Raspberry Pi Security basics
Open source reformed the way software is written. Multiple armies of people are working in cyber security nowadays: one half is trying to crack every device ever made, the other half is trying to make the first group's life harder.
Unfortunately, as these armies grew, every device became a target for researchers who are looking to build their botnets and sell compromised data.
There is a really nice basic security how-to on the Mastodon installation page that I am going to use as a reference.
Enable SSH
On your Raspberry Pi, you want to enable SSH. The simplest way, if you have access to a screen and a keyboard, is to run sudo raspi-config.
If you do not have a screen and keyboard, you can just create a file named ssh on the boot partition of your Raspberry SD card. If you are planning to connect via WiFi, you also have to set your SSID and password in the /etc/wpa_supplicant/wpa_supplicant.conf file.
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=sk
network={
ssid="WifiName"
psk="Password125"
}
SSH key pair generation
First, if you do not have an SSH key pair, you'll need to generate one.
ssh-keygen -b 4096 -t rsa
The recommended minimum is 2048 bits, ssh-keygen's default is 3072, and 4096 is all right.
This will generate ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. This is your SSH key pair. You give out the public key: copy it to the server's .ssh/authorized_keys file. That file is the SSH server's list of public keys that are allowed to connect.
This means that when you try to connect to a server, it probably sends you a challenge encoded with your public key, which your terminal client will decode using your private key (.ssh/id_rsa) and send back a response that proves you are the one who holds the correct private key.
You do not have to manually do that. If you did not block password access to your server yet, you can just run the command
ssh-copy-id pi@192.168.0.123 -p 3333
ssh-copy-id [user_on_remote]@[address_of_server] -p [port_number]
Now that you have that, you can block password access to your system. This is necessary because passwords are much easier to crack, for a number of reasons.
Disable password auth through SSH
- Disable password authentication. Use RSA keys instead.
  - In /etc/ssh/sshd_config update the line to PasswordAuthentication no
  - It's advised not to use the default port 22, so "dumber" hacking scripts will fail there already. You can do that by updating the line containing Port to Port 1234
  - Restart your SSH and see if you managed!
    sudo service ssh restart
- Use the uncomplicated firewall, set the
  sudo apt update
  sudo apt install ufw
  sudo ufw allow 1234
  - This installs ufw and allows your 1234 port to get connections.
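An added example (not part of the original post) for checking the sshd_config step above: sshd keeps the first value it reads for a keyword, while every Port line adds a listener, so hardening lines appended to the file can silently fail to take effect. The function names and the sample config are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: Include files are
# not followed and only the global section (before the first Match) is read.

# Print "keyword value" for each global setting, keyword lower-cased.
sshd_global() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        {
            key = tolower($1)               # keywords are case-insensitive
            if (key == "match") exit        # global section ends here
            if (NF >= 2) print key, $2
        }
    ' "$1"
}

# Single-valued keywords: sshd keeps the FIRST value it reads, so a line
# appended at the end of the file does not override an earlier one.
sshd_first() {   # FILE KEYWORD DEFAULT
    v=$(sshd_global "$1" | awk -v k="$2" '$1 == tolower(k) { print $2; exit }')
    echo "${v:-$3}"
}

# Port is the exception: every Port line adds a listener (default 22).
sshd_ports() {   # FILE
    p=$(sshd_global "$1" | awk '$1 == "port" { printf "%s%s", s, $2; s = " " }')
    echo "${p:-22}"
}

# Returns 0 only if passwords are off and nothing listens on port 22.
sshd_audit() {   # FILE
    rc=0
    [ "$(sshd_first "$1" PasswordAuthentication yes)" = "no" ] ||
        { echo "password authentication is still enabled"; rc=1; }
    case " $(sshd_ports "$1") " in
        *" 22 "*) echo "sshd still listens on port 22"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: hardening lines appended below earlier settings.
demo_cfg=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' 'Port 22' \
    'Port 1234' 'passwordauthentication no' > "$demo_cfg"
sshd_audit "$demo_cfg" || true   # reports both problems for this sample
rm -f "$demo_cfg"
```

On the Pi itself, sudo sshd -T prints the effective configuration with Include files applied, which is the authoritative check.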
Fail2Ban
Fail2Ban scans through security reports to block compromised IP addresses that try to hack into the system.
sudo apt install fail2ban