Introduction: Securing a Raspberry Pi Web Server

Team members: Snehpal Singh, Rohan Kapadia, Mandar Pednakar, Prathamesh Timse

First, we configure the Raspberry Pi hardware using the manual, boot it, make the desired changes and set up the password.

Now, to make the Raspberry Pi our webserver, we use the following code:

First, we are going to update the clock, update our sources, then upgrade any pre-installed packages. Type the following at the command line (press return/enter after each line):

sudo dpkg-reconfigure tzdata

sudo apt-get update

sudo apt-get upgrade

Next, we want to install Hexxeh's RPI update tool to help keep Raspberry Pi up to date. To do this, run the following commands (press return/enter after each line):

sudo apt-get install ca-certificates
sudo apt-get install git-core

sudo wget https://raw.github.com/Hexxeh/rpi-update/master/r... -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

sudo rpi-update

sudo shutdown -r now

sudo apt-get install apache2 php5 libapache2-mod-php5

sudo service apache2 restart

sudo apt-get install mysql-server mysql-client php5-mysql

sudo chown -R pi /var/www

sudo apt-get install vsftpd

sudo nano /etc/vsftpd.conf

Change anonymous_enable=YES to anonymous_enable=NO. Uncomment local_enable=YES and write_enable=YES. Go to the bottom of the file and add force_dot_files=YES.

sudo service vsftpd restart

Now, we set up iptables rules to protect against common DoS attacks using the following code (run the commands as root):

# Reject spoofed packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP

iptables -A INPUT -s 169.254.0.0/16 -j DROP

iptables -A INPUT -s 172.16.0.0/12 -j DROP

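# Loopback source addresses are only spoofed when they arrive on a non-loopback interface;
# without "! -i lo" this rule would also drop the Pi's own local connections.
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP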

iptables -A INPUT -s 224.0.0.0/4 -j DROP

iptables -A INPUT -d 224.0.0.0/4 -j DROP

iptables -A INPUT -s 240.0.0.0/5 -j DROP

iptables -A INPUT -d 240.0.0.0/5 -j DROP

iptables -A INPUT -s 0.0.0.0/8 -j DROP

iptables -A INPUT -d 0.0.0.0/8 -j DROP

iptables -A INPUT -d 239.255.255.0/24 -j DROP

iptables -A INPUT -d 255.255.255.255 -j DROP

# Stop smurf attacks

iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP

iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP

iptables -A INPUT -p icmp -m icmp -j DROP

# Drop all invalid packets

iptables -A INPUT -m state --state INVALID -j DROP

iptables -A FORWARD -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state INVALID -j DROP

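# Rate-limit RST packets: this rule accepts up to 2 per second (burst 2).
# RSTs above the limit fall through to later rules and the chain policy, so they are only dropped if one of those drops them.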

iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans

# Anyone who tried to portscan us is locked out for an entire day.

iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP

iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list

iptables -A INPUT -m recent --name portscan --remove

iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.

iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"

iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
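
To see which hosts the portscan rules above have locked out, the lines they log can be summarised per source address. This is an added example, not part of the original write-up; it assumes kernel messages reach a syslog-format file such as /var/log/kern.log, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list hosts locked out by the
# portscan rules, using the lines written by --log-prefix "Portscan:".
# A listed host is dropped by the --rcheck rule before it can reach the LOG
# rule again, so each logged line marks the start of one 24-hour lockout.

# portscan_lockouts FILE [MIN] -> "<lockouts> <source IP> <last seen>" lines,
# busiest first, keeping only sources with at least MIN lockouts (default 1).
portscan_lockouts() {
    awk -v min="${2:-1}" '
        # Count only kernel-tagged lines, so other programs that merely
        # mention the prefix in their own messages are ignored.
        $5 == "kernel:" && /Portscan:/ {
            for (i = 6; i <= NF; i++)
                if ($i ~ /^SRC=/) {
                    ip = substr($i, 5)
                    hits[ip]++
                    last[ip] = $1 " " $2 " " $3
                    break
                }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip, last[ip]
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed, abridged sample in syslog + netfilter LOG layout (documentation IP ranges).
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 02:14:07 raspberrypi kernel: [ 8123.441100] Portscan:IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 LEN=60 TTL=52 PROTO=TCP SPT=51512 DPT=139 SYN
Mar  3 07:40:55 raspberrypi kernel: [27731.902300] Portscan:IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.20 LEN=44 TTL=47 PROTO=TCP SPT=40110 DPT=139 SYN
Mar  3 09:00:00 raspberrypi pi: note Portscan: SRC=192.0.2.99 is my own test
Mar  4 02:20:31 raspberrypi kernel: [94907.118800] Portscan:IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 LEN=60 TTL=52 PROTO=TCP SPT=51990 DPT=139 SYN
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
portscan_lockouts "$sample"        # every locked-out source
portscan_lockouts "$sample" 2      # sources locked out more than once
rm -f "$sample"
```

On the Pi itself, point portscan_lockouts at the real kernel log instead of the sample file.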

Now, we set up scripts for advanced firewall protection (APF) and for protection against brute force attacks (BFD):

APF:

wget http://rfxnetworks.com/downloads/apf-current.tar....
tar xfz apf-current.tar.gz

cd apf-*

sudo ./install.sh

Run it using:

sudo apf --start

BFD:

wget http://rfxnetworks.com/downloads/bfd-current.tar....
tar xfz bfd-current.tar.gz

cd bfd-*

sudo ./install.sh

Run it using:

sudo /usr/local/sbin/bfd -s

Now the webserver is secured against basic DDoS attacks and has advanced firewall protection.