Basic Security: Difference between revisions

From Phobos Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 83: Line 83:
<br />
<br />
<br />
<br />
SSL and OpenVPN private and public keys are kept in plain text inside the TELEM-GWM filesystem.
SSL, OpenVPN and IPsec private and public keys are kept in plain text inside the TELEM-GWM filesystem.
<br />
<br />

Revision as of 05:57, 27 May 2013

This is a basic guideline for securing TELEM-GWM. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and has used Linux command line interface before.

Account Management

As the configuration of the TELEM-GWM is done over SSH it is important to change the default accounts passwords. As a minimum change the passwords for users martem and root.

Changing the Default Account Credentials

TELEM-GWM chips with default accounts and known passwords. By default two accounts have passwords set. Only user martem can be used for changing the configuration of the device as root is not permit by SSH daemon configuration.
Here is the default /etc/shadow files content:

root@Telem-GWM ~ $ cat /etc/shadow
root:$1$Urv3LxYa$hf.UwazXZLYQmhZ2KWfdk1:10933:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
default:*:10933:0:99999:7:::
martem:$1$9Z9vTc0h$eWWGwJgXC6H2o65V1p0Tl1:14477:0:99999:7:::
root@Telem-GWM ~ $


From command prompt issue command passwd to change current users password. For instance:

root@Telem-GWM ~ $ passwd
Changing password for root
New password: 
Retype password: 
Password for root changed by root
root@Telem-GWM ~ $

changes password for root. Similarly password for user martem can be changed.
gws.exe can be used to change passwords by pressing “Change Password” at “SSH Settings” dialog.
In order to change password for root first change the password for regual user. Then log in again and chage the root password with command passwd.

Adding New Users and Removing Old Accounts

New user can be created with command adduser. For instance:

root@Telem-GWM ~ $ adduser myco
Changing password for myco
New password: 
Retype password: 
Password for myco changed by root
root@Telem-GWM

creates new user myco. If new user needs the ability to configure the device it needs to be in the group gws. This can be done with command adduser. For instance:

root@Telem-GWM ~ $ adduser -G gws myco2
Changing password for myco2
New password: 
Retype password: 
Password for myco2 changed by root
root@Telem-GWM ~ $

creates new user myco2 and adds it to group gws so that myco2 can change configuration.

Now user martem can be deleted with command deluser. For instance:

root@Telem-GWM ~ $ deluser martem
root@Telem-GWM ~ $ rm -r /home/martem/
root@Telem-GWM ~ $

deletes user martem and it's home directory.

Restoring Default Accounts

Default accounts with their passwords are kept in default setup which can be restore with DIP switch.

Plain Text Passwords and Keys in Configuration

Passwords for SIM card, http and https are kept in plain text in different configuration files.

SIM card unlock pin is kept in sim1_chat or in sim2_chat.

Passwords for web access is kept in gwSetup.bin. gwSetup.bin is a configuration file for telem-gw, which is main application that runs on Telem-GWM. Setup in XML format is available from web as well. If this is not desirable then this can be disabled from Webservers configuration by un checking the “Enable configuration(gw6config.xml)” selection.

SSL, OpenVPN and IPsec private and public keys are kept in plain text inside the TELEM-GWM filesystem.