IIAB/Security: Difference between revisions

From OLPC
Jump to navigation Jump to search
No edit summary
No edit summary
 
(59 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{xsce}}
Some security tips that will become more professional as time goes on:
'''''Some security tips — that will become more professional as time goes on:'''''


# Please confirm your '''[[../FAQ#What_are_the_default_passwords.3F|passwords are secured]]'''.
* The following applies to CentOS-based XSCE school servers, towards downloading and semi-automatically installing recent security patches & updates, that is if you have a reasonably fast connection, and are willing to take risks with certain packages breaking.
# Consider the strategies below to help secure your OS (downloading and/or semi-automatically installing recent security patches & updates). That is IF you find a reasonably fast Internet connection for your server, and are willing to take certain risks with packages/versions occasionally/potentially colliding.
# Please read more about the 'iiab-admin' Linux user and group, which allow you to log in to IIAB's Admin Console:
#* https://github.com/iiab/iiab/tree/master/roles/iiab-admin
#* https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
# ''If OpenVPN is installed, [https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml developers' ssh keys are also installed] to enable remote login, for remote support during Beta programs and similar. You can disable this feature by running: "sudo rm -f /root/.ssh/authorized_keys". NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled.''
# If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme


== For Debian, Raspberry Pi OS and Ubuntu servers ==
* Run <code>[http://www.cyberciti.biz/faq/redhat-fedora-centos-linux-yum-installs-security-updates/ yum -y update --security]</code> if your system already has yum-security installed, typically via <code>[https://access.redhat.com/solutions/10021 yum install yum-security]</code>(this appears preinstalled within CentOS 7.x). Be warned that --security unfortunately updates very few packages, and is not prompt in updating (administrators may prefer to run "yum update openssl", "yum update openvpn" and similar frequently, to stay up-to-date with critical CentOS ESR packages/services).


* Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly:
* In the past we ran "yum -y update" but (arguably) that installs far too many untested and diverse updates/upgrades across the board, adding features not directly related to security. However this is still the way to go IF you want ALL packages updated (and are willing to face many unintended consequences, with a professional Linux administration staff to recover!)


apt update
* If you notice Wikipedia-like item are no longer accessible from http://schoolserver.lan, try running the following as root:
apt dist-upgrade (or "apt-get upgrade" if you do not want a new kernel etc)
apt clean (may be more comprehensive than "apt-get autoclean")


* In February 2017, [http://lists.laptop.org/pipermail/server-devel/2017-February/008085.html James Cameron] suggested some may prefer to use "apt" instead of "apt-get":
xsce-make-kiwix-lib

apt update
apt full-upgrade (similar to above "apt-get dist-upgrade")
apt-get clean (may be more comprehensive than "apt-get autoclean")

He mentions there's a package for automated unattended upgrades, called [https://wiki.debian.org/UnattendedUpgrades "unattended-upgrades"] for those who require that (and are willing to bear the risks!)

* Whichever path you take above, the final step is optional &mdash; to remove packages that were auto-installed to satisfy dependencies, but are no longer needed:

apt autoremove (some consider this last step risky, though no known IIAB/XSCE problems have resulted as of May 2017)

* In the distant past, "rpi-update" was also required to update firmware on Raspberry Pi SD cards.

== For CentOS and Fedora servers ==

* Run <code>[http://www.cyberciti.biz/faq/redhat-fedora-centos-linux-yum-installs-security-updates/ yum -y update --security]</code> if your system already has yum-security installed, typically via <code>[https://access.redhat.com/solutions/10021 yum install yum-security]</code> (this appears preinstalled within CentOS 7.x). Be warned that --security unfortunately updates very few packages, and is not prompt in updating (administrators may prefer to run "yum update openssl", "yum update openvpn" and similar frequently, to stay up-to-date with critical CentOS ESR packages/services).

* Please also consider commands:
** yum updateinfo list security all
** yum updateinfo list security installed
** yum updateinfo list security available

* Many with high-bandwidth run more complete system updates, as follows: <code>yum update</code> or <code>yum -y update</code> (followed by <code>yum clean all</code> among those who were daring). Even if arguably this installs far too many untested and diverse updates/upgrades across the board, adding too many features not directly related to security. However this is still the way to go IF you want ALL packages updated (and are willing to face many unintended consequences, with a professional Linux administration staff to recover!)

== Security Blowback / Survival Tips ==

* Please join the design discussion "[https://github.com/iiab/iiab/issues/1516 Student Privacy / Medical Confidentiality best practices prior to copying/re-provisioning an IIAB"] and help us refine http://FAQ.IIAB.IO entry "[http://wiki.laptop.org/go/IIAB/FAQ#How_do_I_back_up.2C_shrink_.26_copy_IIAB_microSD_cards.3F How do I back up, shrink & copy IIAB microSD cards?]"

