Quick points on hardening a Raspberry Pi installation.

Make sudo require a password

Browse to sudo nano /etc/sudoers.d/010_pi-nopasswd and change the entry for the (eg. user pi) to the following:


Enable automatic security updates

Install the unattended-upgrades package:

sudo apt-get install unattended-upgrades

Set up desired package update stream(s) in the configuration file by uncommenting the respective line(s).

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Weekly software updates

Create a crontab file with sudo crontab -e (for the root user) that checks for and, if necessary upgrades all software

apt-get update && apt-get upgrade --yes --with-new-pkgs


Quick-install of Uncomplicated Firewall

sudo apt-get install ufw
sudo ufw allow ssh
sudo ufw status
sudo ufw enable
sudo ufw limit ssh/tcp


fail2ban blocks brute-force attacks by automatically writing firewall rules based on parsed auth.log activity.

sudo apt-get install fail2ban

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
enabled  = true
port     = ssh
logpath  = /var/log/auth.log
maxretry = 6
bantime = -1

/etc/fail2ban/filter.d/sshd.conf filter settings file defines filter action while /etc/fail2ban/action.d/iptables-multiport.conf defines ban actions.

Disable ipv6

Edit /etc/sysctl.conf and add the following line:

Note that [interface] refers to any specific additional network interface (use ifconfig to list all interfaces). This can be wlan0 (in the case of a wireless interface).

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.[interface].disable_ipv6 = 1

Activate new settings using sysctl -p and verify the lack of ipv6 assignment using ifconfig.