17 security tips for your Raspberry Pi

A Raspberry Pi comes with a poor security level by default
If you use it at home or in a small network, it’s not a big deal
But if you open ports to the Internet, use it as a Wi-Fi access point, or install it in a bigger network, you need to take security measures to protect it
I’ll show you how to do this

How to secure a Raspberry Pi?
There are obvious, logical steps, like setting a strong password
But there are also things you won’t think about, or that are more complicated to set up

I’ll show you the first 17 security tips you need to follow to get a good security level on your Raspberry Pi (they mostly apply to all Linux systems)
It all depends on what you are doing, but it should be enough in most cases

Introduction

Should I follow all these tips?

As I wrote at the beginning, if your Raspberry Pi is at home, with a few services and no forwarded ports in your Internet box, you are already pretty safe

The risk level of your Raspberry Pi depends on how exposed it is to the “real” world
You won’t take the same measures for a RetroPie game console at home as for a machine in a DMZ of your network open to the Internet
But the 17 tips are good to know and easy to apply, so if you share anything on the Internet, take 30 minutes to read this and apply them

How I wrote this article

I selected the 17 main security tips I want to share with you, which apply to everyone who hosts a Raspberry Pi and shares services on it

They are in order of risk level
If you think you are highly exposed, follow all the steps and you’ll be safe
If not, following only the first ones is enough

17 tips to secure your Raspberry Pi

1 – Keep your system updated

The first one may be obvious, but it’s an important one
With updates from the Raspbian repository, you not only get the latest features but, above all, security fixes for your installed software

Try to update your Raspberry Pi regularly with:

sudo apt update
sudo apt upgrade

You can also automate this process with the unattended-upgrades package
This procedure allows you to install security fixes each day automatically:

  • Install the unattended-upgrades package
    sudo apt install unattended-upgrades
  • Open the configuration file
    sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
  • Change what you want in this file
    By default it’ll download only security updates, but you can change this if you want to install all Debian updates, or even updates from other repositories
    I recommend at least enabling (uncommenting) this line:

    Unattended-Upgrade::Mail "root";

    This will send a mail to root (or to any other address, if you have a mail server installed)

  • Save and Exit (CTRL+O, CTRL+X)
  • Then we need to set the periodic upgrade
    Open this file:

    sudo nano /etc/apt/apt.conf.d/02periodic
  • Paste these lines (the file should be empty, if not, change the values):
    APT::Periodic::Enable "1";
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::Unattended-Upgrade "1";
    APT::Periodic::AutocleanInterval "1";
    APT::Periodic::Verbose "2";

    This enables the automatic update every day
    We ask apt to run update, download upgrades, install upgrades and auto-clean, every day
    The last line is the verbosity level you’ll get in /var/log/unattended-upgrades and in the email (1 = low, 3 = max)

  • Save and exit (CTRL+O, CTRL+X)
  • This should be OK; you can debug your configuration with this command:
    sudo unattended-upgrades -d

Don’t forget to check the log file and/or the email received to make sure everything is working as expected

2 – Don’t use auto-login or empty passwords

Passwords are a big part of the system security

First thing: make sure that every critical access asks for a password
Don’t use auto-login, and add a login step for each application you can access directly
I won’t list all apps, but for example, if you have a web server, make sure that personal data or administration pages are not accessible without a password

Make sure that nobody uses an empty password on the Raspberry Pi
If you have only a few accounts, it’s easy: check each of them
If you have a lot of user accounts, these commands can help you:

  • Search for empty passwords
    sudo awk -F: '($2 == "") {print}' /etc/shadow

    This will display only accounts with an empty password

  • Lock unsafe accounts
    sudo passwd -l <username>
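The empty-password check above, extended into a small shadow audit (added example, not from the original article): besides accounts with no password at all, it separates locked accounts from those with a real hash, and flags hashes made with an old algorithm. The sample shadow file is constructed, with fake hashes.

```sh
#!/bin/sh
# Added example (not from the original article): audit a shadow-format file.
# Field 2 of /etc/shadow is the password hash: "" means no password at all,
# a "!" or "*" prefix means the account is locked or has no usable password,
# and anything else is a real hash. Modern hashes start with $6$ (SHA-512)
# or $y$ (yescrypt); older $1$ (MD5) or bare DES hashes are weak.

# Accounts that can log in with an empty password.
empty_password_accounts() {     # $1 = shadow file, defaults to /etc/shadow
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# Accounts that are locked or cannot log in with a password.
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "${1:-/etc/shadow}"
}

# Accounts with a real password hash: the ones that need a strong password.
hashed_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "${1:-/etc/shadow}"
}

# Accounts whose hash uses an old algorithm; run "passwd" again for them.
weak_hash_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$(6|y)\$/ { print $1 }' "${1:-/etc/shadow}"
}

# Constructed sample shadow file (fake hashes, no real credentials).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:*:18000:0:99999:7:::
pi:$6$constructedsalt$constructedhash:18000:0:99999:7:::
legacy:$1$constructedsalt$constructedhash:18000:0:99999:7:::
guest::18000:0:99999:7:::
backup:!:18000:0:99999:7:::
EOF

echo "Empty password (lock with sudo passwd -l): $(empty_password_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
echo "Locked / no password login: $(locked_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
echo "Weak hash (run passwd again): $(weak_hash_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
```

Run it without an argument (as root) to audit the real /etc/shadow.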

3 – Change the default password for pi

A common mistake is to leave the default password on the pi user (raspberry)
Anyone who has ever used a Raspberry Pi knows this password
That’s why so many people are scanning SSH ports and trying to log in with pi / raspberry

Changing the default password should be the first thing to do on a new installation
Doing this is easy: log in as pi and enter this command:

passwd

Try to use a sentence of over 15 characters, to be safe against brute-force attacks and to remember it easily (e.g. iloveraspberrytips is a good password that is easy to remember ^^)

4 – Disable the pi user

As I said, pi is, along with root, one of the most brute-forced logins
Attackers have lists of commonly used logins and mainly try those

If possible, create a new user and disable the pi user to prevent this kind of attack:

  • Create a new user
    sudo adduser <username>
  • Give it sudo privileges if needed
    sudo adduser <username> sudo

    This will add your new user in the sudo group

  • Check that everything is working correctly (ssh access, sudo, …)
  • Copy files from the pi user to the new user if needed
    sudo cp /home/pi/Documents/* /home/<username>/Documents/
    ...
  • Delete the pi user (from a session logged in as your new user, not as pi)
    sudo deluser --remove-home pi

    If you prefer, you can start by locking the account (as described previously), and delete it only after a few weeks, when you’re sure everything is fine

5 – Stop unnecessary services

On a Raspberry Pi we try lots of different projects, and that can be a bad habit for security
Let’s say you installed phpMyAdmin 3 months ago to try something, but you’re not using it anymore
This leaves an entry point an attacker could use to get into your system

Try to stop or uninstall unneeded services and apps

  • To stop a service use:
    sudo service <service-name> stop

    If it starts automatically on boot, try:

    sudo update-rc.d <service-name> remove
  • Or to uninstall it, it should be something like:
    sudo apt remove <service-name>


6 – Make sudo require a password

As you may know, sudo doesn’t always ask for a password
Most of the time you don’t need to type your password again
It’s nice for productivity, but for security reasons it’s not a good idea

If someone manages to get terminal access as your Raspberry Pi main user, super-user privileges are available without a password
I recommend requiring a password when you use sudo:

  • Edit this file (using visudo instead of nano checks the syntax before saving, which avoids locking yourself out of sudo with a typo)
    sudo nano /etc/sudoers.d/010_pi-nopasswd
  • Find this line
    pi ALL=(ALL) NOPASSWD: ALL

    Or any other user, if you followed the previous steps

  • Replace it with this
    pi ALL=(ALL) PASSWD: ALL
  • Do the same for each user with sudo access
  • Save and exit (CTRL+O, CTRL+X)

7 – SSH: Prevent root login

As I said previously, root and pi are often the main targets of brute-force attacks
They usually come over SSH

So you need to make sure that root doesn’t have direct SSH access
If you need root, log in with your normal user (not pi) and then use sudo to get super-user privileges

By default, root login with a password is already disabled (prohibit-password)
You can check this:

  • Open the SSH server configuration file
    sudo nano /etc/ssh/sshd_config
  • Find this line
    #PermitRootLogin prohibit-password
  • If the value is something else, comment the line out (by adding # at the beginning) so the default applies
  • Save and exit (CTRL+O, CTRL+X)
  • Restart SSH server
    sudo service ssh restart


8 – SSH: Change the default port

The SSH default port is 22
So attackers’ bots make their login attempts on this port
To avoid most of this automated noise, you can change the default port to another one

  • Edit the SSH server configuration file
    sudo nano /etc/ssh/sshd_config
  • Find this line
    #Port 22
  • Replace the port with the one you want
    Port 1111

    Make sure you don’t take a port you use for something else
    List of known ports on Wikipedia

  • Save and exit (CTRL+O, CTRL+X)
  • Restart the SSH server
    sudo service ssh restart

Don’t forget to adjust the firewall rules if you have one
Test a new connection before closing the current one; it will save you if you made a mistake 🙂

9 – SSH: Use SSH keys instead of passwords

With the previous steps, we already block most of the script kiddies
We are now moving on to things that can protect you even against a determined attacker who wants your system specifically

A strong password slows the attack down, but it’s always possible they eventually find it, even if it takes weeks to get the correct password
What blocks this is using SSH keys instead of passwords for your SSH connections
An attacker could guess a 15-character password, but not an SSH key

The main idea is to generate a key on your computer, and then add it on the Raspberry Pi to allow a connection from your computer (with or without a passphrase)
I give you the step-by-step procedure at the end of this article

Once this is working, you can disable password-based SSH logins entirely
Change this line in the SSH configuration file we saw before, then restart the SSH server as in the previous steps:

PasswordAuthentication no
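A check for the three SSH settings from tips 7, 8 and 9, as an added example that is not from the original article. It reads sshd_config the way sshd does: the first value for a keyword wins, later duplicates are ignored, a missing keyword gets its built-in default, and lines after the first Match only apply to that block, which is why appending a line at the end of the file often does nothing. The sample config is constructed.

```sh
#!/bin/sh
# Added example (not from the original article): read the effective value of a
# keyword from an sshd_config file the way sshd does, then check the settings
# from tips 7, 8 and 9. sshd keeps the FIRST value it meets for a keyword
# (later duplicates are ignored), treats "#" lines as comments, applies a
# built-in default when the keyword is absent, and everything after the first
# "Match" line only applies to that Match block. "Keyword value" syntax assumed.

# sshd_effective FILE KEYWORD DEFAULT -> prints the value sshd will use
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match" { exit }                 # end of global section
        /^[[:space:]]*#/ || NF == 0 { next }            # comment or blank line
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# sshd_audit FILE -> one finding per weak setting, or "OK"
sshd_audit() {
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    port=$(sshd_effective "$1" Port 22)
    findings=""
    if [ "$root" = "yes" ]; then findings="${findings}PermitRootLogin is yes;"; fi
    if [ "$pass" = "yes" ]; then findings="${findings}PasswordAuthentication is yes;"; fi
    if [ "$port" = "22" ]; then findings="${findings}SSH still on port 22;"; fi
    echo "${findings:-OK}"
}

# Constructed sample: the port was changed, root login is left at its default,
# and "PasswordAuthentication no" was appended at the end of the file. That
# last line has no effect: the earlier "yes" wins, and the line also sits
# inside the Match block, so password logins are still accepted.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
#Port 22
Port 1111
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
PasswordAuthentication no
EOF
sshd_audit "$SAMPLE_SSHD"    # PasswordAuthentication is yes;
```

On a real system run `sshd_audit /etc/ssh/sshd_config`, or `sudo sshd -T | grep -i passwordauthentication` to ask sshd itself.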

10 – Install Fail2ban

Fail2ban is a tool to detect brute-force attacks and block them
In the previous steps, I said that an attacker could try to find your password for months, and maybe succeed
The main purpose of Fail2ban is to prevent this

Fail2ban blocks an attacker’s IP address if it fails to log in more than X times
You can configure the number of tries before a ban, and the ban duration
Follow these steps to install Fail2ban on your Raspberry Pi:

  • Install the package
    sudo apt install fail2ban
  • By default, Fail2ban bans an attacker for 10 minutes after 5 failures
    I think it’s OK to start with, but if you want to change this, all the configuration is in the /etc/fail2ban folder
    Mainly in /etc/fail2ban/jail.conf (put your changes in a jail.local file in the same folder rather than editing jail.conf, so package upgrades don’t overwrite them, and if you changed the SSH port in tip 8, set the same port in the sshd jail)
  • Restart the service if you made any changes
    sudo service fail2ban restart

This should really slow your attacker down
5 attempts every 10 minutes is 720 tries a day
If your password is not something like “password” or “123456789”, it should take a very long time to find it

11 – Install a firewall

If you don’t know, a firewall allows you to block all ports except the ones you need, and filter access by IP
For example, you can block everything, and just allow SSH access from your computer IP address

I usually use iptables for my firewall rules, but for a beginner it’s probably not the easiest way to do this
So I’ll explain how to install ufw (Uncomplicated FireWall), which is more straightforward, and then allow only what you need

It’s a basic configuration with HTTP access for anyone and SSH only for you, but you need to adapt it to what you want to do

  • Install the firewall package
    sudo apt install ufw
  • Allow web (Apache) access for anyone
    sudo ufw allow 80
    sudo ufw allow 443
  • Allow SSH access for your IP address only
    sudo ufw allow from 192.168.1.100 to any port 22

    Don’t forget to replace the values with your own settings
    On a local network you can get your IP address with ipconfig (Windows) or ifconfig (Linux/Mac)
    If you changed the SSH port in the previous tip (to 1111 or anything else), use that port here

  • Enable the firewall
    sudo ufw enable

    Be careful: this enables the firewall now, and also on boot
    If you lose access to your device, you won’t be able to fix it remotely, even after a reboot
    You’ll need to change the configuration directly on the Raspberry Pi (physically)

  • Check that everything is fine

To display your current rules once ufw is enabled, use this command:

sudo ufw status verbose

For more complex configurations, check the man page
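The rule set from this tip, as an added example that is not from the original article: it takes the admin address from the SSH_CONNECTION variable of the session you are working in, so enabling the firewall cannot cut off that session, adds a default-deny policy, and prints the commands for review instead of running them. The SSH_CONNECTION value in the demo is constructed.

```sh
#!/bin/sh
# Added example (not from the original article): build the ufw rules from
# tip 11 without locking yourself out. SSH_CONNECTION, set by sshd in every
# SSH session, reads "client_ip client_port server_ip server_port"; its first
# field is the address the rule must keep allowed. Commands are printed, not
# run: review them, then pipe the output into "sudo sh" to apply.

# ssh_client_ip [SSH_CONNECTION value] -> client address of the session
ssh_client_ip() {
    set -- ${1:-$SSH_CONNECTION}
    [ -n "$1" ] || { echo "not in an SSH session" >&2; return 1; }
    echo "$1"
}

# ufw_rules ADMIN_IP [SSH_PORT] -> the commands, in the order to run them
ufw_rules() {
    admin_ip=$1; ssh_port=${2:-22}
    printf '%s\n' \
        "sudo ufw default deny incoming" \
        "sudo ufw default allow outgoing" \
        "sudo ufw allow 80/tcp" \
        "sudo ufw allow 443/tcp" \
        "sudo ufw allow from ${admin_ip} to any port ${ssh_port} proto tcp" \
        "sudo ufw --force enable" \
        "sudo ufw status verbose"
}

# Constructed session value: connected from 192.168.1.100 to SSH port 1111.
DEMO_CONNECTION="192.168.1.100 51234 192.168.1.50 1111"
ufw_rules "$(ssh_client_ip "$DEMO_CONNECTION")" 1111
```

In a real session use `ufw_rules "$(ssh_client_ip)" 1111` so the address comes from your own connection; this only allows the address you are connecting from right now, so add another rule if you also connect from elsewhere.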

12 – Backup your system

One of the worst consequences of an attack is losing data
If you back up your files correctly and regularly, you’ll be safe even if the attacker destroys your SD card

I already wrote an article about how to back up and restore your Raspberry Pi, so I won’t repeat it here
But the second part is critical: make sure you can actually read your backup and that all important files are in it, otherwise it’s useless

13 – Encrypt your connections

This is a vast topic and I won’t give many details here, but I’ll give you an example
With basic protocols, data travels in clear text over the network
That is, if you type your password, an attacker listening on the network could capture it
Luckily, there are usually safer alternatives that encrypt all the data

The first thing to do is to stop using unsafe protocols (FTP, Telnet or HTTP, for example)
Then replace them with their safer equivalents (SFTP, SSH, HTTPS)

The procedure will depend on which protocols you are using with your Raspberry Pi
Let’s take the HTTP example

HTTP is fine if you only use it for static content, never type a password and have no sensitive data
But move your application to HTTPS to be safer anyway
It’s pretty simple to do: you just need a certificate and a few lines to change in the Apache or Nginx configuration
You’ll find a lot of helpful tutorials on the Internet

And most of the time it’s easy
You can switch from FTP to SFTP, as your Raspberry Pi already has SSH enabled
The same goes for Telnet: why would you need Telnet when SSH is available?

Then look at all the protocols you use with sensitive data and see what you can do to improve them

14 – Use a VPN

A more radical option is to access your Raspberry Pi through a VPN
VPN stands for Virtual Private Network and allows you to access remotely all services on your Raspberry Pi as if you were in the local network
All traffic between you and the Raspberry Pi is encrypted with a strong protocol

This is a good option to avoid opening a lot of ports to the Internet without protection
I’ll try to write an article about this one day, but you’ll find a lot of tutorials on the Internet (search for OpenVPN, for example)

15 – Protect physical access

The last protection is obvious but often ignored when we talk about security
You can configure every security protocol, firewall and VPN from all the previous steps
If your Raspberry Pi is physically accessible to anyone, it’s all useless

Make sure it (or its SD card) can’t be stolen easily, and that nobody can plug in a keyboard and screen and be logged in automatically
The steps to protect against that kind of attack depend on your system
Maybe you’ll need an auto-logoff after X minutes, a password in the GRUB boot menu, or encryption of the data on the SD card

Think about it: what is the worst thing that could happen if someone gets physical access to your Raspberry Pi?
Then find solutions to block it

16 – Check your logs regularly

The last two items in this list are not protections as such, but rather habits to keep
Most of the time, attacks are visible in the log files
So, try to read them regularly to detect any suspicious activity

All logs are in the /var/log folder, but the main log files to check are:

  • /var/log/syslog: main log file for all services
  • /var/log/messages: general system log file
  • /var/log/auth.log: all authentication attempts are logged here
  • /var/log/mail.log: if you have a mail server, you’ll find a trace of recent emails sent here
  • Any critical application log file, for example /var/log/apache2/error.log or /var/log/mysql/error.log

Some solutions are available to simplify this work
For example, you could configure syslog to send the logs to a central server, with an interface to read and filter them
You can also use logwatch to get daily reports about system activity
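A first pass over /var/log/auth.log, as an added example that is not from the original article: it summarises failed SSH password attempts per source address and per targeted account (the pi and root attempts from tips 3 and 4 show up here) and lists the accepted logins with their method, so a successful login from an unknown address stands out. It assumes the OpenSSH log format; the sample lines are constructed.

```sh
#!/bin/sh
# Added example (not from the original article): summarise SSH activity from an
# auth.log-style file, the check from tip 16 done with awk instead of reading
# the file line by line. It counts failed password attempts per source address
# and per target account, and lists accepted logins with their method.
# Assumes the OpenSSH log format shown in the constructed sample below.

failed_ssh_by_ip() {      # $1 = log file -> "count address", most active first
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i + 1)]++
         }
         END { for (a in ip) print ip[a], a }' "$1" | sort -rn
}

failed_ssh_by_user() {    # $1 = log file -> "count account", most targeted first
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "for") {
                 # "for invalid user NAME" versus "for NAME"
                 u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                 user[u]++; break
             }
         }
         END { for (u in user) print user[u], u }' "$1" | sort -rn
}

accepted_logins() {       # $1 = log file -> "method account address"
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "Accepted") print $(i + 1), $(i + 3), $(i + 5)
         }' "$1"
}

# Constructed sample log (documentation addresses, fake host name and key).
SAMPLE_AUTH=$(mktemp)
cat > "$SAMPLE_AUTH" <<'EOF'
Jan 10 03:12:01 raspberrypi sshd[1234]: Failed password for root from 203.0.113.5 port 41234 ssh2
Jan 10 03:12:03 raspberrypi sshd[1234]: Failed password for invalid user pi from 203.0.113.5 port 41236 ssh2
Jan 10 03:12:05 raspberrypi sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Jan 10 03:13:10 raspberrypi sshd[1250]: Accepted publickey for alice from 192.168.1.100 port 51234 ssh2: ED25519 SHA256:constructed
Jan 10 03:14:00 raspberrypi sshd[1260]: Failed password for root from 203.0.113.5 port 41240 ssh2
Jan 10 03:15:00 raspberrypi sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF

echo "Failed attempts by address:"; failed_ssh_by_ip "$SAMPLE_AUTH"
echo "Failed attempts by account:"; failed_ssh_by_user "$SAMPLE_AUTH"
echo "Accepted logins:";            accepted_logins "$SAMPLE_AUTH"
```

On the Raspberry Pi, point the functions at /var/log/auth.log (with sudo); the addresses at the top of the first list are the ones Fail2ban from tip 10 should already be banning.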

17 – Read the news

To keep a good security level in your projects, try to stay up to date
I see new vulnerabilities in major software every day, and it can take weeks or more before the fix is available in the Raspbian repository
If you read security news regularly, you can take action quickly to stay protected

Here are some good links to follow:

You could also use a vulnerability scanner like Nessus to find only the vulnerabilities that apply to your system
But if your project requires such a high level of security, you probably shouldn’t be running it on a Raspberry Pi 🙂

Conclusion

That’s it, you now know the main security steps to protect your Raspberry Pi
I know these are only the first steps, and that there are other important ones too, but we are talking about a Raspberry Pi, not high-availability servers with tons of confidential data
I think you already have a good protection if you implement the 17 ideas from this article

If you have any other security tips to share with us, please leave a comment below
