Take These Steps to Secure Your Raspberry Pi Against Attackers

Change your default password

Install a firewall

There are many firewall solutions available for Linux. Before doing this, create a new account on the system.

This documentation will describe some ways of improving the security of your Raspberry Pi. The Pi's popularity could also lead to it being hacked or even stolen, resulting in you losing time, effort and data.

Changing your username

Is The Raspberry Pi Secure?

If necessary, you can use the command below to remove the home folder for the pi user at the same time. Note the data in this folder will be permanently deleted, so make sure any required data is stored elsewhere.

Placing sudo in front of a command runs it as the superuser, and by default this does not require a password. In general this is not a problem. However, if your Pi is exposed to the internet and is somehow compromised (via a webpage exploit, for example), the attacker will be able to change anything that requires superuser privileges, unless you have set sudo to require a password.
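An added example, not code from the article: a small audit for sudoers entries that allow commands without a password, plus a helper that rewrites them so sudo asks for one. The stock Raspbian fragment name /etc/sudoers.d/010_pi-nopasswd is an assumption of this example; the article itself does not give it.

```shell
#!/bin/sh
# Added example (not from the article). Audit sudoers for password-less
# entries such as "pi ALL=(ALL) NOPASSWD: ALL" and rewrite them to require
# a password. The Raspbian fragment path /etc/sudoers.d/010_pi-nopasswd is
# assumed here. Always check an edited file with "visudo -c -f FILE" before
# trusting it: a syntax error in sudoers locks everyone out of sudo.

# Print every uncommented line carrying a NOPASSWD tag, searching a file
# or a whole directory (e.g. /etc/sudoers.d). Returns 0 if any are found.
find_nopasswd_entries() {   # $1 = file or directory, default /etc/sudoers.d
    grep -rhE '^[^#]*NOPASSWD' "${1:-/etc/sudoers.d}" 2>/dev/null
}

# Turn NOPASSWD tags into PASSWD in one fragment: write a temp copy first,
# refuse to install it if a NOPASSWD entry is still present, and give the
# result the 0440 mode sudo expects for files under /etc/sudoers.d.
require_password() {   # $1 = sudoers fragment, e.g. /etc/sudoers.d/010_pi-nopasswd
    f="$1"
    sed 's/NOPASSWD:/PASSWD:/g' "$f" > "$f.new" || return 1
    if grep -qE '^[^#]*NOPASSWD' "$f.new"; then
        rm -f "$f.new"
        return 1
    fi
    chmod 0440 "$f.new" && mv "$f.new" "$f"
}

# Constructed sample with the same content as the stock Raspbian fragment.
write_sample_fragment() {   # $1 = path
    printf '# constructed sample fragment\npi ALL=(ALL) NOPASSWD: ALL\n' > "$1"
}
```

Run find_nopasswd_entries with no argument on the Pi itself to see whether the pi user (or any other) still has a password-less entry.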

This can be as simple as ensuring your version of Raspbian is up-to-date, as an up-to-date distribution contains all the latest security fixes. Full instructions can be found here. If you are using SSH to connect to your Raspberry Pi, it can be worthwhile to add a cron job that specifically updates the ssh-server. The following command, perhaps as a daily cron job, will ensure you have the latest SSH security fixes promptly, independent of your normal update process.

More information on setting up cron can be found here. SSH is a common way of accessing a Raspberry Pi remotely. An even more secure method is to use key based authentication.

The most important thing to do is ensure you have a very robust password. If your Raspberry Pi is exposed to the internet, the password needs to be very secure. This will help to avoid dictionary attacks or the like. You can also allow or deny specific users by altering the sshd configuration. Add, edit, or append to the end of the file the following line, which contains the usernames you wish to allow to log in:

After the change you will need to restart the sshd service using sudo systemctl restart ssh, or reboot, so the changes take effect.

Key pairs are two cryptographically secure keys: one private and one public. The client generates both keys, which are cryptographically linked to each other. The private key should never be released, but the public key can be freely shared. The SSH server keeps a copy of the public key and, when a connection is requested, uses this key to send the client a challenge message, which the client encrypts using the private key.

If the server can use the public key to decrypt this message back to the original challenge, the identity of the client is confirmed. Generating a key pair in Linux is done using the ssh-keygen command on the client; the keys are stored by default in the. The key will be bits long: you can make longer keys if the situation demands it. Note that you should only run the generation process once, since running it again overwrites the existing keys, and anything relying on those old keys will need to be updated to the new ones.

You will be prompted for a passphrase during key generation; for the moment, leave this blank. The public key now needs to be moved onto the server. This can be done by email, cut and paste, or file copying. Once on the server it needs to be added to the SSH server's authorised keys file. Finally, we need to disable password logins, so that all authentication is done by the key pairs.

There are three lines that need to be changed to no, if they are not set that way already:

Save the file and either restart the ssh service with sudo service ssh reload or reboot. This will ensure you can still reach the Internet.

That Raspberry Pi of yours is certainly an impressive box of tricks. Its small dimensions make this little computer extremely easy to pocket, so it is a good idea to keep it and your data under lock and key.
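The key-only login setup described above, as an added example that is not code from the article: an audit of an sshd_config for the password-login settings that must be "no", and a check of the file permissions that key-based login depends on (the article later notes that wrong permissions make it fail). The directive names (PasswordAuthentication, ChallengeResponseAuthentication, UsePAM) and their OpenSSH defaults are assumptions; the article does not name them.

```shell
#!/bin/sh
# Added example, not code from the article: audit an sshd_config for the
# password-login settings the article says to set to "no", and check the
# permissions key-based login depends on. The directive names and their
# OpenSSH defaults below are assumed; the article does not name them.

# Effective value of a directive: sshd honours the FIRST uncommented
# occurrence, or the built-in default when the directive is absent.
sshd_value() {   # $1 = config file, $2 = directive, $3 = default
    v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${v:-$3}"
}

# Return 0 when all three directives resolve to "no"; otherwise list the
# offenders on stdout and return 1.
sshd_password_login_disabled() {   # $1 = config file
    cfg="${1:-/etc/ssh/sshd_config}"
    rc=0
    for pair in PasswordAuthentication:yes ChallengeResponseAuthentication:yes UsePAM:no; do
        key=${pair%%:*}
        def=${pair##*:}
        val=$(sshd_value "$cfg" "$key" "$def")
        if [ "$val" != "no" ]; then
            echo "$key is '$val' (should be no)"
            rc=1
        fi
    done
    return $rc
}

# With StrictModes (on by default) sshd ignores authorized_keys when the
# directory or file is too open; the usual safe modes are 700 for ~/.ssh
# and 600 for authorized_keys. Returns 0 when both hold.
ssh_dir_perms_ok() {   # $1 = path to a .ssh directory
    [ "$(stat -c %a "$1")" = "700" ] || return 1
    [ -f "$1/authorized_keys" ] && [ "$(stat -c %a "$1/authorized_keys")" = "600" ]
}

# Constructed sample resembling a stock Debian-style config (not a real file).
write_sample_sshd_config() {   # $1 = path
    cat > "$1" <<'EOF'
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
}
```

The sample config fails the audit on two counts: PasswordAuthentication is only present as a comment, so the default "yes" applies, and UsePAM is explicitly "yes".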

Also, remember to make backups of your SD cards and any other connected data regularly, lest they be stolen or subverted. Everyone with an Internet connection can use Google to find the default username and password of your Raspberry Pi.

I'm looking at using Jasper and was concerned about password security for my Google account.

First project is a magic mirror with calendar function so it needs the password. BTW I'm a complete noob to this, so for any tech answers can you include links to give me further education?

I found an error in the deluser picture.

I get the same error when I try to delete the pi user. I think the pi user is auto-logged in when booting up the device on tty1. I am seeing this with the who command. Should I force deluser?

That was my case. If you can't find the process number in the error log, look for it with "ps aux | less".

Then, just reconnect with newUsername@raspberrypi; don't reconnect through the "pi" user.

What about adding a password to the root account?

Next, generate an SSH key. Be sure to set the permissions properly, otherwise key-based authentication will fail:

Be sure to restart SSH to ensure the changes take effect, using the command:

For good measure, you can configure the firewall so that it logs a message whenever a firewall rule is activated and a connection is blocked.

First make sure that iptables is installed using the command:

Note that using the iptables firewall will require new kernel modules to be loaded. The easiest way to load them is to reboot your Pi. Once iptables is installed, go ahead and check the current iptables rules with the command:

This will list the rules, which are probably empty. You can save these rules off to a text file and edit it using the command:

This is the file that iptables-persistent uses when your system boots or reboots to make sure that the firewall is still running.

Save, then edit the file so that it looks somewhat like the following, altering whatever rules you need:

Next, ensure your iptables rules are working properly. Thankfully, there is a command that will help you by applying the rules and asking for confirmation that you can still connect.

If you do respond, it will apply your changes permanently. To accomplish this use the command:

Turn off what you do not need. Ensure your firewall only exposes the services you want, preferably on non-default ports.

Put it on its own network. Ensure the Pi is installed on its own network and that it cannot reach other parts of the network, while ensuring its outbound connections to the internet are known and filtered for daily use.

You should not be able to contact your home file server or other systems from the Pi, and its internet connectivity should be limited.

Update your packages regularly. Check the Raspberry Pi website for updates.

Your SD card will fail. Expect failure and back up your data, or the SD card as a whole, to an external USB thumb drive as part of an encrypted package, file, or filesystem.

Avoid pre-installed ready-to-go images if you can.

If you are using a pre-installed image from somewhere, ask yourself why. You need full and utter trust in the creator, who may have cut corners and installed vulnerable software or even backdoors. This can even be unintentional. See if you can install the image or software yourself. If you absolutely need to use a pre-made image:

Raspberry Pi comes with a Broadcom hardware watchdog timer that can reboot the Pi in case it becomes unresponsive.

