Secure initial setup of the ODROID GO Advance
In this post I’ll describe how to secure the default installation of the ODROID GO Advance. This guide may also work on other Linux Handhelds with some modifications.
To complete the guide you’ll need to know your way around a Linux shell and its editors.
I’ll install vim-nox during this tutorial, but of course you can use the already installed nano editor or install a different editor of your choice.
ODROID GO Advance
The ODROID GO Advance is a handheld console shaped similarly to a GameBoy Advance.
The device comes with a quad-core Cortex-A35 CPU, 1GB DDR3 RAM and a 320×480 LCD screen.
ODROID also provides an Ubuntu-based operating system, which I’ll be using for this guide.
The initial setup
This part of the guide will probably be completely different if you use a different device. I’d recommend reading it anyway; there may still be some helpful bits.
Creating the microSD card
The first step in setting up the ODROID GO Advance is to flash the microSD card.
Regarding the SD card, I have tested two cards I had around, but some games were slower than the device specs would suggest, so I bought a more expensive card with a higher speed class and some games now work a lot better.
When booting the ODROID for the first time after flashing the microSD card, the device will expand the flashed file system to use all the available space, therefore the boot might take a bit longer. You’ll also probably see the pink Ubuntu splash screen which we’ll disable later on so booting and switching applications looks more consistent.
Setting up WiFi
After the device has booted, the first thing to do is connect to a wireless network. The ODROID GO Advance has an ESP32 soldered to the board that acts as the network module. It’s not the fastest and doesn’t support modern (5GHz, WPA3) networks, so you might have to fiddle with your AP settings if you can’t find your network.
Connecting to a new network can be done by pressing the A button while the “configuration” menu item is selected, then using the D-Pad to select “WiFi” and A to open the network management application.
There might already be a primary network defined which will be selected.
Changing the selection to the + button can be done by pressing the (outer) shoulder buttons.
Selecting is still done with A.
There should now be a list with available networks.
Select the network you want to connect to and a dialog box asking for the password should show up.
There is a bit of a bug in this dialog: aborting with the x at the bottom left corner will still add the network, which then has to be deleted manually.
After putting in the password and confirming with the checkmark button, there should be a “play icon” next to the network name to show that it’s connected.
To go back to the main menu, the x button has to be selected using the shoulder buttons.
Connecting using SSH
To easily find the IP of the device, open the “network info” application from the configuration menu.
Then connect to the device using the username and password odroid (replace <deviceIP> with the IP address):
ssh odroid@<deviceIP>
Installing utilities
To finish the initial setup, let’s update the system and install some useful utilities:
sudo apt update && sudo apt -y upgrade && sudo apt -y install vim-nox htop git
Securing the device
Now let’s continue with securing the device, starting with the most obvious thing.
Changing the password(s)
To prevent other people from connecting to your device, change the password for the odroid user:
passwd
Remember that this user also has sudo capabilities, so the root account is basically just as secure as the odroid account!
Securing SSH
To make remote login even harder, SSH can be configured to only allow login for non-root users and only with key based authentication.
This can be done by editing /etc/ssh/sshd_config to make it contain the following values:
PermitRootLogin no
PasswordAuthentication no
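The following check is an added example, not part of the original post: it reports which value wins for the two keywords above, because sshd keeps the first value it reads for a keyword and a line appended below an existing one has no effect. The function names and sample files are made up for illustration; Include files are not followed and only the global section (up to the first Match block) is read.

```shell
#!/bin/sh
# Added example (not from the original post). sshd uses the FIRST value it
# reads for a keyword, so "PasswordAuthentication no" placed below an earlier
# "PasswordAuthentication yes" is ignored. Assumptions of this sketch:
# Include files are not followed; parsing stops at the first Match block.

# effective_sshd_value FILE KEYWORD -> prints the winning value or "unset"
effective_sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); result = "unset" }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)        # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit             # end of the global section
            if (key == want && n >= 2) { result = tolower(f[2]); exit }
        }
        END { print result }
    ' "$1"
}

# check_sshd_hardening FILE -> 0 only if both settings from the guide win
check_sshd_hardening() {
    rc=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${pair% *}; want=${pair#* }
        got=$(effective_sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '$got', expected '$want'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files, not taken from a real device.
SAMPLE_DIR=$(mktemp -d)
# "shadowed": hardened lines appended below a stock "yes" line.
printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
    'PermitRootLogin no' 'PasswordAuthentication no' > "$SAMPLE_DIR/shadowed"
# "hardened": the existing lines were edited in place.
printf '%s\n' 'PermitRootLogin no' 'passwordauthentication=no' > "$SAMPLE_DIR/hardened"

for name in shadowed hardened; do
    if check_sshd_hardening "$SAMPLE_DIR/$name"; then echo "$name: ok"
    else echo "$name: not hardened"; fi
done
```

On the device, `sudo sshd -T` prints the configuration sshd will actually use, Include files included. Confirm that key login works in a second session before relying on PasswordAuthentication no, since the change only takes effect once sshd is restarted.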
fail2ban
Although it might be a bit overkill on smaller networks, when you take your device with you and connect to some sort of large or open(ly connected to the internet) network, some people (or bots) might try to brute force your SSH.
To make their life harder, you can install fail2ban:
sudo apt install -y fail2ban
A description of how to configure fail2ban can be found in my post about setting up servers.
Installing a firewall
Installing a firewall is a good idea if you don’t plan on using the “Playertoo” feature of the ODROID and plan to use the device in non-trusted networks and/or with non-trusted software. Of course the probability of some software opening unwanted ports on the ODROID is pretty low, but it’s never zero and the firewall doesn’t use that much energy.
UFW is a pretty easy-to-use iptables-based firewall script. It can be installed by executing:
sudo apt -y install ufw
Before activating the firewall, we’ll need to make sure to allow SSH access to not lock ourselves out:
sudo ufw allow ssh
Then the firewall can be activated:
sudo ufw enable
This command will warn about possible disruption of SSH connections, which has to be confirmed by entering y.
After this, the command should finish with Firewall is active and enabled on system startup.
Now let’s check the firewall status:
sudo ufw status
You’ll see that currently only SSH (port 22) is allowed for IPv4 and IPv6.
More rules can be added by executing ufw allow followed by the port number or service name.
For my setup, SSH is enough.
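Because the guide has to be walked through again after every image update, the status check above can be scripted. This is an added example, not part of the original post: it reads `ufw status` output and flags an inactive firewall or any ALLOW rule outside an allowlist. The allowlist, the function names and the sample outputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit `ufw status` output against
# the guide's policy, i.e. firewall active and SSH as the only allowed service.
# ALLOWED is an assumption of this sketch; extend it if you open more ports.
ALLOWED="22/tcp"

# audit_ufw_status: reads `ufw status` text on stdin, prints one line per
# finding and returns 0 only when nothing unexpected was found.
audit_ufw_status() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Status:/ { active = ($2 == "active"); next }
        / ALLOW / {                              # rule rows: To, Action, From
            if (!($1 in ok)) { print "unexpected rule: " $1; bad = 1 }
        }
        END {
            if (!active) { print "firewall is not active"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample outputs, not captured from a real device.
sample_expected() {
    printf '%s\n' 'Status: active' '' \
        'To                         Action      From' \
        '--                         ------      ----' \
        '22/tcp                     ALLOW       Anywhere' \
        '22/tcp (v6)                ALLOW       Anywhere (v6)'
}
sample_drifted() {                               # an extra SMB port was opened
    sample_expected
    printf '%s\n' '445/tcp                    ALLOW       Anywhere'
}
sample_inactive() { printf '%s\n' 'Status: inactive'; }

for s in sample_expected sample_drifted sample_inactive; do
    if findings=$($s | audit_ufw_status); then echo "$s: ok"
    else echo "$s: $findings"; fi
done
```

On the device the same function can be fed with `sudo ufw status | audit_ufw_status`.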
Logwatch
If you want to go really overboard, you can also install logwatch to receive periodic log analytics via email. This requires saving the mail account credentials on the unencrypted SD card, which “anyone” could easily access, so it also opens other holes.
You can find the instructions in my server setup post. The only thing that should not be followed in those instructions is creating the cronjobs for reasons I describe below. The deletion of the cronjob installed by APT should still be done!
The problem with the cronjobs is that they won’t be executed if the ODROID is not running.
Since I want the log analytics only once a week, the probability of the system not being turned on during the cronjob trigger is very high.
To mitigate this, I start the cronjob using anacron, which will execute the cronjob on system boot if an execution was due while the system was off.
This can be done by adding the following content to the /etc/anacrontab file:
# days delay identifier command
7 2 logwatch /usr/sbin/logwatch
The delay in the config (2 minutes) gives the device time to connect to a wireless network after boot.
SMB
By default there is also an SMB service running (which will be blocked by the firewall in case it is active). I don’t consider SMB as secure so I disabled it using:
sudo systemctl stop smbd && sudo systemctl disable smbd
Final tweaks
The next few things are not really focused on security, more on the convenience of using the device.
Removing Ubuntu Advantage
Ubuntu Advantage is some Enterprise management software which doesn’t make sense on a handheld device. It can be removed by running:
sudo apt purge ubuntu-advantage-tools
Disabling the Ubuntu splash screen
When booting or shutting down the system and when changing emulators, there is a purple Ubuntu splash screen shown.
It can be turned off by changing the arguments given to the kernel at boot time. For this, we’ll first need to mount the boot partition:
sudo mount /dev/mmcblk0p1 /mnt
Now the file /mnt/boot.ini can be edited.
In this file, in the line starting with setenv bootargs, there are the arguments quiet splash.
When splash is removed from that line, the purple splash screen is hidden.
When quiet is removed, the system will show log messages at boot.
After the changes are made, the boot partition can be unmounted and synced:
sudo umount /mnt && sync
After a reboot, the splash and/or the messages will be shown depending on the changes you’ve made.
Transferring ROMs
While transferring ROMs can be done using SCP or SMB, I would recommend doing this using a microSD adapter (and a Linux host that can read extFS) or by inserting (and mounting) a USB stick into the ODROID, because the WiFi adapter (an ESP32) is pretty slow.
Transferring using a microSD Adapter on my ThinkPad resulted in a 5x faster transfer compared to using WiFi.
Backups
Since ODROID releases any updates as a new .img file rather than simply using the package manager already present on the system, I’d recommend only backing up the /roms and the /home/odroid folder.
This of course means that this guide has to be walked through again after each update.
In my opinion it’s still worth it because you never know what got changed with the update.
And yes, you could look, but (from my point of view) walking through this guide again is faster than inspecting the new .img and comparing it to the current version on the SD card.
Finishing the setup
Now that the device is fully configured, the last step missing is to reboot:
sudo shutdown -r now
That’s all for now. If you have any more suggestions to make or experience problems, don’t hesitate to write me, I’ll update this post accordingly!
I hope this was useful, have a nice day!