These docs are for v3.3.0. Click to read the latest docs for v7.6.0.

Move to Production

In order to move a development environment to production and deploy devices to the field, few steps should be done to improve the overall security of the resulting embedded systems:

  • Linux Hardening
  • ESF Hardening
  • Creating a custom ESF installer

Linux Hardening

Eurotech suggests few guidelines that can be used to obtain a safer system:

  • Change the default root user password with a more secure one. For example choosing a long, difficult-to-guess credential which should include lowercase and uppercase letters, numbers and special characters.
# 1. Connect to the server:
ssh [email protected]

# 2. Type the following command:
passwd
  • Create new users without root privileges.
# 1. Connect to the server:
ssh [email protected]

# 2. Add a new user with the new username:
useradd newUserName

# 3. Specify the password for the newly created user:
passwd newUserName
  • Disable root access from SSH.
# 1. Connect to the server:
ssh [email protected]

# 2. Edit the ssh server configuration:
sudo nano /etc/ssh/sshd_config

# 3. Edit the configuration:
PermitRootLogin no

# 4. Save and then type: 
/etc/init.d/sshd restart
  • Configure the SSH server to allow public key authentication only.
  • Certificates should have key size bigger or equal than 2048 bit.
# 1. Generate the ssh key pair on the desktop computer:
ssh-keygen

# 2. Copy the public key to the server:
scp ~/.ssh/id_rsa.pub [email protected]:

# 3. Connect to the server:
ssh [email protected]

# 4. Append the public key to authorized_keys and remove the uploaded copy:
cat id_rsa.pub >> ~/.ssh/authorized_keys
rm id_rsa.pub

# 5. Edit the ssh server configuration to make sure that public key authentication is enabled (it should be enabled by default):
sudo nano /etc/ssh/sshd_config

# 5.1 These entries must be set to yes:
RSAAuthentication yes
PubkeyAuthentication yes

# 6. Save and then type: 
/etc/init.d/sshd restart
  • Deny SSH password access.
# 1. Connect to the server:
ssh [email protected]

# 2. Edit the ssh server configuration:
sudo nano /etc/ssh/sshd_config

# 2.1 These entries must be set:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

# 3. Save and then type: 
/etc/init.d/sshd restart
  • Move the SSH server to a non-default port (i.e. move the server from port 22 to a port in the range [49152-65535].
# 1. Connect to the server:
ssh [email protected]

# 2. Edit the ssh server configuration:
sudo nano /etc/ssh/sshd_config

# 2.1 Modify the Port field:
Port 49153

# 3. Save and then type: 
/etc/init.d/sshd restart
  • Disable unnecessary network services like Avahi or SysRq.

  • Protect U-Boot by setting the boot delay to 0. The following commands can be used for this purpose.

# 1. Reboot the device:
reboot

# 2. Use the serial console to access U-Boot.

# 3. Type the following command to set the boot delay to 0:
setenv bootdelay 0

# 4. Save the environment:
saveenv

๐Ÿ“˜

Eurotech suggests to keeps the devices updated with the latest Linux released image, in order to take advantage of all the latest security patches applied.

ESF Hardening

ESF should be fine tuned before field deployment. Eurotech suggests to:

  • Move ESF into production mode (References in the Security Features page).
  • Adopt a strong security policy.
  • Review the installed firewall rules to avoid exposing unwanted services (i.e. remove entries for port 8000 and 1450).
  • Restrict the access to the local ESF Gateway Administration Console for example allowing access only through the VPN subnet (10.234.0.0/16).
  • Adopt strong ESF Gateway Administration Console username and password (it should be long, difficult-to-guess, including lowercase and uppercase letters, numbers, and special characters).
  • Every new device should connect to the target account through provisioning .
  • Disable the remote command execution or protect the service with a strong password.
  • Disable all the network interfaces that are not used or protect them with suitable firewall rules.
  • If the device is setup to enable the Wi-Fi interface in Access Point (AP) mode, it is recommended to ensure that the wireless network is protected using a strong WPA/WPA2 password.
  • If the Wi-Fi connectivity is not required, it should be disabled.

๐Ÿ“˜

Eurotech suggests to keep ESF up-to-date, in order to take advantage of all the latest security improvements.

Creating a custom ESF installer

Often there is the need to install ESF with a custom configuration. First of all, a golden sample with the desired configuration has to be created, following the previous guidelines. Currently, the new security features of ESF do not allow a simple disk image and cloning it to another device. For this reason, the following steps should be performed in order to replicate the golden sample configuration.

Downloads

  1. Download the latest configuration snapshot using the local ESF Gateway Administration Console.

โ—๏ธ

This snapshot is unencrypted, so keep it in a safe place!

  1. Verify that all of the information in the snapshot is consistent. For example the snapshot should:
  • not contain value for the component with pid="org.eclipse.kura.core.data.transport.mqtt.MqttDataTransport".
  • have the ProvisioningService enabled and correctly setup.

Backups

  1. Copy to a safe location:
  • security.policy (available at /opt/eurotech/esf/kura/security.policy)
  • firewall (available at /etc/init.d/firewall)
  • dpa.properties (available at /opt/eurotech/esf/kura/dpa.properties)
  • packages folder (available at /opt/eurotech/esf/kura/packages/)
  • cacerts.ks (available at /opt/eurotech/esf/security/cacerts.ks)

Keystore

  1. Download the default certificates.ks keystore file from this link (the default password is defaultPassword): it contains the public keys of the certificates that ESF trusts. To have his code working, the developer has to use specific tools (like keytool) to add his public keys to the keystore, like shown below:
keytool -import -alias <key alias in keystore> -keystore <keystore name>.ks -file <public key to import>.pem

ESF will be able to access the keystore only if the correct keystore password is specified in the kura.properties file that will be distributed in the final release.

Install into a new device
In a new device, install a copy of ESF using the standard installer. Before the first framework startup, copy all the previously saved files to the respective locations.
At this point, ESF can be started and will run with the desired configuration.