3 steps to take to improve the security of your Raspberry Pi server
About: The latest version of Raspbian disables SSH by default to improve the security of the Raspberry Pi. This is a great step toward improving internet and network security and I congratulate the Raspberry Pi team for moving forward with it and making it super easy to enable SSH by simply adding an empty file called “ssh” to the /boot/ directory.
Enabling SSH allows you to use your Raspberry Pi headless, meaning you can use it without a keyboard and monitor by connecting to it from another computer. The problem with enabling SSH on your Raspberry Pi server is that if you expose the server to the internet you will notice many hackers attempting to connect to it and guess your credentials with brute-force attacks.
I will show you 3 things you can do today to improve the security of your Raspberry Pi server if you have SSH enabled. These steps improve your Raspberry Pi’s security as well as that of your personal network. We will learn how to change the default SSH port number, install Fail2Ban to ban IP addresses that attempt to brute-force our user passwords, and finally I will show you how to create SSH keys so that only a computer holding the matching private key will be able to access your Raspberry Pi server.
Objective: To improve security on the Raspberry Pi by changing the SSH port number, installing Fail2Ban and generating SSH keys
Material: You will need the following:
- Raspberry Pi (Click the link to check out the price on Amazon. Usually around $37 with free shipping)
If you have SSH enabled on port 22 (the default SSH port) hackers can scan your network looking for an open port 22. They can then attempt to brute-force your username and password and, if they succeed, use the Raspberry Pi as a foothold into the rest of your network.
Changing your SSH port only helps against scanners that look at default ports. Tools that sweep every port will still find it, and services such as Shodan also index many non-standard ports, so treat this as noise reduction rather than protection: you will still need a strong password and should use SSH keys to improve security further. What changing the port reliably does is cut down the number of automated probe attempts that hit your SSH service, which keeps your logs readable and Fail2Ban less busy, and it keeps you out of the lists of machines listening on port 22. One caveat: ports above 1023 can be bound by any local user, so on a multi-user machine another process could grab the port while sshd is stopped; on a single-user Pi this is rarely a concern.
Start off by opening the terminal on your Raspberry Pi or by connecting to it over SSH. Type the following command to open the SSH configuration file with nano (basic text editor):
sudo nano /etc/ssh/sshd_config
You should see a line called Port 22 (on some Raspbian releases it is commented out as #Port 22; remove the # when you edit it). This is the line we want to change. Simply change the port number from 22 to any number you like. I recommend a port number higher than 1024, it must be no higher than 65535, and it must not already be in use by another service on the Pi. Look at the before and after images below of the sshd_config file. You can see I changed my SSH port number from 22 to 12148.
After changing the port number hit CTRL+X, then Y, then Enter to save the configuration file. After you do this restart your SSH service with the following command:
sudo service ssh restart
That’s it! You have now updated your Raspberry Pi’s SSH port number. Keep your current session open and test a new connection on the new port from a second terminal before you close it, so that a typo cannot lock you out. The next time you want to connect to your Raspberry Pi over SSH you will need to give the client this new port number. You will also need to update the port-forwarding rule on your router if you want to connect to your Raspberry Pi over SSH from outside your network.
Fail2Ban is a daemon that scans defined log files and bans IP addresses that show signs of malicious activity. It protects your Raspberry Pi from repeated password failures and from hackers probing for exploits. It is a must-have tool to protect you from intruders on your server or network, especially if you allow SSH or any other traffic from an outside network to reach your Raspberry Pi. Fail2Ban supports a lot of services (sshd, apache, qmail, proftpd, sasl, asterisk, etc.) and integrates with iptables.
Fail2Ban is very easy to install and set up and will drastically improve security on your Raspberry Pi. It works by monitoring your logs for failures and, depending on the settings you choose, banning an IP address for a set amount of time once it has failed to log in too often. It is a great tool and a must-have to protect you from brute-force attacks.
Open up your terminal on the Raspberry Pi and install Fail2Ban by typing the following commands:
sudo apt-get update
sudo apt-get install fail2ban
The default settings for Fail2Ban are located in ‘/etc/fail2ban/jail.conf’, where you can see the settings for the many services it can protect. However, do not edit ‘/etc/fail2ban/jail.conf’ itself: it is replaced when the package is upgraded, so your changes would be lost. Instead put your configuration in ‘/etc/fail2ban/jail.local’, which overrides the matching settings in jail.conf.
Lets edit our SSH Fail2Ban configurations. Open up the ‘/etc/fail2ban/jail.local’ file with the following command:
sudo nano /etc/fail2ban/jail.local
Your jail.local file should be empty, because it does not exist yet and nano creates it. Add the following settings. The [ssh] header is required; it tells Fail2Ban which jail the settings belong to. This is the jail name used by Fail2Ban 0.8 on Raspbian Jessie; Fail2Ban 0.9 and later call the jail [sshd], so use that header there and the same settings still apply:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3
After pasting the settings hit CTRL+X and then Y to save the configuration file. Below is what each line in the configuration means and what you can edit.
enabled: Turns the jail on or off.
port: The port Fail2Ban blocks for this service. If you use the default port you can write the service name, ssh. If you changed your SSH port you must write the new number here, 12148 in my example. With banaction = iptables-allports the ban blocks every port anyway, but set it correctly so the jail keeps working if you later switch to a port-specific action such as iptables-multiport.
filter: The name of the file in ‘/etc/fail2ban/filter.d’ (without the .conf extension) that contains the failregex used to parse the log file.
logpath: The log file Fail2Ban watches. On Raspbian sshd logs to /var/log/auth.log.
bantime: The length of time in seconds that the IP address will be banned for. In my example I used ‘900’ seconds, which is 15 minutes. If you want to ban an IP address permanently, set the bantime to ‘-1’.
banaction: The action taken when banning an IP address. iptables-allports blocks the offending address on every port, not only SSH.
findtime: The window, in seconds, within which failures are counted. For example, with maxretry set to three, an IP is banned only if three failed log-in attempts from it fall within one findtime window; failures spread further apart than that never add up to a ban.
maxretry: How many failed attempts a single IP may make within findtime before a ban is imposed.
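To make the interplay of findtime and maxretry concrete, here is an added example, my own illustration rather than Fail2Ban’s code, that applies the same rule to a few constructed auth.log lines using only sh and awk: an IP is banned once it has maxretry “Failed password” lines inside one findtime window. The log lines, the IP addresses (documentation ranges) and the timestamps are all constructed, and the script assumes every line is from the same day, so it parses only the time of day.

```shell
#!/bin/sh
# Added example, not part of the original post and not Fail2Ban's own code.
# find_brute_forcers LOGFILE FINDTIME MAXRETRY
#   Prints, one per line, every IP that has MAXRETRY "Failed password" lines
#   within some FINDTIME-second window, in the order the bans would fire.
# Assumption: all lines are from the same day, so only HH:MM:SS is parsed.
find_brute_forcers() {
    awk -v findtime="$2" -v maxretry="$3" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, h, ":")                      # $3 is the HH:MM:SS field
            t = h[1] * 3600 + h[2] * 60 + h[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || (ip in banned)) next   # already banned: ignore
            n[ip]++
            ts[ip, n[ip]] = t
            # Count this IP''s failures inside the window that ends now.
            c = 0
            for (j = 1; j <= n[ip]; j++) if (t - ts[ip, j] <= findtime) c++
            if (c >= maxretry) { banned[ip] = 1; print ip }
        }
    ' "$1"
}

# Constructed sample of /var/log/auth.log (not captured from a real host).
# 203.0.113.5 fails three times in six seconds; 198.51.100.7 fails three
# times but spaced 35-40 minutes apart, outside a 15-minute findtime.
log=$(mktemp)
cat > "$log" <<'EOF'
Jan 10 12:00:01 raspberrypi sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Jan 10 12:00:03 raspberrypi sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Jan 10 12:00:07 raspberrypi sshd[1238]: Failed password for pi from 203.0.113.5 port 51444 ssh2
Jan 10 12:05:00 raspberrypi sshd[1240]: Failed password for pi from 198.51.100.7 port 40000 ssh2
Jan 10 12:40:00 raspberrypi sshd[1242]: Failed password for pi from 198.51.100.7 port 40001 ssh2
Jan 10 13:20:00 raspberrypi sshd[1244]: Failed password for pi from 198.51.100.7 port 40002 ssh2
Jan 10 13:21:00 raspberrypi sshd[1246]: Accepted publickey for pi from 192.0.2.20 port 50000 ssh2: RSA SHA256:constructed
EOF

echo "banned with findtime=900 maxretry=3 (the jail.local values above):"
find_brute_forcers "$log" 900 3
echo "banned with findtime=7200 maxretry=3 (a two-hour window):"
find_brute_forcers "$log" 7200 3
```

With the 900-second window only 203.0.113.5 is banned; widening findtime to two hours also catches the slow attacker at 198.51.100.7, which is the trade-off you are making when you pick these numbers.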
Restart Fail2Ban with the following command to make your configuration settings live:
sudo service fail2ban restart
At this point Fail2Ban is configured and your server is protected from brute-force attacks. Older Fail2Ban releases keep bans only in memory, so they are cleared when Fail2Ban restarts or the Pi reboots; newer releases record them in a database and restore them on start. If you manage to ban yourself, you can restart your Raspberry Pi (on a version that persists bans you will have to wait out the bantime or unban yourself from the console).
You can check the iptables rules Fail2Ban has installed with the following command to see all your banned IP addresses (the chain is called fail2ban-ssh on Fail2Ban 0.8; newer releases name it f2b-sshd):
sudo iptables -L -n --line-numbers
If you need to unban an IP address you can delete its rule from the chain with the command below, changing the number to the line you want to remove. Be aware that this removes the rule behind Fail2Ban’s back, so its own record of the ban remains; the cleaner way is the unbanip command of the fail2ban-client tool, which updates both:
sudo iptables -D fail2ban-ssh 1
SSH keys are a secure way of connecting to a server without needing a password. A key pair is generated: the private key stays on our main computer and the public key is placed on the server, in this case our Raspberry Pi. ssh-keygen will not generate RSA keys shorter than 1024 bits and creates 2048-bit keys by default (recent OpenSSH releases default to 3072). Use at least 2048 bits for a server; 4096 bits is fine if you want extra margin, and Ed25519 keys are a good modern alternative.
SSH keys allow you to log in to your server without a password: the client proves it holds the private key and the server checks that proof against the public key in authorized_keys. This is safer because a private key cannot be guessed the way a password can, so brute-force attempts are futile. You can additionally protect the private key with a passphrase, meaning an attacker would need both the key file and the passphrase to connect. Combined with password logins disabled (see the end of this post), a passphrase-protected key means a stolen laptop or key file alone does not get anyone into the server.
First we will generate the SSH key on the main computer that we will use to connect to our Raspberry Pi. I will assume you are using a Linux-based computer. Look up how to generate SSH keys on Windows or macOS if that’s what you are using. I am using Linux Mint so this tutorial will show you how to generate SSH keys using Linux. Start off by opening the terminal on your computer.
Type the following command to generate an SSH key. We will generate a 2048-bit RSA key for SSH protocol version 2:
ssh-keygen -b 2048 -t rsa
Once you type that command in you will be prompted for where to save the keys. Simply hit Enter to accept the default location. You will then be asked for a passphrase: type one and confirm it, or hit Enter twice to leave the key unprotected.
Entering a passphrase is up to you. It improves your server’s security because a hacker would need to steal your private SSH key and also know the passphrase. The downside is that you need to enter the passphrase every time you connect to your server (an SSH agent can remember it for the length of your desktop session). This may not be a big deal if you don’t log in to your server often; however, if you lose or forget your passphrase there is no way to recover it. If password logins are still enabled on the Pi you can simply generate a new key pair and upload the new public key; if you have disabled them (see below) and have no other key, you will need to hook up a monitor and keyboard and replace the key in authorized_keys locally.
Your SSH keys should now be located in ~/.ssh. If you list that directory you should see 2 files:
id_rsa.pub : This is your public key and will be transferred to your server.
id_rsa : This is your private key, which must remain on the main computer you will use to connect to your server. Never copy it to the server or anywhere else.
Now go ahead and SSH to your Raspberry Pi and run the following commands to create a ‘.ssh’ folder and an ‘authorized_keys’ file with the permissions sshd requires:
mkdir ~/.ssh
touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/authorized_keys
The mkdir command creates a directory called ‘.ssh’ in your home directory, touch creates an empty ‘authorized_keys’ file inside it, and the two chmod lines restrict the directory and the file so that only your user can read or write them. Do not skip the chmod lines: with its default StrictModes setting, sshd ignores an authorized_keys file, or a .ssh directory, that is writable by other users, and key logins will silently fail.
Go back to your main computer and type the following command to transfer the public RSA key to the Raspberry Pi. We will append the contents of the public key to the authorized_keys file we created on the Raspberry Pi earlier:
cat ~/.ssh/id_rsa.pub | ssh -p 22 pi@<pi-ip-address> 'cat >>.ssh/authorized_keys'
Replace <pi-ip-address> with the IP address of your server, and pi with your username if you are not using the default Raspbian user. If you changed your SSH port number, change the 22 after -p to the port you are using. You will be asked for your Pi user’s password one last time; once the command completes, your computer can authenticate to the Raspberry Pi with the key and you will not need the password again, though you will have to enter the key’s passphrase if you chose to set one earlier. On most Linux systems the ssh-copy-id tool does the same thing in one step. Note that this command appends blindly, so running it twice adds the same key twice.
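The append-over-ssh command above relies on you having created the file and set the permissions by hand, and it adds a duplicate if you run it again. The following added example, my own code rather than part of the original steps or of OpenSSH, is the server-side equivalent written as a sh function: it creates ~/.ssh and authorized_keys with the permissions sshd requires, accepts only lines that look like OpenSSH public keys, and skips keys that are already present. The home directory it works on is a temporary directory and the key strings are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not part of the original post and not OpenSSH's own code.
# install_pubkey PUBKEY_LINE HOME_DIR
#   Returns 0 if the key was added, 2 if it was already present,
#   1 if the line does not look like an OpenSSH public key.
install_pubkey() {
    key="$1"
    home="$2"
    # A public key line is "<type> <base64> [comment]". Reject anything else
    # so a pasted private key or a blank line never lands in authorized_keys.
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    # Same layout and permissions as the manual mkdir/touch/chmod steps.
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # Compare on type and key material only, so the same key with a different
    # trailing comment is still recognised as a duplicate.
    keyid=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' \
            "$home/.ssh/authorized_keys"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# Demo on a temporary "home directory" with a constructed key line;
# the base64 part is a placeholder, not real key material.
demo_home=$(mktemp -d)
pubkey="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nstructedExampleKeyNotReal user@laptop"
install_pubkey "$pubkey" "$demo_home" && echo "key installed"
install_pubkey "$pubkey" "$demo_home" || echo "second run skipped, status $?"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
```

Run it over ssh exactly as the page does with cat, or copy it to the Pi and call it with the key line and your home directory; the exit status tells you whether anything changed.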
Make sure you are able to log in without using a password, and you are done. For extra security you can turn off password authentication on the Raspberry Pi. This disables password logins over SSH for every user, so it is important that your key login works before you disable it. Keep your current SSH session open while you test the change from a second terminal; if something is wrong you can still undo it from the open session.
Disabling password authentication is not required but takes security a step further. If you choose to do this step, log in to your Raspberry Pi and open /etc/ssh/sshd_config with nano as you did when changing the port.
Look for the line that says ‘#PasswordAuthentication yes’. Uncomment it by removing the # and change the yes to no. While you are there, check that ChallengeResponseAuthentication is set to no (it is on Raspbian by default); if it is yes, sshd will still offer a password prompt through PAM even with PasswordAuthentication off. Save the file by hitting CTRL+X, then Y for yes, then Enter.
Now just restart the SSH service with the following command:
sudo /etc/init.d/ssh restart
You should now be able to log in to your server using SSH keys, and password attempts from the internet will be rejected outright.
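Both the Port change at the start of this post and the PasswordAuthentication change here edit /etc/ssh/sshd_config by hand, where the directive is often commented out and sshd only honours the first occurrence before any Match block. As an added example, my own script and not something from the original post or from OpenSSH, here is a pair of sh functions that make such a change on a file and read back the value sshd will actually use, tried on a constructed, abbreviated copy of sshd_config in a temporary directory; the port wrapper refuses values outside 1024-65535 before touching the file. After editing the real file, run sudo sshd -t to check the syntax before restarting the service.

```shell
#!/bin/sh
# Added example, not part of the original post and not OpenSSH's own tooling.

# set_sshd_option CONFIG KEY VALUE
#   Replaces the first "KEY ..." or "#KEY ..." line that appears before any
#   Match block with "KEY VALUE". If there is none, the directive is inserted
#   before the first Match block (or appended), because sshd treats options
#   after a Match line as belonging to that block. Keys are matched exactly
#   (sshd itself is case-insensitive; this example assumes the stock spelling).
set_sshd_option() {
    config="$1"
    awk -v key="$2" -v value="$3" '
        function emit() { print key " " value; done = 1 }
        !inmatch && $1 == "Match" { inmatch = 1; if (!done) emit() }
        !inmatch && !done {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # drop indentation and a leading #
            split(line, f, /[ \t]+/)
            if (f[1] == key) { emit(); next }
        }
        { print }
        END { if (!done) emit() }
    ' "$config" > "$config.tmp" && mv "$config.tmp" "$config"
}

# get_sshd_option CONFIG KEY DEFAULT
#   Prints the value sshd will use for KEY: the first active (uncommented)
#   occurrence before any Match block, or DEFAULT if there is none.
get_sshd_option() {
    awk -v key="$2" -v def="$3" '
        $1 == "Match" { exit }
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# set_ssh_port CONFIG PORT: validate the number first so a typo cannot
# leave sshd on a privileged, invalid or in-use-by-convention port.
set_ssh_port() {
    case "$2" in
        *[!0-9]*|'') echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$2" -lt 1024 ] || [ "$2" -gt 65535 ]; then
        echo "port must be between 1024 and 65535" >&2
        return 1
    fi
    set_sshd_option "$1" Port "$2"
}

# Constructed, abbreviated stand-in for /etc/ssh/sshd_config.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
# Constructed sample config
#Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF

set_ssh_port "$demo/sshd_config" 12148
set_sshd_option "$demo/sshd_config" PasswordAuthentication no
echo "Port: $(get_sshd_option "$demo/sshd_config" Port 22)"
echo "PasswordAuthentication: $(get_sshd_option "$demo/sshd_config" PasswordAuthentication yes)"
# On the real file: sudo sshd -t && sudo service ssh restart
```

The sample deliberately includes a Match block so you can see that the global PasswordAuthentication line is the one rewritten while the per-user override inside the block is left alone, which is exactly how sshd would read it.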
If you have any comments or concerns please let me know in the comments below. Also if you have any other recommendations to improve security on the Raspberry Pi please let me know.