Pi-star security consideration

The Universal Plug-and-Play service is scary as heck! I always disable it on any devices I have connected to my network for exactly the reason Martin ran into.

Many people don't understand what the difference is between the Public and Private options in Pi-Star. The fact that Pi-Star is poorly documented is a big part of the reason for that.

I only have DMR enabled on my Pi-Star hotspots and I have 4 different sets of Public/Private radio buttons. Each one performs a separate function. With the exception of the Public/Private radio buttons for "Node Type", the rest are for automatically modifying the firewall policy on Pi-Star and controlling the UPNP commands that are sent to your firewall/router. Pi-Star runs a built-in host-based firewall called "iptables", which is the de facto firewall in most Linux distributions.

The Public/Private radio buttons that control HTTP and SSH access are the scariest ones of all as they open ports 80/tcp and 22/tcp (HTTP and SSH respectively) through your firewall but only if you're running UPNP and your firewall supports UPNP. If you're using the router that you got from your Internet provider, chances are very good that you have UPNP and it's enabled.
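A quick way to see what the HTTP and SSH Public/Private buttons actually did to the hotspot's own firewall is to read the iptables INPUT chain and look for ACCEPT rules on 22/tcp and 80/tcp that are not limited to a LAN source. The script below is an added example written for this post, not part of Pi-Star; the sample rule listing it parses is constructed to resemble `iptables -S INPUT` output and is not copied from a real hotspot.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `iptables -S INPUT` output (for illustration only, not from Pi-Star):
# SSH is accepted from anywhere, HTTP only from a LAN range, the DMR gateway UDP port from anywhere.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 62031 -j ACCEPT
"""

# The two TCP ports the HTTP/SSH Public/Private buttons control, per the post.
WATCHED_PORTS = {22: "SSH", 80: "HTTP"}

ACCEPT_RE = re.compile(r"^-A INPUT\b(?P<opts>.*)-j ACCEPT\s*$")
# Picks out -s <source>, -p <proto>, -i <iface> and --dport <port> from the rule options.
OPT_RE = re.compile(r"(?:^|\s)-(?P<flag>s|p|i)\s+(?P<val>\S+)|--dport\s+(?P<dport>\d+)")


def parse_accept_rules(text):
    """Return a list of {'proto','dport','src','iface'} dicts, one per INPUT ACCEPT rule."""
    rules = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if not m:
            continue
        rule = {"proto": None, "dport": None, "src": None, "iface": None}
        for opt in OPT_RE.finditer(m.group("opts")):
            if opt.group("dport"):
                rule["dport"] = int(opt.group("dport"))
            elif opt.group("flag") == "s":
                rule["src"] = opt.group("val")
            elif opt.group("flag") == "p":
                rule["proto"] = opt.group("val")
            elif opt.group("flag") == "i":
                rule["iface"] = opt.group("val")
        rules.append(rule)
    return rules


def source_is_lan_only(src):
    """True when the rule's -s source is a private (RFC 1918) range; no -s means any source."""
    if src is None:
        return False
    return ipaddress.ip_network(src, strict=False).is_private


def find_exposed(text):
    """Return {port: service} for watched TCP ports accepted from non-private sources."""
    exposed = {}
    for rule in parse_accept_rules(text):
        if rule["proto"] != "tcp" or rule["dport"] not in WATCHED_PORTS:
            continue
        if rule["iface"] == "lo":  # loopback-only rules are not reachable from the network
            continue
        if not source_is_lan_only(rule["src"]):
            exposed[rule["dport"]] = WATCHED_PORTS[rule["dport"]]
    return exposed


def main():
    # Live check on the hotspot itself: `iptables -S INPUT` prints the chain in command form.
    out = subprocess.run(["sudo", "iptables", "-S", "INPUT"],
                         capture_output=True, text=True, check=True).stdout
    exposed = find_exposed(out)
    if exposed:
        for port, name in sorted(exposed.items()):
            print(f"{name} ({port}/tcp) is accepted from any source; set it back to Private")
    else:
        print("HTTP and SSH are not accepted from outside the LAN")


if __name__ == "__main__":
    main()
```

On the sample rules, `find_exposed` flags only SSH: the HTTP rule carries a private `-s` range, so it is treated as LAN-only. Note that the host firewall is only half the picture: even a Public setting is harmless from the Internet unless the router has also created a port mapping, so pair this with a look at your router's UPnP or port-forwarding page (or `upnpc -l`, if the miniupnpc client is installed) to confirm that no mapping for 22 or 80 points at the hotspot.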

I use a couple of different commercial firewalls - one doesn't support UPNP at all - the other does but it's off by default (a VERY good thing - IMHO). It's not a feature that commercial customers would ever use, so having that option would be perceived as a major downfall.

FYI - the "Node Type" Public/Private radio buttons provide some security for RF-based access to Pi-Star. With DMR, if you leave Node Type set to Private, Pi-Star will only allow a radio with your DMR ID to transmit through the hotspot. If someone tries to use a radio with a different DMR ID, they will not be able to transmit. If you change the radio button to "Public" then Pi-Star will allow any DMR ID. I'm not sure how it works with other modes - I would presume it works in a similar fashion. I only use DMR so that's the only one I can speak to.

https://groups.io/g/PiStar/topics
