Security Considerations

Security best practices and considerations for WsprDaemon installations

This guide covers security aspects that system administrators and operators should understand when deploying and maintaining WsprDaemon installations.

User Protection Philosophy

WsprDaemon is designed with a user-first security model that prioritizes protecting amateur radio operators over developer convenience. The system absorbs technical complexity to minimize security configuration burden on end users.

Core Security Principles

  • No Direct Internet Exposure: Client devices never accept inbound connections

  • Zero Configuration Security: Users don’t manage firewalls, VPNs, or certificates

  • Liability Protection: Amateur radio operators protected from internet-based attacks

  • Defense in Depth: Multiple security layers provide comprehensive protection

Remote Access Security

Remote Access Channel (RAC) System

WsprDaemon includes an optional secure remote access system for developer support and maintenance.

Security Model:

  • Reverse Tunnels: Client devices initiate outbound connections only

  • Central Proxy: All access goes through secured proxy server (wd0.wsprdaemon.org)

  • VPN Required: WireGuard VPN required for any proxy access

  • Firewall Protected: DigitalOcean firewall blocks unauthorized traffic

User Control:

# RAC is completely optional - users must explicitly enable
REMOTE_ACCESS_CHANNEL=123        # Unique channel number
REMOTE_ACCESS_ID="MyStation-Pi4" # Descriptive identifier

Access Control Layers

  1. DigitalOcean Firewall: Perimeter defense

  2. WireGuard VPN: Encrypted access control (port 51820)

  3. SSH Key Authentication: Developer access verification

  4. Application Permissions: Service-level isolation

  5. Audit Logging: All connections tracked

Data Protection

Sensitive Information Handling

WsprDaemon configurations may contain sensitive data that requires protection:

Configuration Secrets:

  • KiwiSDR passwords

  • wsprnet.org credentials

  • GPS coordinates and station information

  • Network configuration details

Protection Mechanisms:

# Environment variable substitution for secrets
KIWI_PASSWORD="${KIWI_PASSWORD:-$(cat /etc/wsprdaemon/kiwi_password)}"

# Secure file permissions
chmod 600 /etc/wsprdaemon/secrets
chown wsprdaemon:wsprdaemon /etc/wsprdaemon/secrets

# Configuration file protection
chmod 640 wsprdaemon.conf
chown wsprdaemon:wsprdaemon wsprdaemon.conf
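
To verify that the modes and ownership set above are still in place, the following added example (not part of WsprDaemon) audits a list of files. The function names, the finding labels and the scratch-directory demonstration are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not WsprDaemon code. Requires GNU stat (Linux).

# audit_secret_perms OWNER_UID PATH...
# Prints one finding per line; returns 1 if anything was flagged.
audit_secret_perms() {
    local owner_uid="$1" path mode actual rc=0
    shift
    for path in "$@"; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$path")     # octal mode, e.g. 600 or 640
        actual=$(stat -c '%u' "$path")   # numeric owner
        # 027 = group-write bit plus every bit for "other"; 600 and 640 pass.
        if [ $(( 0$mode & 027 )) -ne 0 ]; then
            echo "LOOSE-MODE $mode $path"; rc=1
        fi
        if [ "$actual" != "$owner_uid" ]; then
            echo "WRONG-OWNER $actual $path"; rc=1
        fi
    done
    return "$rc"
}

# Constructed demonstration in a scratch directory: a secret written by shell
# redirection under umask 022 stays mode 644 until someone runs chmod on it.
demo_secret_audit() {
    local dir
    dir=$(mktemp -d) || return 2
    (
        cd "$dir" || exit 2
        umask 022
        echo 'constructed-sample' > secrets;         chmod 600 secrets
        echo 'constructed-sample' > wsprdaemon.conf; chmod 640 wsprdaemon.conf
        echo 'constructed-sample' > kiwi_password    # chmod forgotten
        audit_secret_perms "$(id -u)" secrets wsprdaemon.conf kiwi_password
    ) || true   # a finding is expected here
    rm -rf "$dir"
}

# Live use: audit_secret_perms "$(id -u wsprdaemon)" /etc/wsprdaemon/secrets wsprdaemon.conf
```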

Data Integrity Protection

  • Automatic Backups: Configurations backed up before changes

  • Validation: Receiver definitions and schedules validated before use

  • Graceful Handling: Malformed configurations handled without system compromise

  • Recovery: Corrupted state files automatically recovered

System Hardening

Service Isolation

# WsprDaemon runs as dedicated user 'wsprdaemon'
# Separate from root/pi user for security
# Limited privileges for system operations

# Check service user
id wsprdaemon
groups wsprdaemon

SSH Security

# SSH hardening recommendations
# /etc/ssh/sshd_config
PasswordAuthentication no
PermitRootLogin no
AllowUsers wsprdaemon
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

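# Validate the configuration, then restart SSH
# (keep the current session open until a new key-based login succeeds)
sudo sshd -t && sudo systemctl restart ssh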

Firewall Configuration

# Basic UFW setup for WsprDaemon
sudo ufw allow ssh
sudo ufw allow from 192.168.0.0/16 to any port 8081  # KA9Q-web (local network only)
sudo ufw allow from 192.168.0.0/16 to any port 8073  # KiwiSDR web (local network only)
sudo ufw enable

# Check firewall status
sudo ufw status verbose

Automatic Security Updates

# Enable unattended upgrades for security patches
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

# Configure automatic security updates
# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};

Network Security

Attack Surface Reduction

Current Risks:

  • SSH access enabled by default on Pi systems

  • Weak default passwords on Pi installations

  • Unpatched systems

  • Unnecessary services running

Mitigations:

# Disable unnecessary services
sudo systemctl disable bluetooth
sudo systemctl disable wifi-powersave
sudo systemctl disable avahi-daemon  # If not needed

# Check running services
systemctl list-units --type=service --state=running

Network Segmentation

# Isolate SDR devices on separate network segment if possible
# Example: 192.168.100.0/24 for SDR devices
# Example: 192.168.1.0/24 for management

# Route only necessary traffic between segments
# Block direct internet access from SDR segment

Monitoring and Alerting

Security Event Monitoring

# Monitor authentication attempts
sudo journalctl -u ssh -f | grep -E "(Failed|Accepted)"

# Check for unusual network connections
sudo netstat -tulpn | grep -E ":(22|8073|8081)[[:space:]]"

# Check WsprDaemon status output for errors and warnings
./wsprdaemon.sh -s | grep -E "(ERROR|WARNING|CRITICAL)"

Automated Health Checks

#!/bin/bash
# /usr/local/bin/wd-security-check.sh
# System health monitoring script

# Check the effective SSH configuration (sshd -T ignores commented-out lines
# and reports the default when the option is not set)
if sudo sshd -T 2>/dev/null | grep -qi "^passwordauthentication yes"; then
    echo "WARNING: Password authentication enabled"
fi

# Check firewall status
if ! sudo ufw status | grep -q "Status: active"; then
    echo "WARNING: Firewall not active"
fi

# Check for failed login attempts
FAILED_LOGINS=$(sudo journalctl -u ssh --since "1 hour ago" | grep -c "Failed password")
if [ "$FAILED_LOGINS" -gt 10 ]; then
    echo "WARNING: $FAILED_LOGINS failed login attempts in last hour"
fi

# Check WsprDaemon service status (run this script from the directory that contains wsprdaemon.sh)
if ! ./wsprdaemon.sh -s | grep -q "RUNNING"; then
    echo "WARNING: WsprDaemon service issues detected"
fi
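
The failed-login check above counts every "Failed password" line together. The following added example (not part of WsprDaemon) breaks the count down by source address and also catches the lines sshd writes when password authentication is disabled. The function names and the sample log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not WsprDaemon code.

# ssh_failures_by_source [THRESHOLD]
# Reads sshd journal lines on stdin and prints "COUNT ADDRESS" for every
# source with at least THRESHOLD failed connections, busiest first.
ssh_failures_by_source() {
    local threshold="${1:-10}"
    awk -v min="$threshold" '
        # Password failures, unknown accounts, and (on key-only servers)
        # clients that disconnect before authenticating.
        /sshd/ && /Failed password|Invalid user|authenticating user .*\[preauth\]/ {
            # The user name is attacker-controlled, so search from the end of
            # the line for the "ADDRESS port N" that sshd itself appends.
            for (i = NF - 1; i >= 1; i--) {
                if ($(i + 1) == "port") {
                    conn = $i " " $(i + 2)
                    # sshd can log several lines per connection; count once.
                    if (!(conn in seen)) { seen[conn] = 1; hits[$i]++ }
                    break
                }
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample lines; addresses come from documentation ranges.
sample_ssh_log() {
    cat <<'EOF'
Jan 10 03:12:01 pi4 sshd[2211]: Invalid user admin from 203.0.113.5 port 40022
Jan 10 03:12:03 pi4 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Jan 10 03:12:09 pi4 sshd[2215]: Failed password for root from 203.0.113.5 port 40031 ssh2
Jan 10 03:12:15 pi4 sshd[2219]: Connection closed by authenticating user pi 203.0.113.5 port 40040 [preauth]
Jan 10 03:13:00 pi4 sshd[2230]: Invalid user port from 198.51.100.7 port 51000
Jan 10 03:14:00 pi4 sshd[2240]: Accepted publickey for wsprdaemon from 192.168.1.20 port 50122 ssh2
EOF
}

# Live use: sudo journalctl -u ssh --since "1 hour ago" | ssh_failures_by_source 10
```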

Backup and Recovery

Configuration Backup

# Automatic backup before changes
backup_config() {
    local timestamp=$(date +%Y%m%d-%H%M%S)
    cp wsprdaemon.conf "wsprdaemon.conf.backup.$timestamp"
    echo "Configuration backed up to wsprdaemon.conf.backup.$timestamp"
}

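# System state backup
create_system_backup() {
    # The archive contains credentials and keys: mktemp creates it with
    # mode 600 and an unpredictable name before tar writes to it
    local backup_file
    backup_file=$(mktemp "/tmp/wd-backup-$(date +%Y%m%d)-XXXXXX.tar.gz") || return 1
    tar -czf "$backup_file" \
        wsprdaemon.conf \
        /var/log/wsprdaemon/ \
        ~/.ssh/authorized_keys \
        /etc/systemd/system/wsprdaemon.service
    echo "System backup created: $backup_file"
}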

Recovery Procedures

# Restore from backup
restore_config() {
    local backup_file="$1"
    if [ -f "$backup_file" ]; then
        cp "$backup_file" wsprdaemon.conf
        echo "Configuration restored from $backup_file"
        ./wsprdaemon.sh -s  # Validate restored configuration
    else
        echo "ERROR: backup file not found: $backup_file" >&2
        return 1
    fi
}

# Emergency recovery
emergency_reset() {
    echo "Performing emergency reset..."
    ./wsprdaemon.sh -z  # Stop all services
    cp wsprdaemon.conf "wsprdaemon.conf.pre-reset.$(date +%Y%m%d-%H%M%S)"  # Keep the current configuration
    cp wd_template.conf wsprdaemon.conf  # Reset to template
    echo "System reset to default configuration"
}

Developer Access Security

RAC System Security Controls

  • Explicit Activation: RAC must be explicitly enabled by user

  • Unique Channels: Each installation gets unique RAC number

  • Centralized Logging: All access attempts logged on proxy server

  • Time Limits: Developer sessions can be time-limited

  • User Notification: Users can monitor access in logs

Developer Responsibilities

  • Minimal Changes: Make only necessary modifications during support

  • Documentation: Document any configuration changes made

  • Read-Only Operations: Use read-only commands when possible

  • Privacy Respect: Respect user privacy and data confidentiality

Audit Trail

# RAC connection logging
tail -f /var/log/wsprdaemon/rac-access.log

# Configuration change tracking (if wsprdaemon.conf is kept in a git repository)
git log --oneline -- wsprdaemon.conf

# Service modification logging
journalctl -u wsprdaemon -f

Implementation Priorities

Phase 1: Immediate Security (High Priority)

  1. SSH Hardening: Disable password authentication, restrict users

  2. Firewall Setup: Enable UFW with minimal required ports

  3. Automatic Updates: Enable unattended security updates

  4. Configuration Protection: Secure file permissions

Phase 2: Enhanced Monitoring (Medium Priority)

  1. Security Monitoring: Automated security event detection

  2. Health Checks: Regular system security validation

  3. Backup Automation: Automated configuration and system backups

  4. Alert System: Notification system for security events

Phase 3: Advanced Security (Long-term)

  1. Network Segmentation: Isolate SDR devices from internet

  2. Certificate Management: TLS for all web interfaces

  3. Intrusion Detection: Automated attack detection and response

  4. Compliance Logging: Extended audit logging and retention

Security Best Practices Summary

For System Administrators

  • Enable automatic security updates

  • Use SSH keys instead of passwords

  • Configure firewall with minimal required ports

  • Monitor logs for security events

  • Keep regular configuration backups

For End Users

  • Use strong, unique passwords for all accounts

  • Enable RAC only when needed for support

  • Keep systems updated and patched

  • Report suspicious activity to administrators

  • Follow configuration templates and guidelines

For Developers

  • Use RAC system for remote access only when necessary

  • Document all changes made during support sessions

  • Respect user privacy and system security

  • Follow principle of least privilege

  • Maintain audit trail of all activities

This security model ensures that WsprDaemon installations remain secure while providing the flexibility needed for amateur radio operations and development support.