
File Drop Project

While browsing reddit the other day, I discovered a hint of a raspberry pi project that I thought might be cool. The idea is simple: Create a raspberry pi with an open and broadcasting wifi access point that allows anyone to connect and upload a file or see what others have uploaded.

It's a bit of an experiment in a way. Will anyone actually see this, login, and upload? Time to find out!

Security Concerns

First things first: the goal here isn't to give anyone access to my home network. While I set this up, I have it wired in, but it will soon be unplugged and it will have never connected to my wifi.

FileDrop Software

I did a little searching for something at first. I ended up finding filedrop written in golang, but it looks relatively unmaintained and didn't compile when I tried (the dependencies seemed to not exist anymore).

I figured this is something easy I could probably just write in an afternoon, so I picked nodejs on an express stack and did just that!

You can find the source on github

Setting up the RPi

1. Install raspbian

First things first, I need to get raspbian on the pi! I went for their lite image, since I didn't need a UI.

After following their instructions to flash my SD card, there's one more step that you need to do: enable ssh.

While the SD card is mounted on your computer (assuming linux), you need to run touch /path/to/boot/ssh. Adding an empty file named ssh to the boot partition of the SD card causes the pi to start the SSH service automatically on first boot.

After this, you should be able to plug in to wired ethernet and to power, and then ssh straight into your device.

Once you ssh in, first things first: change your password by running passwd. This is a device we plan to have on open wifi, and the last thing we want is to leave the default raspbian password!

2. Set up access point (AP)

The next step was to set up the device as an Open Access Point. I did this with hostapd, following these instructions, but I had to make some changes.

First, install hostapd and dnsmasq.

    sudo apt-get update
    sudo apt-get install dnsmasq hostapd

hostapd

Once installed, edit the dhcpcd configuration to give your device an IP (this is necessary since devices will be connecting to the pi, not the other way around).

Edit: sudo nano /etc/dhcpcd.conf and insert the following at the bottom:

    interface wlan0
        static ip_address=192.168.50.1/24
        nohook wpa_supplicant

Then edit: sudo nano /etc/hostapd/hostapd.conf (it will be empty), and add:

    interface=wlan0
    driver=nl80211
    ssid=drop-project
    hw_mode=g
    channel=7
    wmm_enabled=0
    macaddr_acl=0
    wpa=0
    ignore_broadcast_ssid=0

Lastly, edit sudo nano /etc/default/hostapd, and add this line:

    DAEMON_CONF="/etc/hostapd/hostapd.conf"

dnsmasq

Next, we need to configure dnsmasq. We want to accomplish two things with it.

1. Act as a DHCP server to assign IP addresses to clients as they connect, and
2. Route every DNS lookup to resolve to the raspberry pi as the host.

We want #2 because even if the user enters google.com into their browser, we want them to see filedrop. This will also trick phones into presenting this as a "login page" when the user first connects to the open AP.

Edit /etc/dnsmasq.conf and add (anywhere)

    # Use the required wireless interface - usually wlan0. You can check by running 'ip addr'
    interface=wlan0
    dhcp-range=192.168.50.2,192.168.50.200,24h
    # Resolve all requests to self
    address=/#/192.168.50.1
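The files edited in this step have to agree with each other: the address dnsmasq returns for every name must be the static address dhcpcd puts on wlan0, the DHCP range must sit in the same /24, and both daemons should be tied to wlan0. The check below is an added example, not part of the original post or the filedrop repo; the function name audit_ap_config and its optional ROOT argument are made up for illustration.

```sh
# Added example (not from the original post): cross-check the AP config files.
# audit_ap_config [ROOT] reads ROOT/etc/... (leave ROOT empty on the pi itself),
# prints one line per problem and returns the number of problems found.
audit_ap_config() (
    root="${1:-}"; problems=0
    dhcpcd="$root/etc/dhcpcd.conf";           dnsmasq="$root/etc/dnsmasq.conf"
    hostapd="$root/etc/hostapd/hostapd.conf"; defaults="$root/etc/default/hostapd"
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    for f in "$dhcpcd" "$dnsmasq" "$hostapd" "$defaults"; do
        [ -r "$f" ] || fail "cannot read $f"
    done

    # Static address of wlan0 from its 'interface wlan0' block, prefix length stripped.
    ap_ip=$(awk '$1 == "interface" { w = ($2 == "wlan0") }
                 w && $1 == "static" && $2 ~ /^ip_address=/ {
                     sub(/^ip_address=/, "", $2); sub(/\/.*/, "", $2); print $2; exit
                 }' "$dhcpcd" 2>/dev/null)
    [ -n "$ap_ip" ] || fail "no static ip_address for wlan0 in $dhcpcd"

    # hostapd must drive wlan0, and the defaults file is read as shell-style
    # KEY=value, so DAEMON_CONF must have no spaces around '='.
    grep -q '^interface=wlan0[[:space:]]*$' "$hostapd" 2>/dev/null \
        || fail "hostapd is not bound to wlan0"
    grep -Eq '^DAEMON_CONF="?/etc/hostapd/hostapd\.conf"?[[:space:]]*$' "$defaults" 2>/dev/null \
        || fail "DAEMON_CONF missing or malformed in $defaults"

    # dnsmasq should serve wlan0 only, answer every name with the pi's own
    # address, and lease addresses from the same /24 as that address.
    grep -Eq '^interface=wlan0([[:space:]]|$)' "$dnsmasq" 2>/dev/null \
        || fail "dnsmasq is not restricted to wlan0"
    wild=$(sed -n 's|^address=/#/\([0-9.]*\).*|\1|p' "$dnsmasq" 2>/dev/null | head -n 1)
    [ -n "$wild" ] && [ "$wild" = "$ap_ip" ] \
        || fail "wildcard DNS answer '$wild' does not match wlan0 address '$ap_ip'"
    range=$(sed -n 's/^dhcp-range=\([0-9.]*\),\([0-9.]*\).*/\1 \2/p' "$dnsmasq" 2>/dev/null | head -n 1)
    [ -n "$range" ] || fail "no dhcp-range in $dnsmasq"
    for addr in $range; do
        [ "${addr%.*}" = "${ap_ip%.*}" ] || fail "DHCP address $addr is outside ${ap_ip%.*}.0/24"
    done

    exit "$problems"
)
```

Source the file and run audit_ap_config on the pi before rebooting, or pass the mount point of the SD card to check it from another machine.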

3. Set up FileDrop

Note: If you have trouble accessing the internet past this point, you might have to temporarily disable dnsmasq. This is because it might be tricking your pi into resolving all requests back to itself. You can simply run systemctl stop dnsmasq, and swap stop for start once you're done.

First, install nodejs onto the pi:

    sudo apt-get install nodejs npm git

Then clone the repo:

    git clone https://github.com/zix99/filedrop.git
    cd filedrop
    npm install
    npm run forever

At this point you should be able to hit filedrop from your browser at http://x.x.x.x:8080 (fill in your pi's IP address).

4. Reverse Proxy (Nginx)

One of the keys here is to also set it up so that it is reachable on port 80 (the standard HTTP port). We don't want to run the application itself on port 80, since it would need to be privileged (and having an open wifi is already enough of a security hole). So to solve this problem, I chose to set up nginx, which is a popular lightweight web server and reverse proxy.

    sudo apt-get install nginx

Then add this configuration at: sudo nano /etc/nginx/sites-enabled/filedrop

    server {
        listen 80;
        server_name _;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_buffering off;
            client_max_body_size 100M;
        }
    }

You can then reload nginx by running systemctl restart nginx, then hit http://x.x.x.x (now without the port) and see if it works.

5. Firewall (Optional)

Though optional, I highly recommend adding a firewall. While this is isolated from your network, it could still be compromised itself.

I chose to install ufw

    sudo apt-get install ufw
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow ssh
    sudo ufw allow http
    sudo ufw allow 53 #DNS
    sudo ufw allow 67 #DHCP
    # Limit login attempts on ssh port using tcp: this denies connection if an IP address has attempted to connect six or more times in the last 30 seconds
    sudo ufw limit ssh/tcp
    # Enable
    sudo ufw enable

If you would like to secure your pi even more check out these raspbian docs

6. Test it out!

First things first: we've done a lot of configuration, so it's time to reboot! Run sudo reboot. If all goes well, it should now be broadcasting a public wifi signal. You should be able to connect your laptop/phone to it.

From there, simply ssh back in, go to where you installed filedrop, and run npm run forever again. If you want, you can set it up to autostart using a systemd service or something like supervisor.

7. Finally

Don't forget to unplug the ethernet! We put a lot of effort into security, but we don't want a hacker to be able to get in to your network!

Conclusion

This was a fun little weekend project. I'm not sure if anyone will ever connect to it, but I live in a pretty dense part of a fairly techy city, so I have high hopes that if I leave it there for long enough eventually someone will see it and be curious enough to connect. It might take a bit of waiting, but if it does get interesting, I'll be sure to report back with my findings!