In this Raspberry Pi tutorial, we will learn to secure our Raspberry Pi board. We will also learn to implement and enable the security features to make the Pi secure.
This article is an excerpt from the book, Internet of Things with Raspberry Pi 3, written by Maneesh Rao.
Changing the default password
Every Raspberry Pi that is running the Raspbian operating system has the default username pi and default password raspberry, which should be changed as soon as we boot up the Pi for the first time. If our Raspberry Pi is exposed to the internet and the default username and password has not been changed, then it becomes an easy target for hackers.
To change the password of the Pi in case you are using the GUI for logging in, open the menu and go to Preferences and Raspberry Pi Configuration, as shown in Figure 10.1:
Within Raspberry Pi Configuration under the System tab, select the change password option, which will prompt you to provide a new password. After that, click on OK and the password is changed (refer Figure 10.2):
If you are logging in through PuTTY using SSH, then open the configuration setting by running the sudo raspi-config command, as shown in Figure 10.3:
On successful execution of the command, the configuration window opens up. Then, select the second option to change the password and finish, as shown in Figure 10.4:
It will prompt you to provide a new password; you just need to provide it and exit. Then, the new password is set. Refer to Figure 10.5:
Changing the username
All Raspberry Pis come with the default username pi, which should be changed to make it more secure. We create a new user and assign it all rights, and then delete the pi user.
To add a new user, run the sudo adduser adminuser command in the terminal. It will prompt for a password; provide it, and you are done, as shown in Figure 10.6:
Now, we will add our newly created user to the sudo group so that it has all the root-level permissions, as shown in Figure 10.7:
Now, we can delete the default user, pi, by running the sudo deluser pi command. This will delete the user, but its repository folder /home/pi will still be there. If required, you can delete that as well.
Making sudo require a password
When a command is run with sudo as the prefix, then it’ll execute it with superuser privileges. By default, running a command with sudo doesn’t need a password, but this can cost dearly if a hacker gets access to Raspberry Pi and takes control of everything. To make sure that a password is required every time a command is run with superuser privileges, edit the 010_pi-nopasswd file under /etc/sudoers.d/ by executing the command shown in Figure 10.8:
This command will open up the file in the nano editor; replace the content with pi ALL=(ALL) PASSWD: ALL, and save it.
To get the latest security updates, it is important to ensure that the Raspbian OS is updated with the latest version whenever available. Visit https://www.raspberrypi.org/documentation/raspbian/updating.md to learn the steps to update Raspbain.
Improving SSH security
SSH is one of the most common techniques to access Raspberry Pi over the network and it becomes necessary to use if you want to make it secure.
Username and password security
Apart from having a strong password, we can allow and deny access to specific users. This can be done by making changes in the sshd_config file. Run the sudo nano /etc/ssh/sshd_config command.
This will open up the sshd_config file; then, add the following line(s) at the end to allow or deny specific users:
- To allow users, add the line: AllowUsers tom john merry
- To deny users, add this line: DenyUsers peter methew
For these changes to take effect, it is necessary to reboot the Raspberry Pi.
Key-based authentication
Using a public-private key pair for authenticating a client to an SSH server (Raspberry Pi), we can secure our Raspberry Pi from hackers. To enable key-based authentication, we first need to generate a public-private key pair using tools called PuTTYgen for Windows and ssh-keygen for Linux. Note that a key pair should be generated by the client and not by Raspberry Pi. For our purpose, we will use PuTTYgen for generating the key pair. Download PuTTY from the following web link:
Note that puTTYgen comes with PuTTY, so you need not install it separately.
Open the puTTYgen client and click on Generate, as shown in Figure 10.9:
Next, we need to hover the mouse over the blank area to generate the key, as highlighted in Figure 10.10:
Once the key generation process is complete, there will be an option to save the public and private keys separately for later use, as shown in Figure 10.11—ensure you keep your private key safe and secure:
Let’s name the public key file rpi_pubkey, and the private key file rpi_privkey.ppk and transfer the public key file rpi_pubkey from our system to Raspberry.
Log in to Raspberry Pi and under the user repository, which is /home/pi in our case, create a special directory with the name .ssh, as shown in Figure 10.12:
Now, move into the .ssh directory using the cd command and create/open the file with the name authorized_keys, as shown in Figure 10.13:
The nano command opens up the authorized_keys file in which we will copy the content of our public key file, rpi_pubkey. Then, save (Ctrl + O) and close the file (Ctrl + X).
