Raspberry Pi comes with a poor security level by default

If you use it at home or in a small network, it’s not a big deal

But if you open ports to the Internet, use it as a WiFi access point, or install it in a bigger network, you need to take security measures to protect your Raspberry Pi

I’ll show you how to do this

How to secure a Raspberry Pi?

Improving the security on a Raspberry Pi is similar to any other Linux device.

There are logical steps, like using a strong password. And there are also more complex steps like detecting attacks or using encryption.

I’ll show you the 17 security tips you need to follow to get a good security level on your Raspberry Pi (and they mostly apply to all Linux systems)

It all depends on what you are doing, but it should be enough in most cases

Introduction

Should I follow all these tips?

As I wrote at the beginning, if your Raspberry Pi is at home, with a few services and no forwarded ports in your Internet box, you are already pretty safe

The risk level of your Raspberry Pi depends on how it’s exposed to the “real” world

You won’t take the same measures for a RetroPie game console at home as for a DMZ server in your network that is open to the Internet

But the 17 tips are good to know and easy to apply, so if you share something on the Internet, take 30 minutes to read this and apply them

How I wrote this article

I selected the 17 main security tips I want to share with you, which apply to everyone who hosts a Raspberry Pi and shares services on it

They are in order of risk level

If you think you are highly exposed, follow all the steps and you’ll be safe

If you are not that exposed, follow only the first ones

17 tips to secure your Raspberry Pi

1 – Keep your system updated

The first one may be obvious, but it’s an important one

With updates from the Raspbian repository, you not only get the latest features, but mainly security fixes for your installed software

Try to update your Raspberry Pi regularly with:

sudo apt update
sudo apt upgrade

You can also automate this process with the unattended-upgrades package

This procedure allows you to install security fixes each day automatically:

Install the unattended-upgrades package:
sudo apt install unattended-upgrades

Open the configuration file:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Change what you want in this file

By default it’ll download only security updates, but you can change this if you want to install all Debian updates, or even other repositories

I recommend at least uncommenting this line:
Unattended-Upgrade::Mail "root";
This will send a mail to root (or to any other address if you have a mail server installed)

Save and exit (CTRL+O, CTRL+X)

Then we need to set the periodic upgrade

Open this file:
sudo nano /etc/apt/apt.conf.d/02periodic

Paste these lines (the file should be empty; if not, change the values):
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Verbose "2";

This will enable the automatic update every day

We ask apt to run update, download the upgrades, install them and autoclean every day

The last line is the verbosity level you’ll get in /var/log/unattended-upgrades and in the email (1 = low, 3 = max)

Save and exit (CTRL+O, CTRL+X)

That should be all. You can check your configuration with this command:
sudo unattended-upgrades -d

Don’t forget to check the log file and/or the email you receive to make sure everything is working as expected

2 – Don’t use auto-login or empty passwords

Passwords are a big part of the system security

First thing: make sure that every critical access point asks for a password

Don’t use auto-login, and add a login step for each application that can be accessed directly

I’ll not list all apps, but for example, if you have a web server, make sure that personal data or administration pages are not accessible without a password

Make sure that nobody uses an empty password on the Raspberry Pi

If you have only a few accounts, it’s easy: check each of them

If you have a lot of user accounts, these commands could help you:

Search for empty passwords:
sudo awk -F: '($2 == "") {print}' /etc/shadow
This will display only the accounts with an empty password

Lock unsafe accounts:
sudo passwd -l <username>

3 – Change the default password for pi

A common mistake is to leave the default password on the pi user (raspberry)

Anyone who has already used a Raspberry Pi knows this password

Many people scan SSH ports and try to log in with pi / raspberry

Changing the default password should be the first thing to do on a new installation

Doing this is easy, login as pi and enter this command:

passwd

Try to use a sentence with over 15 characters to be safe against brute-force attacks, and to remember it easily (ex: iloveraspberrytips is a good password easy to remember ^^)

4 – Disable the pi user

As I said, the pi user is one of the most brute-forced logins, along with root

Attackers have lists of commonly used logins and try mainly those

If possible, create a new user and disable the pi user to prevent this kind of attack:

Create a new user:
sudo adduser <username>

Give it sudo privileges if needed:
sudo adduser <username> sudo
This will add your new user to the sudo group

Check that everything is working correctly (SSH access, sudo, …)

Copy files from the pi user to the new user if needed:
sudo cp /home/pi/Documents/* /home/<username>/Documents/
...

Delete the pi user:
sudo deluser --remove-home pi
If you prefer, you can start by locking the account (as explained previously), and delete it only after a few weeks, when you’re sure everything is fine

5 – Stop unnecessary services

On a Raspberry Pi, we try a lot of projects about everything, and that can be a bad habit for security

Let’s say you installed PHPMyAdmin 3 months ago to try something, but you’re not using it anymore

This could give an attacker a way into your system

Try to stop or uninstall unneeded services and apps

To stop a service, use:
sudo service <service-name> stop
If it starts automatically on boot, try:
sudo update-rc.d <service-name> remove

Or to uninstall it, it should be something like:
sudo apt remove <service-name>

6 – Make sudo require a password

As you should know, sudo does not always ask for a password

Most of the time you don’t need to type your password again

It’s cool for productivity, but for security reasons it’s not a good idea

If someone manages to get terminal access as your Raspberry Pi’s main user, super-user privileges will be available without a password

I recommend requiring a password when you use sudo:

Edit this file:
sudo nano /etc/sudoers.d/010_pi-nopasswd

Find this line:
pi ALL=(ALL) NOPASSWD: ALL
Or the line for any other user, if you followed the previous steps

Replace it with this:
pi ALL=(ALL) PASSWD: ALL

Do the same for each user with sudo access

Save and exit (CTRL+O, CTRL+X)

7 – SSH: Prevent root login

As I said previously, root and pi users are often the main target for brute-force attacks

It’s usually over SSH

So you need to make sure that root doesn’t have direct SSH access

If you need root, login with your normal user (not pi) and then use sudo to get super-user privileges

By default, root access is disabled

You can check this:

Open the SSH server configuration file:
sudo nano /etc/ssh/sshd_config

Find this line:
#PermitRootLogin prohibit-password

If you have something else, comment this line (by adding # at the beginning)

Save and exit (CTRL+O, CTRL+X)

Restart the SSH server:
sudo service ssh restart

8 – SSH: Change the default port

The SSH default port is 22

So attackers run bots that make login attempts on this port

To prevent this, you can change the default port and set another one

Edit the SSH server configuration file:
sudo nano /etc/ssh/sshd_config

Find this line:
#Port 22

Replace the port with what you want:
Port 1111
Make sure you don’t take a port you already use for something else

List of known ports on Wikipedia

Save and exit (CTRL+O, CTRL+X)

Restart your server:
sudo service ssh restart

Don’t forget to adjust the firewall rules if you have one

Make a new connection test before closing the current one, it could help you if you made a mistake 🙂

9 – SSH: Use SSH keys instead of passwords

With the previous steps, we already block most of the script kiddies

We are now moving to things that can protect you even if you are facing a determined attacker who is targeting your system specifically

Using a strong password will slow down the attack, but it’s always possible the attacker finds it, even if it takes weeks to get the correct password

What you can do to block this is to use SSH keys instead of passwords for your SSH connections

An attacker could guess a 15-character password, but not an SSH key

The main idea is to generate a key on your computer, and then to add it on the Raspberry Pi to allow a connection from your computer (with or without a password)

I give you the step-by-step procedure at the end of this article

Once this is working, you can disable password-only SSH connections

Change this line in the SSH configuration file we saw before:

PasswordAuthentication no
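As an added example (not from the original article), this small POSIX shell script checks an sshd_config file for the three settings from tips 7, 8 and 9 and reports what is still at a weak value. The function names, the file path and the sample configuration are mine; the defaults it falls back on (prohibit-password, port 22, password authentication on) are sshd’s documented ones.

```sh
#!/bin/sh
# Effective value of one sshd_config keyword, read on stdin.
# sshd keeps the first non-comment occurrence of a keyword; if it never
# appears, the built-in default given as the second argument applies.
# (Include directives and Match blocks are not followed.)
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# Audit one sshd_config file against tips 7, 8 and 9.
# Prints one finding per line; returns 0 when nothing is flagged, 1 otherwise.
audit_sshd_config() {
    cfg="$1"
    findings=0
    root_login=$(sshd_effective PermitRootLogin prohibit-password < "$cfg")
    case "$root_login" in
        no|prohibit-password) ;;   # tip 7: root cannot log in with a password
        *) echo "PermitRootLogin is '$root_login': set it to no or prohibit-password"
           findings=$((findings + 1)) ;;
    esac

    port=$(sshd_effective Port 22 < "$cfg")
    if [ "$port" = "22" ]; then   # tip 8: still on the default port
        echo "Port is 22: move SSH to another port and update your firewall"
        findings=$((findings + 1))
    fi

    pass_auth=$(sshd_effective PasswordAuthentication yes < "$cfg")
    if [ "$pass_auth" != "no" ]; then   # tip 9: passwords still accepted
        echo "PasswordAuthentication is '$pass_auth': set up SSH keys, then set it to no"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the three lines as they ship, still commented out,
# so sshd falls back to its defaults (prohibit-password, port 22, passwords on).
sample_sshd_config=$(mktemp)
cat > "$sample_sshd_config" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
EOF

audit_sshd_config "$sample_sshd_config" && echo "sshd_config looks hardened"
```

Run it against /etc/ssh/sshd_config after each change; the sample above reports two findings (port and password authentication), since the commented default for root login is already acceptable.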

10 – Install Fail2ban

Fail2ban is a tool to detect brute-force attacks and block them

In the previous steps, I said that an attacker could try to find your password for months, and might succeed

The main purpose of Fail2ban is to avoid this

Fail2ban will block an attacker’s IP if they fail to log in more than X times

You can configure the number of tries before a ban, and the ban duration

Follow these steps to install Fail2ban on your Raspberry Pi:

Install the package:
sudo apt install fail2ban

By default, fail2ban will ban an attacker for 10 minutes after 5 failures

I think it’s ok to start, but if you want to change this, all the configuration is in the /etc/fail2ban folder

Mainly in /etc/fail2ban/jail.conf

Restart the service if you made any changes:
sudo service fail2ban restart

This should really slow your attacker

5 attempts every 10 minutes is 720 tries a day

If your password is not like “password” or “123456789” it should take a long time to find it

Here is a link to my tutorial on how to use Fail2ban on your Raspberry Pi. Feel free to check it if you need more details.

11 – Install a firewall

In case you don’t know, a firewall lets you block all ports except the ones you need, and filter access by IP

For example, you can block everything, and just allow SSH access from your computer’s IP address

I usually use iptables for my firewall rules, but for a beginner it may not be the easiest way to do this

So, I’ll explain how to install ufw (Uncomplicated FireWall), which is more straightforward, and then allow only what you need

It’s a basic configuration with HTTP access for anyone, and SSH only for you, but you need to adapt this to what you want to do

Install the firewall package:
sudo apt install ufw

Allow Apache access for anyone:
sudo ufw allow 80
sudo ufw allow 443

Allow SSH access for your IP address only:
sudo ufw allow from 192.168.1.100 port 22
Don’t forget to replace the values with your own settings

On a local network, you can get your IP address with ipconfig (Windows) or ifconfig (Linux/Mac)

If you changed the SSH port in a previous step (to 1111 or anything else), use that port here

Enable the firewall:
sudo ufw enable
Be careful, this will enable the firewall now, and also on boot

If you lose access to your device, you’ll not be able to fix this, even after a reboot

You’ll need to change the configuration directly on the Raspberry Pi (physically)

Check that everything is fine

To display your current rules once ufw is enabled, use this command:

sudo ufw status verbose

For more complex configurations, check the man page

My other tutorial about building a wireless router with firewall features can also help you

12 – Backup your system

One of the worst consequences of an attack is losing data

If you back up your files correctly and regularly, you’ll be safe even if the attacker destroys your SD card

I already wrote an article about how to back up and restore your Raspberry Pi, so I won’t repeat it here

But the second part is critical: make sure that you can read your backup and that all the important files are inside, otherwise it’s useless

13 – Encrypt your connections

This is a vast topic and I’ll not give many details about this, but I’ll give you an example

With basic protocols, data flows in the clear on the network

That is to say, if you type your password, an attacker listening on the network could get it

Luckily, there are often other protocols that are safer, because they encrypt all the data

The first thing to do is to stop using unsafe protocols (FTP, Telnet or HTTP, for example)

And then try to replace them with safer ones (SFTP, SSH, HTTPS)

The procedure will depend on which protocols you are using with your Raspberry Pi

Let’s take the HTTP example

HTTP is cool if you only use it for static content, you never type a password, and don’t have sensitive data

But move your application to HTTPS anyway, to be safer

It’s pretty simple to do: you just need a certificate and to change a few lines in the Apache or Nginx configuration

You’ll find a lot of helpful tutorials on the Internet

And most of the time it’s easy

You can switch from FTP to SFTP, as your Raspberry Pi already has SSH enabled

The same goes for Telnet: why would you need Telnet when SSH is available?

Then look for all the protocols you are using with sensitive data and what you can do to improve it

14 – Use a VPN

A more radical option is to access your Raspberry Pi through a VPN

VPN stands for Virtual Private Network and allows you to access remotely all services on your Raspberry Pi as if you were in the local network

All traffic between you and the Raspberry Pi will be encrypted by a strong protocol

This is a good option to avoid opening many unprotected ports on the Internet

I have an article on how to use a Raspberry Pi as an OpenVPN server, and you can easily find more help on the Internet

15 – Protect physical access

The last protection is obvious, but often ignored when we talk about security

You can configure all the security protocols, firewalls and VPNs from the previous steps, but if your Raspberry Pi is physically accessible to anyone, it’s useless

Make sure that it (or the SD card) can’t be stolen easily, and that nobody can plug in a keyboard and screen and be logged in automatically

The steps to protect against that kind of attack will depend on your system

Maybe you’ll need an automatic logout after X minutes, a password on the grub boot menu, or encryption of the data on the SD card

Think about it, what could be the worst thing that could happen if someone gets access physically to your Raspberry Pi?

And find solutions to prevent it

16 – Check your logs regularly

The last two items on this list are not protections as such, but more of a commitment to keep

Most of the time, attacks are visible in the log files

So, try to read them regularly to detect any suspicious activity

All logs are in the /var/log folder, but the main log files to check are:

/var/log/syslog: main log file for all services

/var/log/messages: general system log file

/var/log/auth.log: all authentication attempts are logged here

/var/log/mail.log: if you have a mail server, you’ll find a trace of recent emails sent here

Any critical application log file, for example /var/log/apache2/error.log or /var/log/mysql/error.log

Some solutions are available to simplify this work

For example, you could configure syslog to send the logs to a central server with an interface to read and filter them

You can also use logwatch to get daily reports about the system operation
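Added example, not part of the original article: a shell script that summarises SSH failures per source address from auth.log, the kind of check you would run in a daily log review. The sample log lines and the function names are constructed for this example; the default threshold of 5 matches the fail2ban maxretry from tip 10.

```sh
#!/bin/sh
# Count failed SSH logins per source address in an auth.log file (tip 16).
# Output: "count ip" per source, most active first; a source at or above the
# threshold (default 5, the fail2ban maxretry from tip 10) is tagged
# BAN-CANDIDATE so it stands out in a daily read of the log.
ssh_failed_logins() {
    awk -v limit="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                printf "%d %s%s\n", fails[ip], ip, (fails[ip] >= limit ? " BAN-CANDIDATE" : "")
        }' "$1" | sort -rn
}

# Successful logins deserve a look too: an unexpected user or source here
# means a password or key is already compromised.
ssh_accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") ip   = $(i + 1)
        }
        print user, ip
    }' "$1"
}

# Constructed sample log: one noisy source (203.0.113.5, a documentation
# address) hammering the pi and root accounts, and one LAN host that
# fails once on "pi" before bob logs in with his key.
sample_auth_log=$(mktemp)
cat > "$sample_auth_log" <<'EOF'
Jan 12 03:14:01 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:03 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:05 raspberrypi sshd[1203]: Failed password for pi from 203.0.113.5 port 51240 ssh2
Jan 12 03:14:08 raspberrypi sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 12 03:14:10 raspberrypi sshd[1207]: Failed password for root from 203.0.113.5 port 51248 ssh2
Jan 12 07:02:10 raspberrypi sshd[1302]: Failed password for pi from 192.168.1.20 port 40022 ssh2
Jan 12 07:02:20 raspberrypi sshd[1302]: Accepted publickey for bob from 192.168.1.20 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED
EOF

echo "Failed logins per source:"; ssh_failed_logins "$sample_auth_log"
echo "Accepted logins:";          ssh_accepted_logins "$sample_auth_log"
```

On a real system, point both functions at /var/log/auth.log; the 5-failure tag is exactly the situation where fail2ban from tip 10 would already have banned the source.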

17 – Read the news

To keep a good security level in your projects, try to stay informed

I see new vulnerabilities in a lot of major software packages every day, and it can take weeks or more before the fix is available in the Raspbian repository

If you read security news regularly, you could take action quickly to stay protected

Here are some good links to follow:

You could also use a vulnerability scanner like Nessus to find only the vulnerabilities that apply to your system

But if your project requires such a high level of security, you probably should not stay on a Raspberry Pi 🙂

Conclusion

That’s it, you now know the main security steps to protect your Raspberry Pi

I know these are only the first steps, and that there are other important ones too, but we are talking about a Raspberry Pi, not high-availability servers with tons of confidential data

I think you already have a good protection if you implement the 17 ideas from this article

If you have any other security tips to share with us, please leave a comment below