* If you notice Wikipedia-like items are no longer accessible from http://box.lan, try running the following as root, which is similar to the http://box/admin -> Install Content -> "Restart Kiwix Server" button:

iiab-make-kiwix-lib
systemctl restart kiwix-serve
systemctl restart kiwix-serve


* If ownCloud updates itself, users visiting http://schoolserver.lan/owncloud may face error message "You don't have permission to access /owncloud on this server." Fix guideline forthcoming from Tim Moody.
* If ownCloud updates itself to 8.1 or above, users visiting http://schoolserver.lan/owncloud from unknown IP addresses may face error message "You don't have permission to access /owncloud on this server." <strike>Fix guideline forthcoming from Tim Moody.</strike> NEW PROGNOSIS FEB 2017: Josh Dennis hopes to move IIAB to http://Nextcloud.com, which has stronger community support than ownCloud. Mnemonic http://box/docs stands to greatly ease field usage among young children and less literate teachers around the world.

Latest revision as of 18:09, 9 August 2021

This IIAB XSCE content does not reflect the opinion of OLPC. These pages were created by members of a volunteer community supporting OLPC and deployments.

Some security tips — that will become more professional as time goes on:

  1. Please confirm your passwords are secured.
  2. Consider the strategies below to help secure your OS (downloading and/or semi-automatically installing recent security patches & updates). That is IF you find a reasonably fast Internet connection for your server, and are willing to take certain risks with packages/versions occasionally/potentially colliding.
  3. Please read more about the 'iiab-admin' Linux user and group, which allow you to log in to IIAB's Admin Console:
  4. If OpenVPN is installed, developers' ssh keys are also installed to enable remote login, for remote support during Beta programs and similar. You can disable this feature by running: "sudo rm -f /root/.ssh/authorized_keys". NOTE: If you later ask Internet-in-a-Box to reinstall OpenVPN, please note that developer keys will be reinstalled.
  5. If you use Samba file sharing, see also: https://github.com/iiab/iiab/tree/master/roles/samba#samba-readme

For Debian, Raspberry Pi OS and Ubuntu servers

  • Several in our Internet-in-a-Box (IIAB) community choose to run the following quasi-weekly:
  apt update
  apt dist-upgrade    (or "apt-get upgrade" if you do not want a new kernel etc)
  apt clean           (may be more comprehensive than "apt-get autoclean")
  • In February 2017, James Cameron suggested some may prefer to use "apt" instead of "apt-get":
  apt update
  apt full-upgrade    (similar to above "apt-get dist-upgrade")
  apt-get clean       (may be more comprehensive than "apt-get autoclean")

He mentions there's a package for automated unattended upgrades, called "unattended-upgrades" for those who require that (and are willing to bear the risks!)

  • Whichever path you take above, the final step is optional — to remove packages that were auto-installed to satisfy dependencies, but are no longer needed:
  apt autoremove      (some consider this last step risky, though no known IIAB/XSCE problems have resulted as of May 2017)
  • In the distant past, "rpi-update" was also required to update firmware on Raspberry Pi SD cards.

For CentOS and Fedora servers

  • Run yum -y update --security if your system already has yum-security installed, typically via yum install yum-security (this appears preinstalled within CentOS 7.x). Be warned that --security unfortunately updates very few packages, and is not prompt in updating (administrators may prefer to run "yum update openssl", "yum update openvpn" and similar frequently, to stay up-to-date with critical CentOS ESR packages/services).
  • Please also consider commands:
    • yum updateinfo list security all
    • yum updateinfo list security installed
    • yum updateinfo list security available
  • Many with high-bandwidth run more complete system updates, as follows: yum update or yum -y update (followed by yum clean all among those who were daring). Even if arguably this installs far too many untested and diverse updates/upgrades across the board, adding too many features not directly related to security. However this is still the way to go IF you want ALL packages updated (and are willing to face many unintended consequences, with a professional Linux administration staff to recover!)

Security Blowback / Survival Tips

  • If you notice Wikipedia-like items are no longer accessible from http://box.lan, try running the following as root, which is similar to the http://box/admin -> Install Content -> "Restart Kiwix Server" button:
 iiab-make-kiwix-lib
 systemctl restart kiwix-serve
  • If ownCloud updates itself to 8.1 or above, users visiting http://schoolserver.lan/owncloud from unknown IP addresses may face error message "You don't have permission to access /owncloud on this server." Fix guideline forthcoming from Tim Moody. NEW PROGNOSIS FEB 2017: Josh Dennis hopes to move IIAB to http://Nextcloud.com, which has stronger community support than ownCloud. Mnemonic http://box/docs stands to greatly ease field usage among young children and less literate teachers around the world.