IT-S in a Box: Extension
Summary
Extension of the description and use of the security box from the Master's thesis "Smart Home Security Boxes – a practice-oriented evaluation", carried out as Wahlfachprojekt 1 (elective subject project 1).
WFP1 - Extension
Requirements
- Raspberry Pi 4
- 16 GB SD card
- Ubuntu 20.04
and:
- Raspberry Pi 5
- 16 GB SD card
- Ubuntu 24.04
Note: Ubuntu 20.04 cannot be installed via Raspberry Pi Imager for Raspberry Pi 4 and must be manually installed and configured instead!
Overview
Description
This elective subject project focuses on the extension and optimization of the existing master's thesis. The installation process does not differ from said master's thesis and can still be applied for both the Raspberry Pi 4 (Ubuntu 20.04) and the Raspberry Pi 5 (Ubuntu 24.04). For installation on Raspberry Pi 5 (Ubuntu 24.04), we provide assistance in the form of a script.
Update of Existing Project
To ensure that our systems operate optimally and securely, we recently performed comprehensive updates to bring all dependencies and installations up to date. This included updates to key platforms such as PHP and Python, as well as databases like MySQL. Additionally, we also updated our network monitoring and security applications such as LibreNMS, Suricata, and EVEBOX. Furthermore, we made improvements to proxy services like Squid and content filters like SquidGuard. These measures ensure that we have integrated current security patches and can benefit from the latest features and performance enhancements.
List of Updated Software (June 16, 2024)
- EveBox: 0.18.2
- LibreNMS: 22.02
- MySQL: 10.7
- PHP: 8.3
- SquidGuard: 5.5
- Suricata: 7.0.5
- Ubuntu: 24.04
Alternative Software Considered to Suricata
After thorough evaluation, in addition to Suricata, we also installed and tested Snort to find the best network security solution for our needs. In our tests, we did not find significant differences in functionality or performance that would justify switching from Suricata to Snort. Therefore, we decided to continue using Suricata, as it meets our requirements optimally and is already integrated into our existing infrastructure.
Advantages of Suricata:
- Multi-threaded Architecture: Suricata efficiently utilizes modern multi-core processors due to its multi-threaded architecture. This provides superior performance in terms of throughput and scalability compared to Snort. This architecture enables Suricata to efficiently handle high-speed networks and large volumes of data.
- Support for New Protocols: Suricata excels in its ability to handle new protocols and complex traffic patterns. It provides robust support for protocols such as HTTP, SSL/TLS, DNS, and more, making it versatile for network monitoring and threat detection across various layers of the OSI model.
- Signature Language: Suricata uses a powerful signature language (YARA and open rule sets from Emerging Threats), ensuring nuanced and sophisticated threat detection capabilities. This flexibility is crucial for detecting complex threats and adapting to new attack vectors.
- File Extraction and Analysis: Suricata has built-in support for file extraction and analysis, aiding in capturing and examining payloads and attachments in network traffic. This feature enhances forensic capabilities and assists in investigating security incidents.
- Active Development and Community: Suricata benefits from an active developer community and regular updates, ensuring it stays abreast of the latest security threats and technological advancements. This collaborative approach leads to continuous improvements and bug fixes.
Disadvantages of Snort Compared:
- Single-Threaded Nature: Snort traditionally operates in a single-threaded model, which may limit its ability to fully leverage modern multi-core hardware. This can impact its performance in high-speed networks compared to Suricata.
- Protocol Handling: While effective for many common protocols, Snort may not have the same level of built-in support for new or less common protocols as Suricata. This could limit its effectiveness in certain network environments.
Other Alternatives Considered
- Security Onion: Security Onion is a Linux distribution that integrates a range of open-source security monitoring tools, including Suricata, Snort, Zeek, and others. It provides a comprehensive platform for network monitoring, log management, and forensic analysis.
- AlienVault OSSIM: AlienVault Open Source Security Information and Event Management (OSSIM) offers SIEM capabilities alongside IDS/IPS functionality. It integrates various open-source tools for monitoring security events and network activities.
We also considered adding further open-source software to expand our capabilities. However, we ran into limits on the storage available on the Raspberry Pi's 16 GB SD card. This led us to restrict our selection to priority applications to ensure the stability and performance of our system.
Performance Comparison Raspberry Pi 4/5
The use of the Raspberry Pi 5 was significantly easier and more enjoyable, as it did not overheat, was more powerful, and allowed for smoother operation. In contrast, the Raspberry Pi 4 tended to have visual errors and even crashes, complicating work with it. The improved hardware of the Raspberry Pi 5 provided more stable and reliable performance, significantly easing development and use.
With the help of a script we wrote, we attempted to directly compare the two Raspberry Pi models by continuously monitoring their system resources. The script captures the current date and time, system uptime, memory usage, disk usage, and CPU load at regular intervals of 60 seconds. By comparing the collected data, we were able to analyze in detail the stability, efficiency, and performance of the Raspberry Pi 5 compared to the Raspberry Pi 4.
Based on the tests conducted and the performance metrics obtained, we found that the Raspberry Pi 5 showed significant improvements in CPU and RAM performance compared to the Raspberry Pi 4. Here are the values observed from the results:
- CPU Performance: The Raspberry Pi 5 demonstrated an average improvement in CPU performance of approximately 40% compared to the Raspberry Pi 4. This improvement results in faster computations and overall smoother task execution.
- RAM Usage: Regarding memory (RAM), the Raspberry Pi 5 showed an improvement of approximately 30% to 40%. This means that the Raspberry Pi 5 can handle memory resources more efficiently, leading to better multitasking capability and fewer bottlenecks.
Monitoring Script
#!/bin/bash
# Simple resource monitor: prints uptime, memory, disk and CPU figures every 60 s.
# Requires mpstat from the "sysstat" package (sudo apt install sysstat).

# Function to get current date and time
get_datetime() {
    date +"%Y-%m-%d %H:%M:%S"
}

# Function to monitor system resources
monitor_resources() {
    echo "======================================="
    echo "$(get_datetime)"
    echo "System Resources:"
    echo "---------------------------------------"
    echo "Uptime:"
    uptime
    echo "---------------------------------------"
    echo "Memory Usage:"
    free -h
    echo "---------------------------------------"
    echo "Disk Usage:"
    df -h /
    echo "---------------------------------------"
    echo "CPU Usage:"
    mpstat 1 1 | grep "all"   # one 1-second sample; the "all" rows aggregate every core
    echo "======================================="
}

# Main loop to run indefinitely (stop with Ctrl-C)
while true
do
    monitor_resources
    sleep 60 # Sleep for 60 seconds
done
The provided Bash script is for monitoring and displaying essential system resources on a Linux-based system. It regularly gathers information on CPU usage, memory utilization, disk space, and system uptime and outputs them. This is useful for administrators to monitor system performance over time and identify potential resource bottlenecks early.
Adjust the monitoring frequency by changing the sleep duration in the script (sleep 60).
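The comparison described above, as an added example that is not part of the project: it reads two saved runs of the monitoring script, picks out the "Mem:" row printed by free -h and the "Average: all" row printed by mpstat for every interval, and reports mean CPU busy time and RAM use together with the relative difference. The two log excerpts are constructed sample data, not measurements from the project.

```python
import re
from statistics import mean

# Constructed excerpts of the monitoring script's output (one free -h "Mem:" row and
# one mpstat "Average: all" row per 60 s interval); the parser skips every other line.
PI4_LOG = """\
Mem:           4.0Gi       2.0Gi       1.5Gi        12Mi       0.5Gi       1.8Gi
Average:     all   55.00    0.00    5.00    0.00    0.00    0.00    0.00    0.00    0.00   40.00
Mem:           4.0Gi       3.0Gi       0.6Gi        12Mi       0.4Gi       0.8Gi
Average:     all   35.00    0.00    5.00    0.00    0.00    0.00    0.00    0.00    0.00   60.00
"""
PI5_LOG = """\
Mem:           8.0Gi       1.5Gi       5.9Gi        12Mi       0.6Gi       6.3Gi
Average:     all   25.00    0.00    5.00    0.00    0.00    0.00    0.00    0.00    0.00   70.00
Mem:           8.0Gi       1.0Gi       6.4Gi        12Mi       0.6Gi       6.8Gi
Average:     all   15.00    0.00    5.00    0.00    0.00    0.00    0.00    0.00    0.00   80.00
"""
_UNITS = {"B": 1 / 1024 ** 2, "Ki": 1 / 1024, "Mi": 1.0, "Gi": 1024.0, "Ti": 1024.0 ** 2}

def to_mib(size: str) -> float:
    """Convert a human-readable free -h value such as '3.7Gi' or '512Mi' to MiB."""
    m = re.fullmatch(r"([\d.]+)([KMGT]i|B)?", size)
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return float(m.group(1)) * _UNITS[m.group(2) or "B"]

def parse_log(text: str) -> dict:
    """Extract per-interval CPU busy %, used RAM (MiB) and used RAM (%) from a log."""
    out = {"cpu_busy": [], "mem_used_mib": [], "mem_used_pct": []}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "Mem:":                # free -h columns: total used free ...
            total, used = to_mib(f[1]), to_mib(f[2])
            out["mem_used_mib"].append(used)
            out["mem_used_pct"].append(used / total * 100)
        elif len(f) >= 3 and f[0] == "Average:" and f[1] == "all":  # mpstat row; last column is %idle
            out["cpu_busy"].append(100.0 - float(f[-1]))
    return out

def summarize(text: str) -> dict:
    """Average each metric over all intervals; fail loudly on an empty or truncated log."""
    data = parse_log(text)
    if any(not v for v in data.values()):
        raise ValueError("log contains no complete monitoring interval")
    return {k: mean(v) for k, v in data.items()}

def improvement(baseline: float, candidate: float) -> float:
    """Relative reduction of a metric in percent (positive means the candidate uses less)."""
    return (baseline - candidate) / baseline * 100

if __name__ == "__main__":
    pi4, pi5 = summarize(PI4_LOG), summarize(PI5_LOG)
    for metric in pi4:
        print(f"{metric:13} Pi4={pi4[metric]:8.2f}  Pi5={pi5[metric]:8.2f}  "
              f"improvement={improvement(pi4[metric], pi5[metric]):6.1f}%")
```

To use it on real data, redirect the monitoring script's output to a file on each board and pass the two files' contents to summarize() in place of the constructed strings.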
Automation Script
We have implemented an automation process to efficiently handle recurring tasks. This includes installing necessary software components and configuring specific system settings. This automation helps save time and minimize errors in manual configuration steps.
Detailed information on the automated tasks and configurations can be found under the path /securitybox/scripts. Among them, the checklist provides guidance on troubleshooting when issues arise. In the installs.sh script, you can track which software packages are installed and what specific adjustments are made to ensure the efficiency and security of the configuration.
To execute the script, adjust permissions first:
$ chmod +x installs.sh
Then run:
$ sudo su
$ ./installs.sh
Manual Adjustments
When configuring the Raspberry Pi, IP addresses need to be manually adjusted in certain files to match the Raspberry Pi's address. Here are the relevant directories and files:
- /etc/hosts
- /etc/squidguard/squidGuard.conf
- /var/www/html/adult_block.php
The installation script does not cover the configuration of Suricata and EVEBOX. To install them successfully, they must be installed manually according to the specific instructions of the master's thesis!
Areas to Improve
During the project, we encountered several issues related to implementing new software. The most notable were:
- Missing Configuration File at /opt/librenms/config.php: The configuration file does not exist by default but can be copied from a template (e.g., the default file) and customized to have the correct settings.
$ cp /opt/librenms/config.php.default /opt/librenms/config.php
$ nano /opt/librenms/config.php
- Manual Installation of the Nginx Service: The Nginx web server is not installed by the script and needs to be installed manually.
$ sudo apt install nginx
- Configuration Issues with the Nginx Service: The web server's (Nginx) configuration files do not work out of the box. This can be due to errors in the files themselves or to missing adjustments for the specific environment. In our case, the web root had the wrong owner and permissions, and we fixed it as follows:
$ sudo chown -R www-data:www-data /var/www/librenms/html
$ sudo chmod -R 755 /var/www/librenms/html
- Known Bug in the LibreNMS Database: There is a known bug in the LibreNMS database that may cause a created user to no longer exist. In such a case, the user must be recreated manually.
- Incomplete LibreNMS Setup: The LibreNMS setup is incomplete, as components such as the scheduler, updates, and the web server are missing. These need to be set up manually to make the system fully functional.
References
https://git.fh-campuswien.ac.at/Elvis/sicherheitsbox/-/blob/WFP1/README.md?ref_type=heads