My Raspberry Pi has turned into a central hub for automation and connections to various devices at home. As I want to expose some services outside of the local LAN, I run into the risk of being hacked. So what can we do to secure the Raspberry Pi from intruders?
This first post deals with some basic security aspects that you can consider to get a more secure Raspberry Pi environment when it comes to ssh access.
Replace the default user pi
The Raspbian OS comes with a default user “pi”, and the first thing you should do after booting up Raspbian is of course to change the default password. But since the user name “pi” is standard, a potential intruder already has half of what is needed to log into the Raspberry Pi (the name is known, only the password has to be guessed). Also, the default pi user is part of the sudo group, so a trespasser who knows the password can potentially do anything on the device. The next step should therefore be to create a new user with the same privileges as the pi user and then delete the default pi user. Preferably, use a more creative user name than “pi”.
You can list the groups for the currently logged in user with the groups command:
groups
For my pi user I get this list:
pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi
Then, to create a new user with the same groups as the pi user, you can use the useradd command with the same list of groups:
sudo useradd -m -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi USERNAME
Where USERNAME is the name of your new non-standard user. You can set a password for the new user with:
sudo passwd USERNAME
Then, reboot the system, login as the new user and delete the pi user and its data:
sudo deluser --remove-all-files pi
Warning! This will remove all contents from the old pi user’s home directory, so only do this if you don’t have any valuable data that you want to keep from the old account. A good precaution would be to first backup your SD card before doing the pi account deletion.
An alternative is to rename the pi user (and its home directory) with usermod. But if you start out with a fresh Raspbian install, it might be easier to create a new account and delete the old one with the steps listed above.
Last note: The Raspberry Pi Configuration tool in the Raspbian desktop will not work without a user called “pi”. You can still use raspi-config from the command line though. You will not be able to “autologin with user pi” anymore – but why would you?
Replace the ssh password login with a key login
Even if you have a non-default user name with a strong password on your Pi, anyone who gets hold of these credentials can log in to your RPi from any machine on the same network (or from the Internet if you expose ssh outside the router). A more secure approach is to disable ssh password logins and use ssh keys instead. What you need to do is generate a private/public key pair on the computer that you want to use for accessing the RPi, copy the public key to the RPi and keep the private key on your computer. The keys can (and should) be protected by a passphrase. After this, you can disable password logins for ssh on the RPi (they are enabled by default in Raspbian). Now it is only possible to log in to the Raspberry Pi via ssh from trusted computers (i.e. your devices and not the intruder’s computers).
Here are two good tutorials that describe all the steps:
https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md
http://raspi.tv/2012/how-to-set-up-keys-and-disable-password-login-for-ssh-on-your-raspberry-pi
Change the default ssh port
Yet another trick, described in the second tutorial linked above, is to change the default ssh port from 22 to something less obvious.
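The two steps above (disabling password logins and moving the port) both go into /etc/ssh/sshd_config, and the classic mistake is to disable passwords before the public key is in place and lock yourself out. The following shell script is an added example, not part of the original post or of the linked tutorials: it edits a given sshd_config only after checking that the named home directory already contains a non-empty .ssh/authorized_keys file. The config path, home directory and port number are assumed arguments so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the original post: switch an sshd_config to
# key-only logins on a custom port, refusing unless the new user already
# has a public key installed so you cannot lock yourself out.
# Assumed arguments: config file path, the user's home directory, the port.

# set_option FILE KEY VALUE: rewrite an existing (even commented-out) KEY
# line as "KEY VALUE"; otherwise prepend it, because a line appended at the
# end could land inside a "Match" block and apply only to that match.
set_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        tmp=$(mktemp)
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
        cat "$tmp" > "$file"    # keep the original file's owner and mode
        rm -f "$tmp"
    fi
}

# harden_sshd_config FILE HOMEDIR PORT: returns 1 and changes nothing if
# HOMEDIR/.ssh/authorized_keys is missing or empty.
harden_sshd_config() {
    file=$1; home=$2; port=$3
    keys="$home/.ssh/authorized_keys"
    if [ ! -s "$keys" ]; then
        echo "refusing: no public key installed in $keys" >&2
        return 1
    fi
    cp "$file" "$file.bak"                    # copy to roll back from
    set_option "$file" Port "$port"
    set_option "$file" PubkeyAuthentication yes
    set_option "$file" PasswordAuthentication no
    set_option "$file" ChallengeResponseAuthentication no
    set_option "$file" PermitRootLogin no
}

# Typical use on the Pi (run as root), then restart sshd only after
# "sshd -t" reports the file is valid:
#   harden_sshd_config /etc/ssh/sshd_config /home/USERNAME 2222
```

Keep your current ssh session open while you restart sshd and test a fresh key login on the new port from a second terminal; if it fails, copy the .bak file back and restart again.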
Use Fail2Ban
Fail2Ban is a tool that locks out ssh access (or access to other services, depending on configuration) from a specific IP address for a period of time after a specified number of failed login attempts. So, if someone is trying to guess the user/password over ssh, they will have a much harder time, as the address is blocked after N failed attempts. Here is a good guide for Fail2Ban:
https://www.linode.com/docs/security/using-fail2ban-for-security
Stay safe!