Harden your Raspberry

ferguman edited this page May 30, 2018 · 1 revision

DISCLAIMER

We are not security professionals. Please consult an expert before making any decision regarding the security of your Raspberry PI or any connected system or LAN.

Please see Securing your Raspberry Pi for information.

Here are some security related configurations that our team has tried in the past:

Make sure your pi is up to date.

  • sudo apt-get update
  • sudo apt-get install
  • sudo apt-get upgrade

Install your favorite text editor.

Skip this step if you don't want vim on your pi.

  • sudo apt-get install vim

Change your hostname

You may want to be able to differentiate this installation from other pis that are on your network. If so then give it a unique hostname.

  • sudo vim /etc/hosts -> In this file change "raspberrypi" to the name you want your host to have, such as "viper" or "hostnumber345322" or whatever.
  • sudo vim /etc/hostname -> Do the same in this file.
  • sudo reboot now -> this will reboot your pi, causing you to lose your shell connection. Wait about 10 seconds and then check that you see your new host name in your router's DHCP lease table.
  • ssh pi@mvp1.local -> log back onto your pi. You may be able to use the new host name if your network supports .local DNS resolution as my network does.

Restrict ssh access to key based

This change will disable password-based ssh access to your pi and restrict access to keys that you place on the pi. See here or here for more details. You may find those references, or others found by searching the Internet, better suited to your needs, in which case you can ignore the following steps in this section.

The following instructions assume you currently have an SSH public key and know how to use it. If not, check the references listed above for further information.

Create the ssh directory on your pi

  • run cd ~
  • run install -d -m 700 ~/.ssh
  • run exit -> at this point verify that you are logged out of your pi and back "at" your local machine's shell prompt.

Upload your public ssh key to your pi.

  • run scp [name of your ssh public key file] pi@[ip address of your pi]:~/.ssh -> this will upload your public ssh key from your local machine (i.e. your desktop or laptop) to the .ssh directory on the pi.
  • run ssh pi@[ip address of your pi] -> to log back onto the pi
  • cd .ssh
  • mv [name of your public ssh key file] authorized_keys -> this all assumes you have a fresh install of Raspbian with no pre-existing authorized_keys file. If you do have a pre-existing authorized_keys file then simply place a copy of your public key in it.
  • exit - get back out of your pi and into your local machine's shell.
  • ssh pi@[ip address of your pi] - Confirm that you can log on to your pi without having to specify your raspberry pi account (in this case pi) password. If the pi does ask for your password then something is wrong; don't perform the next step.
  • sudo vim /etc/ssh/sshd_config - change the line that reads "# PasswordAuthentication yes" to "PasswordAuthentication no". Remember to remove the "#" which changes the line from a comment to a command that the system will honor.
  • sudo /etc/init.d/ssh restart -> restarts the ssh server
  • exit - get back out of your pi and into your local machine's shell.
  • ssh pi@[ip address of your pi] - Confirm that you can log back onto your pi via ssh.
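
One way to check that the sshd_config edit above actually turned password logins off, for instance when the "#" was left in place or an earlier line still says "yes". This is an added example, not part of the original page; the function names and sample configs are constructed for illustration, and it reads only the global section of the file (it does not follow Include directives or Match blocks).

```shell
#!/bin/sh
# Added example (not from the original page): report the PasswordAuthentication
# value that applies in the global section of an sshd_config-style file.

# effective_password_auth FILE -> prints the effective value ("yes" if unset)
effective_password_auth() {
    awk '
        { sub(/^[ \t]+/, "") }               # ignore leading whitespace
        /^#/ || /^$/ { next }                # commented-out and blank lines have no effect
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)  # accept "Keyword=value" as well
            split(line, f, /[ \t]+/)
            key = tolower(f[1])              # keywords are case-insensitive
            if (key == "match") exit         # global section ends at the first Match block
            if (key == "passwordauthentication") {
                val = f[2]; gsub(/"/, "", val)
                found = 1; print val; exit   # first value obtained wins
            }
        }
        END { if (!found) print "yes" }      # sshd default when the keyword is unset
    ' "$1"
}

# password_logins_disabled FILE -> exit status 0 only when the effective value is "no"
password_logins_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Constructed sample configs (not taken from a real host).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' '# PasswordAuthentication no' > "$tmp/still_commented"
    printf '%s\n' 'PasswordAuthentication yes' 'PasswordAuthentication no' > "$tmp/shadowed"
    printf '%s\n' 'Port 22' 'PasswordAuthentication no' > "$tmp/hardened"
    for f in still_commented shadowed hardened; do
        printf '%-16s PasswordAuthentication=%s\n' "$f" "$(effective_password_auth "$tmp/$f")"
    done
    rm -rf "$tmp"
}
demo
```

On the pi itself, `sudo sshd -t` checks the file for syntax errors before the restart, and `sudo sshd -T` prints the full effective configuration as the server sees it.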

Next Step

Install mvp blossom