Niko Kultalahti

Niko Kultalahti

Current Cloud Specialist, ex-RevOps, future Cloud Developer / Engineer. A father (of one) and a husband (also of one).

Secure setup for Rasperry Pi

Posts

This post is a documentation I’ve written for myself for securely set up a new Raspberry Pi. Hopefully it’s some use to someone else as well.

The steps below have been tested for Rasperry 4 B running Raspberry Pi Lite. They might work for other models and OS’s too.

The assumption is that you are able to access the Raspberry Pi through SSH.

Outline:

  1. Initial configuration
  2. User access
  3. Secure SSH
  4. Essential software
  5. Automatic updates
  6. Remote access

Initial configuration

Configure settings by running sudo raspi-config and set (at least):

  • Hostname
  • Locale(s), set default to en_US.UTF-8 UFT-8
  • Timezone

If connected to internet by cable, disable wlan (and optionally bluetooth if not needed)

  1. Open file for editing with sudo nano /boot/config.txt
  2. Add the following to the file:

`

Disable wireless services

dtoverlay=disable-wifi
dtoverlay=disable-bt
`

Finally, reboot by running sudo reboot

User access

If you have not set user during the creation of install image (and thus are currently using the default pi user):

  1. Change password for pi user with passwd
    • Create new user with sudo adduser <username> and add sudo priviledges with sudo adduser <username> sudo
    • Delete pi user with sudo deluser -remove-home pi
  2. Make sudo require a password
    • Open file for editing with sudo nano /etc/sudoers.d/010_pi-nopasswd
    • Find line <username> ALL=(ALL) NOPASSWD: ALL
    • Replace the line with: <username> ALL=(ALL) PASSWD: ALL

Secure SSH

  1. Change default SSH port (for example to 1111)
    • Edit file: sudo nano /etc/ssh/sshd_config
    • Replace #Port 22 with Port 1111 (or any other free/available port of your choosing
    • Save, exit and restart ssh server with sudo service ssh restart
  2. Set up SSH keys
    • On host machine run ssh-keygen -t ed25519 and save with raspberrypi as file name
    • Copy keys to RPi: ssh-copy-id -i raspberrypi.pub -p 1111 <username@hostname>
  3. Configure SSH settings with sudo nano /etc/ssh/sshd_config
    • Disable root login by uncommenting and changing: PermitRootLogin no
    • Force pubkey authentication by uncommenting and changing: PubkeyAuthentication yes
    • Disable password authentication by uncommenting and changing: PasswordAuthentication no
    • Disable PAM by uncommenting and changing: UsePAM no

Finally, restart SSH with sudo service ssh restart

Essential software

  1. Run sudo apt update && sudo apt upgrade to update packages and repositories
  2. Install Fail2ban: sudo apt install fail2ban
  3. Install firewall: sudo apt install ufw
  4. Configure and enable firewall by running following commands :
    • sudo ufw default deny incoming
    • sudo ufw default allow outgoing
    • sudo ufw allow from <ip> proto tcp to any port 1111 to allow ssh access from host to custom port
    • sudo ufw limit 1111
    • sudo ufw allow http
    • sudo ufw allow https
    • sudo ufw logging on
    • sudo ufw enable

Automatic updates

  1. Install packages with sudo apt install unattended-upgrades mailutils
  2. Configure settings with sudo nano /etc/apt/apt.conf.d/50unattended-upgrades and:
    • Uncomment line //Unattended-Upgrade: :Mail "";
    • Add local user to receive notifications by changing the line to Unattended-Upgrade: :Mail "<username>";
  3. Set periodic upgrades with `sudo nano /etc/apt/apt.conf.d/02periodic and paste the following (the file should be empty) to enable automatic daily updates:

APT::Periodic::Enable “1”;  APT::Periodic::Update-Package-Lists “1”;  APT::Periodic::Download-Upgradeable-Packages “1”;  APT::Periodic::Unattended-Upgrade “1”;  APT::Periodic::AutocleanInterval “1”;  APT::Periodic::Verbose “2”;

Remote access

  1. Install prerequisite packages with sudo apt install lsb-release curl
  2. Grab GPG key for Tailscale reposityory with curl -L https://pkgs.tailscale.com/stable/raspbian/$(lsb_release -cs).noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
  3. Add Tailscale repository with echo "deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/raspbian $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/tailscale.list
  4. Update package list with sudo apt update and install Tailscale with sudo apt install tailscale
  5. Run sudo tailscale up and follow instructions
  6. Update UFW to allow SSH access to tailscale with: sudo ufw allow in on tailscale0/

Sources and more information: