How To Secure Raspberry Pi 4 Server On Your Network – Episode 4

10, Jan 2021 | Raspberry Pi Series | 5 comments

Today we are going to show you how to secure Raspberry Pi 4 server on your network. We will look to limit the common attack surface by making some important security changes.

At the very least we recommend that you follow all the Easy security changes. This will add a good basic level of protection for your raspberry pi server.

Prerequisites:

You will need to be connected to your Raspberry Pi via an SSH terminal or via a monitor and keyboard.

Change the default password.

Difficulty = Easy

The Raspberry Pi OS uses the following default credentials:

Username: pi
Password: raspberry

Now every hack tool on the market knows this and is actively searching networks to find Raspberry Pi’s that have not had their passwords changed. At a very minimum, you should change this password the moment you log into your Raspberry Pi.

We can change this through the raspi-config software configuration tool.

sudo raspi-config

Select 1. System Options

Press “Enter”

Then navigate down to S3 Password

Press “Enter”

Press “Enter” again at the prompt

Make sure you are creating secure passwords!

Type your new password

Retype your new Password

Press Enter to return to the raspi-config splash screen.

Navigate down and press “Enter” on “Finish” to exit the raspi-config.

Change the default pi user to something less likely to be guessed.

Difficulty = Medium

sudo adduser user1

Then enter a new password for your new user account

Press “enter” or enter the optional fields and when asked “Is the information correct?” type “y”

We now need to add our new user to the administrator group to give it the correct permissions to administrate the server.

sudo gpasswd -a user1 adm

We now want to add our user account to the sudo group so we can run commands as root

sudo gpasswd -a user1 sudo

To confirm the user is now a member of both groups we can run this command to check

sudo groups user1

We now need to test the new user account by connecting to the server through a new SSH terminal.

Open a fresh PUTTY or Terminal window and enter the IP address for your Raspberry Pi.

Then attempt to log in using your new user account credentials.

Once you have access attempt to run a sudo command by typing the following:

sudo hostname

If the command executes and shows you the hostname then your sudo privileges are working correctly.

Now you have confirmed the credentials work you can close the old Terminal window which is connected using the pi user account.

Under our new user account we are now going to lock the pi user account by typing the following:

sudo passwd -l pi

We are not completely removing or disabling the pi user account as the Raspberry Pi OS relies on this account for package management and updates. So we have only locked anyone from logging into the pi using the pi user.

Secure SSH against script and automated attacks by changing the port.

Difficulty = Medium

We can further secure the Raspberry Pi 4 by changing the SSH port. Doing so won’t completely stop determined attackers but it will stop many automated scripts or hack tools that search for the default SSH port to launch brute force attacks.

So we are going to edit the sshd_config file and change the default SSH port from 22 to 1984

From the Pi terminal enter this command

sudo nano /etc/ssh/sshd_config

In this file you will need to navigate down until you see the following line:

#Port 22

You want to remove the hash and replace the whole line with this

Port 1984

You now want to save and exit nano editor by pressing Ctrl +X and y to save. Then press “Enter” to exit.

Now we will need to restart to SSH service so it gets the updated configuration settings

sudo service ssh restart

It is best to check the port changed as expected. Open up a fresh PuTTY window and reconnect to the server. But this time instead of using port”22″ you want to replace this in PuTTY with “1984”.

If you connect successfully than all is working correctly.

Keep your Raspberry Pi 4 Up to date.

Difficulty = Easy

You will want to keep your Raspberry Pi OS up to date with the latest Kernel, OS and software package updates. The developers work hard patching security vulnerabilities to prevent hackers from exploiting the system. This is why it is critical to periodically manually run updates on your Raspberry Pi.

We recommend running this command at least once per month.

sudo apt update -y && sudo apt upgrade -y

It is also important to check over your raspberry pi to make sure the updates haven’t broke anything. Check over any installed software or docker containers to see if all works as expected.

There is ways to automate the update/upgrade process however as we are using our Raspberry Pi 4 as a server it is in a live environment. An auto update can cause problems and as if it has been done in the background unattended it will not be obvious to the administrator that there is a problem until the system is unreachable.

Limit the user accounts allowed to connect via SSH

Difficulty = Medium

As an extra security measure, you can specify the user accounts allowed to access your Raspberry Pi 4 over the network Via SSH.

This is more useful if you have multiple users or specific services that run under a user that need to connect via SSH.

In our use case, we limited the pi user earlier so it already can’t be used to log in to SSH. However, we can lock SSH access to our new user “user1” this will only allow this user to connect and reject all others.

To do this we need to be connected via SSH using our user1 account which has admin and sudo privileges.

In the terminal window type the following:

 sudo nano /etc/ssh/sshd_config

The nano editor should show the output from the sshd_config file. Scroll down using the down arrow key until you reach the section # Authentication.

Under “# Authentication” enter this value. Remember to replace “user1” with your own user name.

