Raspberry Pi boards are fantastic for any project — they’re cheap, easy to use, can run a wide range of possible operating systems, and provide programmable GPIO pins as well as multi-core CPU availability and multiple USB ports.

You can use Raspberry Pi boards for all kinds of automation and information gathering projects. But, if you are not careful, your little hobby project might result in a security risk that acts as an entry point into your network. They can’t perform secure booting such as ARM Trustzone, and the SD card and operating system are not easily encrypted. Follow these security tips to safeguard your Pi and other devices on your network.

Why would anyone hack a Raspberry Pi?

  • Its computing power can be abused for operations like mining cryptocurrency.
  • It can be used as a bounce point to attack other hosts, in order to cover the attacker’s tracks.
  • It’s an entry point to the rest of an internal network. An attacker can easily reach the file servers and try to install ransomware, obtain documents for blackmail, or manipulate the firewall and router settings to ensure persistent access in the future for later nefarious actions, either by attacking the web console of the router or performing uPNP manipulation to open up more ports to the Internet for attack.

Passwords

Change the default passwords — If you are installing a recent version of NOOBS or Raspbian, be sure to change the default password of the “pi” user to something that is long and hard to guess. A passphase like “iamasuckerfor5dollarmojitos” is much better than [email protected]! Even if you plan on disabling the account, this first step is basic protection in case you forget.

User Accounts

Your next step should be to disable the default Pi account in Raspbian. Before doing this, create a new account on the system. You can use the useradd command to do this, with some extra flags to specify that a new home directory be created for the user. Log in as the Pi user and issue the command:

$ sudo /usr/sbin/useradd --groups sudo -m makezine

Use your own username instead of “makezine.” This will create a new account, create a directory for the account (such as /home/makezine), and add the new account to the sudo group so the user can use the sudo command. Once the new user account is created we need to set a password for the account. You can do this using the command:

$ sudo passwd makezine

Next, reset the root password. Choose something long and hard to guess.

$ sudo passwd root

Finally, you’ll want to disable the Pi account:

$ sudo passwd --lock pi

Now you can log out of the Pi account and log in with your new account and password.

Securing SSH

By default, Raspbian installs a remote access shell (SSH) that can be accessed from anywhere. You can disable this by setting up SSH so that only machines with an authorized SSH key can log in. Back up your private keys in at least two locations you trust.

To set them up, edit the SSH configuration file using vi, or another text editor, with the command:

$ sudo vi /etc/ssh/sshd_config

Make sure the following lines are set and uncommented — meaning that the lines are in the file and they aren’t preceded with a hash tag symbol, which marks a line as a comment and ignores it for configuration purposes:

# Authentication:
 LoginGraceTime 120
 PermitRootLogin no
 StrictModes yes

RSAAuthentication yes
 PubkeyAuthentication yes
 AuthorizedKeysFile %h/.ssh/authorized_keys

# To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
 PasswordAuthentication no

UsePAM no

The last line is very important since it will disable Pluggable Authentication Modules (PAM), or native Linux authentication, and only allow users to log in with a key. Next, generate an SSH key. You can do this with PuTTY on Windows or with the ssh-keygen command on Linux. Create a .ssh directory in your user’s home directory and an authorized_keys file with the following commands. Be sure to set the permissions properly (otherwise the key based authentication will fail):

$ mkdir ~/.ssh
 $ chmod 0700 ~/.ssh
 $ touch ~/.ssh/authorized_keys
 $ chmod 0600 ~/.ssh/authorized_keys

Next use your text editor to edit the authorized_keys file and paste in the public key you generated so you can log in. Be sure to restart SSH to ensure the changes take effect using the command:

$ sudo systemctl restart ssh

Firewall

Once you’ve locked down SSH, you’ll want to ensure that the iptables firewall is running on your Pi. For good measure, you can configure the firewall so that it logs a message whenever a firewall rule is activated and a connection is blocked. First make sure that iptables is installed using the command:

$ sudo apt-get install iptables iptables-persistent

Note that using the iptables firewall will require new kernel modules to be loaded. The easiest way to load them is to reboot your Pi. Once iptables is installed, go ahead and check the current iptables rules with the command:

$ sudo /sbin/iptables -L

This will list the rules, which are probably empty. You can save these rules off to a text file and edit it using the command:

$ sudo /sbin/iptables-save > /etc/iptables/rules.v4

This is the file that iptables-persistent uses when your system boots or reboots to make sure that the firewall is still running. Save, then edit the file so that it looks somewhat like the following (altering whatever rules you need):

$ sudo cat /etc/iptables/rules.v4
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
 -A INPUT -i lo -j ACCEPT
 -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
 # You could modify this to only allow certain traffic
 -A OUTPUT -j ACCEPT

# Allows SSH connections
 # The --dport number is the same as in /etc/ssh/sshd_config
 -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
 -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
 -A INPUT -j REJECT
 -A FORWARD -j REJECT

COMMIT

Next, ensure your iptables are working properly. This can be tricky because you might be remotely connected via SSH, and if you’ve messed something up you don’t want your connection to be severed. Thankfully, there is a command that will help you by applying rules and asking for confirmation that you can still connect. If you don’t respond in a certain amount of time the program will assume you’ve gotten disconnected and it will roll back your changes. If you do respond, it will apply your changes permanently. To accomplish this use the command:

$ sudo /usr/sbin/iptables-apply /etc/iptables/rules.v4

If everything works, your changes will be applied and you can check them with the command:

$ sudo /sbin/iptables -L

Turn off what you do not need. Ensure your firewall only exposes the services you want, preferably on non-default ports.

Put it on its own network. Ensure the Pi is installed on its own network and that it cannot reach other parts of the network while ensuring its outbound connections to the internet are known and filtered for daily use. You should not be able to contact your home file server or other systems from the Pi, and its internet connectivity should be limited.

Updates and Backups

Update your packages regularly. Check the Raspberry Pi website for updates. You can set up automatic updates by installing the package “unattended-upgrades,” as described on the official Debian wiki.

Backup your configurations. Your SD card will fail. Expect failure and backup your data, or the SD card as a whole, to an external USB thumb drive as part of an encrypted package, file, or filesystem.

Avoid pre-installed ready-to-go images if you can. If you are using a pre-installed image from somewhere, ask yourself why. You need full and utter trust in the creator, who may have cut corners and installed vulnerable software or even backdoors. This can even be unintentional. See if you can install the image or software yourself. If you can’t or won’t, make sure your Pi is in its own network and cannot reach any other systems on your network. If your router has a DMZ segment or a guest Wi-Fi network, that’s an excellent choice for a Pi on the condition that only the services you want to be exposed are exposed to the Internet. If you absolutely need to use a pre-made image:

  • Change all the passwords for all accounts including but not limited to the “pi” user and “root” user. The software that comes with the Raspberry Pi might include more services. Check with “netstat” to see what services are running and check your firewall and router configuration to ensure you are only exposing what’s necessary.
  • Re-generate the SSH keys by performing the following:
# /bin/rm -v /etc/ssh/ssh_host_*
 # dpkg-reconfigure openssh-server
  • Consider changing the running services towards non-standard ports to avoid drive-by and mass scanning of the services. Most attackers are just out to get victims that use default ports.
  • Check back with the author of the image for updates and related security news.

Ensure Continuity

Hardware watchdog timer: If your Raspberry Pi crashes while you’re on vacation, your automated systems will go down too. Raspberry Pi comes with a Broadcom hardware watchdog timer that can reboot the Pi in case it becomes unresponsive.

Heatsink: It would be a shame if your Raspberry Pi ran too hot due to weather or being overclocked. Make sure you have a heatsink on the CPU to ensure that really heavy spikes don’t grind it to a halt. They only cost a few dollars and are easy to install.

Logwatch: Receive nightly emails reporting on the previous day’s activities and alerts with Logwatch. You’ll need to ensure that e-mail is working on your Pi, but the exim4 mail relay agent should work just fine. Install Logwatch using the command:

$ sudo apt-get install logwatch

Then adjust the configuration file at /usr/share/logwatch/default.conf/logwatch.conf to suit your needs. By default, Logwatch will email the root account, so you probably want to set up some sort of relay. You can check out my article on email relays for further advice.