Nginx

A little extra security (Fail2Ban) plus Node Red auth

Since most of you (like me) will forward ports on your router so you can reach the Banana from outside your local network, a good first step towards security is to block brute-force attacks and requests that match specific patterns. This way, for example, if anyone fails 3 times in a row to log in through SSH, their IP will be banned.

For that we will need to install Fail2Ban. This is pretty straightforward with:

and you are done! This comes preconfigured for services like SSH and Apache (although you need to enable the Apache one).

As you can see with

If you want to make any changes, do so. To enable Fail2Ban for Nginx, though, we need to add new rules in jail.local (whatever is in this file overrides jail.conf) and make the proper settings there.

Sergej Mueller has predefined rules on his GitHub page. You can download the zip file from there, then copy his jail.local to /etc/fail2ban and the 4 files from the filter.d folder to /etc/fail2ban/filter.d. If you don’t have easy file access (FTP or Samba), just create new files with nano and paste their code.

For the other four files, first go into the subdirectory:

Then create the following four files and paste in their code:

nginx-badbots.conf

nginx-badrequests.conf

nginx-noscript.conf

ssh-auth.conf

After we have all the proper files at their proper location, let’s restart the service and we are all set.

So now we have increased server security, with a minimal resource cost. Not bad at all.
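
How a jail turns filter matches into a ban, as an added example that is not part of the original post and is not Fail2Ban's or Sergej Mueller's code: a simplified JavaScript model in which the failregex, the maxretry/findtime values and the nginx log lines are all constructed for illustration.

```javascript
// Added example: simplified model of a Fail2Ban jail, not Fail2Ban's own code.
// Log lines are constructed; addresses come from the RFC 5737 documentation ranges.
const jail = { maxretry: 3, findtime: 600 }; // assumed: 3 matches within 600 s

// Filters mark the client address with <HOST>; here it becomes a capture group.
// Assumed pattern: requests for script types this server does not serve.
const failregex = String.raw`^<HOST> - \S+ \[[^\]]+\] "(?:GET|POST) \S+\.(?:asp|exe|pl|cgi)\b`;
const compiled = new RegExp(failregex.replace("<HOST>", String.raw`(\d{1,3}(?:\.\d{1,3}){3})`));

const SAMPLE_LOG = [
  '192.0.2.9 - - [10/Oct/2015:13:00:00 +0000] "GET /a.pl HTTP/1.1" 404 162 "-" "-"',
  '192.0.2.9 - - [10/Oct/2015:13:20:00 +0000] "GET /b.pl HTTP/1.1" 404 162 "-" "-"',
  '192.0.2.9 - - [10/Oct/2015:13:40:00 +0000] "GET /c.pl HTTP/1.1" 404 162 "-" "-"',
  '203.0.113.7 - - [10/Oct/2015:13:55:01 +0000] "GET /admin.asp HTTP/1.1" 404 162 "-" "-"',
  '198.51.100.4 - - [10/Oct/2015:13:55:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2015:13:55:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "-"',
  '203.0.113.7 - - [10/Oct/2015:13:55:09 +0000] "POST /setup.exe HTTP/1.1" 404 162 "-" "-"',
];

// Epoch seconds from an nginx timestamp (the sample lines are all +0000).
function logTime(line) {
  const [, d, mon, y, h, mi, s] = /\[(\d+)\/(\w{3})\/(\d+):(\d+):(\d+):(\d+) /.exec(line);
  const month = "JanFebMarAprMayJunJulAugSepOctNovDec".indexOf(mon) / 3;
  return Date.UTC(+y, month, +d, +h, +mi, +s) / 1000;
}

// Returns Map(ip -> time of ban). An address is banned once it has
// maxretry matching lines inside a sliding window of findtime seconds.
function findBans(lines, { maxretry, findtime }) {
  const failures = new Map();
  const banned = new Map();
  for (const line of lines) {
    const hit = compiled.exec(line);
    if (!hit || banned.has(hit[1])) continue;
    const ip = hit[1];
    const now = logTime(line);
    const recent = (failures.get(ip) || []).filter((t) => now - t <= findtime);
    recent.push(now);
    failures.set(ip, recent);
    if (recent.length >= maxretry) banned.set(ip, now);
  }
  return banned;
}

console.log([...findBans(SAMPLE_LOG, jail).keys()]);
```

192.0.2.9 also matches three times, but its requests are 20 minutes apart, so they never fall inside one findtime window. On a real system, `fail2ban-regex` checks a filter file against a log file before the jail is enabled.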

Node Red Auth

If you followed the instructions of the previous post, you should have Node Red installed on your Banana Pi. There is an issue with the default installation though, as it requires no authentication at all and if you allow access to Node Red from the internet this can be a major problem.

Thankfully, getting Node Red UI to ask for a username and password to get access is pretty easy.

But first we need to have the MD5 hash of our desired password. To get that, simply run this command:

which will return a string of characters. Copy that string and let’s put it in our settings.js.

Here, apart from the uiPort that you can change from 1880 to something else, search for this line:

uncomment it, set user to your desired username and paste the MD5 hash that you copied earlier as the pass value. Restart and you are ready!
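
A check for the editor-auth state of a Node-RED settings object, as an added example that is not code from the original post or from Node-RED. The setting names `httpAdminAuth` (the older user/pass option with an MD5 value, which matches what this post describes) and `adminAuth` (its bcrypt-based replacement in later Node-RED releases) are Node-RED's and do not appear in the text above; the three settings objects and their hash values are constructed placeholders.

```javascript
// Added example: audits the editor-auth part of a Node-RED settings object.
// The settings objects below are constructed; hash values are placeholders.
const MD5_HEX = /^[0-9a-f]{32}$/i;
const BCRYPT = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

function auditEditorAuth(settings) {
  const findings = [];
  const { adminAuth, httpAdminAuth } = settings;
  if (adminAuth && Array.isArray(adminAuth.users) && adminAuth.users.length > 0) {
    for (const u of adminAuth.users) {
      if (!BCRYPT.test(u.password || "")) {
        findings.push(`adminAuth user "${u.username}": password is not a bcrypt hash`);
      }
    }
  } else if (httpAdminAuth) {
    findings.push("httpAdminAuth is the legacy setting; later releases use adminAuth");
    if (MD5_HEX.test(httpAdminAuth.pass || "")) {
      findings.push("pass is an unsalted MD5 digest, cheap to guess offline if settings.js leaks");
    }
  } else {
    findings.push("no editor authentication: anyone who can reach uiPort can edit and deploy flows");
  }
  return findings;
}

// Default install: no auth at all.
const defaultInstall = { uiPort: 1880 };
// The setup described in this post (placeholder MD5-shaped value).
const asInThisPost = {
  uiPort: 1880,
  httpAdminAuth: { user: "admin", pass: "0123456789abcdef0123456789abcdef" },
};
// Later Node-RED releases (placeholder bcrypt-shaped value).
const withAdminAuth = {
  uiPort: 1880,
  adminAuth: {
    type: "credentials",
    users: [{ username: "admin", password: "$2b$08$" + "A".repeat(53), permissions: "*" }],
  },
};

for (const [name, s] of Object.entries({ defaultInstall, asInThisPost, withAdminAuth })) {
  console.log(name, auditEditorAuth(s));
}
```

In a real settings.js the bcrypt value for `adminAuth` is generated with Node-RED's `node-red admin hash-pw` command.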

Basic Banana Pi setup – Bananian, Nginx, MySQL, PHP, Node.js, Node Red

So, let’s start from the basics. A basic setup of Bananian Linux, along with the stuff we will probably need to have installed so we can play with them (Nginx, MySQL, PHP, node.js, node red).

Bananian Linux

This is my favourite Linux distribution, since it has just the basics for a headless setup. It has one special feature that, while it is considered bad, saves you some headaches if you don’t know much about Linux: the default user is root, so you have complete access to everything and no need for sudo. Just be careful to have a good strong password and don’t experiment with anything stupid.

Go and download the latest version from the official site https://www.bananian.org/download

Burn the image file to your SD card, which has to be at least 2GB, following the instructions on that website. I used an old 2GB SD card since I will soon move my installation to a 2.5″ HDD. 2GB might not seem much, but after installing everything mentioned above I still get 300+ MB free.

Place the SD card in the Banana, connect a keyboard and a monitor, and wait for the first boot. Log in with root/pi and run bananian-config for some basic changes. CHANGE THE PASSWORD, set your correct timezone and locale, change the hostname if you want, leave video acceleration disabled and ideally expand the filesystem.

Now, there is one more thing we need to do. Set a static IP for your local network. For that, do:

comment the lines about DHCP, uncomment and set a static IP address and it should look something like this:

where address is the static IP you want your Banana to have, gateway is your router’s IP address and netmask should probably be 255.255.255.0 anyway.

Once you have done all this, remove the keyboard and the monitor, leave just the power and ethernet cables connected, and reboot your Banana. From now on you can access it through SSH, so download PuTTY or whatever and let the fun begin. So log in through SSH to your Banana and let’s…

Install Nginx

Nginx (pronounced engine-x) is an open source lightweight web server. While Apache2 seems more popular, our resources are limited here, so we want to keep as many of them as possible available for our own use.

Before we install anything, let’s do a

and then

We can start the server with

and to test that it works, open a browser, enter the IP address of the Banana and you should see a welcome message.

Install MySQL

While for our purposes a NoSQL database might work better, MySQL is so widely used it will be useful at some point. To install it:

During the installation script, you will be asked for a password for MySQL’s root user. Do that! Then, for some advanced MySQL security:

Read carefully all the questions and answer them promptly.

Install PHP

For PHP to run under Nginx, you will need PHP-FPM.

Also, for PHP to work with MySQL you will need

You can speed up PHP by setting up a cache that stores the already compiled PHP pages.

Configure Nginx

To get PHP working properly under Nginx, we will need to make a few changes to the configuration file.

You should uncomment some lines and the result has to be like this:


Finally, one change must be made to the php.ini file.

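and set the “cgi.fix_pathinfo” parameter to 0. With this setting PHP runs only the exact script file named in the request and does not fall back to guessing a nearby file when that path does not exist.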

Now restart your Nginx with

and test if all is done correctly by making a test.php file

where you put the following code

Save the file with the name test.php. If you open <Banana-pi-IP-address>/test.php in your browser, you should see something like this:

phpinfo

Install Node.js

Node.js is required by Node Red, so we have to install it first. For ARMv7 processors this is what we have to do:

Install Node Red

Before installing Node Red if you had an earlier Node.js installation it is a good idea to…

Now it’s time to install Node Red.

You will see tons of warnings and gyp errors that you should ignore. You will probably also see an error about the Bananian OS, which you should ignore as well. After about 5 minutes, you will have Node Red installed on your Banana.

To start Node Red you can run the following command (and change the size of RAM in MB that Node Red will use from 128 if you want):

You can open your browser, go to <Banana-pi-IP-address>:1880 and you should see Node Red running.

nodered

To have Node Red start on boot, you can install PM2, a process manager for Node.js.

You can have Node Red autostart by placing the following commands: