Make your Raspberry Pi more secure

Most users connect their Raspberry Pi to the network and use it just like a regular PC for reading mail and web surfing. Other common applications include file sharing servers and home multimedia centers. However, by connecting it to the outside world you basically make it a target for different kinds of attacks. If you are running services on your RPi (like a web or FTP server), your little device has even more chances of getting attacked. If one of these attacks is successful you can lose the information stored on your device or end up as a spam server. Several precautionary measures that can make your Pi more secure will be presented in this article. But keep in mind that securing a computer is a complex task and your Pi will never be as secure as you are expecting. And yes, read our disclaimer.

Keep your system up to date

Well, the good news is that the RPi runs on different Linux distributions. In that way you are protected from much of the malware, worms and viruses that are around these days and affect Windows based machines. But good practice is still to keep your system updated and patched. Therefore, regularly run a package update:

sudo apt-get update
sudo apt-get upgrade

Apart from that, it is wise to sometimes update the RPi firmware:

sudo rpi-update

If this package is not present at your system, just install it with the following command:

sudo apt-get install rpi-update

SSH

Many users remotely connect to their RPi over SSH. While this is a great way to communicate with your device, it can become a major security hole if you are using authentication with a weak password. By using a brute force attack someone can guess your password and gain access to your system.

There are several ways to improve the security of your SSH connection. A default installation of the RPi will probably have an SSH daemon running. Basically, this means that the RPi is listening on a particular port (22 by default) for incoming connections. If a remote host asks for a connection this will be logged to /var/log/auth.log. If your RPi has been connected to the internet for a couple of days, you are likely to see a number of attempts with different usernames and passwords logged in this file. These are brute force attacks performed by automatic scripts which use dictionaries that contain common usernames and passwords (like username: root, password: 1234). What can you do? First, use a strong password. Second, disable remote root login. This can be done through the sshd config file:

sudo nano /etc/ssh/sshd_config

by changing the line PermitRootLogin to no. In this config file you can also change the default port for SSH (22) to something else (e.g. 2100). This usually lowers the number of attempts. However, a certain number of (un)successful attempts will still be present, so you can take additional security measures. One is key pair authentication. Here is a great tutorial about key authentication setup. In essence, the remote connection is based on a key pair: public and private. The public key is stored on your Raspberry Pi and the private key on the computer from which you wish to connect to the Raspberry Pi. Since the password is never transferred between the remote host and the computer from which you are trying to access it, this method is much more secure than password based authentication. However, you must keep your private key in a safe place. The keys can be generated on the RPi with the ssh-keygen command or with the PuTTY program. Once you have set up key based login, you should disable password based authentication in sshd_config by setting the line PasswordAuthentication to no.
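The three sshd_config changes above, applied from a script instead of by hand in nano. This is an added example, not code from the original article; it assumes the usual "Key value" layout without Match blocks, and the helper names (set_sshd_option, harden_sshd_config, effective_value) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): apply the three sshd_config
# changes described above (PermitRootLogin no, PasswordAuthentication no, a
# non-default Port) to a given file. Assumes the usual "Key value" layout with
# no "Match" blocks, since a key appended after a Match line would only apply
# inside that block. Check the result with "sudo sshd -t" before restarting sshd.

# set_sshd_option FILE KEY VALUE: the first line for KEY, even if it is commented
# out, becomes "KEY VALUE"; later duplicates are commented out; absent keys are appended.
set_sshd_option() {
    file="$1" key="$2" val="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v val="$val" '
        $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") {
            if (!done) { print key " " val; done = 1 }   # first hit: set the value
            else       { print "# " $0 }                   # duplicate: neutralise it
            next
        }
        { print }
        END { if (!done) print key " " val }               # key absent: append it
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_sshd_config FILE [PORT]: the settings recommended in the text above.
# Only switch PasswordAuthentication off after key-based login has been verified
# from another session, otherwise you lock yourself out of the Pi.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" Port "${2:-2100}"
}

# effective_value FILE KEY: the value sshd will use (first uncommented line wins)
effective_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}
```

Run it as `sudo sh -c '. ./harden.sh; harden_sshd_config /etc/ssh/sshd_config 2100'` and then `sudo sshd -t` before restarting the service.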

Install and configure fail2ban

As already stated, remote authentication over SSH is logged to your Raspberry Pi. You can see the log by running the following command:

sudo cat /var/log/auth.log | more

Usually, you will see a number of brute-force attempts (too many password failures, searches for exploits and so on). To stop these brute-force attacks you can use the firewall that comes with Linux distributions: iptables. This firewall can be quite confusing at first, therefore I recommend reading this tutorial.

Basically what you want to do is ban IP addresses that look suspicious according to the log files. In order to ban an IP address you have to add it to iptables. Luckily, we don't have to look at log files and manually add suspicious IP addresses to iptables. There is a daemon called fail2ban that parses log files and automatically bans suspicious IP addresses with iptables. Install fail2ban with the following command:

sudo apt-get install fail2ban

You can use fail2ban with any service that writes log files, like Apache, FTP, etc. The configuration for different services can be found in /etc/fail2ban/jail.conf. The default configuration only monitors SSH and bans a suspicious IP after 6 unsuccessful attempts for 600 seconds. You can change these settings by adding the appropriate lines to /etc/fail2ban/jail.local. For example, I want to permanently ban a suspicious IP address after only 2 attempts. Apart from that, I want to ban access for this IP on all ports, so I changed the default banaction to iptables-allports. So, part of my jail.local file looks like this:

[ssh]
banaction = iptables-allports
bantime = -1
maxretry = 2
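To see what the maxretry setting actually decides, here is the core of fail2ban's sshd rule re-implemented over a handful of auth.log lines. This is an added example, not code from the article or from fail2ban; the log lines are constructed (documentation address ranges, not real attackers) and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the article or of fail2ban itself): a minimal
# re-implementation of fail2ban's sshd filter, run over a constructed auth.log
# excerpt, to show how "maxretry" decides which source addresses get banned.
# The sample lines are invented; 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges, not real attackers.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 raspberrypi sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:15 raspberrypi sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:20 raspberrypi sshd[2204]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Mar  3 10:02:01 raspberrypi sshd[2210]: Failed password for pi from 198.51.100.7 port 40012 ssh2
Mar  3 10:02:40 raspberrypi sshd[2215]: Accepted publickey for pi from 198.51.100.7 port 40020 ssh2
Mar  3 10:03:09 raspberrypi sshd[2220]: Failed password for invalid user test from 192.0.2.44 port 33010 ssh2
Mar  3 10:03:11 raspberrypi sshd[2220]: Failed password for invalid user test from 192.0.2.44 port 33010 ssh2'

# failed_logins: read a log on stdin and print "count ip" for every source
# address with at least one "Failed password" line, most failures first.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# ips_to_ban MAXRETRY: addresses whose failure count reached the jail's maxretry
ips_to_ban() {
    failed_logins | awk -v max="$1" '$1 >= max { print $2 }'
}

# ban_rules MAXRETRY: the iptables commands the iptables-allports action would
# issue for those addresses (printed, not executed, so this is safe to run
# anywhere). Uses the "fail2ban-<name>" chain naming with name=ssh.
ban_rules() {
    ips_to_ban "$1" | while read -r ip; do
        printf 'iptables -I fail2ban-ssh 1 -s %s -j DROP\n' "$ip"
    done
}

# With the article's maxretry = 2 only the two persistent offenders qualify;
# the host that failed once and then logged in with a key is left alone.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_rules 2
```

Pipe your real log through it with `sudo cat /var/log/auth.log | ban_rules 2` to compare against what fail2ban is doing.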

However, I soon realized that all bans disappear from iptables after a reboot. To deal with this issue, I added the following line to the actionstart in my /etc/fail2ban/action.d/iptables-allports.conf file (the file check keeps the first start from failing before any IP has been recorded):

[ -f /etc/fail2ban/ip.list-<name> ] && cat /etc/fail2ban/ip.list-<name> | while read IP; do iptables -I fail2ban-<name> 1 -s "$IP" -j DROP; done

and the following line to the actionban (the grep avoids recording the same range twice):

grep -qxF '<ip>/24' /etc/fail2ban/ip.list-<name> 2>/dev/null || echo '<ip>/24' >> /etc/fail2ban/ip.list-<name>

These commands record the banned IP addresses in the /etc/fail2ban/ip.list-<name> file (ip.list-ssh for the ssh jail) and after a restart the contents of this file are added back to iptables. The careful reader will notice that IP addresses are stored in the ip.list file with the suffix /24. In that way iptables will block the whole range from xxx.xxx.xxx.0 to xxx.xxx.xxx.255, including any other hosts that happen to share it :)

When you have made the necessary updates to the config files, make sure to restart the service:

sudo service fail2ban restart

After a couple of days you should see some IPs that are permanently banned. You can check your iptables with the following command:

sudo iptables -L -n --line-numbers

My RPi has now been running constantly for about two months and there are about sixty IPs that are permanently banned due to unsuccessful SSH authentication attempts.
