I need to open up a port to the internet on a raspberry pi. For that Pi to be isolated I see the following options:
Buy a second router and create a first subnet (DMZ) and then plug the current router (internal LAN) into that. I guess the WAN port on the internal LAN router goes to the new DMZ router / switch. Any tips for cheap routers for this purpose ? I just need Gigabit and literally 1 port for the DMZ subnet
Connect the Pi directly to the internet and keep my router and internal lan as is. For this option, how would I access the Pi ? (I guess it would need DynDNS or something so I can log in to it / copy files etc.)
Ideally I wouldn’t put it in the DMZ, because that means it’s completely exposed to the internet on all ports. That’s probably OK if you don’t have anything of interest on the RPi and turn on security auto-updates, but I wouldn’t feel totally comfortable leaving it wide-open like that.
The best solution would be to put the RPi on a separate VLAN, which is isolated from your primary intranet, and then port-forward whatever ports you need to its IP in your router. That’s what @SudoSaibot was referring to. Your router can probably do it with an alternate firmware.
Nope, take it off. All Pi’s have a known vuln with a default password backdoor (IIRC), but they are also easily compromised. If you put that on the DMZ it will for sure get pwned. Then say good bye to your upload bandwidth as you’ll then contribute to a botnet.
Only way to secure a pi is to have is dark or behind a NAT + firewall.
Just being on the network can make it a target. Even if there is nothing else of value to you on the device, the fact that it’s connected to the Internet is of value to an attacker. An unsecured device is open to automated harvesting by worms. It may become part of a botnet, or it could be used as an anonymous relay to attack other sites. This makes the attacker more difficult to trace, until an investigation comes demanding information from you. You probably don’t want to deal with that. So don’t leave your devices open to it.
As proof, here is a step-by-step guide on how to easyly pwn a rpi connected to a network via metasploit.
Regarding RPi security, you secure them like any other linux box. Whatever python POS is running on port 4321, block access via iptables or turn it off.
The exploit would still technically work, if unpatched and running, but for someone on the internet to access it they would first have to penetrate your perimeter elsewhere.
Regarding transmission, if you mean the port that Bittorrent uses for incoming connections, it’s fine to open that to the internet, but I would not expose any web UI.
Interesting. The perimiter would (should) only be those 2 ports, as the RPi would be connecting directly to the fiberbox (internet). Unless there are exploits that don’t even need ports open…
Then my normal LAN router would be connected to the same Fiberbox (internet), hiding the LAN with no ports need to come in to that.
If it’s connected directly to the internet, there is no perimeter, it’s fully exposed. You would have to firewall off connections locally through iptables.
