IoT Application (Raspberry security setup)

A little security goes a long way. Even if the plan is to keep the system in an intranet environment, threats may come in many forms.

Change the default user:

Changing the default pi user to your own is a nice personalization option, and it brings some extra security as well.

You can achieve this by creating a new user:

This command adds a user with the specified name, creates a home folder for it, and adds the new user to the sudoers group. Just replace ‘yourusername’ with your own.

Next you need a password for the new user:

After the password is set, delete the default user pi so no doors are left open. Reboot your Raspberry to kill all the processes belonging to user pi, log in with your new user and:

Some extra reading regarding users can be found in the official Raspberry documentation.

Change the default SSH port:

Scans for default ports happen on a daily basis these days, so a bit of security is gained by changing the default SSH port. To do that, edit the sshd_config file:

Find Port 22 and change it to one that you prefer. Make sure you do not choose a predefined port, and do not forget to bind it to your Raspberry’s static IP in your router’s port forward settings.

Hit Ctrl+X to save, and then restart the SSH service:

The next time you SSH in, use the new SSH port:

Setup SSH keys:

Using key-based authentication for SSH is a smart approach, since it provides better protection than standard password authentication.

This is done by generating a public and a private key with the help of your computer:

If you wish to use the default location for the files, hit Enter when prompted on that matter; I tend to use the default. When it comes to the passphrase, it adds extra security. I do not use it, since sometimes the SSH login fails. Could be some Ubuntu / gnome-keyring issue.

Now you need to transfer the public key to the Raspberry:

After you type your Raspberry’s password, the key gets copied.

Finally, to disable the standard password authentication, SSH to your Raspberry and open this file for editing:

Search for ‘#PasswordAuthentication yes’, remove the ‘#’ to make it active, and change yes to no. Save using Ctrl+X, and restart the service:

All done. The next time you connect to your Raspberry through SSH, the connection will be authorized by verifying your private key.

Note: If you somehow get locked out, just connect your Raspberry to a monitor and comment out PasswordAuthentication by adding a # in front of it.
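To confirm that the port change and the PasswordAuthentication edit described above actually took effect, here is an added example (not part of the original post) that reads an sshd_config the way sshd does: the first active value of a keyword wins, and commented lines count for nothing. The function names, the sample port 2222 and the simplifications (Include files and Match blocks are not evaluated) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings changed above.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines starting with '#' are ignored.

# effective_value FILE KEYWORD DEFAULT
# Prints the first active global value of KEYWORD (before any Match block),
# or DEFAULT when the keyword is absent or only present as a comment.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                     # commented-out line
        { sub(/^[ \t]+/, "") }                  # strip leading indentation
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: returns 0 only when both hardening steps are in effect.
audit_sshd() {
    rc=0
    port=$(effective_value "$1" Port 22)                       # OpenSSH default: 22
    pwauth=$(effective_value "$1" PasswordAuthentication yes)  # OpenSSH default: yes
    if [ "$port" = "22" ]; then
        echo "WARN: sshd still listens on the default port 22"; rc=1
    fi
    if [ "$pwauth" != "no" ]; then
        echo "WARN: password authentication is still enabled"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: port $port, key-only authentication"
    fi
    return "$rc"
}

# Constructed sample: stock lines left commented, edited values added below.
demo() {
    sample=$(mktemp)
    printf '%s\n' '#Port 22' 'Port 2222' '#PasswordAuthentication yes' \
        'PasswordAuthentication no' > "$sample"
    audit_sshd "$sample"; status=$?
    rm -f "$sample"
    return "$status"
}

# With a path argument audit that file, otherwise run the constructed sample.
if [ "$#" -gt 0 ]; then audit_sshd "$1"; else demo; fi
```

On the Raspberry, pass the real file as the argument (`/etc/ssh/sshd_config`) after restarting the service; `sshd -T` prints the configuration sshd itself resolved, including any Include files this example skips.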

Try to identify what you have missed regarding this configuration.

For some extra reading and configuration you can read this tutorial from Digital Ocean, and this one from Kamil's lab.

Add a firewall:

By default your Raspberry accepts any kind of traffic, hence all the accepts:

With the help of UFW, configuring the firewall gets more manageable. It serves as an interface for setting and managing firewall rules. The Debian wiki covers this topic so well that it would be redundant to try to explain it myself. Some extra, somewhat more detailed reading can be found here. Note that for now we aim to apply rules for TCP connections and, port-wise, the SSH port. Block incoming for now.


Some footnote:

This security step is pretty important: it brings some level of protection and might save you from unpleasant issues.

If you feel like you have missed something, try getting your bearings in the intro post for this project, since it also contains a glossary of sorts where you can find the part that is most relevant to you.
