Remote inspect your device without using traditional Raspberry Pi port forwarding

29th Jun 2021

It is almost inevitable that at some point in time, some of the devices in your IoT device fleet will malfunction in some way or another. You need a plan to address this. Port forwarding as a way to remote access a device can create a security risk if not performed correctly. Leveraging Raspberry Pi port forwarding can expose a network port on your network to the public internet. This is a known security vulnerability and can create risk. Port forwarding, alternatively described as port mapping, is often used to access a Raspberry Pi which is on a local network behind a NAT router so that it is separated from the public Internet. You then need router configuration knowledge to be able to manually open up ports so that you would be able to access a web server running on the Raspberry Pi via a specific port in it such as Port 22 for a SSH connection of 80.

Beware Port 22 hammering in Raspberry Pi Port Forwarding

Creating an SSH connection is the most conventional way to access the Raspberry Pi securely. However, this means managing keys and possibly passwords for the keys. Also with SSH, the port 22 for accessing the device would have to be opened up with SSH. Port 22 is often hammered by bots that try to get access to it. For example, only in May, the Kajii malware was identified, designed to infect large numbers of IoT devices and Linux servers, and launch DDOS attacks through a botnet. Kajii uses what is called brute forcing through SSH to infect its targets. It is not believed to be a serious threat at this point in time as it is still in development but this could change over time.

Remote Terminal superior for remote access and Raspberry Pi Port Forwarding

A better way to perform secure remote access and port forwarding is to use the Remote Terminal add-on developed by Mender. This gives you a highly secure way and the ability to access the terminal of your device, and inspect or modify the device to be able to easily debug customer and/or device issues. You can open up ports, or forward traffic to and from the device through Remote Terminal access. Opening up ports between the devices with remote terminal functionality is very important: it gives “one click access” to the device as long as the device has the Mender client and remote access terminal add-on installed. The advantages here is that there are extra ports, no extra connections, and it is all managed by the one secure connection that you are also using to perform your OTA software updates. This is a convenient, easy way to inspect your devices remotely so you can diagnose and debug the device in the field as long as you have Internet connectivity.

The Remote Terminal transmits messages of a defined protocol over a websocket connection. Mender-connect and the Mender UI communicate with each other, using an open protocol over a websocket connection. They exchange messages which carry user keystrokes, terminal output, and control data. You can run SSHD or SSH command over the terminal. This is the architecture with a websocket, mender-connect, and a shell running in a child process of mender-connect with allocated pseudo tty.

Remote terminal in Mender better for Raspberry Pi than Raspberry Pi Port Forwarding in a traditional way

Use cases for Remote Terminal

German AI telemedicine device provider Clinomic is using this Remote Terminal to access and troubleshoot patient bedside devices that are located behind the firewalls in a group of European hospitals. These hospitals have high IT and security requirements but oftentimes have low levels of IT and system administration support. The network configuration of the hospitals is very difficult as it is very heavily protected and has very limited local capabilities of IT and system administrators. There are hundreds of devices in different locations and this makes it very hard for Clinomic to control all these different infrastructures. The easiest way would have been for Clinomic to use SSH on all devices but that was impossible as you cannot interfere with these devices during a treatment of a patient. This is forbidden by hospital IT. The remote terminal access from Mender does not open any ports and creates a secure and authenticated connection between the administrator and the device which met the security policy requirements of the Hospital IT.

Also consider these useful articles on Raspberry Pi: