[Triumf-linux-managers] Security of Linux SBCs

Andrew Daviel advax at triumf.ca
Mon Oct 26 19:08:12 PDT 2015


In the distant past (1990s), there was a variety of Unix and Linux 
computers at TRIUMF, running things like Telnet service and NFS3 over the 
internet, with DES3 passwords in /etc/passwd for anyone to see.
So we had security guidelines for updating and securing them, published 
online.

Over time as we adopted Scientific Linux and kickstart installations, 
RedHat tightened security so that SL out-of-the-box was, for most 
purposes, adequately secured and updated automatically with yum, and our 
default installations added e.g. syslog forwarding. With web 
reorganizations, our security guidelines became outdated and became lost.

In recent years, there has been a proliferation of non-RedHat systems at 
TRIUMF, not using kickstart and unable to use our RPM packages. This 
includes SBCs (single-board computers) such as Raspberry Pi and 
BeagleBoard. These devices are full Linux systems in their own right, are 
just as vulnerable as normal desktop or server systems, and are not exempt 
from normal good security practices.

Recently, a Raspberry Pi computer was found which had been placed on the 
public internet, where it was attacked on multiple occasions and used to 
host phishing websites and a network scanner.
Unlike RedHat systems which create a strong password during installation, 
this device uses a widely published default password out-of-the-box, and 
an open sudoers file (so that root access is trivial).

Please ensure that such devices are not placed on the open TRIUMF network, 
or that if they are, that they are adequately secured:

https://ccn.triumf.ca/security/linux.security
https://ccn.triumf.ca/security/linux.security.other/


Any discussion on TRIUMF Linux Users <triumf-linux-users at lists.triumf.ca>, 
please.


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
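
An added example, not part of the original message: a POSIX shell audit for the two weaknesses described above, an open sudoers rule and a default account that can still log in. The account name `pi`, the function names and the `--audit` flag are assumptions of this example; it reports that the default account is not locked, not whether its password is still the default one.

```shell
#!/bin/sh
# Added example. Paths are parameters so the checks can also be run against
# a mounted SD card image; reading a live /etc/shadow requires root.

# Print every non-comment sudoers line that grants NOPASSWD.
# $1 = sudoers file, $2 = drop-in directory (defaults to "$1.d")
open_sudo_rules() {
    dir=${2:-$1.d}
    for f in "$1" "$dir"/*; do
        [ -f "$f" ] || continue   # also skips an unmatched glob
        awk -v f="$f" '!/^[[:space:]]*#/ && /NOPASSWD/ { print f ": " $0 }' "$f"
    done
}

# Print the named accounts whose shadow entry is not locked.
# A hash field starting with "!" or "*" is locked; an empty field means
# login without any password, so it is reported as well.
# $1 = shadow file, remaining args = account names (assumed defaults)
unlocked_defaults() {
    shadow=$1; shift
    for user in "$@"; do
        awk -F: -v u="$user" '$1 == u && $2 !~ /^[!*]/ { print $1 }' "$shadow"
    done
}

# Run both checks under a filesystem root ("" = the running system).
# Returns 1 and lists the findings if anything was found, else 0.
audit_sbc() {
    root=${1:-}
    findings=$(
        open_sudo_rules "$root/etc/sudoers" | sed 's/^/open sudo rule: /'
        unlocked_defaults "$root/etc/shadow" pi | sed 's/^/default account can log in: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: sh audit.sh --audit [ROOT]
if [ "${1:-}" = "--audit" ]; then
    audit_sbc "${2:-}"
    exit $?
fi
```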

