Basic Security

From Phobos Wiki
Revision as of 05:59, 27 May 2013 by Roland (talk | contribs)
Jump to navigation Jump to search

This is a basic guideline for securing TELEM-GWM. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and has used Linux command line interface before.

Account Management

As the configuration of the TELEM-GWM is done over SSH it is important to change the default accounts passwords. As a minimum change the passwords for users martem and root.

Changing the Default Account Credentials

TELEM-GWM chips with default accounts and known passwords. By default two accounts have passwords set. Only user martem can be used for changing the configuration of the device as root is not permit by SSH daemon configuration.
Here is the default /etc/shadow files content:

root@Telem-GWM ~ $ cat /etc/shadow
root:$1$Urv3LxYa$hf.UwazXZLYQmhZ2KWfdk1:10933:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
default:*:10933:0:99999:7:::
martem:$1$9Z9vTc0h$eWWGwJgXC6H2o65V1p0Tl1:14477:0:99999:7:::
root@Telem-GWM ~ $


From command prompt issue command passwd to change current users password. For instance:

root@Telem-GWM ~ $ passwd
Changing password for root
New password: 
Retype password: 
Password for root changed by root
root@Telem-GWM ~ $

changes password for root. Similarly password for user martem can be changed.
gws.exe can be used to change passwords by pressing “Change Password” at “SSH Settings” dialog.
In order to change password for root first change the password for regual user. Then log in again and chage the root password with command passwd.

Adding New Users and Removing Old Accounts

New user can be created with command adduser. For instance:

root@Telem-GWM ~ $ adduser myco
Changing password for myco
New password: 
Retype password: 
Password for myco changed by root
root@Telem-GWM

creates new user myco. If new user needs the ability to configure the device it needs to be in the group gws. This can be done with command adduser. For instance:

root@Telem-GWM ~ $ adduser -G gws myco2
Changing password for myco2
New password: 
Retype password: 
Password for myco2 changed by root
root@Telem-GWM ~ $

creates new user myco2 and adds it to group gws so that myco2 can change configuration.

Now user martem can be deleted with command deluser. For instance:

root@Telem-GWM ~ $ deluser martem
root@Telem-GWM ~ $ rm -r /home/martem/
root@Telem-GWM ~ $

deletes user martem and it's home directory.

Restoring Default Accounts

Default accounts with their passwords are kept in default setup which can be restore with DIP switch.

Plain Text Passwords and Keys in Configuration

Passwords for SIM card, http and https are kept in plain text in different configuration files.

SIM card unlock pin is kept in sim1_chat or in sim2_chat.

Passwords for web access is kept in gwSetup.bin. gwSetup.bin is a configuration file for telem-gw, which is main application that runs on Telem-GWM. Setup in XML format is available from web as well. If this is not desirable then this can be disabled from Webservers configuration by un checking the “Enable configuration(gw6config.xml)” selection.

SSL, OpenVPN and IPsec private and public keys are kept in plain text inside the TELEM-GWM filesystem.

Setup History

TELEM-GWM backups automatically old setups. Old and current setup is kept in /usr/local/etc/telem.

myco2@Telem-GWM ~ $ ls -la /usr/local/etc/telem/
total 104
drwxrws--T    3 root     gws           1680 Dec 14 14:29 .
drwxr-xr-x    3 root     root           224 Dec 10 13:13 ..
-rw-rw----    1 root     gws            452 Dec 13 13:34 asciiart
-rw-r--r--    1 root     gws           4095 Dec 14 14:29 config.xml
lrwxrwxrwx    1 root     gws             27 Jan  1  1970 gpio -> /usr/local/etc/telem/gpio.2
drw-rw----    2 root     gws            720 Dec 14 13:31 gpio.2
-rw-rw----    1 root     gws           1936 Dec 14 14:29 gwSetup.bin
-rw-rw----    1 root     gws            292 Nov  7 11:21 gwSetup.bin.0.old
-rw-rw----    1 root     gws           5594 Nov  7 11:14 gwSetup.bin.1.old
-rw-rw----    1 root     gws            292 Dec 14 13:23 gwSetup.bin.new
-rw-rw----    1 root     gws            878 Dec 14 14:29 hw-run.xml
-rw-rw----    1 root     gws            878 Dec 13 13:34 hw.xml
-rw-rw----    1 root     gws           2967 Dec 13 13:34 log-conf.xml
-rw-rw----    1 myco2    gws           5480 Dec 14 14:28 setup.tar.xz
-rw-rw----    1 root     gws           5260 Dec 14 13:23 setup.tar.xz.0
-rw-rw----    1 1001     gws           7396 Dec 10 09:56 setup.tar.xz.1
-rw-rw----    1 1001     gws           6160 Dec  7 06:50 setup.tar.xz.2
-rw-rw----    1 1001     gws           6092 Dec  6 07:19 setup.tar.xz.3
-rw-rw----    1 1001     gws           5744 Dec  6 07:16 setup.tar.xz.4
-rw-rw----    1 root     gws             21 Dec 13 13:34 version
-rw-rw----    1 root     gws             54 Dec 13 13:34 version-GwLinux-git
-rw-rw----    1 root     gws             61 Dec 13 13:34 version-Telem-GW-git
-rw-rw----    1 root     gws             62 Dec 13 13:34 version-buildroot
myco2@Telem-GWM ~ $

