Today we are going to show you how to secure a Raspberry Pi 4 server on your network. We will reduce the common attack surface by making a handful of important security changes.
At the very least we recommend that you follow all the Easy changes. They give your Raspberry Pi server a good baseline level of protection.
Prerequisites:
You will need to be connected to your Raspberry Pi via an SSH terminal or via a monitor and keyboard.
Change the default password.
Difficulty = Easy
Older Raspberry Pi OS images ship with the following default credentials:
Username: pi Password: raspberry
Raspberry Pi OS images released since April 2022 no longer create a default pi user and instead ask you to create your own account at first boot; if that is what your image did, skip to the next section. Every scanning and brute-force tool knows these default credentials and actively searches networks for Raspberry Pis that still use them. At a very minimum, change this password the moment you first log in to your Raspberry Pi.
We can change this through the raspi-config software configuration tool.
sudo raspi-config
Select 1. System Options

Press “Enter”
Then navigate down to S3 Password

Press “Enter”
Press “Enter” again at the prompt

Make sure you are creating secure passwords!
Type your new password

Retype your new Password

Press Enter to return to the raspi-config splash screen.
Navigate down and press “Enter” on “Finish” to exit the raspi-config.

Change the default pi user to something less likely to be guessed.
Difficulty = Medium
sudo adduser user1
Then enter a new password for your new user account
Press “enter” or enter the optional fields and when asked “Is the information correct?” type “y”

We now add the new user to the adm group. Despite the name this is not an administrator group: it grants read access to the system logs under /var/log, which the pi user also has by default.
sudo gpasswd -a user1 adm

The actual administrative rights come from the sudo group, which lets the account run commands as root. Add the user to it too:
sudo gpasswd -a user1 sudo

To confirm the user is now a member of both groups we can run this command to check
sudo groups user1
We now need to test the new user account by connecting to the server in a new SSH session. Leave the current session (logged in as pi) open until the new account is confirmed working.
Open a fresh PuTTY or terminal window and enter the IP address of your Raspberry Pi.

Then log in using your new user account credentials.
Once you have access, test sudo by running the following:
sudo hostname
If the command executes and shows you the hostname, your sudo privileges are working correctly.
Now that you have confirmed the new credentials work, you can close the old terminal window that is connected as the pi user.
Under our new user account we are now going to lock the pi user account by typing the following:
sudo passwd -l pi

We lock the pi account rather than deleting it: deleting a user that still owns files or has processes running causes avoidable breakage, and a locked account can be unlocked later if you need it. Be clear about what passwd -l does, though: it disables the account's password, so password logins over SSH or on the console are refused, but it does not disable the account itself. If the pi user has keys in its authorized_keys file, key-based SSH logins still succeed, and cron jobs or services running as pi carry on. To refuse every login method, additionally set an expiry date on the account with usermod.
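As an added example, not code from the original post, the following POSIX shell check shows the difference between a locked password and a disabled account. It classifies an account from its /etc/shadow entry and its authorized_keys file; the audit_user helper assumes the default home directory layout (/home/USER/.ssh/authorized_keys) and a default AuthorizedKeysFile setting. The shadow lines and the key in the demo are constructed placeholders, not real secrets.

```shell
#!/bin/sh
# Added example (not from the original post): which login paths does an
# account still have after `passwd -l`?  Reads a /etc/shadow line and an
# authorized_keys path so it can run on constructed data; audit_user wires
# it to the live system.

# shadow_state SHADOW_LINE -> expired | locked | nopass | active
# Field 2 is the password hash: `passwd -l` prefixes it with "!", "*" means
# no password was ever set.  Field 8 is the account expiry in days since the
# epoch, set by `usermod --expiredate`.  sshd refuses every authentication
# method for an expired account; a locked hash only stops password auth.
shadow_state() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    today=$(( $(date +%s) / 86400 ))
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired
        return
    fi
    case $hash in
        '!'*|'*'*) echo locked ;;
        '')        echo nopass ;;
        *)         echo active ;;
    esac
}

# login_paths SHADOW_LINE AUTHORIZED_KEYS_FILE -> "password=yes|no key=yes|no"
login_paths() {
    state=$(shadow_state "$1")
    pw=no
    key=no
    if [ "$state" = active ]; then
        pw=yes
    fi
    # a usable key line starts with its type: ssh-ed25519, ssh-rsa, ecdsa-*, sk-*
    if [ "$state" != expired ] && [ -s "$2" ] && grep -Eq '^(ssh-|ecdsa-|sk-)' "$2"; then
        key=yes
    fi
    echo "password=$pw key=$key"
}

# audit_user USER: run the check against the real account (root needed for /etc/shadow).
# Assumes the home directory is /home/USER and AuthorizedKeysFile is the default.
audit_user() {
    login_paths "$(sudo getent shadow "$1")" "/home/$1/.ssh/authorized_keys"
}

# Demo on constructed data; hash and key are placeholders.
keys=$(mktemp)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyConstructedForThisDemo pi@example' > "$keys"
echo "after passwd -l pi:            $(login_paths 'pi:!$6$salt$hash:19000:0:99999:7:::' "$keys")"
echo "after usermod -L -e 1 pi:      $(login_paths 'pi:!$6$salt$hash:19000:0:99999:7::1:' "$keys")"
rm -f "$keys"
```

The first demo line is the state this page leaves the pi user in: password=no but key=yes whenever an authorized_keys file exists. Running `sudo usermod --lock --expiredate 1 pi` produces the second line, password=no key=no, and `sudo usermod --expiredate '' pi` reverts the expiry if you ever need the account back.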
Secure SSH against script and automated attacks by changing the port.
Difficulty = Medium
We can further reduce the noise hitting the Raspberry Pi 4 by moving SSH off port 22. This is obscurity rather than a real control: a port scan finds the new port in seconds, so it will not slow down a targeted attacker, but it does remove the Pi from the mass brute-force scripts and hack tools that only try the default port, and it keeps your authentication logs readable. Use it together with the other measures on this page, not instead of them.
We are going to edit the sshd_config file and change the default SSH port from 22 to 1984. The number itself is arbitrary; pick any port that no other service on the Pi is using.
From the Pi terminal enter this command
sudo nano /etc/ssh/sshd_config
In this file you will need to navigate down until you see the following line:
#Port 22

You want to remove the hash and replace the whole line with this
Port 1984

Save and exit nano by pressing Ctrl+X, then y to confirm, then Enter to keep the file name.
Now restart the SSH service so it picks up the new configuration. Your existing session stays connected across the restart, so keep this window open until you have verified the new port.
sudo service ssh restart
Check that the port changed as expected: open a fresh PuTTY or terminal window and reconnect to the server, but this time use port 1984 instead of 22.

If you connect successfully then all is working correctly. If not, fix the configuration from the session you kept open.
Keep your Raspberry Pi 4 Up to date.
Difficulty = Easy
You will want to keep your Raspberry Pi OS up to date with the latest kernel, OS and software package updates. The developers work hard to patch security vulnerabilities so that attackers cannot exploit them, which is why it is critical to run updates on your Raspberry Pi periodically.
We recommend running this command at least once per month. Note that a kernel update only takes effect after a reboot.
sudo apt update -y && sudo apt upgrade -y
Afterwards, check over your Raspberry Pi to make sure the updates haven't broken anything: confirm that any installed software or Docker containers still work as expected.
There are ways to automate the update/upgrade process, but as we are using our Raspberry Pi 4 as a server it is in a live environment. An automatic update can cause problems, and because it runs unattended in the background the administrator may not notice anything is wrong until the system is unreachable.
Limit the user accounts allowed to connect via SSH
Difficulty = Medium
As an extra security measure, you can specify which user accounts are allowed to access your Raspberry Pi 4 over the network via SSH; every other account is refused, whatever credentials it presents.
This is most useful if you have multiple users or specific services running under their own accounts that need to connect via SSH.
In our case we locked the pi user earlier, so it already can't log in over SSH with a password. We can now restrict SSH to our new user "user1": only this user will be allowed to connect and all others will be rejected.
To do this we need to be connected via SSH using our user1 account which has admin and sudo privileges.
In the terminal window type the following:
sudo nano /etc/ssh/sshd_config
The nano editor should show the output from the sshd_config file. Scroll down using the down arrow key until you reach the section # Authentication.
Under "# Authentication" add the following line. Remember to replace "user1" with your own user name.
AllowUsers user1

You can allow multiple users by separating the names with spaces. Do not use commas: sshd then looks for a single user literally named "user1,user2,user3", nobody matches, and you are locked out.
AllowUsers user1 user2 user3
Now press Ctrl+X and type "y" to save and exit nano.
Before restarting, check the file for mistakes with sshd's configuration test mode (the -t flag): a typo in this line locks you out of SSH and you will need a monitor and keyboard to fix it. Then restart the SSH service to apply the change:
sudo service ssh restart
Keep this session open and, in a new terminal window, attempt to SSH into the Raspberry Pi as the authorized user "user1".

If you can connect ok all is well.
If you have any problems please check to make sure you have entered the line correctly as well as the correct username.
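As an added example, not code from the original post, the following POSIX shell helper makes both sshd_config edits on this page (the port change above and the AllowUsers restriction here) in a way that avoids the lock-out described in the comments below: it replaces the existing or commented-out line instead of adding a second one, places a new directive before any Match block (directives after a Match line apply only to that block), drops duplicate lines, and only installs the file after sshd's own test mode accepts it. The paths, user names and the sample configuration in the demo are constructed; apply_sshd_config assumes the Raspberry Pi OS layout of /etc/ssh/sshd_config and the ssh service name used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): edit sshd_config directives
# safely and validate before restarting.  Assumes awk, mktemp and an sshd
# that supports "sshd -t -f FILE" (every OpenSSH in Raspberry Pi OS does).

# set_sshd_option FILE KEYWORD VALUE
# Rewrites FILE so that exactly one "KEYWORD VALUE" line is in force:
#  - an existing "KEYWORD ..." or commented "#KEYWORD ..." line is replaced
#  - later duplicates are dropped (sshd uses the first value it reads)
#  - an absent keyword is inserted before the first Match block, or appended
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        function keyword(line) {
            sub(/^[ \t]*#?[ \t]*/, "", line)     # strip blanks and an optional "#"
            split(line, parts, /[ \t=]+/)
            return tolower(parts[1])              # sshd keywords are case-insensitive
        }
        BEGIN { lkey = tolower(key) }
        { k = keyword($0) }
        k == lkey && !done { print key " " value; done = 1; next }   # replace in place
        k == lkey          { next }                                   # drop duplicates
        !done && $0 ~ /^[ \t]*[Mm][Aa][Tt][Cc][Hh]([ \t]|$)/ { print key " " value; done = 1 }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat, not mv: keeps owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# apply_sshd_config CANDIDATE
# Syntax-checks CANDIDATE with sshd's test mode, keeps a backup, installs it
# and restarts the service.  Run it from an existing SSH session and keep that
# session open until a fresh connection (new port, allowed user) has succeeded.
apply_sshd_config() {
    sudo sshd -t -f "$1" || { echo "sshd rejected $1, not installing" >&2; return 1; }
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    sudo cp "$1" /etc/ssh/sshd_config
    sudo service ssh restart
}

# Demo on a constructed copy; nothing below touches the live sshd_config.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
#AddressFamily any
# Authentication:
#PermitRootLogin prohibit-password
Match User backup
    PasswordAuthentication no
EOF
set_sshd_option "$demo" Port 1984
set_sshd_option "$demo" AllowUsers "user1 user2"   # space-separated, never commas
set_sshd_option "$demo" PermitRootLogin no
cat "$demo"
rm -f "$demo"
```

Typical use is to copy /etc/ssh/sshd_config to a scratch file, run set_sshd_option against that copy, and then hand it to apply_sshd_config from the session you already have open, closing it only once a connection on the new port as user1 works. One caveat for Debian-based releases since Bullseye: sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and because sshd keeps the first value it reads for a keyword, a directive set in one of those included files overrides anything written further down in sshd_config itself.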
Additional Security Services worth mentioning.
We will be covering the below services in more detail in dedicated Youtube tutorials and Blog posts in due course. If you are interested in any of these services please subscribe to our Youtube channel and click the Notification bell so you can be among the first to be notified when these tutorials are available.
Install a firewall UFW.
Difficulty = Advanced
A firewall is arguably optional, because our Raspberry Pi 4 server sits behind a network router that provides NAT and a built-in firewall, which gives it some protection from the outside world.
However, depending on how your local area network is set up, you may want to protect your server from local malware (infected devices) or from other users on the network.
As we are going to run many headless services on many different ports, enabling a firewall means taking an extra step each time you add a service: adding an exception for its port to the UFW rules.
We have explained how to do this in our guide HOW TO INSTALL AND CONFIGURE UFW FIREWALL ON A RASPBERRY.
If you forget to open the required ports, the services will not be reachable on your local network.
It is an extra step, but it does give an extra level of security.
Also bear in mind that if you changed the default SSH port from 22 you will need to allow port 1984 instead, and you should add that rule before enabling the firewall or you will lock yourself out of SSH.
For our Raspberry Pi series, weighing up security against usability, we won't be enabling a firewall, because in later episodes we will be using reverse proxies and port forwarding to securely expose the installed services outside the LAN.
However, if you would like to use a firewall, follow our guide: HOW TO INSTALL AND CONFIGURE UFW FIREWALL ON A RASPBERRY.
Enable Raspberry Pi SSH Keys and Disable Password Authentication.
Difficulty = Advanced
As this is quite an in-depth subject we will create a dedicated post on HOW TO ENABLE RASPBERRY PI SSH KEYS AND DISABLE PASSWORD AUTHENTICATION – Coming Soon!
We need your support.
We hope you enjoyed this episode and that it was helpful and you got benefit out of it.
If you did, please consider supporting our channel by Subscribing to our YouTube channel, and liking and sharing our content.
You can also make a donation via Paypal or become a Patreon if you wish to do so.
You can also follow us on Facebook or Twitter.
If you have any questions or any requests please ask in the comments below or on YouTube.
Hi, after a bit of googling, because I couldn’t login via ssh after performing the steps in the “Limit the user accounts allowed to connect via SSH” section, I have discovered a slight syntax issue in the below command:
sudo nano /etc/ssh/sshd_config “Allowusers user1,user2” I believe should read:
“AllowUsers user1 user2” this fixed my problem, so I hope this helps anyone else having issues. See this page on the official Raspberry Pi site: https://www.raspberrypi.org/documentation/configuration/security.md
Thanks for the tutorials, they’ve been a great help.
Thanks
Jamie
Thank you Jamie for pointing that out. All the best.
Exactly, and how did you log back in? I have the same issue after following the guide. Do I have to install the OS again and start from the beginning?
You could plug in a monitor and keyboard and then you can log in to make the fix. I hope you managed to sort it out.
Any ETA on when you publish ‘HOW TO INSTALL AND CONFIGURE FAIL2BAN ON RASPBERRY PI 4’? Will you set up Fail2Ban on the host or as a Docker container? Possibly discuss both scenarios? Pros and cons? Do you include the setup/configuration of protecting the host as well as all hosted Docker containers? Thx.