Raspberry Pi comes with a poor security level by default
If you use it at home or in a small network, it’s not a big deal
But if you open ports on Internet, use it as a WiFi access point, or if you install it in a bigger network, you need to take security measures to protect your Raspberry Pi
I’ll show you how to do this
How to secure a Raspberry Pi?
There are obvious steps that are logical, like setting a strong password
But there are also things you won’t think about, or more complicated to set up
I’ll show you the first 17 security tips you need to follow to get a good security level for your Raspberry Tips (and they mostly apply to all Linux systems)
It all depends on what you are doing, but it should be enough in most of the cases
Introduction
Should I follow all these tips?
As I wrote at the beginning, if your Raspberry Pi is at home, with a few services and no forwarded ports in your Internet box, you are already pretty safe
The risk level of your Raspberry Pi depends on how it’s exposed to the “real” world
You’ll not take the same measure for a Retropie game console at home, and for a DMZ in your network open on the Internet
But the 17 tips are good to know, and easy to apply, so if you share something on Internet, take 30min to read this and apply it
How I wrote this article
I selected the 17 main security tips I want to share with you, which apply to everyone who hosts a Raspberry Pi and share services on it
They are in order of risk level
If you think you are highly exposed, follow all the steps and you’ll be safe
If not too much, follow only the first ones
17 tips to secure your Raspberry Pi
1 – Keep your system updated
The first one may be obvious, but it’s an important one
With updates in the Raspbian repository, you not only get last features, but mainly security fixes for your installed softwares
Try to update your Raspberry Pi regularly with:
sudo apt update sudo apt upgrade
You can also automate this process with the unattended-upgrades package
This procedure allows you to install security fixes each day automatically:
- Install the unattended-upgrades package
sudo apt install unattended-upgrades
- Open the configuration file
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
- Change what you want in this file
By default it’ll download only security updates, but you can change this if you want to install all Debian updates, or even other repositories
I recommend to at least comment out this line:Unattended-Upgrade::Mail "root";
This will send a mail to root (or any other address if you have a mail server installed)
- Save and Exit (CTRL+O, CTRL+X)
- Then we need to set the periodic upgrade
Open this file:sudo nano /etc/apt/apt.conf.d/02periodic
- Paste these lines (the file should be empty, if not, change the values):
APT::Periodic::Enable "1"; APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::Unattended-Upgrade "1"; APT::Periodic::AutocleanInterval "1"; APT::Periodic::Verbose "2";
This will enable the automatic update every day
We ask apt to make: update, download upgrades, install upgrades, auto-clean every day
The last line is the verbose level you’ll get in the /var/log/unattended-upgrades and email (1= low, 3=max) - Save and exit (CTRL+O, CTRL+X)
- This should be ok, you can debug your configuration with this command:
sudo unattended-upgrades -d
Don’t forget to check the log file and/or the email received to assure everything is working as expected
2 – Don’t use auto-login or empty passwords
Passwords are a big part of the system security
First thing: make sure that all critical access are asking for a password
Don’t use auto login and add a login step for each application you can access directly
I’ll not list all apps, but for example, if you have a web server, make sure that personal data or administration pages are not accessible without password
Make sure that nobody uses an empty password on the Raspberry Pi
If you have few accounts, it’s easy, check all access
If you have a lot of user accounts, these commands could help you:
- Search for empty password
sudo awk -F: '($2 == "") {print}' /etc/shadowThis will display only accounts with an empty password
- Lock unsafe accounts
passwd -l <username>
3 – Change the default password for pi
A common mistake is to leave the default password on the pi user (raspberry)
Anyone who already used a Raspberry Pi know this password
So many people are scanning SSH ports and trying to login with pi / raspberry
Changing the default password should be the first thing to do on a new installation
Doing this is easy, login as pi and enter this command:
passwd
Try to use a sentence with over 15 characters to be safe against brute-force attacks, and to remember it easily (ex: iloveraspberrytips is a good password easy to remember ^^)
4 – Disable the pi user
As I said, the pi user is one of the most brute forced login with root
Hackers have a list of commonly used logins and try mainly these ones
If possible, create a new user and disable the pi user to prevent this kind of attacks:
- Create a new user
sudo adduser <username>
- Give him the sudo privilege if needed
sudo adduser <username> sudo
This will add your new user in the sudo group
- Check that everything is working correctly (ssh access, sudo, …)
- Copy files from the pi user to the new user if needed
sudo cp /home/pi/Documents/* /home/<username>/Documents/ ...
- Delete the pi user
sudo deluser -remove-home pi
If you prefer, you can start by locking the account (like said previously), and delete it only after a few weeks, when you’re sure everything is fine
5 – Stop unnecessary services
On Raspberry Pi, we do a lot of projects about everything, and it could be a bad habit for security
Let’s say you installed PHPMyAdmin 3 months ago to try something, but you’re not using it anymore
This could create a breach for an attacker that will allow him to enter your system
Try to stop or uninstall unneeded services and apps
- To stop a service use:
sudo service <service-name> stop
If it starts automatically on boot, try:
sudo update-rc.d <service-name> remove
- Or to uninstall it, it should be something like:
sudo apt remove <service-name>
6 – Make sudo require a password
As you should know, sudo not always asks for a password
Most of the time you don’t need to type your password again
It’s cool for productivity, but for security reasons it’s not a good idea
If someone succeeds to get terminal access to your Raspberry Pi main user, super-user privileges will be accessible without password
I recommend you to ask for a password when you use sudo:
- Edit this file
sudo nano /etc/sudoers.d/010_pi-nopasswd
- Find this line
pi ALL=(ALL) NOPASSWD: ALL
Or any other users if you followed the previous steps
- Replace by this
pi ALL=(ALL) PASSWD: ALL
- Do the same for each user with sudo access
- Save and exit (CTRL+O, CTRL+X)
7 – SSH: Prevent root login
As I said previously, root and pi users are often the main target for brute-force attacks
It’s usually with SSH
So you need to make sure that root don’t have a direct SSH access
If you need root, login with your normal user (not pi) and then use sudo to get super-user privileges
By default, root access is disabled
You can check this:
- Open the SSH server configuration file
sudo nano /etc/ssh/sshd_config
- Find this line
#PermitRootLogin prohibit-password
- If you have something else, comment this line (by adding # at the beginning)
- Save and exit (CTRL+O, CTRL+X)
- Restart SSH server
sudo service ssh restart
8 – SSH: Change the default port
The SSH default port is 22
So basically, attackers will create bots to make login attempts on this port
To prevent this, you can change the default port and set another one
- Edit the SSH server configuration file
sudo nano /etc/ssh/sshd_config
- Find this line
#Port 22
- Replace the port by what you want
Port 1111
Make sure you don’t take a port you use for something else
List of known ports on Wikipedia - Save and exit (CTRL+O, CTRL+X)
- Restart your server
sudo service ssh restart
Don’t forget to adjust the firewall rules if you have one
Make a new connection test before closing the current one, it could help you if you made a mistake 🙂
9 – SSH: Use SSH keys instead of passwords
With the previous steps, we already block most of the script kiddies
We are now moving to things that could protect you even if you are facing a strong hacker that wants only your system
Using a strong password will slow his attack, but it’s always possible he finds it, even if it takes weeks to get the correct password
What you could do to block him, is to use SSH keys instead of password for your SSH connections
An attacker could guess a 15 characters password, but not an SSH key
The main idea is to generate a key on your computer, and then to add it on the Raspberry Pi to allow a connection from your computer (with or without a password)
I give you the step-by-step procedure at the end of this article
Once this is working, you could disable SSH connections with password only
Change this line in the SSH configuration file we saw before:
PasswordAuthentication no
10 – Install Fail2ban
Fail2ban is a tool to detect brute-force attacks and block them
In the previous steps, I said that an attacker could try to find you password during months, and maybe he could succeed
The main purpose of Fail2ban is to avoid this
Fail2ban will block attackers IP if they fail to login more than X times
You can configure the number of tries before a ban, and the ban duration
Follow these steps to install Fail2ban on your Raspberry Pi:
- Install the package
sudo apt install fail2ban
- By default fail2ban will ban attacker 10min after 5 failures
I think it’s ok to start, but if you want to change this, all the configuration is in the /etc/fail2ban folder
Mainly in /etc/fail2ban/jail.conf - Restart the service if you made any changes
sudo service fail2ban restart
This should really slow your attacker
5 attempts every 10 minutes, it’s 720 tries a day
If your password is not like “password” or “123456789” it should take a long time to find it
11 – Install a firewall
If you don’t know, a firewall allows you to block all ports except the ones you need, and filter access by IP
For example, you can block everything, and just allow SSH access from your computer IP address
I’m used to install iptables for my firewall rules, but maybe for a beginner it’s not the easiest way to do this
So I’ll explain you how to install ufw (Uncomplicated FireWall), which is more straightforward, and then allow only what you need
It’s a basic configuration with HTTP access for anyone, and SSH only for you, but you need to adapt this to what you want to do
- Install the firewall package
sudo apt install ufw
- Allow apache access for anyone
sudo ufw allow 80 sudo ufw allow 443
- Allow SSH access for your IP address only
sudo ufw allow from 192.168.1.100 port 22
Don’t forget to replace values with your own settings
