
Raspberry Pi Hardening
Quick points on hardening a Raspberry Pi installation.
Make sudo
require a password
Browse to sudo nano /etc/sudoers.d/010_pi-nopasswd
and change the entry for the (eg. user pi
) to the following:
pi ALL=(ALL) PASSWD: ALL
Enable automatic security updates
Install the unattended-upgrades
package:
sudo apt-get install unattended-upgrades
Set up desired package update stream(s) in the configuration file by uncommenting the respective line(s).
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Weekly software updates
Create a crontab file with sudo crontab -e
(for the root user) that checks for and, if necessary upgrades all software
apt-get update && apt-get upgrade --yes --with-new-pkgs
Firewall
Quick-install of Uncomplicated Firewall
sudo apt-get install ufw
sudo ufw allow ssh
sudo ufw status
sudo ufw enable
sudo ufw limit ssh/tcp
fail2ban
fail2ban
blocks brute-force attacks by automatically writing firewall rules based on parsed auth.log
activity.
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 6
bantime = -1
/etc/fail2ban/filter.d/sshd.conf
filter settings file defines filter action while /etc/fail2ban/action.d/iptables-multiport.conf
defines ban actions.
Disable ipv6
Edit /etc/sysctl.conf
and add the following line:
Note that [interface] refers to any specific additional network interface (use ifconfig
to list all interfaces). This can be wlan0 (in the case of a wireless interface).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.[interface].disable_ipv6 = 1
Activate new settings using sysctl -p
and verify the lack of ipv6 assignment using ifconfig
.