Best Practices
In this section we present some best practices that should be taken into account when using the eManager.
Top Security Practices
1. Change default passwords
Note first that every eManager manufactured with the new image v24.04 already has a unique, non-derivable password per device. This prevents an external attacker from logging in to the device with a known default password.
Even so, where access is to be restricted within the scope of an installation or plant, we recommend changing the default password, both for the console and for Webadmin.
It is important to use a strong password.
2. Connect to eManager's console using ssh asymmetric key
More info here.
3. Connect to eManager's Webadmin using https
The first time you connect to an eManager over https, the browser will warn that the certificate cannot be validated. Before accepting it, compare the fingerprint shown by the browser with the certificate on the device (for example over the SSH console) rather than clicking through by habit; otherwise a different certificate presented by an attacker in the path would be accepted just as readily.
4. If using Node-Red, protect the flow with credentials
More info here.
5. If a modem is used, make sure to configure an APN that assigns private IP addresses, unless your application requires otherwise; a public IP exposes every listening service below directly to the internet
6. Disable unused system services from the following list:
Port | Protocol | Service | Description |
---|---|---|---|
22 | TCP | ssh | Secure Shell Protocol (SSH) |
80 | TCP | http | Nginx |
443 | TCP | https | Nginx |
111 | TCP | rpcbind | Remote Procedure Call (RPC) |
1880 | TCP | vsat-control | Node-Red |
5355 | TCP | llmnr | LLMNR (Link-Local Multicast Name Resolution) protocol |
8080 | TCP | http-proxy | SWUpdate |
16478 | TCP | emod_webadmin | Webadmin |
Dynamic | TCP | emod_upnp | Universal Plug and Play (UPnP) |
Services belonging to the ChirpStack, TICK Stack and MING Stack are not included in this list.
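The table above is also the reference for verifying that the services you disabled are really gone. As an added example, not part of the eManager documentation, the following shell function compares the TCP listeners reported by `ss -ltn` against an allowlist of the ports you decided to keep and prints every port that is not on it. The `ss` output below is constructed (not captured from a real device) to resemble an eManager on which rpcbind, Node-RED and LLMNR are still running and UPnP has taken a dynamic port; that the image ships `ss` from iproute2 is an assumption, and `netstat -ltn` output has the same shape.

```shell
#!/bin/sh
# Added example, not from the eManager documentation.
# audit_listeners ALLOWLIST < ss-output
#   Reads `ss -ltn` style output on stdin and prints, one per line in numeric
#   order, every listening TCP port that is not in ALLOWLIST (a space-separated
#   list of port numbers). Prints nothing when every listener is allowed.
audit_listeners() {
    awk -v allow=" $1 " '
        # skip the header row; only LISTEN rows carry a local port
        NR > 1 && $1 == "LISTEN" {
            # column 4 is "Local Address:Port"; the port follows the last ":",
            # which also copes with forms such as [::]:22 and *:1880
            n = split($4, a, ":"); port = a[n]
            # report each unexpected port once even if bound on both v4 and v6
            if (index(allow, " " port " ") == 0 && !seen[port]++) print port
        }' | sort -n
}

# Constructed sample of `ss -ltn` output (not captured from a real device):
# ssh, nginx, rpcbind, Node-RED, LLMNR, Webadmin and a UPnP listener on 49152.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      4096   0.0.0.0:111         0.0.0.0:*
LISTEN 0      511    *:1880              *:*
LISTEN 0      4096   *:5355              *:*
LISTEN 0      128    0.0.0.0:16478       0.0.0.0:*
LISTEN 0      128    0.0.0.0:49152       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# Policy assumed for this installation: keep ssh, nginx (http/https), Webadmin
# and SWUpdate; everything else in the table is expected to be disabled.
KEEP_PORTS="22 80 443 16478 8080"

# demo: run the audit on the sample; returns 1 if anything unexpected listens.
demo() {
    unexpected=$(printf '%s\n' "$SAMPLE_SS" | audit_listeners "$KEEP_PORTS")
    if [ -n "$unexpected" ]; then
        printf 'unexpected listening TCP ports:\n%s\n' "$unexpected"
        return 1
    fi
    echo "only expected ports are listening"
}

demo
# On the device itself:  ss -ltn | audit_listeners "$KEEP_PORTS"
```

On the constructed sample the audit reports 111, 1880, 5355 and 49152, which map back to rpcbind, Node-RED, LLMNR and UPnP in the table. Running it after each `systemctl disable --now` or Webadmin change, and again after a reboot, confirms that a socket or target unit did not quietly restart the service.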
Below is a description of each of these services:
SSH
Description
SSH is a cryptographic network protocol for operating network services securely over an unsecured network.
When to disable
Never disable it: without SSH there is no longer a way to reach the device console. As mentioned above, we recommend logging in with an asymmetric key.
nginx
Description
Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
When to disable
Disable it only if you really do not need to access the eManager from a browser.
How to disable
Webadmin
Description
Webadmin is a web-based system administration tool for eManager, which allows you to view and modify network settings and services, as well as update the entire system image and software packages.
To access it, you must log in with your username and password.
When to disable
Disable it only if you don't really need to access Webadmin.
How to disable
Remote Procedure Call (RPC)
Description
Remote Procedure Call (RPC) is an inter-process communication technique that lets client and server software communicate over a network. rpcbind accepts port reservations from local RPC services and publishes them, so that remote RPC clients can find and reach the corresponding service.
It is typically used to let network hosts reach resources on a server. Port 111 is only reachable from the internet if your firewall allows it. Doing so is dangerous: your firewall should not forward port 111 unless you know exactly what you are doing.
Known vulnerabilities
CVE-2015-7236: fixed
When to disable
rpcbind can be safely disabled if you do not plan to use NFS.
How to disable
Disable all three units; stopping only rpcbind.service is not enough, since rpcbind.socket would start it again on the next connection to port 111.
systemctl disable --now rpcbind.target
systemctl disable --now rpcbind.socket
systemctl disable --now rpcbind.service
Node-RED
Description
Node-RED is a programming tool for wiring together hardware devices, APIs and online services in new and interesting ways.
When to disable
Disable it only if you don't really need to use Node-RED.
How to disable
LLMNR
Description
LLMNR (Link-Local Multicast Name Resolution) is a protocol based on the Domain Name System (DNS) format that resolves the names of hosts on the same link without a DNS server. It is included in Windows and in Linux systemd-resolved, and is very similar to mDNS.
Known vulnerabilities
LLMNR poisoning attack: because any host on the link may answer a query, an attacker on the same network can reply to requests for names that do not exist and redirect the requesting host to itself.
When to disable
Disable it unless you really need name resolution for hosts on the same network.
How to disable
It can be disabled by unchecking the mDNS service checkbox in Webadmin.
SWUpdate
Description
SWUpdate is the tool that allows you to update the entire system image.
For security reasons, the images are encrypted and signed.
When to disable
It can be disabled as long as no image update is needed; re-enable it only while an update is being applied.
How to disable
uPnP
Description
Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices to seamlessly discover each other's presence on the network and establish functional network services.
When to disable
Disable it unless you really need UPnP. Since it listens on a dynamic port (see the table above), it cannot be restricted by a simple port-based firewall rule, so disabling it is the reliable way to remove that exposure.
How to disable
How to write files in an eManager
The eManager stores persistent data in files on its flash memory.
When data has to be written to a file, the write must be atomic.
Otherwise an unexpected power outage in the middle of a write can cause data loss or a corrupted file.
Atomicity is the property that guarantees an operation either completes entirely or does not happen at all, so that a system failure cannot leave it half done. An operation is atomic when no other part of the system can ever observe an intermediate state.
Atomicity matters most when the content of an existing file is replaced (the file is truncated and rewritten). In that case it can be enforced with a temporary file: the data is first written to a temporary file in the same directory and, once it is complete, that file is renamed over the final file with mv. Because both files are on the same filesystem, mv is a single atomic rename, so the final file either still holds its old content or holds the complete new content, never a mix. Flush the temporary file with sync before the mv; otherwise, after a power cut, the rename may have reached the flash while the data has not, leaving an empty or truncated file.
If, on the other hand, data only needs to be added to a file (append), the worst case after a power cut is that only the last record written is lost. This can be minimised with the sync command, which writes data still held in memory out to the flash.
Finally, if large amounts of data have to be stored in files, it is better to use a database such as MySQL, which already handles these concerns.
You can find a Node-RED flow example that writes files atomically here.
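As an added example, not taken from the eManager documentation or its Node-RED flow, the following POSIX shell functions implement the temporary-file-and-mv pattern and the flushed append described above, then simulate a power cut in the middle of a write to show that the destination file is never left half-written and that the only residue is a stale temporary file a boot-time cleanup can remove. File names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the eManager's own code): atomic file replacement and
# durable append on flash, following the temp file + mv + sync pattern.

# atomic_write DEST < data
#   Writes stdin to a temporary file in DEST's own directory, flushes it to
#   flash, then renames it over DEST. Because the temp file is on the same
#   filesystem, mv is a single rename(2): readers see either the old or the
#   complete new content, never a partially written file.
atomic_write() {
    dest=$1
    tmp=$(mktemp "$(dirname "$dest")/.$(basename "$dest").XXXXXX") || return 1
    if ! cat > "$tmp"; then
        rm -f "$tmp"            # write failed: discard temp, DEST is untouched
        return 1
    fi
    sync                        # data must reach flash before it becomes visible
    mv -f "$tmp" "$dest"        # atomic rename over the old content
    sync                        # make the rename itself durable
}

# durable_append DEST LINE
#   Appends one record and flushes it. After a power cut at most this last
#   record is missing; earlier records are not corrupted.
durable_append() {
    printf '%s\n' "$2" >> "$1" && sync
}

# simulate_power_cut DEST
#   Emulates a crash half-way through atomic_write: the temp file holds partial
#   data and neither sync nor mv ran. Prints DEST's content, which is still the
#   last complete version; the stale temp file is deliberately left behind.
simulate_power_cut() {
    dest=$1
    tmp=$(mktemp "$(dirname "$dest")/.$(basename "$dest").XXXXXX")
    printf '{"version":' > "$tmp"   # power is lost here
    cat "$dest"
}

# remove_stale_temps DIR NAME
#   Boot-time cleanup of temp files left behind by an interrupted atomic_write
#   of DIR/NAME (mktemp's XXXXXX suffix is six characters).
remove_stale_temps() {
    rm -f "$1"/."$2".??????
}

# demo: constructed configuration file and event log in a scratch directory.
demo() {
    dir=$(mktemp -d)
    cfg="$dir/config.json"
    printf '{"version":1}\n' | atomic_write "$cfg"
    printf '{"version":2}\n' | atomic_write "$cfg"
    simulate_power_cut "$cfg"            # prints {"version":2}, not a fragment
    remove_stale_temps "$dir" config.json
    durable_append "$dir/events.log" "boot"
    durable_append "$dir/events.log" "modem up"
    cat "$dir/events.log"
    rm -r "$dir"
}

demo
```

The temporary file is created next to the destination, not under /tmp, because mv across filesystems degrades into a copy followed by a delete and is no longer atomic. Writing the temp file with a leading dot and the destination's name makes the leftovers of an interrupted write easy to recognise and remove at boot.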