Raspberry Pi Firewall and Intrusion Detection System
Maybe you think “Why should I protect my private network? I’ve got no critical information on my computer, no sensitive data”. Are your emails really public? Don’t you have some photos you don’t want to upload to Facebook because they’re private? Do you really not care if your computer is hijacked and used to attack other PCs or to act as a spam server?
I don’t think you’re that careless, but maybe you think that setting up a secure network environment is expensive and really difficult. Don’t be afraid: in this article we will see how to create a network gateway with a firewall, a DHCP and DNS server, and a Network Intrusion Detection System (NIDS), entirely based on a Raspberry Pi.
After this instructable we will have a small security system with the following features:
– Enforce network traffic policies
– Ensure that abnormal packets do not get into or out of our network
– DHCP server to distribute network parameters to your LAN
– DNS cache/server to speed up DNS requests and filter out bad DNS queries
– NIDS to detect malicious traffic, such as malware or vulnerability exploits
– Central network monitoring node to watch and debug network traffic
Some may now say “Hey wait, the Raspberry has only one network port, how can this act as a gateway?”. This is done by a small trick. Of course you could buy a USB-to-Ethernet adapter to get a second network card, but to keep it as simple as possible we just use the Raspi as our gateway on its single interface, and this works really nicely: traffic flows through it in both directions. It requires some additional configuration, but that’s not a problem.
Step 1: Parts
To make our security system we need:
– A Raspberry Pi
– An SD card. I took a class 6 SD card with 8 GB; 4 GB should be enough. Be careful with class 10 types, many of them cause problems with the Raspberry!
– An Ethernet cable
– A micro-usb power cable
– An ArchLinux ARM image. As we don’t need any graphical interface, and as the NIDS part will require much of the resources, we need a lightweight system with a bare terminal. So ArchLinux ARM is the best choice for this project.
– Win32DiskImager software
– A USB keyboard (only during installation)
During the setup we need a display. You can connect your Raspberry to a TV screen or to a monitor, which is what I prefer. After the basic setup you won’t need it any longer because we’ll access our Raspi remotely via the network.
Step 2: Installing ArchLinux
To install the image on your SD card, follow these Windows instructions, quoted from the ArchLinux ARM website:
1. Download and install Win32DiskImager
2. Select the archlinuxarm-13-06-2012.img image file, select your SD card drive letter, and click Write
3. Eject the card from your computer, insert into the Raspberry Pi, and power it on.
4. If your keyboard, mouse, or other USB device doesn’t appear to be working properly, try using it through a POWERED USB hub. The Raspberry Pi’s USB ports are limited to 100mA.
Now we should have a running ArchLinux on our Raspberry Pi.
Step 3: Secure Password
After the boot sequence you are prompted to enter a login. The default login and password for ArchLinux ARM are root/root.
If you are setting up a network security device, you shouldn’t fail at the first hurdle with a weak password which can be cracked in a few seconds.
There’s a nice comic below which helps you to choose a strong password. Once you have made your choice, you can change the default password with the following command.
Enter the new password twice; if both entries are identical the password will be changed. Make a note of the new password and store it in a safe place.
Step 4: Network configuration
Having a strong password, we can now go on and configure the network settings on our Raspberry Security System (RSS). We have to set a static IP address as well as the netmask and the gateway. The network topology is as follows: the LAN subnet is 192.168.1.0/24, the DSL modem/router is 192.168.1.1 (LAN gateway), and the RSS will be 192.168.1.3. Of course you can modify these settings according to your network.
# vi /etc/rc.conf
# HOSTNAME: Hostname of machine. Should also be put in /etc/hosts
# Static IP
# Disable DHCP by commenting these lines or else it will override the static IP configuration
Remove the unneeded daemons from startup:
DAEMONS=(!hwclock syslog-ng network @crond @sshd @openntpd)
# vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
# rc.d restart network
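The rc.conf network stanza for this step, as an added example that is not the article’s own file. It is written for the legacy /etc/rc.conf format of the 2012 ArchLinux ARM image (interface/address/netmask/gateway variables sourced by the init scripts), using the addresses from the topology above. The hostname “rss”, the broadcast address and the position of the DHCP example lines below the static block are assumptions; leaving the DHCP lines uncommented would reset address to empty and put the interface back on DHCP, which is the override the comment in the file warns about.

```shell
# /etc/rc.conf network section (added example, legacy ArchLinux ARM format)

# HOSTNAME: Hostname of machine. Should also be put in /etc/hosts
HOSTNAME="rss"            # assumed hostname for the RSS

# Static IP: the RSS itself, the LAN netmask and the DSL router as gateway
interface=eth0
address=192.168.1.3
netmask=255.255.255.0
broadcast=192.168.1.255   # assumed broadcast for 192.168.1.0/24
gateway=192.168.1.1

# Disable DHCP by commenting these lines or else it will override the static IP configuration
#interface=eth0
#address=
#netmask=
#gateway=
```

Since the HOSTNAME comment asks for it, the matching /etc/hosts entry would be a line such as “192.168.1.3 rss.localdomain rss” next to the two localhost lines shown above (the domain part is an assumption).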
Step 5: System updates
In this step we’ll update the system and install the required packages for the RSS.
Initiate a full upgrade:
# pacman -Syu
The system may ask to update pacman itself first; if so, answer “yes”.
Now we need to create the keys for pacman:
# pacman-key --init
If you just wait for the process to finish, you will wait for hours! The keys are generated from random data, and the system needs activity to gather enough of it, so keep it busy. If you have a mouse connected, you could move it around, or you can open another terminal (ALT + F2 or F3) and run different commands like ls -l, less, top, cat and so on.
After the keys are generated we request a full upgrade again:
# pacman -Syu
This could take a while; make some tea or coffee, pet your cat/dog, call a friend or read another chapter of a book. You won’t miss anything awesome if you don’t sit in front of your TV or monitor the whole time.
Once it’s done, we can install the additional packages:
# pacman -S vim
# pacman -S htop
# pacman -S tcpdump
Vim is simply a lot better than vi, htop is an improved top, and tcpdump is very handy to debug network traffic and ensure that everything is routed correctly.
Now reboot the system to apply the updates that require it:
Once the system has restarted, check the memory available:
If the total memory is down to 128 MB, that means that the “start.elf” in use is splitting the memory into 128 MB for the OS and 128 MB for the GPU. We do not need so much memory for the GPU, and we certainly need more for the system.
Fix it as follows to give 224 MB to the OS:
# cd /boot
# mv ./start.elf ./start.elf.old
# cp ./arm224_start.elf ./start.elf
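The memory check and the start.elf swap from this step, as an added example (not the article’s own commands), written as shell functions with the checks that a straight copy-paste skips: the memory figure is read from a /proc/meminfo-style file, the firmware swap refuses to run when arm224_start.elf is missing or when a start.elf.old backup already exists, so an earlier state is never overwritten. The boot directory and the meminfo path are parameters so the functions can be tried on a scratch directory; the constructed MemTotal values used in the comments are assumptions, not measurements from the article.

```shell
#!/bin/sh
# Added example, not from the original article. Usage on the Raspberry:
#   needs_arm224 && select_arm224 /boot && reboot

# Print the memory visible to the OS in MB, read from a meminfo file
# (defaults to /proc/meminfo; a path may be given to test on a sample).
arm_mem_mb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' "${1:-/proc/meminfo}"
}

# Return 0 when the OS side has less than 200 MB, i.e. the 128/128 split
# firmware is active and the 224 MB variant should be installed.
needs_arm224() {
    [ "$(arm_mem_mb "$1")" -lt 200 ]
}

# Install the 224 MB split firmware found in the given boot directory.
# Returns 0 on success, 1 if arm224_start.elf is not there, 2 if a backup
# start.elf.old already exists (refuse to clobber the original firmware).
select_arm224() {
    boot_dir="$1"
    if [ ! -f "$boot_dir/arm224_start.elf" ]; then
        echo "no arm224_start.elf in $boot_dir" >&2
        return 1
    fi
    if [ -e "$boot_dir/start.elf.old" ]; then
        echo "backup start.elf.old already exists in $boot_dir, not touching it" >&2
        return 2
    fi
    mv "$boot_dir/start.elf" "$boot_dir/start.elf.old" &&
        cp "$boot_dir/arm224_start.elf" "$boot_dir/start.elf"
}
```

After the reboot, running arm_mem_mb again should report a figure above 200 MB; if it still shows the 128 MB split, the copy did not take effect and start.elf.old is there to restore.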
Step 6: Resizing the SD Card
ArchLinux is now up to date and running, but the full SD card is not used. We need to extend the current partition to use the full space available.
# fdisk /dev/mmcblk0
Delete the second partition:
Create a new one (new, primary, 2):
Write the changes to disk:
Reboot to apply the changes:
During startup, a command will run to extend the partition; this will take a while depending on the size of your SD card.
Step 7: Adding another user
It’s not a good idea to do everything as root: if this account gets compromised, we have a serious problem. To avoid this we will now create a user who is not root, but who is allowed to run commands as root when needed.
We’ll now create the user “rss”, but feel free to choose a better name for yourself 😉
# useradd -m -g users -G optical,storage,video,wheel,power -s /bin/bash rss
Create a password for our new account:
# passwd rss
Again, you should really choose a strong password…
We then need to install the “sudo” package, which will enable our user to run commands as root when needed :
# pacman -S sudo
The last thing is to allow our user, as a member of the wheel group, to use the sudo command; uncomment the following line:
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
Log out from root, and log in with our new user:
From now on, your prompt will begin with “$” instead of “#”, and every privileged task will require the sudo command.
Step 8: Configuring SSH
SSH will allow us to connect remotely from our personal computer, or anything else, using an SSH client. On Windows you can use PuTTY, for instance; on Linux you can use ssh from the console.
$ sudo vi /etc/ssh/sshd_config
# Modify the default port
# Disable login with the root account
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
$ sudo rc.d restart sshd
Now go to your PC or laptop and try to connect with the user “rss”. If everything works, you can disconnect your Raspberry from your monitor or TV set and unplug the keyboard.
Another possible step to improve security would be to add a certificate for authentication, in addition to the password. It would render any brute-force attack against SSH useless. However, as this is just a home environment without remote access to SSH from the Internet, we can skip this feature.
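A check for the two sshd_config changes made in this step (a non-default Port and root login disabled), as an added example that is not part of the original article. The functions read the file the way sshd does for these keywords: the first occurrence wins, keywords are case-insensitive, and commented-out lines do not count, so a file where “#PermitRootLogin yes” is still commented is reported as unset. The file path is a parameter so the check can run on a copy; write_samples creates two constructed sample files, and the port 2222 in the hardened sample is an assumption, since the article does not name the port it uses.

```shell
#!/bin/sh
# Added example, not from the original article.
# Usage: audit_sshd_config /etc/ssh/sshd_config  (exit 0 = both settings in place)

# Print the effective value of an sshd_config keyword from the given file.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 if the file rejects root logins and does not listen on port 22;
# otherwise print one line per problem and return 1.
audit_sshd_config() {
    cfg="$1"
    status=0
    root_login=$(sshd_opt "$cfg" PermitRootLogin)
    port=$(sshd_opt "$cfg" Port)
    if [ "$root_login" != "no" ]; then
        echo "PermitRootLogin is '${root_login:-unset, sshd default applies}', expected 'no'"
        status=1
    fi
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port is '${port:-22 (default)}', expected a non-default port"
        status=1
    fi
    return $status
}

# Constructed samples (not from the article): the stock file with both
# settings still commented out, and the file after the changes of this step.
write_samples() {
    printf '#Port 22\n#PermitRootLogin yes\nSubsystem sftp /usr/lib/openssh/sftp-server\n' \
        > "$1/sshd_config.default"
    printf 'Port 2222\nPermitRootLogin no\nAcceptEnv LANG LC_*\n' \
        > "$1/sshd_config.hardened"
}
```

The check only covers the global section; a Match block can override PermitRootLogin for particular users or addresses, so if you add one later, read it by hand as well. Moving the port keeps the log free of the constant scans against 22, but it is the PermitRootLogin setting that matters for the weak-password problem from Step 3.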
For more detail: Raspberry Pi Firewall and Intrusion Detection System