Raspberry Pi colocation providers BEWARE

elwebmaster Member
edited January 2014 in General

I have an RPi colocated with one of the providers which offer this service. Just a few days ago they emailed me saying that my RPi has been hijacking tens of IP addresses and attempting man-in-the-middle attacks. They have logs showing my MAC. But my RPi had a stock Debian, with Nginx (no scripts), certificate-only SSH and nothing else. I am not saying that it could not have been hacked, but it was more secure than an average VPS. The only known "security risk" was that I enabled IP forwarding in the kernel, as I was planning to set up a VPN server.

Then I googled the problem and I found that it's really easy to spoof the ethernet MAC on an RPi. Some older versions of the Linux kernel even have a bug which causes a new MAC to be generated on every reboot. Once the MAC is spoofed it will be very hard (if not impossible) to ensure the RPi is using the IP address you provisioned or to link any malicious activity to a particular Pi.

What I am trying to say with this is that if you are planning to offer RPi colocation you should pay extra attention to the security aspect. There is more risk involved than offering VPS.
Thankfully my provider is very professional and I am hoping that the problem will be solved.
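
Added example, not part of the original post or any provider's tooling: a provider-side audit of ARP observations that contrasts MAC-only attribution with attribution by switch port, since the MAC is the one field a tenant can change. The port names, MACs, IPs and log format are all constructed for illustration.

```python
from collections import defaultdict

# Constructed provisioning table: switch port -> (customer MAC, assigned IPv4).
PROVISIONED = {
    "Fa0/1": ("b8:27:eb:00:00:01", "192.0.2.11"),
    "Fa0/2": ("b8:27:eb:00:00:02", "192.0.2.12"),
    "Fa0/3": ("b8:27:eb:00:00:03", "192.0.2.13"),
}

# Constructed ARP observations: timestamp, ingress port, sender MAC, sender IP.
# Port Fa0/3 sends frames carrying the MAC that belongs to the Pi on Fa0/1.
SAMPLE_LOG = """\
2014-01-10T02:00:01 Fa0/1 b8:27:eb:00:00:01 192.0.2.11
2014-01-10T02:00:02 Fa0/2 b8:27:eb:00:00:02 192.0.2.12
2014-01-10T02:00:05 Fa0/3 b8:27:eb:00:00:01 192.0.2.12
2014-01-10T02:00:06 Fa0/3 b8:27:eb:00:00:01 192.0.2.1
2014-01-10T02:00:09 Fa0/3 b8:27:eb:00:00:03 192.0.2.13
"""

def parse(log):
    """Yield (timestamp, port, mac, ip) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, port, mac, ip = line.split()
            yield ts, port, mac.lower(), ip

def blamed_by_mac(log):
    """MAC-only attribution: MACs seen claiming more than one IP."""
    claims = defaultdict(set)
    for _, _, mac, ip in parse(log):
        claims[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}

def audit_by_port(log, provisioned):
    """Port-based attribution: frames that break the port's MAC/IP binding."""
    mac_owner = {mac: port for port, (mac, _) in provisioned.items()}
    violations = defaultdict(list)
    for ts, port, mac, ip in parse(log):
        want_mac, want_ip = provisioned.get(port, (None, None))
        if mac != want_mac:
            owner = mac_owner.get(mac, "no provisioned port")
            violations[port].append((ts, f"MAC {mac} belongs to {owner}"))
        if ip != want_ip:
            violations[port].append((ts, f"claims {ip}, assigned {want_ip}"))
    return dict(violations)

if __name__ == "__main__":
    print("MAC-only view:", blamed_by_mac(SAMPLE_LOG))
    for port, items in audit_by_port(SAMPLE_LOG, PROVISIONED).items():
        for ts, reason in items:
            print(port, ts, reason)
```

On the constructed log, the MAC-only view points at the Pi provisioned on Fa0/1, while the port-based audit attributes every violating frame to Fa0/3.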

Comments

  • Eer.. Okay. Thanks for the heads up, I guess?

  • Janevski Member
    edited January 2014

    @elwebmaster Properly configured managed L2 ethernet switch, and such behavior can be controlled. Avoided - no, but controlled - yes.

  • eric1212 Member
    edited January 2014

    Nice use of paragraphs :D

    Thanks for the warning!

  • @eric1212 said:
    Nice use of paragraphs :D

    Thanks for the warning!

    Sorry I wrote it on mobile.

  • Can you pm the provider? Thanks!

  • Is this colocation provided by EDIS?

  • Hope your issues get resolved soon.

    said: Thankfully my provider is very professional and I am hoping that the problem will be solved.

  • Check this out,

  • Did they not vlan your pi? What kinda provider is this... you can pickup a 48x100mbit layer3 cisco switch for $30....

  • @MassNodes said:
    Did they not vlan your pi? What kinda provider is this... you can pickup a 48x100mbit layer3 cisco switch for $30....

    Can you link me to this $30 switch, trying to find 21 for my 1,000 rpi/rack.

  • MassNodes Member
    edited January 2014

    You're looking for a WS-C3550-48-SMI if you want a cheap layer 3 switch. You can get something even cheaper if you don't want layer 3.
    Buy it now prices are actually around $40 for the layer 3 version. http://www.ebay.com/sch/i.html?_sacat=0&_from=R40&_sop=15&_nkw=WS-C3550-48-SMI

    You can save yourself money if you're going to buy more than one switch and just place a vyatta machine in front. Then you can just do some vlans to get it all going.

  • And the 3550-48-SMI can't really do 48 SVIs (IP interfaces) at all, doesn't do ipv6 in hardware, etc.
    And putting each RPi in its own VLAN would use 4x the IPs.

  • MassNodes Member
    edited January 2014

    @rds100 said:
    And the 3550-48-SMI can't really do 48 SVIs (IP interfaces) at all, doesn't do ipv6 in hardware, etc.
    And putting each RPi in its own VLAN would use 4x the IPs.

    It's a cheap solution and it will do the job if you want vlan & ipv4. Yes, it's old and outdated that's why it's a cheap solution.

  • Try 48 VLANs with different IPs each and you will see :)

  • I think something like PPPoE may be an even cheaper solution. Or IPv6-only network with IPv4-in-IPv6 through OpenVPN. My dedi uses the VLAN & 4x IPs approach described above. Food for thought.

  • MassNodes Member
    edited January 2014

    @rds100 said:
    Try 48 VLANs with different IPs each and you will see :)

    Well, it's a solution if you got 48 /30 laying around if you wanna vlan every single one lol
    Network security is still important :/

    The most ghetto way I can think of implementing vlans "cheaper" would be internal addressed vlans that go to NAT rules for external ips. Yeah, but don't...

  • @MassNodes said:
    Well, it's a solution if you got 48 /30 laying around

    You'll exhaust TCAM.

  • MassNodes Member
    edited January 2014

    @Microlinux said:
    You'll exhaust TCAM.

    I've never tried that many vlans so that could be true.

  • @MassNodes said:
    I've never tried that many vlans so that could be true.

    It's a documented limitation. Still, if you don't need lots of SVIs, they are really great switches on the cheap.

  • Neoon Community Contributor, Veteran

    Basically you don't need a switch, just w-lan adapters per pi, it would cost 9 Euros, so create one as hotspot and you're done. No cables :D

  • rm_ IPv6 Advocate, Veteran
    edited January 2014

    I found that it's really easy to spoof the ethernet MAC on an RPi.

    You can easily change the MAC on any network interface produced in the last decade at least, nothing RPi-specific here.

    Some older versions of the Linux kernel even have a bug which causes a new MAC to be generated on every reboot.

    Okay maybe, and...?

    Once the MAC is spoofed it will be very hard (if not impossible) to ensure the RPi is using the IP address you provisioned or to link any malicious activity to a particular Pi.

    And now you jump back to the unrelated "spoofing" issue, which is again, not RPi-specific. I can go on any of my dedis and set the network MAC to whatever I like. The only result I'm going to get on a properly managed network, is my network connectivity ceases to work.

    So newsflash here, when you allow untrusted users on a badly designed network, bad things may happen. Again, how is this a Raspberry Pi specific problem? Stop your uneducated FUD please, unless all you want to get is fewer people willing to do anything with the RPi "because I read on the forums it is insecure".

    Thanked by 2Mark_R Melon
  • @rm_ said:
    So newsflash here, when you allow untrusted users on a badly designed network, bad things may happen. Again, how is this a Raspberry Pi specific problem? Stop your uneducated FUD please, unless all you want to get is fewer people willing to do anything with the RPi "because I read on the forums it is insecure".

    There are two reasons why this is a Raspberry Pi specific problem:

    1) The RPi colocation tends to be much cheaper than any other server colocation or dedicated offer. Therefore, with RPi colocation the provider has fewer resources available to invest in a secure network and is likely to cut corners. From what I've seen, the power supply and the enclosure are the biggest discussion topics, as if people forget that it's a physical device and carries risk for their network.

    2) Script kiddies can get an RPi on the cheap, ship it to some random data center, pay a small monthly fee and off they go, they can hack as they please. If they were sending a real server for colocation or prepaid for a yearly dedicated offer, they would probably think twice.

    "because I read on the forums it is insecure" -> the story actually did happen, I am not making it up. It is better to talk about the problem than to ignore it and hope it won't happen.
