Thanks to energy efficiency and whisper-quiet operation, the Raspberry Pi is used in many IoT projects. This inevitably makes it a target for hackers and botnets. That is why you need to secure the small computer.
Many small computers are permanently online in order to fulfill their tasks as VPN gateways, in home automation or as servers for various other purposes. This means that they are constantly exposed to attack attempts. Basically nothing can be changed about this, but you should make it difficult for attackers to access your computer. Port sharing and DynDNS are also quickly set up for the Raspberry Pi so that it can be accessed from the Internet. If unwanted gaps open up, the Pi can be misused as a stepping stone onto the internal network and can damage the connected hardware.
It is always the configuration of the overall system that determines security. Before you start hardening special components such as SSH access, you should tackle the supposedly simple things, take a look at user authorizations and passwords and keep your system up to date. In this article, we will outline some tips and tricks to secure your Pi.
It is easier for every attacker to have a system that is active with preset standards. So start by giving the standard user (with Raspbian “pi”) a new password. It should be as long as possible and also contain special characters. To do this, it is sufficient to open a terminal and type in :
This completes the first important step. Nobody should work with the well-known standard password. The name of the standard user “pi” is also known to potential attackers. You should therefore first create a user with an individual name with whom you will then work by default. The following command :
sudo useradd -m [youruser] -G sudo
adds a new user who also belongs to the “sudo” group. This means that he can also execute root commands. You also assign a secure password to this user after sudo passwd [user]. And while you’re at it, it’s also a good idea to assign a new root password. This is the required command :
sudo passwd root
Since you now have a new account that can also perform all tasks with root rights, you can now deactivate the standard user “pi”. This can be achieved using the command :
sudo passwd –lock pi
As with any modern computer, the Raspberry must be kept as up-to-date as possible. So in order to minimize attack access points, especially with SSH access, you should update the installed packages at regular intervals . This can be done by running the commands :
sudo apt-get update
sudo apt-get dist-upgrade
By the way: for “apt-get” there is also the newer “apt”, which offers a progress bar and combines other commands under one roof. Instead of “apt-get dist-upgrade”, “apt full-upgrade” is required. “Apt” reacts a little differently in special situations.
If you want it to be particularly convenient, do some research on the Internet for the “unattended upgrades” program. The package is installed with the comamnd :
sudo apt-get install unattended-upgrades
And using :
sudo dpkg-reconfigure -priority=low unattended-upgrades
the configuration is called up. In the first dialog you agree to automatic updates, in the second dialog you can change search patterns.
The program can then even be stored in the system as a cron job and is automatically executed at regular intervals. Then you no longer need to take care of the updates manually.
Access via SSH is certainly one of the most powerful tools in everyday use with a Raspberry. Because only this remote access makes it possible to access all system functions without having to connect a keyboard or monitor to the microcomputer.
With the appearance of the Zero Pi W models, access via SSH is initially deactivated, but most users want to use this access in their projects. The initial access to SSH can easily be achieved by creating an empty file “ssh” in the “/ boot” directory. The service will be reactivated the next time you boot up. The attackers are also aware of the popularity of SSH access, which is why you should take care of SSH security.
Before you make various changes, you should ask yourself whether you will need this access at all after setting up the system for the first time. If not, the access can be switched off again and the server can be uninstalled using the command:
sudo apt-get remove ssh
If SSH is still necessary, it is best to make a backup of the configuration in a differently named file so that you can return to the old setup at any time:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bk
Attempts to log in as root via ssh can easily be prevented. To do this, open the corresponding configuration file with an editor:
sudo nano /etc/ssh/sshd_config
Look for the entry “Permit-RootLogin” and set the value to “no”. Actually, there shouldn’t be any users on your system without a password. To prevent such users from logging in to SSH, look for the entry “PermitEmptyPasswords” and also set the value to “no” there.
It is also possible to allow only certain users to have access. In the configuration file there is the entry “Allowusers”, after which the names of the allowed users follow on one line. But this is better solved by creating a group using “AllowGroups”, followed by the group name. If necessary, new users can be added to this group later and do not have to intervene in the configuration file every time.
After changes have been made, the SSH service must be restarted using the command:
sudo /etc/init.d/ssh restart
Depending on how you set up your project, you will sometimes have direct access to the Pi. Then you can use the start script to temporarily switch on SSH by using:
sudo /etc/init.d/ssh stop
sudo /etc/init.d/ssh start
which activates the service only when it is needed.
