Harden your Raspberry
We are not security professionals. Please consult an expert before making any decision regarding the security of your Raspberry PI or any connected system or LAN.
Please see Securing your Raspberry Pi for information.
Here are some security related configurations that our team has tried in the past:
- sudo apt-get update
- sudo apt-get install
- sudo apt-get upgrade
Skip this step if you don't want vim on your pi.
- sudo apt-get install vim
You may want to be able to differentiate this installation from other pis that are on your network. If so then give it a unique hostname.
- sudo vim /etc/hosts
  -> In this file change "raspberrypi" to whatever name you want your host to have, such as "viper" or "hostnumber345322".
- sudo vim /etc/hostname
  -> Do the same in this file.
- sudo reboot now
  -> this will reboot your pi, causing you to lose your shell connection. Wait about 10 seconds and then check that you see your new host name in your router's DHCP lease table.
- ssh pi@mvp1.local
  -> log back on your pi. You may be able to use the new host name if your network supports .local DNS resolution as my network does.
This change will disable password-based ssh access to your pi and restrict access to keys that you place on the pi. See here or here for more details. If you find those references, or others you find by searching the Internet, better suited to your needs, you can ignore the following steps in this section.
The following instructions assume you currently have an SSH public key and know how to use it. If not then check the references listed above for further information.
- run cd ~
- run install -d -m 700 ~/.ssh
- run exit
  -> at this point verify that you are logged out of your pi and back "at" your local machine's shell prompt.
- run scp [name of your ssh public key file] pi@[ip address of your pi]:~/.ssh
  -> this will upload your public ssh key from your local machine (i.e. your desktop or laptop) to the .ssh directory on the pi.
- run ssh pi@[ip address of your pi]
  -> to log back onto the pi
- cd .ssh
- mv [name of your public ssh key file] authorized_keys
  -> this all assumes you have a fresh install of Raspbian with no pre-existing authorized_keys file. If you do have a pre-existing authorized_keys file then simply place a copy of your public key in it.
- exit
  -> get back out of your pi and into your local machine's shell.
- ssh pi@[ip address of your pi]
  -> Confirm that you can log on to your pi without having to specify your raspberry pi account (in this case pi) password. If the pi does ask for your password then something is wrong; do not perform the next step.
- sudo vim /etc/ssh/sshd_config
  -> change the line that reads "# PasswordAuthentication yes" to "PasswordAuthentication no". Remember to remove the "#", which changes the line from a comment to a command that the system will honor.
- sudo /etc/init.d/ssh restart
  -> restarts the ssh server
- exit
  -> get back out of your pi and into your local machine's shell.
- ssh pi@[ip address of your pi]
  -> Confirm that you can log back onto your pi via ssh.
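
One way to check that the sshd_config edit above really disables password logins, shown as an added example that is not part of the original guide. The function names `effective_password_auth` and `password_auth_disabled` are hypothetical, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. Sample configs are constructed.

# Print the global PasswordAuthentication value an sshd_config-style file
# yields. sshd uses the first value it obtains for a keyword, "#" lines are
# comments, and settings after a "Match" line are conditional, not global.
# Assumption: Include'd files are not followed; run `sudo sshd -T` on the pi
# for the value the installed sshd actually resolves.
effective_password_auth() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            gsub(/[ \t=]+/, " ", line)          # "key value" or "key=value"
            split(line, parts, " ")
            key = tolower(parts[1])
            if (key == "match") exit            # end of the global section
            if (key == "passwordauthentication") {
                print tolower(parts[2]); found = 1; exit
            }
        }
        END { if (!found) print "yes" }         # OpenSSH default when unset
    ' "$1"
}

# Return 0 only when password logins are disabled globally.
password_auth_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '# PasswordAuthentication no\n'                  > "$dir/still_commented"
    printf 'PasswordAuthentication no\n'                    > "$dir/edited"
    printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$dir/duplicate"
    printf 'Match User pi\n    PasswordAuthentication no\n' > "$dir/inside_match"
    for f in still_commented edited duplicate inside_match; do
        printf '%-16s -> %s\n' "$f" "$(effective_password_auth "$dir/$f")"
    done
    rm -rf "$dir"
}
demo
```

Only the `edited` sample reports `no`; the other three leave password logins enabled even though the file contains the text "PasswordAuthentication no".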