Hardering your raspberry Pi

Cover Image for Hardering your raspberry Pi
Marmeus
Marmeus

Table of Contents

    Introduction

    I have a Raspberry Pi since 2017, which runs several servers and programs 24/7, but I have never thought of securing my Pi until now. Hence, here you have several tips that you could use in order to make your Raspberry PIs more secure.

    Keep your Pi updated

    The first thing and so, the most important is to keep is to keep its system updated. There are 2 ways of doing it:

    • Manually:

    • Automatically:

      This process will update your Pi daily basis.

      • $ sudo apt-get install unattended-upgrades

      • Avoiding unnecessary emails to root:

        • sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
        • Comment this line:
        • Unattended-Upgrade::Mail "root";

      • Set daily periodic updates:

        • $ sudo vim *etc/*apt/apt.conf.d/02periodic Adding this lines:

          APT::Periodic::Enable "1";

        APT::Periodic::Update-Package-Lists "1";

        APT::Periodic::Download-Upgradeable-Packages "1";

        APT::Periodic::Unattended-Upgrade "1";

        APT::Periodic::AutocleanInterval "1";

        APT::Periodic::Verbose "2";

        • Debugging the configuration:

          $ sudo unattended-upgrades -d

    Change your user

    Due to all Raspberry Pis come with a default username (Pi), you should create a new username deleting the former.

    • Creating a new user:

      • $ sudo adduser user1

    You will be prompted to create a password for the new user and then, a new folder will be created /home/user1

    • Adding the user to the sudoers group

      • $ sudo adduser alice sudo

    • Deleting the old user.

      $ sudo deluser -remove-home pi

    You must take into account that some aspects that require the “pi” user to be present. If you aren’t sure whether it will be affected by this, then leave it there and just change pi’s password

    sudo password pi

    Make sudo require a password

    By default sudo doesn’t need a password. So if someone hacks your Raspberry Pi because, it is connected to the Internet, He or She could run anything with privilege mode. To avoid that you need to:

    sudo vim /etc/sudoers.d/010\_pi-nopasswd

    Change the pi entry (or any other usernames that have superuser rights) to:

    pi ALL=(ALL) PASSWD: ALL

    Improving SSH security

    Allowing or denying specific users by modifying the sshd configuration file.

    sudo nano /etc/ssh/sshd\_config

    This line will allow you to log in the specifies users:

    AllowUsers user1 user2 user3

    This other will stop some usernames from logging in:

    DenyUsers admin1 admin2

    and finally, this one will avoid anyone to connect through ssh as root:

    #PermitRootLogin prohibit-password

    After this change, you will need to restard the sshd service:

    sudo systemctl restart ssh // sudo reboot

    Changing the default SSH port

    In this case, we need to modify “sshd_config” file again. Find this line:

    Port 22

    and replace it by whatever you want

    Port 5687

    Once again, save the file and restart your server

    sudo service ssh restart

    Using Key-based authentication

    One of the advantages of ssh is the usage of generated keys in order to to log in to your account.

    Generating a key pair in Linux is done using “ssh-keygen” command (Client Side). You will be asked for a passphrase, which will generate 2 files. Those keys will be generated at your current folder. <nameOfFile> & <nameOfFile>.key. However, if you couldn’t find them look at ~/.ssh/. The passphrase will be used with the key file to log in through ssh.

    Once, you must copy <nameOfFile>.key to your raspberry pi.

    cat \<pathFile.pub\> | ssh username@IP ‘mkdir -p \~/.ssh && cat

    >> ~/.ssh/authorized_keys’

    Finally, you just log in to you raspberry pi as usual, and you will be prompted for the passphrase you created earlier.

    Install Fail2Ban

    Fail2Ban is a tool which detects brute-force attacks. Fail2Ban will block IPs if they fail to login more than X times.

    1. Install Fail2Ban

      $ sudo apt-get install fail2ban

    2. Change default configuration

      $ vi /etc/fail2ban/jail.local

    If you want to permanently ban IPs, set a negative number in the bantime.

    1. Restart the service

      $ sudo service fail2ban restart

    Installing a firewall (UFW)

    Ufw (Uncomplicated Firewall) is a simple firewall which, like other firewalls, will block all ports except the ones you need, and filter access by IP.

    1. Install ufw

      $ sudo apt-get get install ufw

    2. Configure ufw

    sudo ufw disable

    Allow apache’s services

    sudo ufw allow 80
    sudo ufw allow 443

    Allow SSH access for your internal IP

    sudo ufw allow from 192.168.1.35 port 22
    1. Enable firewalls
    sudo ufw enable

    If you want to show your current rules once you have enabled ufw:

    sudo ufw status verbose

    Secure Apache

    1. Password Authentication

    For instance, if you have an apache server running and there are certain webpages, which only some users can get access to it, this is what you have to do.

    Install apache and its utilities

    sudo apt-get install apache2 apache2-utils

    Create a password file

    This file will contain usernames and password that will be needed to access to your private webpages.

    Because, this will be the first time you create this file, you will need to use this parameter “-c”

    **$ **sudo htpasswd -c /*etc*/apache2/.htpasswd user

    You will be asked to supply and confirm a password for the user.

    If you want to add more users, leave out the -c parameter.

    sudo htpasswd /*etc*/apache2/.htpasswd user1

    Configure apache to provide authentication

    Authentication is done on a per-directory basis. To set up authentication, you will need to select the directory you wish to restrict, and add the following lines.

    *sudo nano /etc/apache2/sites-enabled/000-default.conf*
    
*\<VirtualHost \*:80\>*

*    ServerAdmin webmaster@localhost*

*    DocumentRoot /var/www/html*

*    ErrorLog ${APACHE\_LOG\_DIR}/error.log*

*    CustomLog ${APACHE\_LOG\_DIR}/access.log combined*

*    \<Directory "/var/www/html/folder"\>*

*AuthType Basic*

*AuthName “Restricted Content”*

*AuthUserFile /*etc*/apache2/.htpasswd*

*Require valid-user*

*    \</Directory\>*

*\</VirtualHost\>*

*```*

**

1.  Restart Apache

```bash
sudo service apache2 restart

    Finally, once you access to your private webpage, a pop up will appear.

    To conclude, there are more services that I didn’t mention, that is because I have never use them and I don’t want to write the definitive guide for system administrators. Hence, I hope that, with these little tips you can developed your own prospects in your new safety Raspberry.