Last but not least, SSH can also be secured with certificates and optionally with additional password entries. If the Pi is to be publicly accessible, then certificates on the respective computers are a good choice. There are several methods for setting it up. It is common to first create a new key pair in the home directory of the computer to which the Pi is to be connected using :
ssh-keygen (-t rsa)
While creating the keys, you can also specify a passphrase that is used in the encryption. The public ( id_rsa.pub ) and secret key ( id_rsa ) are now in the ” .ssh ” subdirectory .
Now log on to the Pi with the appropriate account that should later be accessible via SSH and create the subfolder “ .ssh ” and in it the “authorized_keys” file. The content of the public key “id_rsa.pub” that has just been created must now be inserted at the end.
The SSH service must be restarted again and you can test the new connection from now on.
If SSH or comparable protocols are only used in the local network, everything is still manageable. From a security point of view, it becomes particularly interesting when one or more ports have been configured to enable external access to your host from the web. .
As a rule, automated attacks work with port scans: Data packets are optionally sent to systems and checked to see whether certain ports are open. As you probably know, standard ports are defined for the various protocols. With SSH this is port 22 – a port that attackers often query during their scan, because they know that SSH can normally be reached via exactly this port.
However, a system can be set up at any time in such a way that a service such as SSH is offered on a different port. You can also change this in the configuration file ” sshd_config ” on the Raspberry . You have to be careful, however, because the port number must not be used by another application or service. If you are unsure about this, you will find a list of standardized port uses on Wikipedia to help you out.
Now look up the line “Port” in the “ sshd_config ” file . Instead of 22 you would need to assign a different value there (theoretically 65,536 possibilities). For example, change the value to “22079”.
Changes to the configuration file are only made after restarting the service using the command :
sudo service ssh restart
Most hacking attacks clumsily try to log in with default account names and random passwords. The system naturally responds to the unsuccessful attempts with an error message. However, hacker scripts are able to automatically transfer a large number of different passwords in a short period of time.
A software package like fail2ban can simply prohibit such failed attempts after a certain number of times:
Now, of course, there can always be failed attempts to log in. You should therefore use the program’s configuration file to specify how many unsuccessful attempts you want to allow. To do this, run the command :
sudo nano /etc/fail2ban/jail.conf
the authoritative file in the editor. You can define the number of allowed unsuccessful attempts with “Maxretry”. “Findtime” however determines the time span within which the unsuccessful attempts must be made in order for them to be counted. The “bantime” variable defines the duration of the blockade for accessing IP. In both cases, the information is given in seconds.
In most cases, you know where you or the intended user group are usually located when accessing the Pi remotely. The fail2ban’s wiki describes how to use “geolookup” to specifically block IPs from different regions from access via SSH.
This provides you with flexible protection that distinguishes automated attacks from “normal” incorrect entries and can be well adapted to your own needs.
If there is only a limited group of people who need to access the Pi from outside then a VPN is recommended. A “Virtual Private Network” offers better security than port forwarding and is nowadays quite easy to set up in the private sector too. Thanks to the support in modern routers, this is generally done fairly quickly.
After setting up in the router configuration, you will receive the required account as well as group name and a “shared secret” in order to then configure the devices intended for access.
Once that’s done, you can log into your home network from your mobile device or PC via an encrypted connection and access the Pi located there.
If the computer is online more or less the entire time, a firewall should be activated on it. It works best on the principle of only letting through the data traffic that has been explicitly allowed. If the software used allows it, try to change the port of the application in a manner similar to that for SSH access. A system that does not respond to requests on the standard ports is too complicated for automated attacks.
With a few simple steps, you can protect your system a whole lot better.
As is so often the case: “Less is more”. After all, it makes sense to check which other services and software you still need to operate your small computer. Once you have an overview, it is very easy to turn off other services and uninstall unnecessary software.
Before you go any further, you can take an image of the Pi’s SD card to be on the safe side. If you have accidentally locked yourself out of WiFi or SSH access, it helps to connect the Pi directly to a monitor via HDMI. Make an image of the Pi’s SD card for safety.
If you like the content, we would appreciate your support by buying us a coffee. Thank you so much for your visit and support.