Quick points on hardening a Raspberry Pi installation. A standard Raspbian OS installation can leave your Raspberry Pi rather vulnerable to the internet. This tl;dr style guide should give it a fighting chance.
The following points are covered:
- Enable a firewall
- Disable ipv6 support
- Require a password for privilege escalation
- Enable SSH key-based authentication (optional - for remote access)
- Disable SSH password-based authentication (optional - for remote access)
- Set up
fail2ban- an intrustion prevention system
Uncomplicated Firewall. Substitute
ssh for any other port or system service you may require. Ports 80 and 443 are used for
https protocols respectively.
/etc/sysctl.conf and add the following line:
[interface] refers to any specific additional network interface (use
ifconfig beforehand to list all interfaces). Tip: This can be wlan0 in the case of a wireless interface.
Activate new settings using
sysctl -p and verify the lack of ipv6 assignment using
sudo require a password
sudo nano /etc/sudoers.d/010_pi-nopasswd and change the entry for the (eg. user
pi) to the following:
Enable automatic system and security updates
Debian-based linux distribution (eg. Raspbian) offer a convenient package for users. The
unattended-upgrades package allows for configurable unattended-upgrades and can be installed as follows:
Once installed, the user must set up desired package update stream(s) in the configuration file by uncommenting the respective line(s).
Lastly, you must configure the general schedule during which each function is to be carried out.
fail2ban blocks brute-force attacks by automatically writing firewall rules based on the parsed log activity of configured system services.
A more detailed instruction set can be found in this dedicated post.