5 Best Basic Security tips and tricks every Raspberry Pi user needs to take


Security on the Raspberry Pi is often overlooked, especially with the rise of IoT (Internet of Things) gadgets and every device being connected to the internet. Today I will show you some easy tips and tricks you can use to improve the security of your Raspberry Pi. I recently wrote an article about 3 steps to take to improve your SSH security on the Raspberry Pi. Today’s focus is on the basics: general security tips and tricks that you should apply on every Pi setup. The following steps should be done by new and experienced Raspberry Pi users and will improve the security of your system ten-fold.

I will discuss how to delete the default Raspberry Pi ‘pi’ user as well as how to change the password for any other users you create. This is a good first step because if a hacker identifies that your system is running the Raspbian distro, they can assume that there is a user called ‘pi’ on the system and begin trying to crack that user’s password. Deleting the default ‘pi’ user and creating a new Raspberry Pi username and password will make it much harder to gain access to your system.

I will also discuss installing Fail2Ban, which blocks hackers from brute-forcing your username and password. It bans the hacker’s IP address if they fail to log in to your system, so they cannot try an unlimited number of usernames and passwords to gain access. Another item I will discuss is setting up unique SSH keys, which allows only clients that have the keys you generated to log in to your Raspberry Pi. This is one of the most secure ways of logging into your Raspberry Pi because only computers that you give the generated key file will be able to log in, and anyone who doesn’t have the key file will be blocked.

The final security tip and trick I will show you is how to set up automated security updates. This is great if you are using your Raspberry Pi as a server and don’t access it often. All Raspbian security updates will be downloaded and applied in the background so you know you are running the latest and most secure software.

Objective

To learn about and perform basic security steps that improve the overall security of our Raspberry Pi system.

Material

You will need the following:

1. Remove the default ‘pi’ user from your Raspberry Pi

The first Raspberry Pi tip and trick I will be showing you is removing the default ‘pi’ user from your Raspberry Pi. You will first need to login to the ‘pi’ user and create your new user. I will be creating a user with the username ‘dayz’ in my example. After that we will be able to delete the ‘pi’ user.

Go ahead and open a terminal window or SSH into your Raspberry Pi and run the following command to create your new user (Use the sudo command to run the command as a root user):

You will be asked to enter a password for your new user, enter in the new password and then hit Enter and confirm your password by typing it again. It will ask you to enter the Full Name of this user as well as other information like a Phone number. You can just hit Enter to leave these values blank or you can fill them out.

Once you get the ‘Is this information correct [Y/n]’ screen you can type Y and then hit Enter.

Now that you have created your new user, you can log in as that user with the password you created earlier, and we can delete the default ‘pi’ user. Log in as your newly created user and type the following command (Use the sudo command to run the command as root):

Note: The -r flag will remove the home folder for the ‘pi’ user. Be sure to save any files in this folder if you have anything important in them. You can also remove the ‘-r’ flag if you want to keep the home folder.
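
A check worth running before the deletion step above, as an added example that is not from the original article: it confirms that the replacement account exists and is in the sudo group, so removing ‘pi’ does not leave the system without an administrator. It assumes sudo rights are granted through the `sudo` group; the function names and the sample files are made up for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check before deleting the default 'pi' account.
# Works on passwd(5)/group(5)-format files, so it can be tried on copies.

# user_exists FILE USER -> exit 0 if USER has an entry in FILE
user_exists() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# in_group FILE GROUP USER -> exit 0 if USER is a listed member of GROUP
# (checks the member list in field 4, which is where "sudo" members live)
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$1"
}

# safe_to_remove_pi PASSWD GROUP NEWUSER -> prints a verdict; exit 0 only when
# removing 'pi' would still leave NEWUSER able to use sudo.
safe_to_remove_pi() {
    if ! user_exists "$1" pi; then
        echo "nothing to do: no 'pi' account"; return 0
    fi
    if ! user_exists "$1" "$3"; then
        echo "blocked: '$3' does not exist yet"; return 1
    fi
    if ! in_group "$2" sudo "$3"; then
        # Assumption: sudo rights come from membership of the 'sudo' group.
        echo "blocked: '$3' is not in the sudo group (sudo usermod -aG sudo $3)"; return 1
    fi
    echo "ok: '$3' can use sudo, 'pi' can be removed"
}

# Constructed sample data (not from a real system): dayz exists but lacks sudo.
demo=$(mktemp -d)
printf '%s\n' 'pi:x:1000:1000::/home/pi:/bin/bash' \
              'dayz:x:1001:1001::/home/dayz:/bin/bash' > "$demo/passwd"
printf '%s\n' 'sudo:x:27:pi' 'users:x:100:pi,dayz' > "$demo/group"
safe_to_remove_pi "$demo/passwd" "$demo/group" dayz || true
rm -rf "$demo"
# On a live system: safe_to_remove_pi /etc/passwd /etc/group dayz
```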

2. Change the default Raspberry Pi user ‘pi’ password

I highly suggest removing the ‘pi’ user if you can, but if for any reason you do not want to or can’t, the next best thing is to change the password.

Login to the Raspberry Pi with your ‘pi’ user and open a terminal window and type the following command to change your password:

You will be prompted to enter your current password followed by the new password. I suggest using a strong password that you can remember, or using a password generator and writing your password down if you will not be logging into the system often.

Once your password is changed you will get the following message:

Your password change will take effect immediately.

3. Install Fail2Ban to ban brute-force attempts on our Raspberry Pi

Fail2Ban is very easy to install and set up and will drastically improve security on your Raspberry Pi. Fail2Ban works by monitoring your logs for failures and, depending on the settings you configure, it will ban or time out an IP address for a certain amount of time if it fails to log in to your server. It is a great tool and a must-have to protect you from brute-force attacks. If you want to find out more information about Fail2Ban, check out my article here. It goes into more detail as to what exactly we will be doing and covers more configuration options.

Let’s install Fail2Ban by typing the following commands after opening a terminal window or logging in through SSH:

The initial settings for Fail2Ban are located at ‘/etc/fail2ban/jail.conf’. There you can see the default settings for the many services that can be protected. However, do not edit any of these settings in your ‘/etc/fail2ban/jail.conf’ file. You will want to edit the ‘/etc/fail2ban/jail.local’ file and add your configurations there.

Let’s edit our SSH Fail2Ban configuration. Open up the ‘/etc/fail2ban/jail.local’ file with the following command:

Your jail.local file should be empty. Let’s add the following settings:

After pasting the settings hit CTRL+X and then Y to save the configuration file.

Restart Fail2Ban with the following command to make your configuration settings live:

At this point Fail2Ban is configured and your server will be protected from brute-force attacks; however, all bans will be cleared upon restarting Fail2Ban or rebooting the server. If you manage to ban yourself, you can simply restart your Raspberry Pi.
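
How the log monitoring described in this section works, shown as an added example rather than Fail2Ban's own code: it counts failed SSH password attempts per source address in auth.log-style lines, lists the addresses that reach a retry limit, and shows which account names were guessed. The log lines are constructed and the function names are hypothetical; unlike Fail2Ban, it counts over the whole file rather than within a time window.

```sh
#!/bin/sh
# Added example: the counting idea behind a Fail2Ban SSH jail, in awk.
# Simplification: counts over the whole file, not a sliding time window.

# write_sample_log PATH -> writes constructed auth.log lines (documentation IPs)
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:01 raspberrypi sshd[1201]: Failed password for pi from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:04 raspberrypi sshd[1201]: Failed password for pi from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:09 raspberrypi sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:15:12 raspberrypi sshd[1205]: Failed password for pi from 203.0.113.7 port 51133 ssh2
Mar  3 10:20:40 raspberrypi sshd[1260]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 10:31:02 raspberrypi sshd[1301]: Failed password for dayz from 192.168.1.20 port 50222 ssh2
Mar  3 10:31:10 raspberrypi sshd[1301]: Accepted password for dayz from 192.168.1.20 port 50222 ssh2
EOF
}

# failed_by_ip LOG -> "COUNT IP" per source address, highest count first
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
             hits[ip]++
         }
         END { for (ip in hits) print hits[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# would_ban LOG MAXRETRY -> addresses whose failures reached MAXRETRY
would_ban() {
    failed_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# tried_users LOG -> "COUNT NAME" for each account name that was guessed
tried_users() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i < NF; i++) if ($i == "for") break
             u = ($(i + 1) == "invalid" && $(i + 2) == "user") ? $(i + 3) : $(i + 1)
             names[u]++
         }
         END { for (u in names) print names[u], u }' "$1" | sort -k1,1nr -k2,2
}

log=$(mktemp)
write_sample_log "$log"
echo "would be banned at maxretry=3:"; would_ban "$log" 3
echo "account names tried:"; tried_users "$log"
rm -f "$log"
```

In the sample, the default ‘pi’ name is the one guessed most often, and a single mistyped password from 192.168.1.20 stays below the limit.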

4. Perform Security Updates automatically on the Raspberry Pi

Keeping up with security on your Raspberry Pi requires some maintenance: periodically checking for and applying security upgrades. This can be troublesome if you are using your Raspberry Pi as a server and don’t access it on a regular basis. There is a solution. You can set up a cron schedule to check for and perform updates using the ‘apt-get update’ and ‘apt-get upgrade’ commands, but these commands will upgrade all your software too. This can be an issue because some updated software can break other programs running in the background. Since we are focusing on easy security tips and tricks, we will be installing ‘unattended-upgrades’.

Let’s install unattended-upgrades with the following command:

Once the unattended-upgrades package is installed, we will want to configure it. There are a few configurations we can perform. Type the following command to edit the configuration file for unattended-upgrades:

The packages that we want to upgrade are listed between the braces of Unattended-Upgrade::Origins-Pattern { } in the configuration file. You will either need to uncomment the Raspbian line or add the following line to perform only Raspbian Jessie security updates:

Your Unattended-Upgrade::Origins-Pattern { } should look similar to this:

There are a few other configurations you can set like the time to perform the updates as well as sending you an email but this is just the basic setup tips and tricks tutorial. Now your Raspberry Pi will perform automatic security updates daily.
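
An added example (not part of the original article or of unattended-upgrades) that lists which Origins-Pattern entries are active, which catches the case where the Raspbian line is still commented out. The configuration text is a constructed sample and the function names are hypothetical; the live path in the last comment is the standard Debian location of the file.

```sh
#!/bin/sh
# Added example: list which Origins-Pattern entries are actually active.
# Only "//" comment lines are recognised; /* ... */ blocks are not handled.

# write_sample_conf PATH -> constructed config in the style of 50unattended-upgrades
write_sample_conf() {
    cat > "$1" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
//      "o=Debian,a=stable";
//      "origin=Raspbian,codename=${distro_codename},label=Raspbian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
        "libc6";
};
EOF
}

# active_origins FILE -> one uncommented pattern per line, quotes stripped
active_origins() {
    awk '
        /^[ \t]*Unattended-Upgrade::Origins-Pattern[ \t]*[{]/ { inside = 1; next }
        inside && /^[ \t]*[}]/   { inside = 0 }
        inside && /^[ \t]*\/\//  { next }
        inside && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2) }
    ' "$1"
}

# origin_enabled FILE NAME -> exit 0 if an active entry contains origin=NAME
origin_enabled() {
    active_origins "$1" | awk -F, -v want="origin=$2" '
        { for (i = 1; i <= NF; i++) if ($i == want) ok = 1 }
        END { exit !ok }'
}

conf=$(mktemp)
write_sample_conf "$conf"
active_origins "$conf"
origin_enabled "$conf" Raspbian || echo "Raspbian origin is still commented out"
rm -f "$conf"
# Live check: origin_enabled /etc/apt/apt.conf.d/50unattended-upgrades Raspbian
# Then preview what would be installed: sudo unattended-upgrade --dry-run --debug
```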

 

5. Setup SSH Key Pairing to Login to your Raspberry Pi

SSH keys allow you to log in to your server without a password; the client and server use these keys to authenticate the client and allow it access. This is safer because it prevents brute-force attacks. You can, however, add a passphrase to your key, meaning that you would need both the private key and a passphrase to connect to the server. Adding a passphrase would really lock down our server and make it virtually impossible to connect to without the SSH key and passphrase.

Setting up SSH keys requires you to set them up on your main computer (client) that you will be accessing the Raspberry Pi from. The Raspberry Pi in this scenario will be your server. You generate the SSH keys on your client and then transfer the key to the server, so that only that client will be able to access the server with those keys. Setting up SSH keys is not difficult, but it takes more detail than I can explain in a few paragraphs. You can check out my full article on SSH keys here.

 

Conclusion

Those are 5 basic Raspberry Pi security tips and tricks that every user must do. These should only take a few minutes to perform and should be done on every Raspberry Pi setup. Having so many devices connected to the internet now really increases the risks to your network and personal information. These tips and tricks may not stop a hacker from gaining access to your system, but they definitely stop hackers who are simply looking for easy ways into your network. If you have any other simple tips and tricks that every Raspberry Pi user needs to do, leave a comment below.

 
