Skip to content

Securing Raspbian

Posted by Sylvester Rac on

There are a few simple steps I consider important to securing a new Raspbian installation:

  • Remove the default pi user
  • Prevent root login
  • Use ssh key-pair authentication

Remove the default pi user

Every default Raspbian installation comes preconfigured with the same default user, 'pi'. To make it hard for an attacker to gain access to your system, create a new user in place of 'pi' with the same group memberships.

Login as user 'pi' and type the command groups to see a list of groups the user belongs to. You will get a list similar to this (pay attention, your version may differ):

pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi

Create a user belonging to all the above groups except the first one ('pi'):

sudo useradd -m -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,netdev,input newuser

Replace newuser above with the username you want to create.

Now set a password for newuser:

sudo passwd newuser

Make some adjustments to sudo:

By default, members of group sudo will have access to everything. Whether this is a good idea or not is outside the scope of this article. For now we will simply add our new user in place of 'pi'.

sudo visudo

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
pi ALL=(ALL) NOPASSWD: ALL

Change (or remove altogether) the last line from 'pi' to the newly created user.

Note be very careful with this visudo! Making a mistake can here may not be undoable. It is a good idea to have a second session open, logged on as root, in case a mistake is made. Log in as 'pi' and use sudo su to gain root privileges.

At the point you end your session and begin a new session logged in as newuser.

Disable the 'pi' user:

sudo passwd -l pi

When you're sure and ready, you may delete the 'pi' user (and all their files) completely:

sudo deluser --remove-all-files pi

Use ssh key-pair authentication

Disabling the default 'pi' account is a good first setp in securing your Raspbian based system. If for some reason you don't do this, or you enable remote ssh logins, then you should consider ssh key-pair authentication.

If you enable remote ssh logins from a publicly facing IP address, you should disable password authentication and use ssh key-pair authentication, which is far superior. Fail to do this, and I can almost guarantee your system will be hacked.

To set up key-pair authentication, you need to generate a set of keys. Each key will have a public and a private component. The public part is copied to the server and is used to verify the incoming connection. Only users with the corresponding private key (which is kept secret) will be allowed access to the system.

Download PuTTY and PuTTYgen:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

These are two standalone executables; save them in a convenient location of your choice. Chances are you already use PuTTY to access your system.

Generate your public private key pair with puttygen.exe

puttygen.exe
Click Generate to create a new public/private key pair

The default settings are fine. Click Generate to start the process. Move the mouse around the blank square to generate random input for use in the key.

Once this process is done, the public key will be displayed in the first text box, Copy this key into notepad and save it as raspberrypi.pub.txt. Do not use the 'Save public key' button!

The private key should be encrypted with a passphrase. This adds an extra layer of security in that if the key is ever comprimised, it cannot be used without the passphrase. Needless to say, choose a passphrase you will remember, and don't store it with your private key!

Click on 'Save private key'. Remember the name and location you save it to, and do not share this file with anyone!

Next we configure PuTTY to use our private key for authentication. Run putty.exe

Go to the settings in the left hand pane, under Connection - SSH - Auth. Click the browse button and find the private key file you created in the last step.

Connect as usual. You will be prompted for your username and password as normal. To use key-pair authentication we need to save the public key in the correct location.

Create the directory .ssh under the user's home directory (if it doesn't already exist). Also set appropriate permissions:

mkdir ~/.ssh
touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh

The .ssh directory should only be writeable by its owner. You might want to lock down the authorized_keys file too:

chmod 600 ~/.ssh/authorized_keys

Now we need to import the public key. I found the easiest way to do this was to use an sftp client like FileZilla to upload a text file containing the public key to the user's home directory, then append it to the authorized_keys. Suppose the file was named raspberrypi.pub.txt, I would run:

cat raspberrypi.pub.txt >> ~/.ssh/authorized_keys

If all went well, the next login attempt will result in a prompt for the private key's passphrase:

login as: xxx
Authenticating with public key "rsa-key-20151108"
Passphrase for key "rsa-key-20151108":

Assuming the key-pair authentication is working, we can now disable password authentication.

Edit /etc/ssh/sshd_config

Set the following configuration option:

PasswordAuthentication no

Restart the ssh service:

sudo service ssh restart

From now on, if someone tries to log in without the appropriate private key, they will be rejected:

Password authentication not available

A few things to keep in mind

 

Further reading

Setting up a (reasonably) secure home web-server with Raspberry Pi:

Linode has an excellent tutorial covering key-pair authentication, as well as other useful tips:

A good explanation of how key-pair authentication works:

Some stackexchange discussions on securing Raspberry Pi:

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

The author does not allow comments to this entry

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA 1CAPTCHA 2CAPTCHA 3CAPTCHA 4CAPTCHA 5


Form options