
How To Harden A Raspberry Pi

Here is a curated set of best practices for securing a Raspberry Pi. We will also implement and enable the security features that make the Pi secure.

Changing Default Password

Every Raspberry Pi running the Raspbian operating system has the default username pi and the default password raspberry, which should be changed as soon as we boot up the Pi for the first time. If our Raspberry Pi is exposed to the internet and the default username and password have not been changed, it becomes an easy target for hackers.

  • Open Up A Terminal
  • Type sudo raspi-config And Press Enter
  • Select Option 1
  • Enter New Password
  • Re-Enter Password
  • You're Done

Changing The Username

All Raspberry Pis come with the default username pi, which should be changed to make the Pi more secure. We create a new user and give it the same rights.

  • Open Up A Terminal
  • Type sudo adduser brucewayne And Press Enter
  • Enter New Password
  • Re-Enter Password
  • Fill or Skip The Rest
  • Enter Y When Prompted

Now that the user brucewayne has been created, add it to the sudo group with the following command.

sudo adduser brucewayne sudo

Deleting pi user

If you are logged in as pi, log in as another user before proceeding further. To delete the pi user, type the following:

sudo deluser pi

This command deletes the pi user but leaves the /home/pi folder in place. If necessary, you can use the command below to remove the home folder of the pi user at the same time.

sudo deluser --remove-home pi

If you already deleted the user pi without the --remove-home option and are left with the user's home directory, run this command.

sudo rm -r /home/pi

Making sudo Require A Password

When a command is prefixed with sudo, it is executed with superuser privileges. By default, running a command with sudo on Raspbian does not ask for a password, which can cost dearly if a hacker gets access to the Raspberry Pi and takes control of everything. To make sure that a password is required every time a command is run with superuser privileges, do the following.

  • Open Up A Terminal
  • Type sudo nano /etc/sudoers.d/010_pi-nopasswd And Press Enter
  • Replace The Existing NOPASSWD Line With pi ALL=(ALL) PASSWD: ALL
  • Save The File And Reboot Your Pi
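The three sections above (changing the user, deleting pi, and making sudo ask for a password) each leave something you can verify afterwards. The script below is an added example, not part of the original guide: it audits those three points and rewrites the NOPASSWD rule without an editor. Every function takes the file to inspect as a parameter, so the same checks run against the live /etc/passwd, /etc/group and /etc/sudoers.d/010_pi-nopasswd or, as in the demo at the bottom, against constructed copies in a temporary directory. The user name brucewayne is the guide's example name; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit the account and sudo
# state that the preceding sections change. Every function takes the file to
# inspect as an argument, so the checks can run against the live /etc files
# or, as in the demo at the bottom, against constructed copies.

# user_exists PASSWD_FILE USER -> exit 0 if USER has an entry in PASSWD_FILE
user_exists() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# user_in_group GROUP_FILE USER GROUP -> exit 0 if USER is a member of GROUP
user_in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) found = 1
        }
        END { exit !found }' "$1"
}

# nopasswd_entries SUDOERS_FILE -> print active (uncommented) NOPASSWD rules;
# exit 0 if any exist, 1 otherwise (grep's own status)
nopasswd_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD'
}

# require_sudo_password SUDOERS_FILE -> rewrite NOPASSWD: to PASSWD: without
# an editor; written through a temp file so a failed sed never truncates it
require_sudo_password() {
    sed 's/NOPASSWD:/PASSWD:/g' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# audit PASSWD_FILE GROUP_FILE SUDOERS_FILE ADMIN_USER -> print one finding
# per line; exit 0 only when every check from the guide passes
audit() {
    ok=0
    if user_exists "$1" pi; then
        echo "FAIL: default user pi still exists"; ok=1
    else
        echo "ok: default user pi removed"
    fi
    if user_in_group "$2" "$4" sudo; then
        echo "ok: $4 is in the sudo group"
    else
        echo "FAIL: $4 is not in the sudo group"; ok=1
    fi
    if nopasswd_entries "$3" > /dev/null; then
        echo "FAIL: passwordless sudo rule present in $3"; ok=1
    else
        echo "ok: sudo requires a password"
    fi
    return $ok
}

# Demo on constructed sample files (not copied from any real system).
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\npi:x:1000:1000:,,,:/home/pi:/bin/bash\n' > "$demo/passwd"
printf 'sudo:x:27:pi,brucewayne\n' > "$demo/group"
printf 'pi ALL=(ALL) NOPASSWD: ALL\n' > "$demo/010_pi-nopasswd"
audit "$demo/passwd" "$demo/group" "$demo/010_pi-nopasswd" brucewayne || echo "audit found problems"
require_sudo_password "$demo/010_pi-nopasswd"
cat "$demo/010_pi-nopasswd"
rm -rf "$demo"
```

On a real Pi, run the audit as audit /etc/passwd /etc/group /etc/sudoers.d/010_pi-nopasswd brucewayne. A syntax error in a sudoers fragment can lock you out of sudo entirely, so after editing it (by hand or with require_sudo_password) check it with visudo -cf /etc/sudoers.d/010_pi-nopasswd before logging out.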

Improving SSH Security

SSH is one of the most common ways to access a Raspberry Pi over the network, so securing it is necessary if you want the Pi to be secure.

Disable SSH Login as root

Apart from having a strong password, we can allow and deny access to specific users. This can be done by making the following changes.

  • Open Up A Terminal
  • Type sudo nano /etc/ssh/sshd_config And Press Enter
  • At The End of The File, Add AllowUsers newguy To Allow Access To Non-Root User Via SSH
  • Add Another Line DenyUsers brucewayne To Deny Access To Root User Via SSH
  • Save The File And Reboot Your Pi

Key-Based Authentication

Using a public-private key pair to authenticate a client to the SSH server (the Raspberry Pi), we can secure our Raspberry Pi from hackers. To enable key-based authentication, we first need to generate a public-private key pair using a tool such as PuTTYgen on Windows or ssh-keygen on Linux. Note that the key pair should be generated on the client and not on the Raspberry Pi. For our purpose, we will use PuTTYgen to generate the key pair. Download PuTTY from here and follow the instructions below.

On the client side:

  • Open the PuTTYgen client and click on Generate
  • Hover the mouse over the blank area to generate the key
  • Name the private key file rpi_privkey.ppk
  • Copy the whole contents of the text area and paste them into a text file named rpi_pubkey.txt
  • Transfer the public key file rpi_pubkey.txt to the Pi's Desktop

On the Raspberry Pi:

  • Open up a terminal and run the following commands
  • cd /home/brucewayne
  • mkdir .ssh
  • cd .ssh
  • sudo nano authorized_keys
  • cp /home/brucewayne/Desktop/rpi_pubkey.txt /home/brucewayne/.ssh/authorized_keys

Now, set the permissions your user needs to access the files and folders. Run the following commands:

  • chmod 700 ~/.ssh/
  • chmod 600 ~/.ssh/authorized_keys

Finally, disable password logins to avoid unauthorized access by editing the /etc/ssh/sshd_config file.

  • sudo nano /etc/ssh/sshd_config
  • Look for #PasswordAuthentication yes and replace it with PasswordAuthentication no
  • Restart your Pi for the changes to take effect
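The SSH section changes sshd_config, the permissions on ~/.ssh and the contents of authorized_keys, and each of those can silently fail to take effect. The script below is an added example (not from the original guide) that checks all three. Two details it encodes are worth knowing before editing sshd_config by hand: sshd uses the first uncommented occurrence of a keyword, so a PasswordAuthentication no appended at the end of the file loses to an earlier PasswordAuthentication yes, and everything after a Match line applies only conditionally. PermitRootLogin is the sshd keyword that directly implements the "Disable SSH Login as root" heading above, so the script checks it too. Paths are parameters; the sshd_config and key line in the demo are constructed, and the key blob is a placeholder with the right shape, not a real key.

```shell
#!/bin/sh
# Added example (not part of the original guide): verify the SSH hardening the
# preceding section describes. File and directory paths are parameters, so the
# checks run against the live /etc/ssh/sshd_config and home directory or, as
# in the demo at the bottom, against constructed copies in a temp directory.

# sshd_value CONFIG KEY -> print the value sshd will actually use for KEY.
# Two sshd_config rules that bite when editing by hand:
#  - the FIRST uncommented occurrence of a keyword wins, so appending
#    "PasswordAuthentication no" at the bottom does not override an earlier
#    "PasswordAuthentication yes";
#  - everything after a "Match" line is conditional, so it is ignored here.
sshd_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# ssh_perms_ok HOME_DIR -> exit 0 if ~/.ssh is mode 700 and authorized_keys is
# mode 600. With the default StrictModes, sshd ignores the file when it or the
# directory is writable by other users, so a wrong chmod means a silent lockout.
ssh_perms_ok() {
    [ "$(stat -c '%a' "$1/.ssh" 2>/dev/null)" = "700" ] || return 1
    [ "$(stat -c '%a' "$1/.ssh/authorized_keys" 2>/dev/null)" = "600" ] || return 1
}

# valid_key_lines AUTHORIZED_KEYS -> print how many lines look like an OpenSSH
# public key (key type, base64 blob, optional comment). Only the shape is
# checked, the blob is not decoded; blank and comment lines are skipped.
valid_key_lines() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        ($1 == "ssh-ed25519" || $1 == "ssh-rsa" || $1 ~ /^ecdsa-sha2-nistp(256|384|521)$/) &&
        $2 ~ /^[A-Za-z0-9+\/]+=*$/ { n++ }
        END { print n + 0 }' "$1"
}

# ssh_hardened CONFIG HOME_DIR -> exit 0 when every check from the guide holds
ssh_hardened() {
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] || { echo "FAIL: password logins still enabled"; return 1; }
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || { echo "FAIL: root login not disabled"; return 1; }
    ssh_perms_ok "$2" || { echo "FAIL: ~/.ssh permissions are not 700/600"; return 1; }
    [ "$(valid_key_lines "$2/.ssh/authorized_keys")" -ge 1 ] || { echo "FAIL: no usable key in authorized_keys"; return 1; }
    echo "ok: key-only SSH login, root login disabled"
}

# Demo on constructed files (not a real sshd_config, not a real key).
demo=$(mktemp -d)
mkdir -p "$demo/home/.ssh"
printf '#PasswordAuthentication yes\nPasswordAuthentication no\nPermitRootLogin no\nAllowUsers brucewayne\n' > "$demo/sshd_config"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBlobNotARealKey0123456789 brucewayne@client\n' > "$demo/home/.ssh/authorized_keys"
chmod 700 "$demo/home/.ssh" && chmod 600 "$demo/home/.ssh/authorized_keys"
ssh_hardened "$demo/sshd_config" "$demo/home" || echo "audit found problems"
rm -rf "$demo"
```

On the Pi itself the call is ssh_hardened /etc/ssh/sshd_config /home/brucewayne. Run it from a session that is already open, and keep that session open until a second key-based login succeeds, so a failed check never costs you access to the machine.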

Disabling Bluetooth


Disabling on-board Bluetooth

The steps below show how to disable on-board Bluetooth and the related services. They also stop the related kernel modules, such as bluetooth, hci_uart and btbcm, from being loaded at boot.

  • Open the /boot/config.txt file.
sudo nano /boot/config.txt
  • Add the lines below, then save and close the file.
# Disable Bluetooth
dtoverlay=pi3-disable-bt
  • Disable related services.
sudo systemctl disable hciuart.service
sudo systemctl disable bluealsa.service
sudo systemctl disable bluetooth.service
  • Reboot to apply the changes
sudo reboot

Even after disabling on-board Bluetooth and related services, Bluetooth will be available when a Bluetooth adapter (e.g. Plugable Bluetooth Adapter) is plugged in.

Disable Bluetooth completely

If Bluetooth is not required at all, uninstall the Bluetooth stack. This makes Bluetooth unavailable even if an external Bluetooth adapter is plugged in.

  • Uninstall BlueZ and related packages.
sudo apt-get purge bluez -y
sudo apt-get autoremove -y

Uninstalling the Bluetooth stack also disables the related services and stops the related kernel modules from being loaded.

Disabling Onboard Audio Jack

  • Open /etc/modprobe.d/raspi-blacklist.conf
  • Append blacklist snd_bcm2835
  • Reboot to apply the changes
sudo reboot
  • Test Changes
speaker-test -c2 -twav -l7
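The Bluetooth and audio sections both come down to "append one line to a config file" (dtoverlay=pi3-disable-bt in /boot/config.txt and blacklist snd_bcm2835 in /etc/modprobe.d/raspi-blacklist.conf). The helpers below are an added example, not part of the original guide: they make that step idempotent, so running the hardening a second time does not stack duplicate lines, and they let you verify the result. A commented-out #dtoverlay=pi3-disable-bt is deliberately not counted as present. Paths are parameters, and the demo works on constructed copies rather than the real /boot and /etc files; the systemctl and reboot steps from the sections above are not automated here.

```shell
#!/bin/sh
# Added example (not part of the original guide): make the "append this line"
# steps of the Bluetooth and audio sections idempotent and verifiable.
# Paths are parameters so the demo below works on constructed copies.

# has_line FILE LINE -> exit 0 if FILE contains LINE exactly (leading and
# trailing whitespace ignored). A commented-out "#dtoverlay=..." does not
# count, because the text differs.
has_line() {
    awk -v want="$2" '
        { l = $0; sub(/^[[:space:]]+/, "", l); sub(/[[:space:]]+$/, "", l) }
        l == want { found = 1; exit }
        END { exit !found }' "$1"
}

# count_line FILE LINE -> number of exact occurrences (0 if none)
count_line() {
    awk -v want="$2" '
        { l = $0; sub(/^[[:space:]]+/, "", l); sub(/[[:space:]]+$/, "", l) }
        l == want { n++ }
        END { print n + 0 }' "$1"
}

# ensure_line FILE LINE -> append LINE unless present; creates FILE if missing
ensure_line() {
    [ -f "$1" ] || : > "$1"
    if ! has_line "$1" "$2"; then
        printf '%s\n' "$2" >> "$1"
    fi
}

# disable_onboard_bluetooth CONFIG_TXT -> the overlay line from the guide
disable_onboard_bluetooth() {
    ensure_line "$1" 'dtoverlay=pi3-disable-bt'
}

# disable_onboard_audio BLACKLIST_CONF -> the modprobe blacklist line from the guide
disable_onboard_audio() {
    ensure_line "$1" 'blacklist snd_bcm2835'
}

# Demo on constructed copies (not the real files).
demo=$(mktemp -d)
printf 'dtparam=audio=on\n#dtoverlay=pi3-disable-bt\n' > "$demo/config.txt"
disable_onboard_bluetooth "$demo/config.txt"
disable_onboard_bluetooth "$demo/config.txt"     # second run is a no-op
disable_onboard_audio "$demo/raspi-blacklist.conf"
echo "config.txt now has $(count_line "$demo/config.txt" 'dtoverlay=pi3-disable-bt') disable-bt line(s)"
cat "$demo/config.txt" "$demo/raspi-blacklist.conf"
rm -rf "$demo"
```

On a real Pi the calls are sudo sh -c with disable_onboard_bluetooth /boot/config.txt and disable_onboard_audio /etc/modprobe.d/raspi-blacklist.conf, followed by the systemctl disable commands and the reboot from the sections above; both files are only read at boot, so nothing changes until then, and has_line is the quick way to confirm the edit survived a later package upgrade.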