 Allowusers user1

You can add multiple users by adding a comma like this

Allowusers user1,user2,user3

now you can press Ctrl+x and type “y” to exit nano editor.

All we need to do know is restart the SSH service to update the changes

sudo service ssh restart

It would be wise to open up a new terminal window and attempt to SSH into the Raspberry Pi using the authorized user “user1”.

If you can connect ok all is well.

If you have any problems please check to make sure you have entered the line correctly as well as the correct username.

Additional Security Services worth mentioning.

We will be covering the below services in more detail in dedicated Youtube tutorials and Blog posts in due course. If you are interested in any of these services please subscribe to our Youtube channel and click the Notification bell so you can be among the first to be notified when these tutorials are available.

Install a firewall UFW.

Difficulty = Advanced

A Firewall is arguably optional, as our Raspberry Pi 4 server is running behind a network router which has a built-in Firewall and NAT routing. What this means is it does have some protection from the outside world.

However, depending on how your local area network is set up, you may want to protect your server from local malware (infected devices) or other users on the network.

As we are going to be running many headless services which will be using many different ports if you enable a Firewall then you will need to make sure that you take an extra step each time to add an exception in the UFW firewall rules.

We have explained how to do this in our guide HOW TO INSTALL AND CONFIGURE UFW FIREWALL ON A RASPBERRY.

If you fail to open the required ports then the services will not be able to be accessed on your local network.

It is an extra step but does give an extra level of security.

Also bear in mind that if you changed the default SSH port which was port 22 you will need to add an exception for port 1984 instead.

However, for our Raspberry Pi Series and weighing up the security vs usability risks.

We wouldn’t recommend enabling a Firewall because in later episodes we will be using reversed proxies and port forwarding to securely enable public access outside the LAN for the installed services.

However, if you would like to use a Firewall follow our guide: HOW TO INSTALL AND CONFIGURE UFW FIREWALL ON A RASPBERRY.

Enable Raspberry Pi SSH Keys and Disable Password Authentication.

Difficulty = Advanced

As this is quite an in-depth subject we will create a dedicated post on HOW TO ENABLE RASPBERRY PI SSH KEYS AND DISABLE PASSWORD AUTHENTICATIONComing Soon!

We need your support.

We hope you enjoyed this episode and that it was helpful and you got benefit out of it.

If you did, please consider supporting our channel by Subscribing to our YouTube channel, and liking and sharing our content.

You can also make a donation via Paypal or become a Patreon if you wish to do so.

You can also follow us on Facebook or Twitter.

If you have any questions or any requests please ask in the comments below or on YouTube.

5 Comments

  1. Jamie Scott ewis

    Hi, after a bit of googling, because I couldn’t login via ssh after performing the steps in the “Limit the user accounts allowed to connect via SSH” section, I have discovered a slight syntax issue in the below command:

    sudo nano /etc/ssh/sshd_config “Allowusers user1,user2” I believe should read:

    “AllowUsers user1 user2” this fixed my problem, so I hopes this helps anyone else having issues. See this page on the official Raspberry Pi site: https://www.raspberrypi.org/documentation/configuration/security.md

    Thanks for the tutorials, they’ve been a great help.

    Thanks

    Jamie

    Reply
    • Addicted2Tech

      Thank you Jamie for pointing that out. All the best.

      Reply
    • Fred

      Exactly, and how did you log back in? I have the same issue after following the guide. Do I have to intsall the OS again and start from the beginning?

      Reply
      • Addicted2Tech

        You could plug in in a monitor and keyboard and then you can login to make the fix. I hope you managed to sort it out.

        Reply
  2. RPiForLife

    Any ETA when you publish ‘HOW TO INSTALL AND CONFIGURE FAIL2BAN ON RASPBERRY PI 4’? Will you setup Fail2Ban on the host or as a Docker container? Possibly discuss both scenario’s? Pros and Cons? Do you include the setup/configuration of protecting the host as well as all hosted Docker containers? Thx.

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

<a href="https://www.addictedtotech.net/author/attadmin/" target="_self">Addicted2Tech</a>

Addicted2Tech

We love technology and enjoy sharing helpful FREE content for others to enjoy. We believe in community. If you like what we do please support us by sharing and liking our tutorials & Subscribing to our YouTube channel. You can also follow us on social media.

Support Our Work!

Donate Via Patreon

Raspberry Pi 4 Model B [8GB] RAM Single Board Computer

Last update on 2022-12-02 / Affiliate links / Images from Amazon Product Advertising API

CanaKit Raspberry Pi 4 Extreme Kit – 128GB Edition (4GB RAM)

Last update on 2022-12-02 / Affiliate links / Images from Amazon Product Advertising API

We Are An Affiliate!

Just so you know, we may collect a share of sales or other compensation from the links on this page. As an Amazon Associate I earn from qualifying purchases.

The Affiliate link recommendations come at no extra cost to you.

We hope you love the products we recommend!

Thank you if you use our links, we really appreciate it!

Related Posts