This post is documentation I wrote for myself on how to securely set up a new Raspberry Pi. Hopefully it is of some use to someone else as well.
The steps below have been tested on a Raspberry Pi 4 B running Raspberry Pi OS Lite. They might work for other models and OSes too.
The assumption is that you are already able to access the Raspberry Pi through SSH.
Outline:
- Initial configuration
- User access
- Secure SSH
- Essential software
- Automatic updates
- Remote access
Initial configuration
Configure settings by running sudo raspi-config
and set (at least):
- Hostname
- Locale(s), set the default to
en_US.UTF-8 UTF-8
- Timezone
If connected to the internet by cable, disable wlan (and optionally Bluetooth if not needed):
- Open the file for editing with
sudo nano /boot/config.txt
(on Raspberry Pi OS Bookworm and later the same file lives at /boot/firmware/config.txt)
- Add the following to the file:
```
# Disable wireless services
dtoverlay=disable-wifi
dtoverlay=disable-bt
```
Finally, reboot by running sudo reboot
User access
If you did not set a user when creating the install image (and are therefore still using the default pi user):
- Change the password of the pi user with
passwd
- Create a new user with
sudo adduser <username>
and grant it sudo privileges with
sudo adduser <username> sudo
- Log out, log back in as the new user and check that sudo works before touching pi; then delete the pi user with
sudo deluser --remove-home pi
(deluser refuses while the user still has running processes, which is one more reason to do this from the new account)
- Make sudo require a password
- Open the file for editing with
sudo nano /etc/sudoers.d/010_pi-nopasswd
(using sudo visudo -f with the same path does the same but syntax-checks the file on save; a malformed sudoers file locks you out of sudo)
- Find the line
<username> ALL=(ALL) NOPASSWD: ALL
- Replace the line with:
<username> ALL=(ALL) PASSWD: ALL
(or delete the file altogether: members of the sudo group already get password-prompted sudo from /etc/sudoers)
Secure SSH
- Change the default SSH port (for example to 1111)
- Edit the file:
sudo nano /etc/ssh/sshd_config
- Replace
#Port 22
with
Port 1111
(or any other free port of your choosing; a non-default port only cuts the log noise from scanners, it is not a substitute for the key-only login set up below)
- Save, exit and restart the SSH server with
sudo service ssh restart
Keep your current session open and connect again with -p 1111 from a second terminal before closing it.
- Set up SSH keys
- On the host machine run
ssh-keygen -t ed25519 -f ~/.ssh/raspberrypi
(or enter raspberrypi as the file name when prompted)
- Copy the public key to the RPi:
ssh-copy-id -i ~/.ssh/raspberrypi.pub -p 1111 <username>@<hostname>
- Test the key login from the host with
ssh -i ~/.ssh/raspberrypi -p 1111 <username>@<hostname>
before password authentication is disabled in the next step; a Host entry in ~/.ssh/config saves typing the key path and port every time.
- Configure SSH settings with
sudo nano /etc/ssh/sshd_config
- Disable root login by uncommenting and changing:
PermitRootLogin no
- Require public key authentication by uncommenting and changing:
PubkeyAuthentication yes
- Disable password authentication by uncommenting and changing:
PasswordAuthentication no
- Disable PAM by uncommenting and changing:
UsePAM no
(if you would rather keep UsePAM yes, also set KbdInteractiveAuthentication no, otherwise PAM can still prompt for a password through keyboard-interactive; on OpenSSH older than 8.7 the directive is called ChallengeResponseAuthentication)
Note that the Debian sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf and sshd uses the first value it sees for a directive, so a file in that directory silently overrides anything you set further down.
Finally, check the syntax with sudo sshd -t and the effective values with sudo sshd -T, then restart SSH with sudo service ssh restart. Do this from a session you keep open and confirm a fresh key-based login works before closing it.
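The same sshd_config edits as a script, added here as an example that is not part of the original post. It works on a copy of the file and reports the effective values, so the live daemon is never edited blind; it assumes GNU sed as shipped on Raspberry Pi OS, and the sample config it creates is constructed, not a real file.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply the "Secure SSH" settings
# to a COPY of sshd_config and read back what sshd would use.
set -euo pipefail

# Set a directive to a value whether it is commented out ("#Port 22"),
# set to something else, or missing entirely. Every matching line is
# rewritten, so a stale duplicate cannot survive above the new value.
set_directive() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -Ei "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}

# Value sshd will use for a directive: the first uncommented occurrence wins,
# which is how sshd itself resolves duplicates outside Match blocks.
get_directive() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The post's settings, plus KbdInteractiveAuthentication, which must be "no"
# as well whenever UsePAM is left at "yes" (PAM can otherwise prompt for a
# password through keyboard-interactive despite PasswordAuthentication no).
harden_sshd_config() {
  local file=$1 port=${2:-1111}
  set_directive "$file" Port "$port"
  set_directive "$file" PermitRootLogin no
  set_directive "$file" PubkeyAuthentication yes
  set_directive "$file" PasswordAuthentication no
  set_directive "$file" KbdInteractiveAuthentication no
  set_directive "$file" UsePAM no
}

# Constructed excerpt resembling a stock Debian / Raspberry Pi OS sshd_config.
write_sample_config() {
  cat >"$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
EOF
}

# Demo: harden a throwaway copy and print the resulting directives.
demo_sshd_hardening() {
  local tmp
  tmp=$(mktemp)
  write_sample_config "$tmp"
  harden_sshd_config "$tmp" 1111
  grep -Ev '^(#|$)' "$tmp"
  rm -f "$tmp"
}

demo_sshd_hardening
```

To use it on the real file, run harden_sshd_config against a copy of /etc/ssh/sshd_config, diff the copy against the original, install it, then run sudo sshd -t before restarting. Because of the Include line, sudo sshd -T (which prints keywords in lower case) is the only reliable way to see the values sshd actually applies.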
Essential software
- Run
sudo apt update && sudo apt upgrade
to refresh the package lists and upgrade installed packages
- Install Fail2ban:
sudo apt install fail2ban
Fail2ban's default sshd jail bans on the standard port (port = ssh, i.e. 22). After moving SSH to 1111, set port = 1111 in a jail.local override, otherwise bans never reach the port attackers are actually hitting. On Raspberry Pi OS Bookworm there is also no /var/log/auth.log (rsyslog is not installed), so the jail needs backend = systemd to read the journal.
- Install the firewall:
sudo apt install ufw
- Configure and enable the firewall by running the following commands:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from <ip> proto tcp to any port 1111
to allow SSH access from the host to the custom port, or
sudo ufw limit 1111
to allow rate-limited SSH from anywhere (pick one: limit opens the port to every source, which makes the from <ip> rule redundant)
sudo ufw allow http
sudo ufw allow https
sudo ufw logging on
sudo ufw enable
ufw enable warns that it may disrupt existing SSH connections; with the allow rule for your port already in place, as above, the current session survives.
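The Fail2ban override for the custom port, plus a check that it agrees with sshd_config, as an added example that is not part of the original post. The jail.local it writes is my own; the admin address, the temporary paths and the sample sshd_config are constructed for the demo and need replacing with your own values.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render a fail2ban jail.local that
# bans on the custom SSH port, and verify it matches the port sshd listens on.
# The stock Debian jail uses "port = ssh" (22), so after moving sshd to 1111
# every ban would block the wrong port.
set -euo pipefail

# Render jail.local. PORT must equal the Port in sshd_config; IGNOREIP is the
# admin host that must never be banned (the <ip> from the ufw rule).
write_jail_local() {
  local path=$1 port=$2 ignoreip=$3
  cat >"$path" <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 ${ignoreip}
bantime  = 1h
findtime = 10m
maxretry = 5
# ban through ufw so bans are visible in 'ufw status' beside your own rules
banaction = ufw

[sshd]
enabled = true
port = ${port}
# Raspberry Pi OS Bookworm has no rsyslog and so no /var/log/auth.log;
# read sshd's messages from the journal instead
backend = systemd
EOF
}

# Port sshd listens on: first uncommented Port line, 22 when none is set.
sshd_port() {
  local p
  p=$(awk '$1 == "Port" { print $2; exit }' "$1")
  printf '%s\n' "${p:-22}"
}

# Port the [sshd] jail bans on (the "port =" value inside that section only).
jail_port() {
  awk -F= '
    /^\[sshd\]/ { in_sshd = 1; next }
    /^\[/       { in_sshd = 0 }
    in_sshd && $1 ~ /^port[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }
  ' "$1"
}

# Succeeds only when fail2ban will ban on the same port sshd listens on.
ports_match() {
  [ "$(sshd_port "$1")" = "$(jail_port "$2")" ]
}

# Demo with constructed files: a matching jail, then the stock "ssh" mismatch.
demo_fail2ban_check() {
  local cfg jail
  cfg=$(mktemp) jail=$(mktemp)
  printf 'Port 1111\nPasswordAuthentication no\n' >"$cfg"   # constructed sshd_config
  write_jail_local "$jail" 1111 203.0.113.10                   # assumed admin address
  ports_match "$cfg" "$jail" && echo "ok: jail bans on port $(jail_port "$jail")"
  write_jail_local "$jail" ssh 203.0.113.10
  ports_match "$cfg" "$jail" || echo "mismatch: sshd on $(sshd_port "$cfg"), jail on $(jail_port "$jail")"
  rm -f "$cfg" "$jail"
}

demo_fail2ban_check
```

On the Pi, write the file to /etc/fail2ban/jail.local, run sudo fail2ban-client -t to validate it, restart fail2ban, and confirm with sudo fail2ban-client status sshd that the jail is running; the ports_match check against /etc/ssh/sshd_config is worth repeating whenever you change either file.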
Automatic updates
- Install the packages with
sudo apt install unattended-upgrades mailutils
(mailutils pulls in a mail transport agent; when asked for the mail configuration type, Local only is enough for notifications to a local user)
- Configure settings with
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
and:
- Uncomment the line
//Unattended-Upgrade::Mail "";
- Add the local user who should receive notifications by changing the line to
Unattended-Upgrade::Mail "<username>";
- Check that the origins listed in the same file cover the Raspberry Pi repositories: the defaults target Debian origins, while packages from the Raspberry Pi repositories carry the origin Raspberry Pi Foundation (and Raspbian on 32-bit images), and anything from an unlisted origin is never upgraded automatically. sudo unattended-upgrades --dry-run --debug prints the allowed origins and the packages it would upgrade, which is the quickest way to confirm the configuration actually does something.
- Set up periodic upgrades with sudo nano /etc/apt/apt.conf.d/02periodic and paste the following (the file should be empty) to enable automatic daily updates:
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Verbose "2";
Remote access
- Install prerequisite packages with
sudo apt install lsb-release curl
- Grab the GPG key for the Tailscale repository with
curl -L https://pkgs.tailscale.com/stable/raspbian/$(lsb_release -cs).noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
- Add the Tailscale repository with
echo "deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/raspbian $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/tailscale.list
- Update the package list with
sudo apt update
and install Tailscale with
sudo apt install tailscale
- Run
sudo tailscale up
and follow the instructions (it prints a login URL to authorise the device on your tailnet)
- Update UFW to allow SSH access over Tailscale with:
sudo ufw allow in on tailscale0
This admits every inbound port on the Tailscale interface; narrow the rule to port 1111 if SSH is all you need. Once SSH over Tailscale works, you can drop the public allow rule for port 1111 and reach the Pi only through the tailnet.
Sources and more information: