Wednesday, 11 September 2013

How to make your Raspberry Pi more secure

Basic security hardening of a Raspberry Pi

NB: This is just for casual home users and hobbyists who have a Pi at home, behind a domestic broadband router. Further security is needed for any other use, and is not covered by this tutorial. Skip to the further reading at the end of this tutorial for some suggestions on where to go next.

Introduction
The default, or common, configuration on the Raspberry Pi is to allow a login straight to the desktop without a password being asked for, even if one is set or left at the default. Once logged in, root access is then available with the command sudo. This applies to direct access, i.e. using the Pi directly with your tv as a display - which is how most people will be using it.

Remote desktop, ssh, or other remote access will require a login and password. However, the default password might not have been changed. Root access is then available as above with the sudo command. No root password is even asked for. I have a tutorial on this blog for enabling remote desktop access.

This is clearly crazy! So let's fix it.

Make sure everything is uptodate on your Pi

Login to your Pi and go to the Terminal. Run the update process:

$ sudo apt-get update

This may take 5 minutes or more depending on your connection and how much needs to be updated. Did you notice how you just logged into your Pi, and ran a root command probably without any password challenge? We're going to put a stop to that right now.

Change your login password

If you just installed your Pi and didn't change the password for the "pi" login, it will be set at default, probably 'raspberry'. Login to your Pi and go to the LX Terminal. Change your password:

$ passwd

You'll be asked to enter it a second time for confirmation. Make sure it isn't easy to guess, and that only you know it.

Disallow sudo commands for the default 'pi' user

The sudo command allows you to run root commands from a non-root login. The command after sudo is the root command you wish to execute, for example "$ sudo vi /boot/config.txt". sudo access is controlled by a file called /etc/sudoers. You mustn't edit this file with vi, or any other editor, you must edit with the command visudo, which you need to be root for.

Open a terminal, or ssh to the pi. Make a copy of the original sudoers file:

$ su
# cp /etc/sudoers /etc/sudoers.orig

# visudo

Change the line that reads

pi ALL=(ALL) NOPASSWD: ALL
To
pi ALL=(ALL) PASSWD: ALL

Ctrl-x to exit visudo, press y to save, it will ask to save to a temporary file, this is fine, just enter. When it asks "What now?" enter Q to save and exit. The words above in bold underline are simply to show you where to edit.

This means that you can no longer use the sudo command when logged in as pi (the default user). You can only gain root access with the command

$ su

And entering the root password. I have a tutorial on this blog for setting the root password.

NB
Whilst this may be a nuisance for the many instructions that use the command "sudo" you might want to further research the visudo command to enable certain IP addresses to have access without needing the password.

Give yourself a login that can use sudo

You should have a separate login so that you can regularly perform sudo commands without this restriction. Create the login to be used, and set a password.

$ su
# useradd <the login name>
# passwd <the login name>

Now enable <the login name> with visudo as above but allow it without passwords, e.g.

<the login name> ALL=(ALL) NOPASSWD: ALL

Exit and save visudo as you did above. Note, <the login name> is meant to be replaced by the login name you want to use, e.g. mypi or whatever. Some will want to use www-data as the login name for webserver maintenance. The < and > are for illustration only, you don't type them.

Further reading


  • Restrict access to sudo to only trusted IP addresses
  • Enable ssh key exchange and disallow password login
  • iptables
  • Restrict remote desktop access by IP address
  • Enable remote access via ssh


Document in progress. Please keep coming back to see what's added.