security

Hi :)

I just installed this on an old Raspberry Pi 2 with an IQ audio DAC and a wifi dongle. Everything was picked up automatically, getting things running with samba was dead simple, and I’m blasting out tunes and thinking about a subscription, as there are a couple of other spots in the house that could do with this.

What I can’t find is any way to enhance the security. There seems to be no challenge at all on the network, and ssh can be turned on by just visiting the /dev page, so I’ve got a node on my network exposing a superuser shell to anyone else on the network here. Is there anything I can do to make sure only I can access this, or to lock ssh away?

All I can think of is turning ssh on, logging in and changing that password - is there anything else?

That’s the first thing anyone should do in a new Volumio install. I don’t know why that’s not part of the initial setup script.

Turning off smbd (assuming you’re not going to use it) is another. The rest of the services are pretty much required.

Because we explicitly disabled ssh, point.

That’s misleading.

As the OP points out, ssh is trivially re-enabled by visiting /dev on Port 80 of the device. Which is to say that anyone with access to Google knows both how to enable ssh on the device and what the default superuser password is.

The only way to ensure a modicum of security is to enable ssh and change the password.

You can then return to the /dev interface and “disable” ssh again. But, as already mentioned, doing so makes not a lick of difference.

Adding the entries in the initial script should be possible. The following can be addressed there imho:

  • update the passwd
  • en/disable smbd
  • en/disable hotspot

Should they be mandatory? I’m not sure if that really improves security. Ease of use would definitely suffer from this.

Any thoughts? Or settings worth adding?