Satish BysanyArchiveAbout

Set up and secure Raspberry Pi

I just got my Raspberry Pi 3. The best part is it’s got WiFi. For now, I’ve installed Raspbian.

Initial connection

Powering it up automatically starts an SSH server. However, I haven’t connected it to a display monitor (no HDMI cable) or keyboard. So, how do I access the RPi ? It was easier than I thought. Simply connect an ethernet cable (LAN cable) from your laptop to RPi. My laptop also runs Debian, so it was easy to enable Internet sharing.

ssh pi@raspberrypi
Password: raspberry

Now that you’re in, install VNC server on RPi and start it:

sudo apt-get install xorg tightvncserver
vncserver -alwaysshared -geometry 1900x980
 New 'X' desktop is raspberry:1

From your host machine (laptop), you can connect to the VNC by installing a VNC viewer:

sudo apt-get install xtightvncviewer
vncviewer raspberrypi:1

It logs in to an LXDE desktop. Just connect to your WiFi access point from the Network drop down menu. This choice will be remembered in later reboots. So, you don’t need to connect ethernet cable anymore. Now logout of LXDE, kill VNC server on RPi:

vncserver -kill :1
sudo reboot

After it reboots, RPi will auto-connect to your WiFi network. Just login via ssh now.

Create a new user

The default user pi occurs on every RPi ever sold. So, if you’re exposing your RPi on the Internet, a potential hacker will likely target that user name. So, we’re going to create a new user and delete the user pi.

sudo adduser satish

It prompts for password (mandatory) and full name (etc. which are optional). Make sure to put yourself in the sudoers group.

sudo adduser satish sudo

Now log out and login again for the group settings to take effect. As a simple test, try:

sudo apt-get update

It’s a good idea to run sudo apt-get upgrade now so that your RPi’s software is upgraded.

If it all works out ok, delete the default user:

sudo deluser --remove-home pi

SSH configuration

Let’s change RPi’s hostname to something more meaningful. The default is raspberrypi.

sudo raspi-config

Scroll down a bit to “Advanced Options”, then choose “A2 Hostname”. Let’s say the new hostname is rpihome.

Generate an SSH key for RPi:

ssh-keygen

It is recommended to give a decent password, though you can leave it empty. Open another terminal on your laptop and run:

ssh-copy-id satish@rpihome

This will add your laptop’s SSH keys to RPi. Now log out of RPi and login again. You should not be prompted for password anymore !

To make it secure, let’s disable password authentication altogether. This implies that you can only login if your laptop’s SSH keys are copied to rpihome. For example, if you try to login from your work computer, access will be denied (You need to ssh-copy-id again). Run sudo nano /etc/ssh/sshd_config and add these lines at the end of the file:

PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin No

DenyUsers admin Admin test root pi

It is also recommended to disable outdated authentication methods. For example Mozilla has a good example:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,...
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,...
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,...

(Please don’t copy-paste the above. Use the latest values from Mozilla’s link.)

sudo service ssh restart

Firewall

ufw (universal firewall) is a simple tool to block access from external IP addresses and unallowed ports. It’s a nice front-end to iptables.

sudo apt-get install ufw

The rules are applied in the order these commands are given. By default, we deny all incoming traffic. Then we add exceptions:

# Logs are stored in /var/log/ufw.log
sudo ufw logging on

# Deny everything by default
sudo ufw default deny

# Allow access from internal networks
sudo ufw allow from 192.168.0.0/16
sudo ufw allow from 10.0.0.0/8

# Allow SSH (=> port 22), HTTP (=> port 80) from anywhere
sudo ufw allow 22
sudo ufw allow 80

# This also works, see /etc/services
sudo ufw allow https
sudo ufw allow rsync

# Rate-limit SSH (6 attempts in 30 seconds, default)
sudo ufw limit ssh/tcp

Finally, activate the settings:

sudo ufw status verbose
sudo ufw enable

UFW will automatically start on bootup. If you add more rules, remember to reload the config:

sudo ufw reload