Hardening your Raspberry Pi is a must when considering the security of your home network. There are several things to consider before following this guide, such as preventing services from conflicting. For instance, if SSH is the only method you have of remoting into your Pi, make sure UFW opens and allows connections on port 22.
We will be using Raspberry Pi OS/Raspbian for demonstration. This guide covers practical hardening of the base system and does not necessarily account for additional software you may be running (such as Nginx or other web servers). Be cautious with your commands!
1) SSH Keys
If you are remoting into your Pi from another computer, SSH keys are a must for security. This can be done before you burn Raspberry Pi OS to disk (easiest), or afterwards. We will provide a separate guide to this shortly.
2) Change the Pi account password
Login as user Pi and enter the following command:
passwd
Dexter Security recommends choosing a password that is 16 characters or more at a minimum, with 24 characters or higher being optimal. Read our guide on password security for more information.
3) Create A Non-Admin User
Log into your new user account, then run the command below to open the sudoers file and confirm which privileges your new user has been granted.
sudo visudo
4) Disable The Pi Account
sudo usermod --lock --expiredate 1 pi
Log out and try to log back in as pi. If the login is refused, the account is disabled.
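The command above does two separate things, and checking both is worth more than a single login attempt. The script below is an added example (not part of the original guide) that reads an /etc/shadow record and reports whether the account is both locked and expired; the sample records are constructed with placeholder hashes.

```shell
#!/bin/sh
# Added example (not from the original guide): decide from an /etc/shadow
# record whether an account is disabled the way step 4 does it, i.e. both
# password-locked (usermod --lock) AND expired (usermod --expiredate 1).
# The distinction matters: a lock only prefixes the password hash with "!",
# which still lets the user in over SSH with a key; the expiry date is what
# refuses every login method. Real use: account_disabled "$(sudo grep '^pi:' /etc/shadow)"

account_disabled() {
    line=$1
    # shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    hash=$(printf '%s' "$line" | cut -d: -f2)
    expire=$(printf '%s' "$line" | cut -d: -f8)
    today=$(( $(date +%s) / 86400 ))   # days since 1970-01-01, same unit as "expire"

    case $hash in
        '!'*|'*') locked=1 ;;   # "!" prefix = locked, "*" = no usable password
        *)        locked=0 ;;
    esac
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then expired=1; else expired=0; fi

    echo "locked=$locked expired=$expired"
    if [ "$locked" -eq 1 ] && [ "$expired" -eq 1 ]; then return 0; else return 1; fi
}

# Constructed sample records (placeholder hashes, not real ones)
FULLY_DISABLED='pi:!$6$constructedsalt$constructedhash:19000:0:99999:7::1:'
LOCKED_ONLY='pi:!$6$constructedsalt$constructedhash:19000:0:99999:7:::'
for rec in "$FULLY_DISABLED" "$LOCKED_ONLY"; do
    if account_disabled "$rec"; then echo "-> disabled"; else echo "-> still reachable"; fi
done
```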
5) Update Your Pi
6) SSH Hardening
To prevent root logins, create a group for ssh users.
Generate a Public/Private Key pair and set up SSH. We will have a guide on this shortly.
sudo nano /etc/ssh/sshd_config
Edit the ssh config file to have the following:
Restart SSH
sudo systemctl restart ssh
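One check a practitioner wants after editing sshd_config is whether the settings actually take effect, because sshd uses the first value it sees for each keyword and treats anything after a `Match` block as conditional. The script below is an added example (not the guide's own code) that audits a config for the two settings this step is about; `PermitRootLogin` and `AllowGroups` are real sshd_config directives, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config for the
# two settings step 6 is about, "PermitRootLogin no" (no root logins) and an
# "AllowGroups" line (only members of your ssh group may log in). Caveat the
# script accounts for: sshd uses the FIRST value it sees for a keyword, so a
# hardened line appended at the bottom is ignored if a permissive line comes
# earlier, and anything after a "Match" block is conditional, not global.

# Print the effective global value of a keyword (first occurrence, case-
# insensitive, stopping at the first Match block); empty if unset.
sshd_effective() {
    awk -v key="$2" '
        $1 == "" || substr($1, 1, 1) == "#" { next }   # blank or comment line
        tolower($1) == "match"            { exit }   # conditional section starts
        tolower($1) == tolower(key) {                # first hit wins
            for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
            exit
        }
    ' "$1"
}

# Report both checks; returns 0 only if the file passes both.
audit_sshd() {
    file=$1; rc=0
    root=$(sshd_effective "$file" PermitRootLogin)
    groups=$(sshd_effective "$file" AllowGroups)
    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${root:-unset}' (want: no)"; rc=1; fi
    if [ -n "$groups" ]; then echo "OK   AllowGroups $groups"
    else echo "FAIL AllowGroups not set (want: your ssh group)"; rc=1; fi
    return $rc
}

# Constructed sample: the "no" at the bottom looks right but sits inside a
# Match block, while the "yes" near the top is the value sshd really uses.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
if audit_sshd "$SAMPLE"; then echo "sshd_config passes"; else echo "sshd_config needs fixing"; fi
rm -f "$SAMPLE"
```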
7) Firewall Configuration
UFW gives us an easy way of managing iptables rules; install it with:
Note: If UFW will not install, make sure your system is up to date first, as an outdated system may cause conflicts with iptables.
Run the following commands to harden UFW. If you are running other services, you need to identify what ports they need open. Otherwise, these settings will allow for appropriate functions to operate as well as allowing you to access the Pi via ssh.
For extra security, you can limit what IP addresses are allowed to connect to your SSH Port. You can do this by either allowing any computer on your LAN to connect, or just 1 computer. For the first example, we will limit ssh connections to the computer you are using right now. Get your current computer’s local IPv4 address and add it to the following UFW command.
If you want all devices on your network to be able to ssh into your Pi, run the following command. Keep in mind that you will need to move the ssh keys to each computer for them to use.
sudo ufw allow from <your-computer's-ip>/24 proto tcp to any port 22
Example: sudo ufw allow from 192.168.1.1/24 proto tcp to any port 22
8) Log Failed Login Attempts (option may not be available on your Pi by default)
Faillog will now record more than 3 unsuccessful attempts at /var/log/faillog. Our other services do something similar, but redundancy is welcome here. Our UFW settings will rate-limit SSH connections after 6 attempts, after which a timer must elapse before more attempts can be made. These are redundant, last lines of defense, and defense in depth is an important security principle to understand.
9) Set Up Automatic Updating (unattended-upgrades)
sudo apt install unattended-upgrades
Verify that it works:
Location for logs:
/var/log/unattended-upgrades/unattended-upgrades.log
10) Set Up Fail2Ban
This also helps stop brute-force attacks in the event that an attacker has already breached your network.
Add the following to the file:
Restart Fail2ban
sudo service fail2ban restart
11) Backing Up Your Pi
There is not necessarily an easy way to back up your Pi. In the event of an OS failure, you ideally want your backups stored somewhere other than the SD card, since recovering lost data from it can be difficult (though usually it is not). A separate machine running Linux can be used to back up your Pi via SSH, or WinSCP on Windows can transfer files to and from your machine. We will post a separate guide on this later.
12) Set Up An Alert System Via SMTP (Email) [Optional]
For the rest of this article we will focus on setting up an alert system that sends information to your email of choice when certain defenses have been activated. This is an important way for us to know whether or not an attacker is in your network.
Place the following lines in the file. You can use a provider other than Gmail if you are concerned about privacy. It is best to create a separate sending account that you would not mind losing. The recipient can be your personal email or one set up specifically to receive alerts, but its password should not be put in this file.
Test the service:
echo "Test" | msmtp --debug your@emailaddress.com
13) Set Up Port Scan Attack Detector (PSAD)
Add these arguments to the psad.conf file:
We have to add this to the UFW rules:
sudo nano /etc/ufw/before.rules
Add these lines, but do not put them after the COMMIT line found at the bottom of the file.
Repeat the same steps for /etc/ufw/before6.rules
sudo nano /etc/ufw/before6.rules
# PSAD Configuration
-A INPUT -j LOG --log-tcp-options
-A FORWARD -j LOG --log-tcp-options
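Because the position relative to COMMIT is what makes or breaks this step, and because applying it twice would log every packet twice, the script below is an added example (not the guide's own code) that inserts the two rules above the first COMMIT line of a given rules file and refuses to add them a second time. The sample file is a constructed, heavily trimmed stand-in for /etc/ufw/before.rules.

```shell
#!/bin/sh
# Added example (not from the original guide): insert the two PSAD logging
# rules from step 13 into a ufw rules file (before.rules or before6.rules)
# directly above its COMMIT line, and leave the file alone if they are
# already there. Rules written below COMMIT are never loaded, and a second
# "-A INPUT -j LOG" would log every packet twice. Argument: the file path.

add_psad_log_rules() {
    rules=$1
    if grep -q -- '^-A INPUT -j LOG --log-tcp-options' "$rules" &&
       grep -q -- '^-A FORWARD -j LOG --log-tcp-options' "$rules"; then
        echo "PSAD rules already present in $rules"; return 0
    fi
    grep -q '^COMMIT' "$rules" || { echo "no COMMIT line in $rules" >&2; return 1; }
    tmp=$(mktemp)
    awk '
        !done && /^COMMIT/ {           # emit the rules just before the first COMMIT
            print "# PSAD Configuration"
            print "-A INPUT -j LOG --log-tcp-options"
            print "-A FORWARD -j LOG --log-tcp-options"
            done = 1
        }
        { print }
    ' "$rules" > "$tmp" && cat "$tmp" > "$rules"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# Prints "ok" if the INPUT LOG rule appears before COMMIT, "missing" otherwise.
psad_rules_before_commit() {
    awk '
        /^COMMIT/ { past_commit = 1 }
        /^-A INPUT -j LOG --log-tcp-options/ && !past_commit { found = 1 }
        END { print (found ? "ok" : "missing") }
    ' "$1"
}

# Constructed, heavily trimmed stand-in for /etc/ufw/before.rules
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -i lo -j ACCEPT
COMMIT
EOF
add_psad_log_rules "$SAMPLE"
add_psad_log_rules "$SAMPLE"      # second run is a no-op
psad_rules_before_commit "$SAMPLE"
rm -f "$SAMPLE"
```

Run it once per file, `add_psad_log_rules /etc/ufw/before.rules` and again for before6.rules, then reload ufw so the new rules are read.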
14) More To Come
We will update this guide regularly to bring you well researched and improved tips for hardening your Pi.