2019-04-22 - By Robert Elder
Securing your Raspberry Pi is a very large topic can cover many aspects of computer security, and as a great starting point I would recommend that you first read the Raspberry Pi foundation's own guide on Securing your Raspberry Pi. In addition, I will provide some commentary on this guide in order to emphasize what I think are the most important points, but also to add a few details that aren't reflected in the guide. I will make reference to the Raspberry Pi foundation's security guide a number of times in the paragraphs below.
The Most Important Thing
The absolute most import part of securing your Raspberry Pi is to make sure that you haven't left on password based SSH access with the default password. There are many bots scanning the internet constantly trying to log into things with a username of 'pi' and password 'raspberry' since this is a common default login for SSH on Raspberry Pi. If you fail to disable password-based SSH authentication and leave the password as default, you are effectively leaving your Raspberry Pi openly accessible to anyone on the local area network it is connected to. If your Raspberry Pi is behind a router on a home-based network, this will make it harder for hackers to attack you, but not impossible. If you want to be super safe, you should try to secure your Raspberry Pi as if it were directly connected to the internet, and it that case, you DON'T want to have password-based SSH connections enabled with the default password!
To fix this potential huge security problem you need to either disable password based SSH authentication, or change your password to be a strong password. I recommend doing both. To change the password to a more secure one, use this command:
you'll be prompted to update the password for whoever the current user is.
To disable password based SSH authentication, you need to edit the file located at '/etc/ssh/sshd_config' and make sure it contains the following line somewhere:
If instead you find the line 'PasswordAuthentication no' OR if you find a line that starts with a '#' character ('#' means commented out), then you'll need to update or add this line as written above. Also, before you disable password based authentication, make sure that you first set up SSH key based authentication with public and private keys so that you can still access the Pi remotely. Otherwise, you won't have any way to log into the Pi using SSH. Once you add this new configuration, you need to restart the SSH server for it to take effect:
sudo service ssh restart
Another big win you can do to improve security is to require require a password when running the 'sudo' command. This is explained in the guide linked above, and the solution involves editing the sudoers file. Editing the sudoers file (or any file it includes) can be a potentially dangerous operation: If you manage to put a syntax error in the sudoers file and save it, then you won't be able to use sudo to become root and edit the file again! If you get into this situation, there may or may not be certain workarounds fix the problem, so take care to avoid it. There is a command called 'visudo' that can be used to edit sudoers file safely:
sudo visudo -f /etc/sudoers
The '-f' option of visudo is used to edit other files than the default one at '/etc/sudoers '. You'll need to search for a line that looks like this:
pi ALL=(ALL) NOPASSWD: ALL
and replace it with one that looks like this:
pi ALL=(ALL) PASSWD: ALL
You may need to snoop around in some of the included files. In my case, I found it in '/etc/sudoers.d/010_pi-nopasswd'.
Another important part of staying secure is making sure you have the latest security fixes. You can get yourself up to date by running the following two commands:
sudo apt-get update sudo apt-get upgrade
The Raspberry Pi security guide suggests installing a cron job to keep SSH up to date, but you can also look into installing Unattended Upgrades to do this without a cron job. You can also get more flexibility in how and when you upgrade by reading more on the unattended upgrades documentation.
Another common security-minded practice is to change your SSH server configuration so that your SSH client runs on a non-standard port other than the default of 22. This doesn't prevent anyone from doing anything that they couldn't do if you used port 22, but it does make your SSH server less likely to be detected by dumb scans of every host on the internet for port 22. However, some would argue that if you change your SSH port to a port over 1024 that this could actually be a security risk since non-privileged user processes are allowed to bind to ports over 1024, but you must be root in order to bind to ports less than 1024.
Yet another thing you can consider is removing the default Raspberry Pi user of 'pi' and replacing that with another hard to guess username. This makes it even harder for attackers to guess what login information they would need to use to gain access to your system. It would also make various other kinds of blind attacks more difficult. It should be noted though, that some versions of the Raspberry Pi require the 'pi' user to exist in order to function properly, so be sure to research this before deleting the 'pi' user.
One final thing you can do to make your setup more secure is password-protect your SSH private keys. When you use 'ssh-keygen' to generate your keys the private key is itself as good as password. Therefore, anyone who gains access to your computer with the private keys, even for a short time, can steal the private key and user it over and over like a password. If you password protect the private key, you'll have to type a password every time you log into something and use the private key since it will be encrypted.
If you've followed through all of the above, you're well on your way to having a Raspberry Pi setup that is much more secure than the default. Keeping your systems secure is, however, a never-ending task and you should err on the side of being paranoid. What is considered standard practice today, may not be tomorrow. If you're interested in going even further to enhance security, I would suggest reading up on guides for securing other Linux distributions like Ubuntu/Debian, Arch Linux, or Fedora. Raspberry Pi is mainly used as a teaching platform for students, so a lot of the technical instructions you'll find about Raspberry Pi aren't written by highly experienced people. Learning how to secure other more mainstream Linux distrutions will provide you with a lot of transferrable knowledge that you can also use to secure your Raspberry Pi.