Quick points on hardening a Raspberry Pi installation.
sudo require a password
sudo nano /etc/sudoers.d/010_pi-nopasswd and change the entry for the (eg. user
pi) to the following:
Enable automatic security updates
Set up desired package update stream(s) in the configuration file by uncommenting the respective line(s).
Weekly software updates
Create a crontab file with
sudo crontab -e (for the root user) that checks for and, if necessary upgrades all software
fail2ban blocks brute-force attacks by automatically writing firewall rules based on parsed
/etc/fail2ban/filter.d/sshd.conf filter settings file defines filter action while
/etc/fail2ban/action.d/iptables-multiport.conf defines ban actions.
/etc/sysctl.conf and add the following line:
Note that [interface] refers to any specific additional network interface (use
ifconfig to list all interfaces). This can be wlan0 (in the case of a wireless interface).
Activate new settings using
sysctl -p and verify the lack of ipv6 assignment using