I would like to assure my boss that port forwarding a Raspberry Pi is safe. I plan to port forward the web port so I can run an Apache server, and also port forward my own program (a C command-line socket server).

Q1: As I understand it, the only way to hack the Raspberry Pi (in this case) would be to hack the program that is being port forwarded. Is that true? Could the hacker get to another computer, or hack something else?

Q2: Is Apache unhackable if you port forward it?

Q3: Let's say that the only thing my program does is a ->ping->pong type program. Could there be a way that the program could be used to hack my Pi?

Q4: If my Pi is hacked, could the hacker then use it to gain access to other computers on the network? What could be done to prevent it?

Thank you very much for any response. If you are only able to answer one of my questions, that is perfectly fine.

pepperjack
  • Nothing is "unhackable". But I've had my Apache open on a non-standard port for about a year now. I've never had any security issues. – Patrick Cook Jul 24 '16 at 23:15
  • @PatrickCook that you know of – Steve Robillard Jul 24 '16 at 23:19
  • @SteveRobillard Fair point. – Patrick Cook Jul 24 '16 at 23:19
  • @PatrickCook if someone was to hack it, could they hack anything else on the network? I don't care if my pi gets hacked – pepperjack Jul 24 '16 at 23:23
  • @Evan_K2014 Like Steve said, that really depends on how the other devices on the network are protected and what (if any) trusts they share with the Pi. In my opinion, unless your company is a target for some reason, you should be okay. But security never hurts. – Patrick Cook Jul 24 '16 at 23:25
  • @PatrickCook is there a way to prevent communication between the pi and computers on the network? – pepperjack Jul 24 '16 at 23:26
  • @Evan_K2014 I don't think so, unless you disconnect it from the network, therefore nullifying this question. But there may be a way that I am not aware of. – Patrick Cook Jul 24 '16 at 23:28
  • @PatrickCook by the time you realize you are a target it may already be too late. – Steve Robillard Jul 24 '16 at 23:32
  • If you do not want to be hacked, first disconnect all your computers from the network and then turn them off and leave them off. If anyone makes any promises to you otherwise, they are lying or delusional. – goldilocks Jul 25 '16 at 11:17

1 Answer

An attacker can hack the program running the server and any program/service it relies on (e.g. SSL, the webserver, logins etc.). No system connected to a network and plugged in is unhackable. If they can successfully exploit your Pi, they can then use it to attack your other servers - this will likely be far easier since they already accessed your network and there is likely a degree of trust between your Pi and other machines on your network. You need far more than port forwarding to protect your Pi and the rest of your network. This would include but is not limited to a firewall, intrusion detection, an update/patching plan, backups, hardening of all exposed services and programs etc.

What value would you get from having a ping/pong or echo server running internally open on the web? It would be simpler to use a cloud provider and let them handle the security issues while you focus on your application's core functionality.

I would suggest doing much more homework before attempting this or trying to convince your boss - unless you want to be unemployed. You may want to start with this question, and this recent blog post.

Properly securing the Pi is not impossible, but requires a lot of knowledge, skill and time.

Steve Robillard
  • Is there a way to make the pi an outcast on the network? Like to where it cannot talk to any other computer? – pepperjack Jul 24 '16 at 23:26
  • It can only be done with a separate network that is air gapped from the internal network (no common router, gateway etc.). – Steve Robillard Jul 24 '16 at 23:29
  • @Evan_K2014: You can put the Pi into what's called a DMZ (De-Militarized Zone) on the network. The setup depends on what network equipment you use at your office, but even the cheapest of home network gateway equipment has this capability (not that I'd vouch for its trustworthiness though) – stevieb Sep 02 '16 at 17:21
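
Q3 asks whether a ping/pong program can itself be a way in, and the answer says the exposed program is what an attacker targets. The following is an added example, not code from the original posts, of keeping the request handling of such a C server bounded; the `ping\n`/`pong\n` line protocol, `MAX_LINE` and all names are assumptions.

```c
/* Added example: bounded request handling for a "ping\n" -> "pong\n" protocol.
 * The protocol, MAX_LINE and every name here are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_LINE 8   /* longest request accepted, newline included */
enum { NEED_MORE = 0, REPLY_READY = 1, CLOSE_CONN = -1 };

struct conn {
    char   line[MAX_LINE];   /* bytes of the current, unfinished request */
    size_t used;             /* number of bytes of line[] in use */
};

/* Feed bytes exactly as recv() returned them (a request may arrive split
 * across reads, or several may arrive in one). *consumed tells the caller
 * how many bytes were taken, so it can call again with the remainder. */
int feed(struct conn *c, const char *data, size_t n,
         char *out, size_t cap, size_t *consumed)
{
    for (size_t i = 0; i < n; i++) {
        *consumed = i + 1;
        if (c->used == MAX_LINE)      /* no newline within the limit: */
            return CLOSE_CONN;        /* drop the peer, never grow the buffer */
        c->line[c->used++] = data[i];
        if (data[i] != '\n')
            continue;
        /* line[] is not NUL-terminated, so compare by length, not strcmp(). */
        int ok = (c->used == 5 && memcmp(c->line, "ping\n", 5) == 0);
        c->used = 0;
        if (!ok || cap < 6)
            return CLOSE_CONN;        /* unknown command: no echo, no parsing */
        memcpy(out, "pong\n", 6);     /* fixed reply, nothing peer-controlled */
        return REPLY_READY;
    }
    *consumed = n;
    return NEED_MORE;
}

int main(void)
{
    struct conn c = { {0}, 0 };
    char out[8];
    size_t took;
    /* Constructed input: one request split across two reads. */
    int a = feed(&c, "pi", 2, out, sizeof out, &took);
    int b = feed(&c, "ng\n", 3, out, sizeof out, &took);
    printf("%d %d %s", a, b, b == REPLY_READY ? out : "\n");
    return 0;
}
```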