Mitch Mclaughlin

Authored Comments

Hi Paul, thank you for the thoughtful and thorough response. Security is foundational to any system and without it, you have nothing, as you have alluded to. However, I am glad to have this discussion now and I will do my best to address the issues you have raised concern with.

Like every project, it brings certain freedoms and with freedoms comes responsibilities. This project is no different. To be fair, this tutorial, if it was not clear, is intended to be the first step in setting up a personal web server not a completely scalable system. If I had the autonomy to include my entire personal web server setup in this article I would have. I get into more sophisticated personal server security techniques in later tutorials on my blog where the bulk of this project resides: https://mitchellmclaughlin.com/server.html as linked to in the original article.

What I can point to immediately is after the first boot in this article it explicitly states:

"Select the 'Expand Filesystem' option and hit the Enter key [3]. Also, I recommend selecting the second option, 'Change User Password.' It is important for security. It also personalizes your Raspberry Pi."

This change to a secure password occurs before the device is connected on the internet. So, in the improbable scenario, where an immediate brute-force attack was launched on the server upon entering the internet, a strong password would be sufficient to negate any immediate intrusion. Now, we can discuss how and what a strong password looks like. However, that lies outside the immediate steps of this tutorial. I'd refer to: http://www.usatoday.com/story/tech/columnist/komando/2015/05/15/strong-…

For brevity, what I did not mention in the article, but wanted to, is installing 'fail2ban'. Fail2Ban blocks suspicious requests coming from the internet. For example, if there are too many attempts to guess the password, it will block that IP address. To anyone reading this, I recommend installing this package and I can revise the original article to include it. It can be installed by typing into Terminal:

$ sudo apt-get install fail2ban

I will reiterate changing the default password and installing Fail2Ban is the minimum someone can do for basic security of the server. Failure to do so is an assumption of risk.

As always, keeping the operating system, applications, and software packages up to date is good practice for security. I explain this on my blog, but it's worth repeating. This will prevent any recently fixed bugs from being exploited. To make sure the system is up to date, type in Terminal:

$ sudo apt-get update
$ sudo apt-get upgrade

Raspbian operating systems (Jessie and PIXEL) are flavors of Linux Debian, and Debian comes preinstalled with a firewall. If I remember correctly, ufw (uncomplicated firewall) and iptables (another firewall package) are both preinstalled on Debian. And in later and more advanced tutorials on my blog, you will find explicit instructions for configuring iptables & Apache (web server software) where it reads:

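$ cd /etc/network
# Match the destination port: requests to the web server arrive on 80 (HTTP) and 443 (HTTPS)
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# List the active rules, then print them in iptables-save format
$ sudo iptables -L
$ sudo iptables-save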

I also then share a link to further educate and allow customization of the iptables firewall. https://fedoraproject.org/wiki/How_to_edit_iptables_rules

One thing I purposefully have not mentioned in this response is 2-factor authentication. This is the next logical step in securing a personal web server, however I have not yet found documentation on the web that implements it correctly. If I find it, I will update it here.

I want to further specifically address two comments you made.

You mention, "firstly you MUST change all default passwords, in fact you should delete the "pi" user and replace it with another username." As I said, I do recommend that as a minimum for security. However, I can't force any reader to do something they don't want. So, it’s discretionary.

You mention, "You should also remove the 'sudo' capabilities for that user." Let me elaborate. That is more secure, but I defer this decision to the user. Some prefer the convenience of using sudo over the added security even though it may not be best practice.

Permissioning and ssh keys can increase security, but I won't further discuss those topics in this response.

I think it's important to step back and keep in mind the big picture. Security is very important, yes. But personally, I caution myself from over-protecting a system. The extent to which a system administrator becomes overly paranoid or unintentionally locks him or herself out can be equally problematic (Unfortunately, I have experienced it, and it's not fun). In that extreme case, security can become paralyzing and I do not advocate for that. Balancing security principles with flexibility is difficult, but I tend to leave it up to each person. Said another way, we are debating philosophy, but I think it's clear we agree on the facts.

I also hope you are sensitive to fear mongering about security. Security can be a complex issue in targeted attacks, but speaking about it with sophisticated language to the average user can be unfavorable. To anyone reading, I'd say, basic security on the web is not extremely complicated. Taking basic steps, such as having a strong password, will prevent most intrusions and that should be the goal.

In the end, I think we agree on many things, Paul. And if everyone can take away something from the discussion, it's that taking security as seriously as you do is something to be emulated.

For further reading on basic web server security see: https://www.codelitt.com/blog/my-first-10-minutes-on-a-server-primer-fo…
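The blocking rule described in the comment above (too many password guesses from one address leads to a block) can be sketched as follows. This is an added example, not part of the original comment and not Fail2Ban's own code. The parameter names `maxretry` and `findtime` are borrowed from Fail2Ban's option names with example values, and the log lines, hostname, addresses and the `year` argument are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the sshd auth.log style (not from a real host).
SAMPLE_LOG = """\
Mar  4 10:00:01 raspberrypi sshd[801]: Failed password for pi from 203.0.113.7 port 40110 ssh2
Mar  4 10:00:05 raspberrypi sshd[801]: Failed password for pi from 203.0.113.7 port 40110 ssh2
Mar  4 10:00:09 raspberrypi sshd[803]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  4 10:00:30 raspberrypi sshd[805]: Failed password for pi from 198.51.100.20 port 51000 ssh2
Mar  4 10:00:40 raspberrypi sshd[807]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  4 10:01:02 raspberrypi sshd[809]: Failed password for pi from 203.0.113.7 port 40116 ssh2
Mar  4 10:06:30 raspberrypi sshd[811]: Failed password for pi from 198.51.100.20 port 51002 ssh2
Mar  4 10:12:30 raspberrypi sshd[813]: Failed password for pi from 198.51.100.20 port 51004 ssh2
Mar  4 10:12:45 raspberrypi sshd[815]: Accepted password for pi from 192.0.2.10 port 52000 ssh2
"""

# Captures the syslog timestamp and the source IPv4 address of a failed login.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) "
)

def find_offenders(log_text, maxretry=5, findtime=600, year=2017):
    """Return {ip: time of the failure that reached maxretry within findtime seconds}.

    Syslog timestamps carry no year, so `year` is supplied by the caller (assumption).
    """
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in flagged:
            continue              # already flagged; a real tool would have blocked it
        window = recent[ip]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            flagged[ip] = ts
    return flagged
```

With a threshold of 3, the second address in the sample is never flagged because its guesses are six minutes apart, which is why a strong password still matters alongside rate-based blocking.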

If I remember correctly, I used XRDP simply because the configuration was more user-friendly. But, as you know, VNC is great as well, so feel free to use at your convenience. If you end up configuring VNC and don't mind showing documentation, I can append it in the footnotes. Just email me at mitch(dot)mclaughlin1(at)gmail(dot)com.