Replies: 4 comments 1 reply
-
This is so cool, thank you for testing the security of BirdNET-Pi! I think Patrick gave us a great foundation with his attention to security, which becomes obvious with a glance through the source code. I think it definitely helps that this project is open source, since 1) we can't hide with security by obscurity, and 2) we have a community (including people like you) constantly auditing the way our stuff works. All of that makes for a pretty robust and secure application. Thanks again! Definitely feel free to post if you do further scans or discover anything of interest. 🙂
-
OK let's thrash it a bit directly with Apache Bench, this is making 1000 requests, 100 per second. My laptop is wifi connected to my home network and the Pi is gigabit connected. So I have much better connectivity to it than the internet connection. I am using my laptop to "bully" the Raspberry Pi and the Pi responds well. Bear in mind I am using a Pi 3 which is quite old nowadays.
-
I've just done another run and all good. Do make sure you update your BNP via Tools -> System Controls; Update will have a number in red on it. Please do this job monthly - that is the IT norm.
-
All clear apart from the clickjacking thing. I'm inclined to mitigate this but it will break embedding BNP pages in another website. I think the best thing would be to make it an option in Tools/Settings/Advanced which defaults to on. That will protect everyone and only mildly inconvenience people who want to embed BNP in another website. I'll file a bug with some details.
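A header check of the kind behind the clickjacking finding above, added here as an example and not part of this thread or of BirdNET-Pi itself; it assumes the two standard anti-framing headers (`X-Frame-Options` and CSP `frame-ancestors`) and uses constructed sample responses, one without the headers and one as a reverse proxy such as Caddy could send after the mitigation is switched on:

```python
"""Classify how an HTTP response restricts framing (clickjacking exposure)."""
from typing import Dict, List


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'deny', 'same-origin', 'restricted' or 'unrestricted'.

    Header names match case-insensitively. When CSP frame-ancestors is
    present it takes precedence over X-Frame-Options, as in current browsers.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = _parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            if ancestors == ["'none'"]:
                return "deny"
            if ancestors == ["'self'"]:
                return "same-origin"
            if "*" in ancestors:
                return "unrestricted"
            return "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return "unrestricted"


def is_protected(headers: Dict[str, str]) -> bool:
    """True when any browser-enforced framing restriction is in place."""
    return framing_policy(headers) != "unrestricted"


# Constructed sample responses (not captured from a real BirdNET-Pi install).
UNPROTECTED = {"Content-Type": "text/html", "Server": "Caddy"}
HARDENED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'"}

if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(f"{name}: framing is {framing_policy(hdrs)}")
```

The 'same-origin' result is the trade-off described in the comment: the pages still frame themselves, but embedding from another site stops working, which is why it makes sense as an option that defaults to on.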
-
TL;DR: Out of the box, I think a BirdNET-Pi installation is decently secure, and will continue to be so provided it is kept up to date.
I run a small IT company in the UK and one of the things we as a company worry about quite a lot is security. I recently installed BirdNET-Pi on a Pi 3B+ that was lying around. It is next to a park and at this time of year the noise from the birds is nigh on deafening. All good - love the interface, ease of install. Noted the caddy frontend - great choice.
We have a system called Nessus which does IT security scanning and quite a lot of other tools. I have just done a PCI/DSS internal scan with credentials on my Pi. In English that means I let Nessus log in and poke around at everything from the point of view of being secure enough to run point of sale credit card equipment - PCI means Payment Card Industry, DSS means Data Security Standard. It passed with four "medium" issues that I evaluated and considered OK. Please bear in mind that this is not official certification of any sort and only an indicator of how well I personally evaluate the system and the output from my scanner.
Nessus does tend to "batter" things when it scans and we encourage that to look for weaknesses. Only today we knackered a school's telephone system with it! BNP was unruffled and ticked on. I deliberately used a Pi 3 which is way slower than a 4 and left everything at defaults. I did use a USB stick and not an SD card. I installed the latest Pi OS 64 bit lite and updated it first and then ran the .sh installer (once I'd quickly read it through).
I will run more scans against it but I fully expect it to be fine. If not I'll be posting issues.
So, out of the box, I consider BNP is decently secure but you must keep it up to date if you put it on the internet. If you only have it available on your home LAN then it is still good practice to update regularly but not quite so imperative. If you put it on the internet, you must set a password otherwise it will soon cease to belong to you alone!
If you have any worries about security, post back here and I'll keep an irregular eye on this thread.