Old setups can be deleted with command rm.

root@Telem-GWM ~ $ rm /usr/local/etc/telem/setup.tar.xz.*
root@Telem-GWM ~ $ rm /usr/local/etc/telem/gwSetup.bin.*
root@Telem-GWM ~ $ ls -la /usr/local/etc/telem/
total 48
drwxrws--T    3 root     gws           1088 Dec 14 15:09 .
drwxr-xr-x    3 root     root           224 Dec 10 13:13 ..
-rw-rw----    1 root     gws            452 Dec 13 13:34 asciiart
-rw-r--r--    1 root     gws           4095 Dec 14 14:29 config.xml
lrwxrwxrwx    1 root     gws             27 Jan  1  1970 gpio -> /usr/local/etc/telem/gpio.2
drw-rw----    2 root     gws            720 Dec 14 13:31 gpio.2
-rw-rw----    1 root     gws           1936 Dec 14 14:29 gwSetup.bin
-rw-rw----    1 root     gws            878 Dec 14 15:08 hw-run.xml
-rw-rw----    1 root     gws            878 Dec 13 13:34 hw.xml
-rw-rw----    1 root     gws           2967 Dec 13 13:34 log-conf.xml
-rw-rw----    1 myco2    gws           5480 Dec 14 14:28 setup.tar.xz
-rw-rw----    1 root     gws             21 Dec 13 13:34 version
-rw-rw----    1 root     gws             54 Dec 13 13:34 version-GwLinux-git
-rw-rw----    1 root     gws             61 Dec 13 13:34 version-Telem-GW-git
-rw-rw----    1 root     gws             62 Dec 13 13:34 version-buildroot
root@Telem-GWM ~ $ sync

After updating the configuration the /usr/local/etc/telem folder looks something like so:

root@Telem-GWM ~ $ ls -la /usr/local/etc/telem/
total 60
drwxrws--T    3 root     gws           1160 Dec 14 15:12 .
drwxr-xr-x    3 root     root           224 Dec 10 13:13 ..
-rw-rw----    1 root     gws            452 Dec 13 13:34 asciiart
-rw-r--r--    1 root     gws           4111 Dec 14 15:12 config.xml
lrwxrwxrwx    1 root     gws             27 Jan  1  1970 gpio -> /usr/local/etc/telem/gpio.2
drw-rw----    2 root     gws            720 Dec 14 13:31 gpio.2
-rw-rw----    1 root     gws           1938 Dec 14 15:12 gwSetup.bin
-rw-rw----    1 root     gws            878 Dec 14 15:12 hw-run.xml
-rw-rw----    1 root     gws            878 Dec 13 13:34 hw.xml
-rw-rw----    1 root     gws           2967 Dec 13 13:34 log-conf.xml
-rw-rw----    1 myco2    gws           5484 Dec 14 15:11 setup.tar.xz
-rw-rw----    1 myco2    gws           5480 Dec 14 14:28 setup.tar.xz.0
-rw-rw----    1 root     gws             21 Dec 13 13:34 version
-rw-rw----    1 root     gws             54 Dec 13 13:34 version-GwLinux-git
-rw-rw----    1 root     gws             61 Dec 13 13:34 version-Telem-GW-git
-rw-rw----    1 root     gws             62 Dec 13 13:34 version-buildroot
root@Telem-GWM ~ $