Now, provide the required permissions for your pi user to access the files and folders. Run the following commands to set permissions:
chmod 700 ~/.ssh/ (set permission for .ssh directory) chmod 600 ~/.ssh/authorized_keys (set permission for key file)
Refer to Figure 10.14, which shows the permissions before and after running the chmod commands:
Finally, we need to disable the password logins to avoid unauthorized access by editing the /etc/ssh/sshd_config file. Open the file in the nano editor by running the following command:
sudo nano etc/ssh/sshd_config
In the file, there is a parameter #PasswordAuthentication yes. We need to uncomment the line by removing # and setting the value to no:
PasswordAuthentication no
Save (Ctrl + O) and close the file (Ctrl + X). Now, password login is prohibited and we can access the Raspberry Pi using the key file only.
Restart Raspberry Pi to make sure all the changes come into effect with the following command:
sudo reboot
Here, we are assuming that both Raspberry Pi and the system that is being used to log in to Pi are one and the same.
Now, you can log in to Raspberry Pi using PuTTY. Open the PuTTY terminal and provide the IP address of your Pi. On the left-hand side of the PuTTY window, under Category, expand SSH as shown in Figure 10.15:
Then, select Auth, which will provide the option to browse and upload the private key file, as shown in Figure 10.16:
Once the private key file is uploaded, click on Open and it will log in to Raspberry Pi successfully without any password.
Setting up a firewall
There are many firewall solutions available for Linux/Unix-based operating systems, such as Raspbian OS in the case of Raspberry Pi. These firewall solutions have IP tables underneath to filter packets coming from different sources and allow only the legitimate ones to enter the system. IP tables are installed in Raspberry Pi by default, but are not set up. It is a bit tedious to set up the default IP table. So, we will use an alternate tool, Uncomplicated Fire Wall (UFW), which is extremely easy to set up and use ufw.
To install ufw, run the following command (refer to Figure 10.17):
sudo apt install ufw
Once the download is complete, enable ufw (refer to Figure 10.18) with the following command:
sudo ufw enable
If you want to disable the firewall (refer to Figure 10.20), use the following command:
sudo ufw disable
Now, let’s see some features of ufw that we can use to improve the safety of Raspberry Pi.
Allow traffic only on a particular port using the allow command, as shown in Figure 10.21:
Restrict access on a port using the deny command, as shown in Figure 10.22:
We can also allow and restrict access for a specific service on a specific port. Here, we will allow tcp traffic on port 21 (refer to Figure 10.23):
We can check the status of all the rules under the firewall using the status command, as shown in Figure 10.24:
Restrict access for particular IP addresses from a particular port. Here, we deny access to port 30 from the IP address 192.168.2.1, as shown in Figure 10.25:
To learn more about ufw, visit https://www.linux.com/learn/introduction-uncomplicated-firewall-ufw.
Fail2Ban
At times, we use our Raspberry Pi as a server, which interacts with other devices that act as a client for Raspberry Pi. In such scenarios, we need to open certain ports and allow certain IP addresses to access them. These access points can become entry points for hackers to get hold of Raspberry Pi and do damage.
To protect ourselves from this threat, we can use the fail2ban tool. This tool monitors the logs of Raspberry Pi traffic, keeps a check on brute-force attempts and DDOS attacks, and informs the installed firewall to block a request from that particular IP address.
To install Fail2Ban, run the following command:
sudo apt install fail2ban
Once the download is completed successfully, a folder with the name fail2ban is created at path /etc. Under this folder, there is a file named jail.conf. Copy the content of this file to a new file and name it jail.local. This will enable fail2ban on Raspberry Pi. To copy, you can use the following command:
sudo /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now, edit the file using the nano editor:
sudo nano /etc/fail2ban/jail.local
Look for the [ssh] section. It has a default configuration, as shown in Figure 10.26:
This shows that Fail2Ban is enabled for ssh. It checks the port for ssh connections, filters the traffic as per conditions set under in the sshd configuration file located at path etcfail2banfilters.dsshd.conf, parses the logs at /var/log/auth.log for any suspicious activity, and allows only six retries for login, after which it restricts that particular IP address.
The default action taken by fail2ban in case someone tries to hack is defined in jail.local, as shown in Figure 10.27:
This means when the iptables-multiport action is taken against any malicious activity, it runs as per the configuration in /etc/fail2ban/action.d/iptables-multiport.conf.
To summarize, we learned how to secure our Raspberry Pi single-board. If you found this post useful, do check out the book Internet of Things with Raspberry Pi 3, to interface various sensors and actuators with Raspberry Pi 3 to send data to the cloud.
Read Next:
Build an Actuator app for controlling Illumination with Raspberry Pi 3
Should you go with Arduino Uno or Raspberry Pi 3 for your next IoT project?