Securing your IoT Gateway – Services

Here we will outline some areas you can secure your IoT Gateway. Since I have more knowledge in Linux, that will be referenced. If you haven’t chosen an OS or are just getting started, you might want to find one or build one with the Yocto project.

Yaaa we are on the Internet!! Oh god we are on the Internet…

(Screenshot from shodan.io)

So to start off, you shouldn't just put your IoT gateway device on the internet. Tools like Shodan and others can identify exposed devices easily, which makes them easier targets for unsavory characters. That being said, since you will often be building a system that someone else deploys, here are some steps to secure your system against global issues as well as local ones.

Fing is your Friend

Fing allows you to do service discovery. It's very useful both for identifying systems you can connect to and for seeing which services your own device has open. Start by installing fing... I'll wait...

Great, now it's a command line tool. To run a basic scan simply type

~/Development$ sudo fing

If it times out or hangs, you probably missed the sudo.

Fing spits back a list of devices on your network. There are other ways you can tune fing but at the least you can scan your own device.

Fing will return hostnames as well to make referencing easier.

You can identify specific items you want to check out by doing a service scan of a specific IP address. This will tell us which ports the services are running on.

sudo fing -s {{IP ADDRESS}}

Note that the IP address is the Host value from the list returned by the general fing scan above.

(Example of a scan against an Apple TV)

Securing Services on a gateway

It's important to make sure services on a device are operating with the minimum authority required to complete their goals.

  • Remove Unnecessary Services
  • Secure Services Globally
  • Secure Services Locally

REMOVE UNNECESSARY LINUX SERVICES

While on a device you can run this command to check services. It will return a list of listening sockets on your system along with the programs that own them.

netstat -lp

On Debian you can use this to remove a service from the startup sequence (apache2 here as an example).

update-rc.d -f apache2 remove

SECURE SERVICES GLOBALLY

At a high level you will want to lock your device down to only the ports that required services such as HTTPS use. You can do that with iptables. SSH and HTTPS are ports 22 and 80. If you are wondering about specific ports for other services you can find them here.

Ex. iptables config (YourIP is a placeholder for the address you administer from)

iptables -A INPUT -p tcp -s YourIP --dport 22 -j ACCEPT

Warning: if you are not directly logged into the device (i.e. you are connected over SSH), this can lock you out.
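A fuller version of the lockdown above, as an added example that is not from the original post: it assumes an admin host address (placeholder 203.0.113.10), keeps loopback and already-established traffic working, allows SSH only from the admin host and HTTPS on 443, and sets the default INPUT policy to DROP last, since a lone ACCEPT rule restricts nothing on its own. By default it only prints the rules so you can review them before applying.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a minimal iptables
# INPUT policy for a gateway. ADMIN_IP is an assumed placeholder for the host
# you administer from; 203.0.113.10 is a constructed sample address.

valid_ipv4() {
  # Reject anything that is not four dotted decimal octets in 0-255. An empty
  # or malformed -s argument would make the SSH rule useless and lock you out.
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

gen_rules() {
  valid_ipv4 "$1" || { echo "gen_rules: bad admin IP '$1'" >&2; return 1; }
  # Loopback first, so local-only services (e.g. Redis bound to 127.0.0.1)
  # keep working once the default policy becomes DROP.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # Keep replies to connections the gateway itself opened (updates, NTP, ...).
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # SSH only from the admin host; HTTPS (443) from anywhere.
  echo "iptables -A INPUT -p tcp -s $1 --dport 22 -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"
  # Default DROP goes last: without it the ACCEPT rules above restrict nothing,
  # and setting it before the SSH rule exists would cut an SSH session off.
  echo "iptables -P INPUT DROP"
}

# Review mode (default) prints the rules. To apply them on the device:
#   APPLY=1 ADMIN_IP=203.0.113.10 sh lockdown.sh
# When applying over SSH, first start a rollback in a second session, e.g.
#   sleep 300 && iptables -P INPUT ACCEPT
# and cancel it once you have confirmed you can still log in.
if [ "${APPLY:-0}" = "1" ]; then
  gen_rules "$ADMIN_IP" | sh -e
else
  gen_rules "${ADMIN_IP:-203.0.113.10}"
fi
```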

SECURE SERVICES LOCALLY

If you are setting up a new service on the device, such as a PostgreSQL or Redis database, you should configure it so that access is limited to the local machine.

Redis Ex. After installing Redis, change the default bind setting so it listens only on localhost: uncomment the bind 127.0.0.1 line in the Redis config file.

bind 127.0.0.1

Each service has its own config file to change. It's worth going through these to understand the options.
