Frontier9 – Web and Security
Admin Guides

Learn admin on a Raspberry Pi? Part1 – Seedbox

  • April 29, 2020 / May 4, 2020
  • by Michael

So … full disclosure, on another blog I published a white paper about how your Raspberry Pi is a poor choice as a home security “hub”. Mostly because companies making you pay a lot are using these fab little computers to deliver something that … is all too easy to hack. On the other hand – I recommend you buy a Raspberry Pi 3b+ or 4 or anything … and make something. So here is my guide to what has been a frustrating but eventually rewarding journey attempting to make something useful with an RPi.

Advice (1): it’s very easy to make something useful of an RPi if you manage your expectations. More often than not we go for the “wow it’s a cheap computer” and we want to use it … as a computer. Web browser, videos and so on – which you can but … unless it’s the absolute latest one, and I haven’t got one of those RPi4 yet … well it’s going to be slow, frustrating and probably crashy. Oh, I’m sorry, I am a realist, but there is a light at the end of the tunnel.

Advice (2): if you do want to go RPi project making, learning etc., find my links on the “RPi4 or RPi3b+” leading to Canakit products and save yourself a lot of bother by getting a full kit from the get go … otherwise maybe you’ll feel you saved money but you’ll be massively delayed by all the various dramas and shopping searches that ensue after you realize you need all these other parts. You can do without the kit but it’s a lot of risk of damaging your RPi … or crashing due to bad power, wearing out weak plug points. Make sure you add on an HDMI cable at least … there are bigger kits too for real builders and educational use.

It’s got a footprint the size of a credit card, but people put it in a plastic box or something else that’s cool and … it grows, it spreads. Hats, devices, gadgets, projects – is there anything this little guy can’t do?

Flashback to 2012

My first experience was the early day Raspberry Pi model B which I pre-ordered – just so I could show off a tiny computer. I was already building ever smaller computers, servers, firewalls but … well this was cheap and small. I was hooked but I had no illusions it would be for serious computing – at least back then. Sometime in May-June 2012 I got mine. The original concept seems to go back 6 years before then – so someone was at it for a very long time. The idea of this product was to get a computer into more people’s hands, be it for children or low income earners, so they could … learn programming. Much like the One Laptop Per Child project, but more from a minimal-price hardware angle than engineered for children specifically.


Flash forward to 2019 – RPi is pissing off the business world by enabling new IoT projects

Last year I did extensive testing of the RPi 3b+ as a media player and I did make it work, had great times. Also had some very suspect times … where it seemed to be hacked … but that’s what you get when you are downloading from strange “repositories” of dodgy code. That is the Kodi media center track, and OpenElec is another path. Basically I had moved to my new home, with my new wife, and I only had a laptop. I was doing RPi research and so I was doing that thing where you are all positive. Downloading all kinds of things.

First stop – an image of a system – an image writing utility.

You get yourself an image, a memory card … you might buy a bundle that has a power adapter, memory card and the “Pi” as we end up calling them. Then you play, and typically I want to try a few OS or just start again if things go wrong … so I looked at Raspbian OS for a bit, and at how shitty it was if you opened youtube.com. You may already be satisfied with the basic OS and leave it be. The Raspberry Pi website will guide you through the basics but know that there are alternatives to win32diskimager. You can make a lot of OS bootable from a memory card or USB drive with Rufus so don’t feel like there is only one tool. Google is your friend.

Second Stop – NOOBS

There is the NOOBS image loader that lets you have a whole selection of OS installs on one memory card, delete, reload, add, remove – choose which one is first boot choice … and a few options to fix the settings so your mouse or LAN connection fire up. I found this website excellent for distributing “berry boot” images. https://berryboot.alexgoldcheidt.com/images/

That was where I went through, and of course there is one excellent distribution called Kali for ethical hacking, security testing and training. If you want to learn admin that’s an excellent place to start. So I had Kali and Kodi and Raspbian on a 32GB microSD memory card. Kodi I had several versions of, and even within Kodi you can add a lot of software via repositories and go into the sketchy world of alternative video access. However, honestly there are boxes designed for running things like Kodi but they will often be branded as Android box … and I can’t guarantee anything … but you’ll want more RAM. I think the RPi4 will probably be far better for a Kodi/OpenElec media center with 2-4GB RAM. The 1GB RAM on the 3b range – it works, until you install a bunch of add-ons and then things start to make you realize people tune Kodi for a much more powerful computer.

So Admin … enough of this GUI, Web Browser Stuff

My definition of Admin here is that you should be wanting to know Linux and the command line. If you install something that doesn’t have KDE or Gnome … just straight up Linux Bash terminal you can start putting apps into your RPi and using it as a local server. I will even explain how I went further and got it exposed to the internet so my friends could work with it.

So Covid19 … locked down at home, for an admin nerd it’s just another day at the office. The RPi sitting there under the monitor (it’s so tiny) and it is asking “you gonna do something with me or not?”. I have it plugged into a TV I’m using with a real Linux Desktop PC (dual boot windows :-|) and on the 2nd HDMI input the RPi was there waiting to be re-purposed.

Cost cutting or foolishness?

My idea was simple – I’ve been renting a server for many years that I use for redistributing BitTorrent. All legitimate files of course ;-(). BitTorrent is an early success story of a decentralized approach to file-sharing, and yes, P2P file-sharing since the early days. There were many challenges or problems to get past to replace a “hosted server” account with my little toy of a computer at home. Some people call this kind of solution a “seedbox” … but running it from home is completely backwards. It’s running on a fast internet connection, which has a private network – so my public IP may or may not be exposed to the point where they can directly tag it if someone downloaded something copy protected (who would do that?). Seedboxes are usually hosted where people can ignore attempts to complain about specific file sharing participation.

Before we worry about internet access and sharing the access to people outside my LAN … the “web hosting” aspect of it, let’s just make it.

I used Ubuntu – because I’ve been using Ubuntu 18.04 for several Virtual Private Servers – and Kali is much the same as Ubuntu so I thought I’d just see what they have. They have RPi well covered https://ubuntu.com/download/raspberry-pi and the version I installed didn’t boot into a graphical UI – which is perfect because I just want a headless CLI driven thing just like a VPS for website hosting. No NOOBS for this project – just write the image to the microSD card. I started with a 32GB Samsung. I use this card reader, the Ugreen SD card reader, and it’s excellent. I like it because I can also use it to back up my phone via the microUSB connector and it has normal USB connectivity.

More Project Ingredients: Deluge, Ngrok

Then I followed this guide to add Deluge, which is what I was using on the old seedbox for many years. I set up Deluge with a built-in plugin, IPblocklist – just in case it helps the seedbox be more protected from snooping. I created a user and set up the home directory to be owned by root. Thus you can “chroot” it so that when people SFTP in they are locked into this as their “root” directory and can’t escape and start looking around your system. Then Deluge copies completed torrents and reads seeds from a non-root owned “Deluge” directory inside that home directory. So users access the box via a web interface for Deluge and upload/download files for torrent sharing via SFTP.
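A check for the chroot layout described above, added here as an example and not taken from the guide the author followed: it walks the path to the jail and reports the ownership and mode problems that make sshd reject a `ChrootDirectory`. The account name `seeduser` and the `owner_uid` and `stop` parameters are assumptions that let it run on a scratch tree without root; on the real box the defaults (uid 0, walking from `/`) apply.

```python
import os
import stat
import tempfile
from pathlib import Path


def chroot_problems(chroot, upload_dir, owner_uid=0, stop="/"):
    """List problems with an SFTP chroot layout.

    sshd accepts a ChrootDirectory only if every directory on its path is
    owned by root and not writable by group or others. owner_uid and stop
    are assumptions of this example so it can run on a scratch tree.
    """
    chroot, stop = Path(chroot).resolve(), Path(stop).resolve()
    upload = Path(upload_dir).resolve()
    parts = chroot.relative_to(stop).parts
    problems = []
    for depth in range(len(parts) + 1):      # stop, stop/a, ..., chroot
        d = stop.joinpath(*parts[:depth])
        st = d.stat()
        if st.st_uid != owner_uid:
            problems.append(f"{d}: not owned by uid {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{d}: writable by group or others")
    # The writable area must be inside the jail and not world-writable.
    if chroot not in upload.parents:
        problems.append(f"{upload}: not inside the chroot")
    elif upload.stat().st_mode & stat.S_IWOTH:
        problems.append(f"{upload}: world-writable")
    return problems


def demo():
    """Audit a constructed scratch tree as the current user, before/after."""
    base = Path(tempfile.mkdtemp())
    jail = base / "home" / "seeduser"        # hypothetical account name
    upload = jail / "Deluge"
    upload.mkdir(parents=True)
    for d in (base, base / "home", upload):
        d.chmod(0o755)
    jail.chmod(0o775)                        # the mistake: group-writable jail
    me = os.getuid()
    before = chroot_problems(jail, upload, owner_uid=me, stop=base)
    jail.chmod(0o755)                        # the fix
    after = chroot_problems(jail, upload, owner_uid=me, stop=base)
    return before, after


if __name__ == "__main__":
    print(demo())
```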

Part 2 of this project gets quite involved so I’ll just say that after this I used Ngrok on the Pi and Ngrokd on an external VPS to open tunnels for my friends to access Deluge and SFTP. My ISP doesn’t give one a real public IP – just a private IP in their network, so forwarding ports from the router doesn’t give access to your LAN at all, other than perhaps to other users of your ISP … maybe. Ngrok is a kind of “reverse proxy”. In future I might also put a normal proxy server on the VPS and then all torrenting, web access and SFTP are accessed via that server, which my Pi tunnels into using Ngrok. Ngrok does try to keep the tunnels alive … but that’s a longer story. It is a working solution for over a week so far.

Uncategorized

Do you need antivirus in 2020 anymore?

  • April 12, 2020
  • by Michael

The truth is, after working all year for clients who are getting hacked by malware and let down by antivirus that can’t work, I wanted to search for this title. Then I found articles like https://www.windowscentral.com/do-you-need-pc-antivirus and it basically talks about Microsoft’s built-in software as well as a beefed up “Windows Defender Offline” tool you can boot from. Does that find the malware I’ve been fighting? Nope.

One of my work friends was recommending, and rightly so, “Bitdefender”, which had worked for years. However, the truth is Bitdefender, like the leading antivirus programs before it, is used for “testing” malware to ensure it is not detectable. They know you’ll use all this, and their “payload” will be tested. It will consequently not necessarily flag a warning. A client of mine recently got reinfected by a link from his bank’s domain – but very odd – like secure5.thebankdomain.com (not actual domain name) with a long link after it. That provided some strange text message but … a day later his computer had executed macros and downloaded the payload and installed a whole ton of fake replacement MicrosoftApps that are replacing the built-in apps. So … yes we need antivirus software but right now it’s not working. The strategies for detecting compromised files are not working and this article is quite decent for explaining how, why and where.

https://www.cimcor.com/blog/5-places-ransomware-and-malware-can-hide-that-you-may-never-check


I do have my way of finding malware but it is based on familiarity with the places it hides and software in general. I have tools which I can’t publish here because they will just become part of the arsenal of testing for the “malware industry”. Which is a literal industry growing exponentially by using weak operating systems, weak security software.

Bitdefender was literally turned into malware, disabled from preventing anything – a zombie. I’ve seen this before with McAfee and Norton AV in previous years going back over 10 years. After removing Bitdefender, the next attack decided to turn my client’s Microsoft Office into its malware shelter too. The software is not even that secretive about its intentions once you start to locate it.

Why did my client hire me? Well, he had used a series of professionals to repair his computer and it remained infected. Not only that but the people came to not believe it had even happened as they “couldn’t find anything”. Instead, knowing this is why he hired me, I took every report very seriously. I’ve got experience of people “not believing victims” in many other contexts from sexual abuse, cult abuse, financial abuse – blaming the victim and saying they are crazy or imagining it. So I believed him and as such I eventually did the work, much of it on my own time as research to expose the techniques.

I found PNG files, pointed out by my client, which I believe are installers/executables. They even look like real graphics and are small – but there is no reason for them to appear magically other than via hacking/malware delivery systems saving them to locations. Temp directories, the desktop, the web cache – wherever a browser or email client stores a file so you can “read it” is likely to call some function that has a vulnerability. Next thing it has executed and you are infiltrated … again. Often the files are dormant until you run into a secondary or third attack that somehow makes use of what has been saved into your system previously.
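One way to triage `.png` files like those described above, as an added example that is not the author's tooling: walk the PNG chunk structure, verify each CRC, and report a wrong header or any bytes that follow `IEND`. The sample bytes are constructed for the example, and the stub is only two magic bytes followed by zeros.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGICS = {b"MZ": "Windows PE", b"\x7fELF": "ELF", b"PK\x03\x04": "ZIP"}


def guess(blob):
    return next((n for m, n in MAGICS.items() if blob.startswith(m)), "unknown")


def inspect_png(data):
    """Return structural findings for the bytes of a file named *.png."""
    if not data.startswith(PNG_SIG):
        return [f"not a PNG (header looks like: {guess(data)})"]
    findings, pos, seen_iend = [], len(PNG_SIG), False
    while pos + 12 <= len(data) and not seen_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # length field + type + body + CRC
        if end > len(data):
            findings.append(f"truncated chunk {ctype!r}")
            break
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(data[pos + 4:end - 4]) != stored_crc:
            findings.append(f"bad CRC in chunk {ctype!r}")
        seen_iend = ctype == b"IEND"
        pos = end
    if not seen_iend:
        findings.append("no IEND chunk")
    elif pos < len(data):
        tail = data[pos:]
        findings.append(f"{len(tail)} bytes after IEND (looks like: {guess(tail)})")
    return findings


def chunk(ctype, body=b""):
    """Build one PNG chunk with a correct CRC (used for the samples below)."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed samples: a valid 1x1 image and a 64-byte stub with an MZ header.
STUB = b"MZ" + b"\x00" * 62
CLEAN = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
         + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND"))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("appended", CLEAN + STUB), ("renamed", STUB)):
        print(name, inspect_png(blob))
```

A finding here is a reason to look closer at where the file came from and what wrote it, not proof by itself that the file is malicious.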
