🔒 Security Guide

Hardening & Best Practices

Comprehensive security guide for YateBTS on Raspberry Pi 4. Protect your GSM BTS from threats and ensure compliance with security standards.

⚠️ Threat Assessment

Physical Security (Critical)

Threats: Device theft, tampering, unauthorized access

  • Physical device compromise
  • SIM card theft
  • Hardware tampering
  • Unauthorized physical access

Network Attacks (High)

Threats: Man-in-the-middle, eavesdropping, DoS

  • GSM interception
  • Network sniffing
  • Denial of service
  • Traffic analysis

Authentication Bypass (High)

Threats: Weak authentication, credential theft

  • Default passwords
  • Weak encryption
  • Session hijacking
  • Brute force attacks

Data Interception (Medium)

Threats: Call interception, SMS capture

  • Unencrypted communications
  • Weak cryptographic keys
  • Side-channel attacks
  • Traffic correlation

System Compromise (High)

Threats: Remote exploitation, privilege escalation

  • Unpatched vulnerabilities
  • Weak system configuration
  • Insecure services
  • Malware installation

Regulatory Violations (Critical)

Threats: Legal compliance, spectrum violations

  • Unauthorized spectrum use
  • Privacy law violations
  • Telecom regulations
  • Data protection laws

🛡️ System Hardening

Secure Boot Configuration
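    # Enable secure boot
    # (stock Raspberry Pi OS ships no "secureboot" systemd unit; this command
    # fails unless such a unit has been installed separately)
    sudo systemctl enable secureboot

    # Disable unnecessary services
    sudo systemctl disable bluetooth
    sudo systemctl disable avahi-daemon
    sudo systemctl disable cups

    # Remove unnecessary packages (pattern quoted so the shell does not expand it)
    sudo apt remove --purge -y wolfram-engine 'libreoffice*'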
User Account Security
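    # Create dedicated system user for YateBTS (no login shell)
    sudo useradd -r -s /bin/false yatebts

    # Set a strong password for the account
    sudo passwd yatebts

    # Configure sudo access, limited to restarting the YateBTS service
    # (NOPASSWD on bare /usr/bin/systemctl would let this account control every unit as root)
    echo "yatebts ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart yatebts" | sudo tee /etc/sudoers.d/yatebts

    # Disable root login
    sudo passwd -l root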
File System Security
    # Set proper file permissions
    sudo chmod 600 /etc/yate/ybts.conf
    sudo chmod 600 /etc/yate/sims.conf
    sudo chown yatebts:yatebts /etc/yate/*.conf

    # Enable filesystem encryption
    # (luksFormat destroys all existing data on the target partition)
    sudo cryptsetup luksFormat /dev/nvme0n1p2
    sudo cryptsetup luksOpen /dev/nvme0n1p2 encrypted_root
Kernel Security
    # Enable kernel security features
    echo "kernel.dmesg_restrict = 1" | sudo tee -a /etc/sysctl.conf
    echo "kernel.kptr_restrict = 2" | sudo tee -a /etc/sysctl.conf
    echo "net.ipv4.conf.all.send_redirects = 0" | sudo tee -a /etc/sysctl.conf

    # Apply changes
    sudo sysctl -p

⚠️ Important Security Notes

  • Regular Updates: Keep system and YateBTS updated
  • Backup Security: Encrypt backup files and store securely
  • Access Logs: Monitor all access attempts and system changes
  • Physical Security: Secure device location and access

🌐 Network Security

Firewall Configuration
    # Install and configure UFW
    sudo apt install -y ufw

    # Default policies
    sudo ufw default deny incoming
    sudo ufw default allow outgoing

    # Allow SSH (change port)
    sudo ufw allow 2222/tcp

    # Allow YateBTS web interface (local only)
    sudo ufw allow from 192.168.1.0/24 to any port 80

    # Enable firewall
    sudo ufw enable
SSH Hardening
    # Edit SSH configuration
    sudo nano /etc/ssh/sshd_config

    # Key security settings (enter these in sshd_config without the leading "#"):
    # Port 2222
    # PermitRootLogin no
    # PasswordAuthentication no
    # PubkeyAuthentication yes
    # MaxAuthTries 3
    # ClientAliveInterval 300
    # ClientAliveCountMax 2

    # Restart SSH service
    sudo systemctl restart ssh
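One way to confirm that the settings above are actually in effect, as an added example that is not part of the original guide; the function names and the sample file are constructed for illustration. It reports every keyword whose first uncommented value differs from the list, which catches settings that were pasted with the leading "#" left in place.

```sh
# Added example: audit an sshd_config-style file against the guide's
# "Key security settings". Policy entries are lowercase keyword=value pairs.
SSHD_POLICY="port=2222 permitrootlogin=no passwordauthentication=no
pubkeyauthentication=yes maxauthtries=3 clientaliveinterval=300
clientalivecountmax=2"

# effective_value FILE KEY -> first uncommented value of KEY in the global
# section (sshd keeps the first value it reads; keywords are case-insensitive).
effective_value() {
    awk -v k="$2" '
        /^[ \t]*#/             { next }   # commented out: ignored by sshd
        tolower($1) == "match" { exit }   # Match blocks are conditional
        tolower($1) == k       { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> one FAIL line per deviation; status 1 if any.
audit_sshd_config() {
    rc=0
    for want in $SSHD_POLICY; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(effective_value "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $key: want $expected, got ${actual:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: three of the settings were left commented out.
write_sample_config() {
    cat > "$1" <<'EOF'
# Port 2222
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
# ClientAliveInterval 300
ClientAliveCountMax 2
EOF
}

tmp=$(mktemp) && write_sample_config "$tmp"
audit_sshd_config "$tmp" || echo "sshd_config deviates from the guide's settings"
rm -f "$tmp"
```

On a live host, `sudo sshd -T` prints the effective configuration and is the authoritative check; this sketch reads a single file and does not follow Include directives.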
VPN Configuration
    # Install WireGuard
    sudo apt install -y wireguard

    # Generate keys (tee output discarded so the private key is not printed to the terminal)
    wg genkey | sudo tee /etc/wireguard/private.key > /dev/null
    sudo chmod 600 /etc/wireguard/private.key
    sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

    # Configure WireGuard
    sudo nano /etc/wireguard/wg0.conf
Network Monitoring
    # Install network monitoring tools (netstat is provided by net-tools)
    sudo apt install -y tcpdump net-tools

    # Monitor network connections
    sudo netstat -tuln

    # Check for suspicious connections
    sudo ss -tuln | grep -E ':(22|80|443|8080)'

    # Monitor traffic
    sudo tcpdump -i any -n 'host your-server-ip'

🔐 Access Control

Multi-Factor Authentication

    # Install Google Authenticator
    sudo apt install -y libpam-google-authenticator

    # Configure for user
    google-authenticator

    # Edit PAM configuration
    sudo nano /etc/pam.d/sshd

    # Add:
    # (sshd only reaches this PAM prompt when keyboard-interactive
    # authentication is enabled in sshd_config)
    auth required pam_google_authenticator.so

Key-Based Authentication

    # Generate SSH key pair
    ssh-keygen -t ed25519 -C "yatebts-admin"

    # Copy public key to server
    ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

    # Test key-based login
    ssh -i ~/.ssh/id_ed25519 user@server

Session Management

    # Configure session timeouts
    echo "TMOUT=1800" | sudo tee -a /etc/profile
    echo "readonly TMOUT" | sudo tee -a /etc/profile

    # Configure screen lock
    sudo apt install -y vlock
    echo "alias lock='vlock -a'" | sudo tee -a /etc/bash.bashrc

Privilege Escalation

    # Configure sudo with timeouts
    echo "Defaults timestamp_timeout=15" | sudo tee /etc/sudoers.d/timeout

    # Limit sudo access
    echo "yatebts ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart yatebts" | sudo tee /etc/sudoers.d/yatebts

    # Audit sudo usage
    echo "Defaults logfile=/var/log/sudo.log" | sudo tee /etc/sudoers.d/logging

📊 Monitoring & Logging

System Logging
    # Configure rsyslog
    sudo nano /etc/rsyslog.conf

    # Add security logging
    echo "*.warn /var/log/security.log" | sudo tee -a /etc/rsyslog.conf

    # Configure log rotation
    sudo nano /etc/logrotate.d/yatebts

    # YateBTS logs
    /var/log/yatebts/*.log {
        daily
        rotate 30
        compress
        delaycompress
        missingok
        notifempty
    }
Intrusion Detection
    # Install AIDE (file integrity)
    sudo apt install -y aide

    # Initialize database
    sudo aideinit

    # Install fail2ban
    sudo apt install -y fail2ban

    # Configure fail2ban
    sudo nano /etc/fail2ban/jail.local

    [DEFAULT]
    bantime = 3600
    findtime = 600
    maxretry = 3

    [sshd]
    enabled = true
    port = 2222
Security Monitoring
    # Install security tools
    sudo apt install -y rkhunter chkrootkit

    # Run security scans
    sudo rkhunter --update
    sudo rkhunter --check

    # Check for rootkits
    sudo chkrootkit

    # Monitor system calls
    sudo apt install -y auditd
    sudo systemctl enable auditd

📈 Monitoring Checklist

  • Log Analysis: Regular review of system and security logs
  • Performance Monitoring: CPU, memory, and network usage
  • Access Monitoring: Failed login attempts and suspicious activity
  • File Integrity: Regular checksum verification of critical files
  • Network Monitoring: Unusual network traffic patterns
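For the log-analysis and access-monitoring items, the sketch below applies the fail2ban thresholds configured earlier (maxretry = 3 within findtime = 600 seconds) to a saved SSH log. It is an added example, not code from the original guide; the function names, the host name "bts" and the log lines are constructed, and it assumes syslog-format sshd lines that all fall on the same day.

```sh
# Added example: list source addresses that reach MAXRETRY failed SSH logins
# within FINDTIME seconds. Usage: ssh_bruteforce_ips LOGFILE [MAXRETRY] [FINDTIME]
# Prints "ADDRESS time-of-trigger", one line per address.
ssh_bruteforce_ips() {
    awk -v maxretry="${2:-3}" -v findtime="${3:-600}" '
    function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /sshd\[[0-9]+\]: (Failed [a-z-]+ for|Invalid user) / {
        # The user name is client-supplied text, so take the address from
        # the LAST "from ADDR port N" group on the line.
        ip = ""
        for (i = NF - 2; i >= 1; i--)
            if ($i == "from" && $(i + 2) == "port") { ip = $(i + 1); break }
        if (ip == "" || (ip in flagged)) next
        now = secs($3)
        n[ip]++
        t[ip, n[ip]] = now
        # Count this failure plus earlier ones still inside the window.
        c = 0
        for (j = n[ip]; j >= 1 && now - t[ip, j] <= findtime; j--) c++
        if (c >= maxretry) { flagged[ip] = 1; print ip, $3 }
    }' "$1"
}

# Constructed sample log (documentation address ranges only).
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 09:00:00 bts sshd[700]: Invalid user oracle from 198.51.100.23 port 40100
Mar  3 09:20:00 bts sshd[704]: Invalid user oracle from 198.51.100.23 port 40101
Mar  3 09:40:00 bts sshd[709]: Invalid user oracle from 198.51.100.23 port 40102
Mar  3 10:00:01 bts sshd[811]: Invalid user admin from 203.0.113.7 port 50122
Mar  3 10:02:30 bts sshd[815]: Invalid user test from 203.0.113.7 port 50140
Mar  3 10:04:00 bts sshd[820]: Accepted publickey for pi from 192.168.1.20 port 40022 ssh2
Mar  3 10:05:10 bts sshd[822]: Failed password for root from 203.0.113.7 port 50161 ssh2
EOF
}

log=$(mktemp) && write_sample_log "$log"
ssh_bruteforce_ips "$log"      # prints: 203.0.113.7 10:05:10
rm -f "$log"
```

The address with three failures spaced twenty minutes apart is not reported at the default window; a longer FINDTIME argument brings such slow attempts into view.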

📋 Compliance & Regulations

Security Compliance Matrix

  • GDPR Compliance: Data protection and privacy regulations. Status: Partial
  • Telecom Regulations: Spectrum usage and licensing. Status: Non-Compliant
  • ISO 27001: Information security management. Status: Partial
  • NIST Framework: Cybersecurity framework. Status: Compliant
  • PCI DSS: Payment card industry standards. Status: N/A
  • HIPAA: Healthcare information privacy. Status: N/A

⚠️ Legal Disclaimer

Important: Operating a GSM BTS may be subject to local telecommunications regulations and licensing requirements. Always check with your local regulatory authority before deployment.

  • Verify spectrum licensing requirements
  • Check power output limitations
  • Ensure compliance with local laws
  • Consider privacy and data protection laws
Data Protection Measures
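    # Encrypt sensitive data
    sudo apt install -y ecryptfs-utils

    # Encrypt YateBTS configuration
    # (ecryptfs-setup-private creates an encrypted ~/Private directory for the
    # account that runs it; files left under /etc/yate are not covered by it)
    sudo ecryptfs-setup-private

    # Configure data retention
    echo "log_retention_days=30" | sudo tee -a /etc/yate/ybts.conf

    # Implement data anonymization
    sudo apt install -y anonymizer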
Audit Trail
    # Enable audit logging
    sudo systemctl enable auditd
    sudo systemctl start auditd

    # Configure audit rules
    sudo nano /etc/audit/rules.d/audit.rules

    # Monitor file access
    -w /etc/yate/ybts.conf -p wa -k yatebts_config
    -w /etc/yate/sims.conf -p wa -k sims_config

    # Monitor system calls
    -a always,exit -F arch=b64 -S execve -k system_calls

✅ Security Checklist

🔒 Pre-Deployment Security Checklist

  • ✅ Change all default passwords
  • ✅ Enable firewall and configure rules
  • ✅ Install security updates
  • ✅ Configure SSH with key-based authentication
  • ✅ Enable system logging and monitoring
  • ✅ Encrypt sensitive configuration files
  • ✅ Set up intrusion detection
  • ✅ Configure backup and recovery procedures
  • ✅ Test security measures
  • ✅ Document security procedures

🔄 Ongoing Security Maintenance

  • Weekly: Review logs, check for updates, verify backups
  • Monthly: Run security scans, update passwords, review access
  • Quarterly: Security audit, penetration testing, policy review
  • Annually: Full security assessment, compliance review