Many of us are familiar with the constant stream of information surrounding the need to secure our computers; however, little thought seems to have been given to the potential need to secure our Raspberry Pi devices. When we consider the multitude of uses we have for a Raspberry Pi, as well as some of the types of access we give to them – such as security monitoring or controlling devices throughout our homes, it makes sense that we should take steps to ensure that we have at least some basic security in place.
Step one: change your default password. The default password for your Raspberry Pi should be changed. If you are using Raspian, open terminal and run sudo raspi-config to display the configuration tool. From there, you can select Option 2, which will allow you to change the user password. Similarly, in any of the Linux OS versions you can use the passwd command to change the password of a user account. It is important to keep in mind that a normal user can only change their own password, while a system administrator can change passwords for other users or define how a specific account’s password can be changed or used. Remember, when you change your password it is important to change it to a strong password which will be difficult for a potential attacker to guess or crack.
Step two: change your default username. If an attacker has your username they have half the information necessary to access your system. Therefore, you should change your default username; however, simply deleting the account is dangerous unless you have already set up an account with the same permissions so your first step is to create a new superuser account by running sudo useradd –m <newusername> -G sudo. This creates a home directory for the user and adds them to the group. Second, enter sudo passwd <newusername> to set a password for the new account – and, again, you will want to be sure to set a strong password. This new account should have the same permissions as pi; however, before deleing it you should logout and login to your new account an attempt to run sudo visudo. If successful, your new account should be ready to take command and you can then enter sudo deluser pi to remove the original default user account.
Step three: firewalls. There are a variety of software firewall applications available for the Raspberry Pi, but many users find they prefer Firewall Builder. This application offers an easy-to-use GUI that allows a user the ability to configure a number of firewalls, including iptables (which we will discuss below). Firewall Builder is installed using two commands, first run sudo apt-get update followed by sudo apt-get install fwbuilder. Then, in the Raspberry Pi GUI you can find Firewall Builder within the Other submenu. From here, you can follow instructions to create your firewall; however, for best results you will want to make sure that your script is loaded before your device connects to the network. This can be done by opening /etc/network/interfaces in a text editor and modifying it to add pre-up /home/pi/fwbuilder/firewall/fw and then adding route add default gw <YOUR.ROUTER.IP.HERE> eth0 to the section of the script that is marked Epilog. This will help you to ensure that you are still able to reach the internet once you are finished setting up your firewall.
Step four: disable unused services. Look at the services running on your Raspberry Pi – do you really need all of these services? If you are not using them, they should be disabled. Remember, if you are unsure what a service is, or what it does, you should fully research it before removing it to avoid removing anything necessary to your operating system. Anything you do need – such as Apache, FTP, NGINX, MySQL, etc. – should be updated and secured.
Step five: install and configure iptables. At a very basic level, iptables if a firewall utility that provides packer filtering and NAT (network address translation), among other functionality. Since configuration can be challenging for those who are unfamiliar with iptables, it is worth looking into wizards such as fwbuilder, bastille, ferm, or ufw (uncomplicated firewall).
Step six: keep your system up to date. This can be automated using cron or cron-apt, which will allow users to set up their own schedules to run system jobs on a daily, weekly or monthly basis. For example, if you place the script to update your system and place it inside /etc/cron.daily then it will execute one time daily, every day.
Step seven: configure logging to monitor logins and failed login attempts. A common method to avoid filling the SD card, and extending the life of the SD card, is to use an external hard drive to host your /var partition so as to provide you with more space. Once the logging is set up, it is important to remember that monitoring is a vital component of any logging/monitoring program. No matter how much vital information is logged, the information cannot help you if the logs are not reviewed.
Some additional considerations you may want to look into include the installation of virus protection or an antimalware program and setting up and configuring SELinux. SELinux, or Security-Enhanced Linux, was originally developed by the US Government and is designed to implement mandatory access control under Linux.
In general, some security is better than no security. So even if you only do some of these steps you are still far ahead of those users who don’t do any of them. However, keep in mind that while they initially may seem like extra work and a potential inconvenience that they are designed to protect you from the far greater inconvenience that could result from a successful attack on your Pi (and the huge amount of work that would accompany it).