On a local network you can get your ip address with ipconfig (Windows) or ifconfig (Linux/Mac)
If you change the SSH port in the previous step (by 1111 or anything else), replace it here - Enable the firewall
sudo ufw enable
Be careful, this will enable the firewall now, and also on boot
If you lose access to your device, you’ll not be able to fix this, even after a reboot
You’ll need to change the configuration directly on the Raspberry Pi (physically) - Check that everything is fine
To display your current rules once ufw enabled, use this command:
sudo ufw status verbose
For more complex configurations, check the man page
12 – Backup your system
One of the worst consequence of an attack, is to lose data
If you backup correctly and regularly your files, you’ll be safe even if the hacker destroys your SD card
I already wrote an article about how to back up and restore your Raspberry Pi, so I’ll not repeat here
But the second part is critical, assure than you can read your backup and that all important files are inside, otherwise it’s useless
13 – Crypt your connections
This is a vast topic and I’ll not give many details about this, but I’ll give you an example
With basic protocols, data flows in clear on the network
That’s to say, if you type your password, a hacker could get it while listening the network
Luckily, there are often other protocols that work safer, by encrypting all the data
The first thing to is to stop using unsafe protocols (FTP, Telnet or HTTP for example)
And then try to replace them by safer access (SFTP, SSH, HTTPS)
The procedure will depend on which protocols you are using with your Raspberry Pi
Let’s take the HTTP example
HTTP is cool if you only use it for static content, you never type a password, and don’t have sensitive data
But move your application to use the HTTPS protocol to be safer anyway
It’s pretty simple to do, you just need a certificate and change lines in the Apache or Nginx configuration
You’ll find a lot of helpful tutorials on the Internet
And most of the time it’s easy
You can switch from FTP to SFTP as your Raspberry Pi already have SSH enable
The same for Telnet, why do you need Telnet whereas SSH is available?
Then look for all the protocols you are using with sensitive data and what you can do to improve it
14 – Use a VPN
A more radical option is to access your Raspberry Pi through a VPN
VPN stands for Virtual Private Network and allows you to access remotely all services on your Raspberry Pi as if you were in the local network
All flows between you and the Raspberry Pi will be encrypted by a strong protocol
This is a good option to prevent opening a lot of ports on the Internet without security
I’ll try to write an article about this one day, but you’ll find a lot of tutorials on Internet (search for OpenVPN for example)
15 – Protect physical access
The last protection is obvious but often ignored when we talk of security
You can configure any security protocols, firewall and VPN from all the steps before
If your Raspberry Pi is physically accessible by anyone, it’s useless
Make sure that can’t be stolen easily (or the SD card), or that nobody could come plug a keyboard and screen and be logged in automatically
The steps to implement to protect that kind of attack will depend on your system
Maybe you’ll need an auto logoff after X minutes, a password in the grub boot menu or encrypt data on the SD card
Think about it, what could be the worst thing that could happen if someone gets access physically to your Raspberry Pi?
And find solutions to block him
16 – Check your logs regularly
The last two item from this list are not other protections, but more a commitment to follow
Most of the time, attacks are visible in the log files
So, try to read them regularly to detect any suspicious activity
All logs are in the /var/log folder, but the main log files to check are:
- /var/log/syslog: main log file for all services
- /var/log/message: whole systems log file
- /var/log/auth.log: all authentication attempts are logged here
- /var/log/mail.log: if you have a mail server, you’ll find a trace of recent emails sent here
- Any critical application log file, for example /var/log/apache2/error.log or /var/log/mysql/error.log
Some solutions are available to simplify this work
For example, you could configure syslog to send logs to a master server, with an interface to read them, filter, etc …
You can also use logwatch to get daily reports about the system operation
17 – Read the news
To keep a good security level in your projects, try to stay constantly updated
I see new vulnerabilities in a lot of majors softwares every day, and it could take weeks or more to have the fix available in the Raspbian repository
If you read security news regularly, you could take action quickly to stay protected
Here are some good links to follow:
You could also use a vulnerability scanner like Nessus to find only the vulnerabilities that apply to your system
But if your project requires a so high level of security, you probably should not stay on Raspberry Pi 🙂
Conclusion
That’s it, you now know the main security steps to protect your Raspberry Pi
I know it’s only the first steps, and that there are other important too, but we are talking about Raspberry Pi, not high availability servers with tons of confidential data
I think you already have a good protection if you implement the 17 ideas from this article
If you have any other security tips to share with us, please leave a comment below