There are a few simple steps I consider important to securing a new Raspbian installation:
- Remove the default pi user
- Prevent root login
- Use ssh key-pair authentication
Remove the default pi user
Every default Raspbian installation comes preconfigured with the same default user, 'pi'. To make it hard for an attacker to gain access to your system, create a new user in place of 'pi' with the same group memberships.
Login as user 'pi' and type the command groups to see a list of groups the user belongs to. You will get a list similar to this (pay attention, your version may differ):
pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi
Create a user belonging to all the above groups except the first one ('pi'):
sudo useradd -m -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,netdev,input newuser
Replace newuser above with the username you want to create.
Now set a password for newuser:
sudo passwd newuser
Make some adjustments to sudo:
By default, members of group sudo will have access to everything. Whether this is a good idea or not is outside the scope of this article. For now we will simply add our new user in place of 'pi'.
sudo visudo # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d pi ALL=(ALL) NOPASSWD: ALL
Change (or remove altogether) the last line from 'pi' to the newly created user.
Note be very careful with this visudo! Making a mistake can here may not be undoable. It is a good idea to have a second session open, logged on as root, in case a mistake is made. Log in as 'pi' and use sudo su to gain root privileges.
At the point you end your session and begin a new session logged in as newuser.
Disable the 'pi' user:
sudo passwd -l pi
When you're sure and ready, you may delete the 'pi' user (and all their files) completely:
sudo deluserremove all files pi
Use ssh key-pair authentication
Disabling the default 'pi' account is a good first setp in securing your Raspbian based system. If for some reason you don't do this, or you enable remote ssh logins, then you should consider ssh key-pair authentication.
If you enable remote ssh logins from a publicly facing IP address, you should disable password authentication and use ssh key-pair authentication, which is far superior. Fail to do this, and I can almost guarantee your system will be hacked.
To set up key-pair authentication, you need to generate a set of keys. Each key will have a public and a private component. The public part is copied to the server and is used to verify the incoming connection. Only users with the corresponding private key (which is kept secret) will be allowed access to the system.
Download PuTTY and PuTTYgen:
These are two standalone executables; save them in a convenient location of your choice. Chances are you already use PuTTY to access your system.
Generate your public private key pair with puttygen.exe
The default settings are fine. Click Generate to start the process. Move the mouse around the blank square to generate random input for use in the key.
Once this process is done, the public key will be displayed in the first text box, Copy this key into notepad and save it as raspberrypi.pub.txt. Do not use the 'Save public key' button!
The private key should be encrypted with a passphrase. This adds an extra layer of security in that if the key is ever comprimised, it cannot be used without the passphrase. Needless to say, choose a passphrase you will remember, and don't store it with your private key!
Click on 'Save private key'. Remember the name and location you save it to, and do not share this file with anyone!
Next we configure PuTTY to use our private key for authentication. Run putty.exe
Go to the settings in the left hand pane, under Connection - SSH - Auth. Click the browse button and find the private key file you created in the last step.
Connect as usual. You will be prompted for your username and password as normal. To use key-pair authentication we need to save the public key in the correct location.
Create the directory .ssh under the user's home directory (if it doesn't already exist). Also set appropriate permissions:
mkdir ~/.ssh touch ~/.ssh/authorized_keys chmod 700 ~/.ssh
The .ssh directory should only be writeable by its owner. You might want to lock down the authorized_keys file too:
chmod 600 ~/.ssh/authorized_keys
Now we need to import the public key. I found the easiest way to do this was to use an sftp client like FileZilla to upload a text file containing the public key to the user's home directory, then append it to the authorized_keys. Suppose the file was named raspberrypi.pub.txt, I would run:
cat raspberrypi.pub.txt >> ~/.ssh/authorized_keys
If all went well, the next login attempt will result in a prompt for the private key's passphrase:
login as: xxx Authenticating with public key "rsa-key-20151108" Passphrase for key "rsa-key-20151108":
Assuming the key-pair authentication is working, we can now disable password authentication.
Set the following configuration option:
Restart the ssh service:
sudo service ssh restart
From now on, if someone tries to log in without the appropriate private key, they will be rejected:
A few things to keep in mind
Setting up a (reasonably) secure home web-server with Raspberry Pi:
Linode has an excellent tutorial covering key-pair authentication, as well as other useful tips:
A good explanation of how key-pair authentication works:
Some stackexchange discussions on securing Raspberry Pi: