Secure setup for Raspberry Pi

This post is documentation I’ve written for myself on securely setting up a new Raspberry Pi. Hopefully it’s of some use to someone else as well.

The steps below have been tested on a Raspberry Pi 4 B running Raspberry Pi OS Lite. They might work for other models and OSes too.

The assumption is that you are able to access the Raspberry Pi through SSH.

Outline:

  1. Initial configuration
  2. User access
  3. Secure SSH
  4. Essential software
  5. Automatic updates
  6. Remote access

Initial configuration

  1. Configure settings by running sudo raspi-config and set (at least):
    1. Hostname
    2. Locale(s); set the default to en_US.UTF-8 UTF-8
    3. Timezone
    4. Finally, reboot by running sudo reboot
  2. If connected to the internet by cable, disable WLAN (and optionally Bluetooth, if not needed)
    1. Edit file: sudo nano /boot/config.txt
    2. Add the following to the file:

       # Disable wireless services
       dtoverlay=disable-wifi
       dtoverlay=disable-bt

User access

  1. If you did not set a user when creating the install image (and are thus currently using the default pi user):
    1. Change the password for the pi user with passwd
    2. Create a new user with sudo adduser <username> and then give it sudo privileges with sudo adduser <username> sudo
    3. Delete the pi user with sudo deluser --remove-home pi
  2. Make sudo require a password
    1. Edit file: sudo nano /etc/sudoers.d/010_pi-nopasswd
      1. Find the line: <username> ALL=(ALL) NOPASSWD: ALL
      2. Replace it with: <username> ALL=(ALL) PASSWD: ALL

Secure SSH

  1. Change the default SSH port (for example to 1111)
    1. Edit file: sudo nano /etc/ssh/sshd_config
    2. Replace #Port 22 with Port 1111 (or any other port of your choosing)
    3. Save, exit and restart the server with sudo service ssh restart
  2. Set up SSH keys
    1. On the host machine run ssh-keygen -t ed25519 and save the key with raspberrypi as the file name
    2. Copy the public key to the RPi: ssh-copy-id -i raspberrypi.pub -p 1111 <username>@<host>
  3. Configure SSH settings with sudo nano /etc/ssh/sshd_config
    1. Disable root login by uncommenting and changing: PermitRootLogin no
    2. Force public-key authentication by uncommenting and changing: PubkeyAuthentication yes
    3. Disable password authentication by uncommenting and changing: PasswordAuthentication no
    4. Disable PAM by uncommenting and changing: UsePAM no
  4. Finally, restart SSH with sudo service ssh restart
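Before restarting sshd (and while your current session is still open), it is worth checking that the five settings above actually took effect, since a typo or a leftover earlier line (sshd uses the first uncommented occurrence of a keyword) silently leaves the default in place. The audit function below is an added example, not part of the original post; it reads an sshd_config path (default /etc/ssh/sshd_config) and reports every keyword that is missing or differs from the values set in this section. The demo at the bottom runs it on a constructed sample file rather than a real Pi config.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the values from "Secure SSH".
# Usage: audit_sshd_config [path]   (default: /etc/ssh/sshd_config)
# Returns 0 only if every expected keyword is present with the expected value.
# Like sshd, the FIRST uncommented occurrence of a keyword wins; keywords
# inside Match blocks are not treated specially here.
audit_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    rc=0
    for pair in "Port 1111" "PermitRootLogin no" "PubkeyAuthentication yes" \
                "PasswordAuthentication no" "UsePAM no"; do
        key="${pair%% *}"
        want="${pair#* }"
        # Keywords are case-insensitive; a commented line has '#Port' as $1,
        # so it never matches. Only the "Keyword value" form is handled.
        have=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ -z "$have" ]; then
            echo "MISSING: $key (want $want; sshd falls back to its default)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG:   $key is '$have', want '$want'"
            rc=1
        else
            echo "ok:      $key $have"
        fi
    done
    return "$rc"
}

# Stand-alone demo on a constructed sample (not a real Pi config): the
# commented '#Port 22' is ignored and 'Port 1111' is used, while
# PasswordAuthentication is still 'yes' and UsePAM is absent.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 1111' 'PermitRootLogin no' \
    'PubkeyAuthentication yes' 'PasswordAuthentication yes' > "$sample"
if audit_sshd_config "$sample"; then
    echo "sshd_config matches the hardening steps"
else
    echo "sshd_config needs attention before restarting sshd"
fi
rm -f "$sample"
```

Run it as sudo sh audit.sh after editing, and again after the restart with ssh -p 1111 from the host to confirm the key login still works.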

Essential software

  1. Run sudo apt update && sudo apt upgrade to update the package lists and installed packages
  2. Install Fail2ban: sudo apt install fail2ban
  3. Install firewall: sudo apt install ufw
  4. Configure and enable the firewall by running the following commands:
    1. sudo ufw default deny incoming
    2. sudo ufw default allow outgoing
    3. sudo ufw allow from <host-ip> proto tcp to any port 1111 to allow SSH access from the host to the custom port
    4. sudo ufw limit 1111
    5. sudo ufw allow http
    6. sudo ufw allow https
    7. sudo ufw logging on
    8. sudo ufw enable

Automatic updates

  1. Install packages with sudo apt install unattended-upgrades mailutils
  2. Configure settings with sudo nano /etc/apt/apt.conf.d/50unattended-upgrades and:
    1. Uncomment the line //Unattended-Upgrade::Mail "";
    2. Add the local user who should receive notifications by changing the line to Unattended-Upgrade::Mail "<username>";
  3. Set up periodic upgrades with sudo nano /etc/apt/apt.conf.d/02periodic and paste the following (the file should be empty) to enable automatic daily updates:

     APT::Periodic::Enable "1";
     APT::Periodic::Update-Package-Lists "1";
     APT::Periodic::Download-Upgradeable-Packages "1";
     APT::Periodic::Unattended-Upgrade "1";
     APT::Periodic::AutocleanInterval "1";
     APT::Periodic::Verbose "2";

Remote access

  1. Install prerequisite packages with sudo apt install lsb-release curl
  2. Grab the GPG key for the Tailscale repository with curl -L https://pkgs.tailscale.com/stable/raspbian/$(lsb_release -cs).noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
  3. Add Tailscale repository with echo "deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/raspbian $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/tailscale.list
  4. Update the package list with sudo apt update and install Tailscale with sudo apt install tailscale
  5. Run sudo tailscale up and follow the instructions
  6. Update UFW to allow SSH access over Tailscale with: sudo ufw allow in on tailscale0

Sources: