A security update for Raspbian


The more observant of you have no doubt noticed that the Raspbian PIXEL image available in the download area was updated on November 25, 2016.
When a major version of the OS is released, we usually find, as soon as the community starts using it, that there are a few small bugs and problems.


= A translation of an article published on the Foundation's blog =


The Foundation collects the patches and produces a 1.1 version a few weeks later. There is no announcement of these fixes, because there is no real new feature; they are just corrections so that things work as originally planned.


In the present case, however, there were some significant changes. Most users won't notice them, but for those who do and who will be affected, here is some explanation.


Why these changes?


If you follow technology news, you will have seen in recent months stories about botnets running on Internet of Things (IoT) devices. Hackers use the default passwords on webcams and other systems to build a network able to send enough requests to a website to take it down (a DDoS attack).



The Foundation has always tried to keep the Raspberry Pi as open as possible. There is a default user account (pi) with a default password (raspberry), and this account can use sudo to control or change whatever it wants without entering a password. This makes it easy for beginners to get started. There is also an SSH port open by default, so that people who use a Raspberry Pi remotely can simply install the latest Raspbian image, plug in and use their Raspberry Pi without configuring anything.


Unfortunately, hackers increasingly use access like this to quietly take control of devices. In general, this has not been much of a problem with the Raspberry Pi. If a Raspberry Pi is on a private home network, it is unlikely that an attacker could reach it. If you put a Raspberry Pi on a public network, you had to be aware of the risks you were running and think about changing the default password or disabling SSH.


But the threat of hacking has now reached a point where the approach must change. Even though the Foundation hates imposing restrictions on users, its relatively relaxed approach to security could cause significant problems. With this release, they have made a few small changes to improve security, which should be enough to make it extremely difficult to take control of a Raspberry Pi, without making life too difficult for users.


What has changed?


First, SSH is disabled by default on Raspbian images. SSH (Secure SHell) is a network protocol that allows you to connect remotely to a Linux computer and control it from a remote command-line interface. As mentioned above, many Raspberry Pi owners use it to set up a Raspberry Pi "headless" (without display or keyboard) and control it from another PC.


Until now, SSH was enabled by default, so users of a headless Raspberry Pi could easily get their SD card working. Enabling or disabling SSH has always required raspi-config or the Raspberry Pi Configuration application, but these need a screen and keyboard connected to the Pi itself, which is not available in headless setups. The system therefore provides a simple mechanism to enable SSH before an image boots.


The boot partition of a Raspberry Pi is accessible from any machine with an SD card reader, whether Windows, Mac or Linux. If you want to enable SSH, just place a file called ssh in the /boot/ directory. The content of the file does not matter: it can contain any text of your choice, or even nothing at all. When the Raspberry Pi boots, it looks for this file. If it finds it, it enables SSH and then deletes the file. SSH can still be enabled or disabled from the Raspberry Pi Configuration application or raspi-config; this is simply another way to enable it if you cannot easily run either of those applications.
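The boot-partition flag mechanism just described, as an added shell example that is not Raspbian's own code: a one-shot hook that looks for the ssh flag file in a boot directory, enables the service, and deletes the flag only once enabling succeeded, so a failed attempt is retried on the next boot. The boot directory and the enable command are parameters (assumptions of this example) so that it can be exercised on a scratch directory instead of a real /boot; as an extension beyond the post, it also accepts ssh.txt, which Windows editors tend to produce when file extensions are hidden.

```shell
#!/bin/sh
# Added example, not Raspbian's own code. Mirrors the mechanism described in
# the post: if a flag file named "ssh" exists in the boot partition, enable the
# SSH service and remove the flag so the check is one-shot.
#
# Assumptions of this example: the boot directory and the enable command are
# passed in as $1 and $2. On a real Pi they would be /boot and
# "systemctl enable --now ssh", run as root at boot.

# Print the path of the flag file found in directory $1 and return 0,
# or return 1 when neither "ssh" nor "ssh.txt" exists.
find_ssh_flag() {
    for f in "$1/ssh" "$1/ssh.txt"; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Consume the flag in boot dir $1, enabling SSH with command $2.
# Prints "enabled" when the flag was consumed, "unchanged" when there was no
# flag, and "failed" (exit status 1) when enabling did not succeed; in the
# failure case the flag is kept so the next boot tries again.
sshswitch() {
    boot_dir="$1"
    enable_cmd="${2:-systemctl enable --now ssh}"
    flag="$(find_ssh_flag "$boot_dir")" || { printf 'unchanged\n'; return 0; }
    if sh -c "$enable_cmd"; then
        rm -f -- "$flag"
        printf 'enabled\n'
    else
        printf 'failed\n'
        return 1
    fi
}

# Stand-alone demonstration on a scratch directory standing in for /boot.
# "true" stands in for the real enable command so nothing on the host changes.
demo() {
    tmp="$(mktemp -d)"
    : > "$tmp/ssh"                 # what the user does from another PC
    sshswitch "$tmp" true          # first boot: flag consumed -> enabled
    sshswitch "$tmp" true          # second boot: no flag -> unchanged
    rmdir "$tmp"
}

demo
```

Because the flag is removed after use, placing the file enables SSH exactly once; turning it off again later still goes through raspi-config or the Raspberry Pi Configuration application, as the post says.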


(Image: Raspberry Pi Configuration window showing SSH enabled)



The risk with an open SSH port is that someone could reach it and log in; to do this, they need a user account and a password. Originally, every Raspbian installation has the default user account 'pi' with the password 'raspberry'. If you enable SSH, you really must change the password of the 'pi' user to stop a hacker from using the default values. To encourage this, you will get warnings at startup. If SSH is enabled and the password of the 'pi' user is still 'raspberry', a warning message appears each time you start the Raspberry Pi, whether in graphical or command-line mode. There is no obligation to change the password, but you will be told every time you boot that your Raspberry Pi is potentially at risk.


(Image: Raspbian warning message indicating that SSH is enabled and the password has not been changed)



Translation: SSH is enabled and the default password of the user 'pi' has not been changed.
This is a security risk – log in as user 'pi' and run Raspberry Pi Configuration to set a new password.


The Foundation hopes that these (relatively minor) changes will not cause too much inconvenience, but they will make the task of hackers trying to attack the Raspberry Pi more difficult.


Is there anything I need to do to protect my Raspberry Pi?


At this stage, don't panic! There is no information saying that Raspberry Pis have been used in botnets or "hijacked" in large numbers. Your own Raspberry Pi is certainly not hacked at the moment.


However, it is good practice to protect it to avoid future problems. The Foundation therefore suggests using the Raspberry Pi Configuration application or raspi-config to turn off SSH if you do not use it, and to change the password of the 'pi' user if it is still 'raspberry'.


To change the password, either click the Change Password button in the graphical Raspberry Pi Configuration, or type passwd on the command line, then follow the instructions.


(Image: Password configuration window)



This issue caused a lot of discussion at Pi Towers. The Foundation had good reasons for its "relaxed" approach and was reluctant to change it. However, they think these changes are necessary to protect users from current and future threats, and hope you can understand this reasoning.



The latest version of the Raspbian with PIXEL image is available on the download page of the Foundation's website. Note that the uncompressed image is more than 4 GB, and some slightly older unzip tools fail to decompress it correctly. If you have problems, use 7-Zip on Windows or The Unarchiver on Mac. Both are free applications that have been tested and extract the file correctly.


To update your existing Jessie image with all the bug fixes and the new security changes, type the following in a terminal or on the command line:


    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo apt-get install -y pprompt

Then restart the Raspberry Pi.


A security update for Raspbian PIXEL



