In this article, we are going to discuss some tips on hardening your Raspberry Pi installation to make it harder for hackers to abuse your internet-connected pi. Like anything else connected to the internet even if you follow every best practice for security there is a chance one day someone will get in. The goal is not to make a 100% unhackable device because they don’t exist. Our goal is to make it difficult enough it is not worth the time or effort of breaking in. If you’re still setting up your Raspberry Pi you may want to check out our headless setup guide.
Updating Your Raspberry Pi
Before going any further one of the easiest ways to exploit a machine is to find a vulnerable service running on that system. New exploits are released into the wild every day, and when they are software makers (*should*) update their software so it is a good idea to always keep your packages updated. We will be using the built-in APT package manager to do this.
sudo apt update && sudo apt upgrade -y && sudo apt reboot 0The above-chained commands will execute from left to right, each command is separated by two and symbols (&&, shift + 7). Let’s break it down and see what each piece does.
sudo apt updateThis command will update the list of packages from our trusted repositories and check to make sure we are running the latest versions.
sudo apt upgrade -yNow we are going to run the update process, if you exclude the -y (yes) flag you will be prompted to enter Y/N to verify the packages we want to update. I like to keep all my packages updated so I let the update run on all packages this way.
sudo apt reboot 0Finally, we will be rebooting the Raspberry Pi so all applied updates can take effect and we can make sure everything is the way it should be.
Changing the Default SSH Port
Almost everyone uses SSH if you are not you should just go ahead and disable it. If you do though, you may want to consider changing the default SSH port. Most of the attacks these days are fully automated and knowing this we also know they will follow a standard set of rules when attacking. They will check the most common ports looking for known exploitable or brute-forcible services so if we change our port we can disguise a nice chunk of our attack surface and help with hardening our Raspberry Pi.
sudo nano /etc/ssh/sshd_configAfter running the above command nano will open, we are going to make one change inside this file. Look for the following line:
#Port 22We are going to remove the pound sign (#) from the beginning of the line and change 22 to the port we want SSH to run on. I like to use high port numbers between 20,000 and 50,000 most port scanners will not scan this high without changing default options. So our new line should look something like this (please pick your own port number):
Port 24863After making this change you are going to want to save and exit nano by pressing Ctrl + X and then Y (for yes). Finally, we need to restart SSH for the changes to take effect.
sudo service ssh restartRemoving Default Pi User
Similar to the above SSH changes, the Pi username is one of the most commonly tried usernames when cracking passwords. We want to make it as difficult as we can for people to be able to guess our username and password combinations. Before removing the user we need to add a new, it’s pretty straightforward.
sudo adduser username_hereWe are going to want to give our new user account sudo privileges so we are still able to make system changes from our new account or we will be limited on what we are able to do.
sudo adduser username_here sudoAt this point, let’s go ahead and restart our Pi and log in as the new user we created. We can restart using the following:
sudo reboot 0After logging in as the new user we created we still need to remove the pi user.
sudo deluser -remove-home piThis will remove the pi user and the home directory for it.
After Hardeining Your Raspberry Pi
After doing these 3 (relatively) simple things you will have mitigated 95% of attacks. Make sure you re-run step 1 occasionally to keep your system updated. Hopefully, you enjoyed this article on hardening your Raspberry Pi. You may also want to check out this article.