Book: Raspberry Pi Beginners Guide: Ultimate Guide For Rasberry Pi, User guide To Get The Most Out Of Your Investment, Hacking, Programming, Python, Best Hardware, Beginners Guide To Rasberry Pi
Previous: Chapter 8: Using Python On Your Raspberry Pi3
Next: Chapter 10: Creating A Classic Game Emulator

Chapter 9: Tips And Tricks To Use Raspberry Pi3

The following steps should be done by new and experienced Raspberry Pi users and will improve the security of your system tenfold.

I will discuss how to delete the default Raspberry Pi ‘pi’ user as well as how to change the password for any other users you create. This is a good first step because if a hacker identifies that your system is running the Raspbian distro, they can assume that there is a user called ‘pi’ on the system and begin trying to crack that user's password. Deleting the default ‘pi’ user and creating a new Raspberry Pi username and password will make it much harder to gain access to your system.

I will also discuss installing Fail2Ban, which will block hackers from brute-forcing your username and password. This is good because it will block the hacker's IP address if they fail to login to your system, so they will be unable to try an unlimited number of username and password combinations to gain access to your system. Another item that I will be discussing is setting up unique SSH keys; this will allow only clients that have the correct keys that you generated to login to your Raspberry Pi. This is one of the most secure ways of logging into your Raspberry Pi because only computers that you give the generated key file to will be able to login, and anyone who doesn't have the key file will be blocked.

The final security tip and trick I will show you will be how to set up automated security updates. This is great if you are using your Raspberry Pi as a server and don't access it often. All Raspbian security updates will be downloaded and applied in the background, so you know you are running the latest and most secure software.

Objective

To learn about and perform basic security steps on our Raspberry Pi that improve the overall security of the Raspberry Pi system.

Material

You will need the following:

1. Remove The Default ‘Pi’ User From Your Raspberry Pi

The first Raspberry Pi tip and trick I will be showing you is removing the default ‘pi’ user from your Raspberry Pi. You will first need to login to the ‘pi’ user and create your new user. I will be creating a user with the username ‘dayz’ in my example. After that we will be able to delete the ‘pi’ user.

Go ahead and open a terminal window or SSH into your Raspberry Pi and run the following command to create your new user (Use the sudo command to run the command as a root user):

sudo adduser dayz

You will be asked to enter a password for your new user. Enter the new password, hit Enter, and confirm it by typing it again. It will then ask you for the full name of this user as well as other information such as a phone number; you can just hit Enter to leave these values blank, or you can fill them out.

Once you get the ‘Is this information correct [Y/n]’ screen you can type Y and then hit Enter.

Now that you have created your new user, you can log in as that user with the password you created earlier and delete the default ‘pi’ user. Log in to your newly created user and type the following command (Use the sudo command to run the command as root):

sudo userdel -r pi

Note: The -r flag will remove the home folder for the ‘pi’ user. Be sure to save any files from this folder if you have anything important in it. You can also drop the ‘-r’ flag if you want to keep the home folder.
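As an added example (not the book's own commands), here is a small pre-flight script covering the checks worth doing before running ‘sudo userdel -r pi’. On Raspbian the ‘pi’ account is the default member of the sudo group, and a user created with adduser is not put in that group automatically, so deleting ‘pi’ before the new user can sudo locks you out of administration. The username ‘dayz’ is the one used above; the passwd and group file arguments default to /etc/passwd and /etc/group and exist only so the checks can be exercised against constructed copies.

```shell
#!/bin/sh
# Added example, not from the book: pre-flight checks before `sudo userdel -r pi`.
# On Raspbian the default 'pi' account is the sudoer; a user created with adduser
# is NOT in the sudo group until you add it, so deleting 'pi' too early locks you
# out of administration. The passwd/group file arguments exist only so the checks
# can be run against constructed copies; they default to the real files.

# user_exists NAME [PASSWD_FILE] -> 0 if NAME has an entry in the passwd file
user_exists() {
  grep -q "^$1:" "${2:-/etc/passwd}"
}

# user_in_group NAME GROUP [GROUP_FILE] -> 0 if NAME appears in GROUP's member list
# (group file format: sudo:x:27:pi,dayz  -> members are the 4th colon field)
user_in_group() {
  awk -F: -v u="$1" -v g="$2" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { exit (found ? 0 : 1) }' "${3:-/etc/group}"
}

# preflight_remove_pi NEWUSER [PASSWD_FILE] [GROUP_FILE]
# Prints one line saying whether it is safe to remove 'pi'; returns 1 if it is not.
preflight_remove_pi() {
  newuser=$1; pw=${2:-/etc/passwd}; gr=${3:-/etc/group}
  if ! user_exists "$newuser" "$pw"; then
    echo "refusing: replacement user '$newuser' does not exist (run: sudo adduser $newuser)"
    return 1
  fi
  if ! user_in_group "$newuser" sudo "$gr"; then
    echo "refusing: '$newuser' is not in the sudo group (run: sudo adduser $newuser sudo)"
    return 1
  fi
  if [ "$(id -un)" = pi ]; then
    echo "refusing: you are logged in as pi; log out and log in as $newuser first"
    return 1
  fi
  if ! user_exists pi "$pw"; then
    echo "nothing to do: there is no 'pi' user in $pw"
    return 1
  fi
  echo "ok: safe to run: sudo userdel -r pi"
}

# Usage: sh preflight.sh dayz   (checks the live /etc/passwd and /etc/group)
if [ $# -gt 0 ]; then
  preflight_remove_pi "$@"
fi
```

Run it as the new user after ‘sudo adduser dayz sudo’; only when it prints the ok line is the userdel step safe to perform.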

2. Change The Default Raspberry Pi User ‘Pi’ Password

I highly suggest removing the ‘pi’ user if you can, but if for any reason you do not want to or cannot, the next best thing to do is to change its password.

Log in to the Raspberry Pi with your ‘pi’ user, open a terminal window and type the following command to change your password:

passwd

You will be prompted to enter your current password followed by the new password. I suggest using a strong password that you can remember, or using a password generator and writing your password down if you will not be logging into the system often.

Once your password is changed you will get the following message:

passwd: password updated successfully

Your password change will take effect immediately.

3. Install Fail2Ban To Ban Brute-Force Attempts On Our Raspberry Pi

Fail2Ban is very easy to install and set up and will drastically improve security on your Raspberry Pi. Fail2Ban works by monitoring your logs for failures and, depending on the settings you configure, it will ban or time out an IP address for a certain amount of time if it fails to login to your server. It is a great tool and a must-have to protect you from brute-force attacks. If you want to find out more information about Fail2Ban check out my article here. It goes into more detail as to what exactly we will be doing and covers more configuration options.

Let's install Fail2Ban by typing the following commands after opening a terminal window or logging in through SSH:

sudo apt-get update
sudo apt-get install fail2ban

The default settings for Fail2Ban are located in ‘/etc/fail2ban/’. There you can see the default settings for the many services you are being protected against. However, do not edit any of these default settings in your ‘/etc/fail2ban/’ file. You will want to edit the ‘/etc/fail2ban/’ file and add your configuration there.

Let's edit our SSH Fail2Ban configuration. Open up the ‘/etc/fail2ban/’ file with the following command:

sudo nano /etc/fail2ban/

Your file should be empty. Let's add the following settings:

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3

After pasting the settings, hit CTRL+X and then Y to save the configuration file.

Restart Fail2Ban with the following command to make your configuration settings live:

sudo service fail2ban restart

At this point Fail2Ban is configured and your server will be protected from brute-force attacks. Note, however, that all bans are cleared when Fail2Ban is restarted or the server is rebooted, so if you manage to ban yourself you can simply restart your Raspberry Pi.
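To make the findtime / maxretry rule above concrete, here is an added example (not the book's or Fail2Ban's own code): a minimal re-implementation of the counting the [ssh] jail performs, run over constructed auth.log lines so the effect of each setting can be seen offline. The sample IPs are from documentation ranges, and only the ‘Failed password’ line shape is matched here, whereas Fail2Ban's shipped sshd filter (/etc/fail2ban/filter.d/sshd.conf) recognises several more failure messages.

```shell
#!/bin/sh
# Added example, not the book's or fail2ban's code: re-creates the counting rule of
# the [ssh] jail (findtime / maxretry) over constructed auth.log lines.

# write_sample_log: constructed sshd lines in the auth.log format that fail2ban's
# "sshd" filter parses. 203.0.113.5 fails three times in 8 seconds; 192.0.2.10 fails
# three times spread over 45 minutes (and also logs in successfully with a key).
write_sample_log() {
  cat <<'EOF'
Mar  1 10:00:01 raspberrypi sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:04 raspberrypi sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  1 10:00:09 raspberrypi sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  1 10:00:12 raspberrypi sshd[1238]: Accepted publickey for dayz from 192.0.2.10 port 40000 ssh2
Mar  1 10:05:00 raspberrypi sshd[1240]: Failed password for dayz from 192.0.2.10 port 40001 ssh2
Mar  1 10:30:00 raspberrypi sshd[1242]: Failed password for dayz from 192.0.2.10 port 40002 ssh2
Mar  1 10:50:00 raspberrypi sshd[1244]: Failed password for dayz from 192.0.2.10 port 40003 ssh2
EOF
}

# would_ban LOGFILE [FINDTIME] [MAXRETRY]
# Prints, in order of banning, each IP that accumulates MAXRETRY failures within a
# FINDTIME-second window, i.e. the IPs fail2ban would hand to the banaction.
# Timestamps are reduced to seconds since midnight, which is enough for this
# single-day sample (fail2ban itself parses full dates).
would_ban() {
  awk -v findtime="${2:-900}" -v maxretry="${3:-3}" '
    function tosec(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    / sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port / {
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
      t = tosec($3)
      n[ip]++; ts[ip, n[ip]] = t
      c = 0
      for (j = 1; j <= n[ip]; j++) if (t - ts[ip, j] <= findtime) c++
      if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }' "$1"
}

# Usage: sh fail2ban_demo.sh demo
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp); write_sample_log > "$tmp"
  echo "findtime=900  maxretry=3:"; would_ban "$tmp" 900 3
  echo "findtime=7200 maxretry=3:"; would_ban "$tmp" 7200 3
  rm -f "$tmp"
fi
```

With the chapter's values (findtime 900, maxretry 3) only 203.0.113.5 is banned; raising findtime to 7200 also catches the slow 192.0.2.10 pattern, which is the trade-off those two numbers encode. On a real Pi, ‘sudo fail2ban-client status ssh’ lists what the [ssh] jail has banned and ‘sudo fail2ban-client set ssh unbanip <IP>’ lifts a self-ban without a reboot; Fail2Ban's convention is that site settings such as the [ssh] section above belong in /etc/fail2ban/jail.local, leaving the shipped jail.conf untouched.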

4. Perform Security Updates Automatically On The Raspberry Pi

Keeping up with security on your Raspberry Pi requires some maintenance: you have to check for and apply security upgrades periodically. This can be troublesome if you are using your Raspberry Pi as a server and don't normally access it on a regular basis. There is a solution. You could set up a cron schedule to check for and perform updates using the ‘apt-get update’ and ‘apt-get upgrade’ commands, but these commands will upgrade all your software too. This can be an issue because some updated software can break other programs running in the background. Since we are focusing on easy security tips and tricks we will be installing ‘unattended-upgrades’ instead.

Let's install unattended-upgrades with the following command:

sudo apt-get install unattended-upgrades

Once the unattended-upgrades package is installed we will want to configure it. There are a few configurations we can perform. Type the following command to edit the configuration file for unattended-upgrades:

sudo nano /etc/apt/.d/50unattended-upgrades

The package sources that we want to upgrade from are listed between Unattended-Upgrade::Origins-Pattern { } in the configuration file. You will either need to uncomment the Raspbian line or add the following line to perform only Raspbian Jessie security updates:

"o=Raspbian,n=jessie,l=Raspbian-Security";

Your Unattended-Upgrade::Origins-Pattern { } block should look similar to this:

Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        "o=Raspbian,n=jessie,l=Raspbian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
        // "o=Raspbian,a=stable";

};

There are a few other configurations you can set, like the time to perform the updates as well as sending you an email, but this is just the basic setup tips and tricks tutorial. Now your Raspberry Pi will perform automatic security updates daily.
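The mistake this step invites is leaving the Raspbian-Security line behind its ‘//’ comment marker, which unattended-upgrades silently ignores. As an added example (not from the book), the script below checks a 50unattended-upgrades-style file for an active origin pattern and a 20auto-upgrades-style file for the two APT::Periodic settings that actually schedule the daily run. The default paths are the standard apt locations (/etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades); the file arguments exist so the checks can be run on constructed copies.

```shell
#!/bin/sh
# Added example, not from the book: verify that the Raspbian-Security origin is active
# (not commented out) and that the daily unattended run is scheduled.
# Default paths are apt's standard ones; pass other files to test on copies.

# strip_comments FILE: drop "//" line comments and blank lines (apt.conf syntax)
strip_comments() {
  sed -e 's#//.*$##' -e '/^[[:space:]]*$/d' "$1"
}

# origins_pattern_active FILE PATTERN -> 0 if PATTERN appears, uncommented, inside
# the Unattended-Upgrade::Origins-Pattern { ... } block
origins_pattern_active() {
  strip_comments "$1" | awk -v pat="$2" '
    /Unattended-Upgrade::Origins-Pattern[[:space:]]*[{]/ { inblock = 1; next }
    inblock && /^[[:space:]]*[}];/                      { inblock = 0 }
    inblock && index($0, pat) > 0                        { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# periodic_enabled FILE -> 0 if both APT::Periodic settings that drive the daily
# run are set to "1" (normally found in /etc/apt/apt.conf.d/20auto-upgrades)
periodic_enabled() {
  strip_comments "$1" | awk '
    /APT::Periodic::Update-Package-Lists[[:space:]]+"1";/ { lists = 1 }
    /APT::Periodic::Unattended-Upgrade[[:space:]]+"1";/   { upg = 1 }
    END { exit (lists && upg ? 0 : 1) }'
}

# check_auto_updates [ORIGINS_FILE] [PERIODIC_FILE]: summary line per check, 1 on any gap
check_auto_updates() {
  origins=${1:-/etc/apt/apt.conf.d/50unattended-upgrades}
  periodic=${2:-/etc/apt/apt.conf.d/20auto-upgrades}
  rc=0
  if origins_pattern_active "$origins" 'o=Raspbian,n=jessie,l=Raspbian-Security'; then
    echo "ok: Raspbian-Security origin is active"
  else
    echo "missing: Raspbian-Security origin is absent or still commented out in $origins"
    rc=1
  fi
  if periodic_enabled "$periodic"; then
    echo "ok: daily unattended run is scheduled"
  else
    echo "missing: APT::Periodic settings are not both \"1\" in $periodic"
    rc=1
  fi
  return $rc
}

# Usage on the Pi: sh check_updates.sh check
if [ "${1:-}" = check ]; then
  check_auto_updates
fi
```

After both checks pass, ‘sudo unattended-upgrade --dry-run --debug’ shows which packages the next run would install without changing anything, which is the quickest way to confirm the origin pattern matches the Raspbian security repository.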

5. Setup SSH Key Pairing To Login To Your Raspberry Pi

SSH keys allow you to login to your server without a password: the client and server use these keys to authenticate the client, allowing it access. This is safer because it prevents brute-force attacks. You can additionally add a passphrase to your key, meaning that you would need to have the private key as well as the passphrase to connect to the server. Adding a passphrase really locks down our server and makes it virtually impossible to connect without the SSH key and passphrase.

Setting up SSH keys will require you to set them up on your main computer (client) that you will be accessing the Raspberry Pi from. The Raspberry Pi in this scenario will be your server. What will happen is that you generate the SSH keys on your client and then transfer the key to the server, so that only that client will be able to access the server with those keys. Setting up SSH keys is not difficult, but it involves a lot more detail than I can explain in a few paragraphs. You can check out my full article on SSH keys here.
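The book defers the full procedure to another article; the following is an added example (not the book's commands) of what the client-side steps amount to, plus the server-side check a practitioner wants: key logins on their own do not stop password guessing, because sshd keeps accepting passwords until its configuration says ‘PasswordAuthentication no’. Only the public half of the key pair (the .pub file) is ever copied to the Pi. The key file name, the host raspberrypi.local and the account ‘dayz’ (from section 1) are illustrative.

```shell
#!/bin/sh
# Added example, not from the book. Steps 1-2 run on the CLIENT (your laptop);
# step 3 checks the Pi's sshd_config. Key file, host and user names are illustrative.

# 1. make_client_key KEYFILE: generate an Ed25519 key pair. ssh-keygen prompts for the
#    passphrase interactively; -a 100 makes guessing the passphrase slower if the
#    private file is ever stolen. Only KEYFILE.pub leaves this machine.
make_client_key() {
  ssh-keygen -t ed25519 -a 100 -C "dayz laptop -> raspberrypi" -f "$1"
}

# 2. install_key_on_pi KEYFILE USER@HOST: append the PUBLIC key to
#    ~/.ssh/authorized_keys on the Pi (asks for the account password one last time).
#    Example: install_key_on_pi ~/.ssh/pi_ed25519 dayz@raspberrypi.local
install_key_on_pi() {
  ssh-copy-id -i "$1.pub" "$2"
}

# 3. password_auth_disabled SSHD_CONFIG -> 0 only if the global section explicitly has
#    "PasswordAuthentication no". sshd ignores "#" comments, uses the FIRST occurrence
#    of a keyword, and defaults to yes, so a missing or commented-out line means
#    password guessing is still possible even though key logins already work.
password_auth_disabled() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blank lines
    tolower($1) == "match"      { exit }        # per-user Match blocks: stop, END decides
    tolower($1) == "passwordauthentication" && !seen {
      seen = 1
      if (tolower($2) == "no") found_no = 1
    }
    END { exit (found_no ? 0 : 1) }' "$1"
}

# Usage on the Pi: sh ssh_keys.sh check [/etc/ssh/sshd_config]
if [ "${1:-}" = check ]; then
  if password_auth_disabled "${2:-/etc/ssh/sshd_config}"; then
    echo "password logins are disabled; only keys are accepted"
  else
    echo "password logins are still ENABLED"
  fi
fi
```

Order matters here: copy the key first, confirm from a second terminal that ‘ssh dayz@raspberrypi.local’ logs in with the key, and only then set ‘PasswordAuthentication no’ in /etc/ssh/sshd_config and run ‘sudo service ssh restart’ while the original session stays open, so a typo cannot lock you out.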

Note

Those are 5 basic Raspberry Pi security tips and tricks that every user must do. They should only take a few minutes to perform and should be done on every Raspberry Pi setup. With so many devices now connected to the internet, the risks to your network and personal information really increase. These tips and tricks may not stop every hacker from gaining access to your system, but they definitely stop hackers who are simply looking for easy ways into your network.
