securing embedded Linux on ConnectCore or Connect ME 9210 module against external access

To disable the telnet daemon, patch your rootfs/etc/inittab and comment the line starting telnet with a "#"

With the Digi Embedded Linux ESP create a rootfs project, select configure project, Roofs Configuration->Pre-built applications

deselect busybox httpd and cherokee webserver (if you do not need them)

deselect Vsftp or ftp server (if you do not need them)

deselect Dropbear SSH server (if you do not need it)

If you need dropbear SSH server, you should disable root login by modifying rootfs/etc/init.d/ in the start() section:

start-stop-daemon --start --quiet --pidfile /var/run/ --exec /usr/sbin/dropbear -- -w

add a new user for ssh access with the "adduser" command on the embedded module, provide a secure password.

If your rootfs is read only (e.g. ME9210 squasfs), such that you can not run adduser on the embedded system, modify your rootfs/etc/passwd to add a user manually. The password can by created on the development host with:

openssl passwd -crypt you have to copy the output into the second entry in the /etc/passwd file.

You should also modify the standard root password

Check your embedded modules for additionally open ports with a port scanner like nmap runned on your Linux development host as root.

To permanently add modified /etc/* files to your rootfs, add them to be copied to your rootfs in the project

Last updated: Jun 13, 2019

Recently Viewed

No recently viewed articles

Did you find this article helpful?