your domain exists or not.

When you generate a CA.CRT (as probably mentioned in the tutorial you are referring), you can choose whatever domain you want as its not important. You can connect to your server server.djee.de even when the certificate is registered for domain stefan.de. The important thing is the Root CA certificate and server certificate is on the actual server.

One thing you have to understand is if you don't have a certificated signed by a trusted Certificate Authority (CA) then it does not matter what you domain is (eg. stephan.de or MyCustomDomain.SomethingNotExisting), are called self signed certificates without domain validation and do not require a real existing domain. The only thing which is important is you have the CA.CRT which you generated on your server is located on your device where you launch the application.
If you don't have this ca.crt on the device you will see something like Certificate not trusted and optionally will be able to install this certificate.

Types of certificates

Server Only = Stays on Server
Client Only = Shared with clients
Server + Clients = Shared with both

FilenameNeeded ByPurposeSecret
ca.crtserver + all clientsRoot CA certificateNO
ca.keykey signing machine onlyRoot CA keyYES
dh{n}.pemserver onlyDiffie Hellman parametersNO
server.crtserver onlyServer CertificateNO
server.keyserver onlyServer KeyYES
client1.crtclient1 onlyClient1 CertificateNO
client1.keyclient1 onlyClient1 KeyYES
client2.crtclient2 onlyClient2 CertificateNO
client2.keyclient2 onlyClient2 KeyYES
client3.crtclient3 onlyClient3 CertificateNO
client3.keyclient3 onlyClient3 KeyYES


Sources:
Certificate Authority (CA): https://en.wikipedia.org/wiki/Certificate_authority
OpenVPN Howto: https://openvpn.net/index.php/op ... entation/howto.html
Certificate not trusted: https://www.sslshopper.com/asset ... ate-not-trusted.png

Djee replied at Fri Jan 23, 2015 14:57
Hi Stephan,

To anwser your questions:

Dear Djee,

And again loooooooootttttts of thx for your extensive Post.

It took  me someone days to answer cause i'm on vacation. I will read your recommended links and sites and hopfully will understand a Bit more.
To My first question: there is a word missing *D'oh* i want to block any but my vpn-connection in order to have only one gate to my home-network, which is secured by vpn.

Another question relating to the ports. I have read, that von-Tunnels are tied to https-Ports 1194 or 443 because most other ports are blocked in most networks (were the Clients are in). How did you solved that problem? If the port is blocked on the client-side I will not be able to get it working right?!?

Best regards from London,
Stephan

lmsilva  
I've once implemented a "dynamic dns service" that allows you to have dynamic dns features using your own domain...

Here's a blog post I wrote about it (it was in Portuguese, so I've used google translate to translate it for you):
https://translate.google.com/tra ... html&edit-text=

In a nutshell, here's what you have to do:
- you need to have a bind server up and running somewhere, hosting your domain name
- you setup an "allow-update" directive for the zone (e.g. domain) you want to dynamically manage
- and then you create a cron job that calls an update-dns script, which connects to bind and updates your hostname with the appropriate ip address

Its probably not want you want / need but...I thought I'd share it here (in case someone is interested)!

Hello,
The whole thing about securety got in the wrong direktion here.

1. Securety isnt a one time thing. It neede constantly work to stay secure.

if you use no-ip or another dynDNS provider or your own domain is not your problem. You got no securety trough this. The fact is that a port in your router is open and a server is listening on it.
To try to hide this isnt working. anybody who can read the man page of nmap is capable of finding the open port.

- first you shoud install a automatic updater for securety releases for your distribution on your pi/pro
- second update the firmware of you router constantly.
- best is to patch your router with ddwrt or openwrt and keep it uptodate.

@bali1187
openvpn is a mess to configure unless you realy understand it. If you concerned about securety try to use seafile as you personal cloud on the pi/pro. The risk to open your private network to the world is much smaler with this solution. And in germany the upload is limited so using of big files is much impossable from your dsl connection. If you like send me a PM (my german is much better)


LordSandwurm

You have to log in before you can reply Login | Sign Up

Points Rules