Description on how I configured the installation and Security of Raspberry Pi and how I keep it fit for use and purpose.
Table of Contents
- 1 - Installation
- 2 - Configuration
- 3 - Hardening
- 4 - Maintenance
- 5 - Skipped
The goal of this project is to make a secure (or at least secure within a reasonable amount of effort) Raspberry Pi with the following network-features: Pi-Hole DNS-resolver, DNSSEC, DNS-over-HTTPS, DHCP, and OpenVPN-server. It is possible that by gaining new insights features are either removed or added.
My other goal is to gain a good understanding on DNS, Hardening and other Security-related aspects concerning Network Security. I feel that as a Lead Information Security Officer it is important to upkeep (general) knowledge about Technology and it's Security.
Scope is an important part for this project. Otherwise you can endlessly install security tools and solutions which in the end have a trade-off. This might be resources and performance, but also your own precious time to keep it running :).
The constraints are:
- Apart from OpenVPN, there is nothing that can be reached from the outside world. I always assume that there is a network-firewall present between the Internet, and the actual Pi.
- The networking-services this device delivers are meant to enhance security of other network-connected devices in a non-intrusive manner.
- And although this device delivers services in a (reasonable) secure way, it is not meant to be a device that delivers security services by it self, such as network-scanning and vulnerability scans.
- It is meant for home or small-office use. Larger companies or institutions should look at other solutions to protect their people.
The hardware I use exists of the following components:
- Raspberry Pi 3 Model B 1GB
- SDHC card Class 10 - 16GB
- Pi-Blox Case for Raspberry Pi - Black
The costs: ~ € 70,-
How it looks :)
The base image that is used to build this guide is the following:
- Image with desktop based on Debian Stretch
- Version: November 2017
- Release date: 2017-11-29
- Kernel version: 4.9
Note: there are no indications that newer versions of Debian Stretch cause glitches with this guide. But if so, please let me know!
Steps to take
- Install Pi - [Chapter 1]
- Configure Pi - [Chapter 2]
- Remove software & games - [Chapter 3]
- Update/upgrade Pi and firmware - [Chapter 4]
- Install Pi-hole - [Chapter 1]
- Install PiVPN - [Chapter 1]
- Rest of the configuration - [Chapter 2]
- Rest of the hardening - [Chapter 3]
- Rest of the maintenance - [Chapter 4]
Word of thanks
A special word of thanks goes to Jacob Salmela with his up-to-date manual (PDF). This guide is inspired on his, although I go a step further in terms of features. Nevertheless, his contribution to (not only) this guide is worth my sincere gratitude. Thanks!
All the licensing and copyrights of any of the code and applications belong to their respective owners. All other coding falls under the MIT-license: https://github.com/teusink/Home-Security-by-Pi/blob/master/LICENSE
Feel free to remake, reshape and reuse whatever you like or need.