Quick points on hardening a Raspberry Pi installation. A standard Raspbian OS installation can leave your Raspberry Pi rather vulnerable to the internet. This tl;dr style guide should give it a fighting chance.

The following points are covered:

  • Enable a firewall
  • Disable ipv6 support
  • Require a password for privilege escalation
  • Enable SSH key-based authentication (optional - for remote access)
  • Disable SSH password-based authentication (optional - for remote access)
  • Enable unattended-upgrades
  • Set up fail2ban - an intrusion prevention system

Firewall

Quick install of Uncomplicated Firewall (ufw). Replace ssh with any other port or system service you may require. Ports 80 and 443 are used for the HTTP and HTTPS protocols respectively.

sudo apt-get install ufw
sudo ufw allow ssh
sudo ufw status
sudo ufw enable
sudo ufw limit ssh/tcp

Disable ipv6

Edit /etc/sysctl.conf and add the following lines. Note that [interface] refers to any specific additional network interface (use ifconfig beforehand to list all interfaces). Tip: This can be wlan0 in the case of a wireless interface.

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.[interface].disable_ipv6 = 1

Activate the new settings using sudo sysctl -p and verify the lack of ipv6 assignment using ifconfig.

Make sudo require a password

Open the file with sudo nano /etc/sudoers.d/010_pi-nopasswd and change the entry for the user (e.g. pi) to the following:

pi ALL=(ALL) PASSWD: ALL
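
The following check is an added example, not part of the original guide: it audits the two settings above by listing interfaces whose disable_ipv6 flag is not 1 (for instance an interface missed in sysctl.conf) and sudoers.d entries that still carry NOPASSWD. The directory arguments, the --run switch and the file name audit.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the IPv6 and sudo settings from this guide.
# The directory arguments are an assumption of this sketch so the checks can
# be pointed at a copy; with no argument they read the live system paths.

# Print each interface whose disable_ipv6 flag is not 1.
ipv6_enabled_ifaces() {
    conf_dir=${1:-/proc/sys/net/ipv6/conf}
    for flag in "$conf_dir"/*/disable_ipv6; do
        [ -r "$flag" ] || continue
        if [ "$(cat "$flag")" != "1" ]; then
            basename "$(dirname "$flag")"
        fi
    done
}

# Print sudoers.d lines that still grant NOPASSWD (comment lines are skipped).
nopasswd_entries() {
    sudoers_dir=${1:-/etc/sudoers.d}
    for f in "$sudoers_dir"/*; do
        [ -f "$f" ] || continue
        grep -HnE '^[[:space:]]*[^#[:space:]].*NOPASSWD[[:space:]]*:' "$f" || :
    done
}

# Run both checks; return 1 if either finds something left to fix.
audit() {
    rc=0
    ifaces=$(ipv6_enabled_ifaces "$1")
    if [ -n "$ifaces" ]; then
        echo "IPv6 still enabled on:" $ifaces
        rc=1
    fi
    entries=$(nopasswd_entries "$2")
    if [ -n "$entries" ]; then
        echo "Passwordless sudo entries:"
        echo "$entries"
        rc=1
    fi
    return "$rc"
}

# "--run" and the name audit.sh are this example's own: sudo sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```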

Enable automatic system and security updates

Debian-based Linux distributions (e.g. Raspbian) offer a convenient package for this. The unattended-upgrades package allows for configurable unattended upgrades and can be installed as follows:

sudo apt-get install unattended-upgrades

Once installed, the user must set up desired package update stream(s) in the configuration file by uncommenting the respective line(s).

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Lastly, you must configure the general schedule during which each function is to be carried out.

sudo nano /etc/apt/apt.conf.d/20unattended-upgrades

Fail2ban

fail2ban blocks brute-force attacks by automatically writing firewall rules based on the parsed log activity of configured system services.

A more detailed instruction set can be found in this dedicated post.