Card image cap

Raspberry Pi Security Bootstrap

These are my notes on the first steps of improving security on a new Raspberry Pi. The default configuration that an RPi comes with might be suitable for a development environment in a private or isolated network, but if you intend on exposing your RPi to the world then you need to tweak that configuration to be more robust. The commands mentioned here have been tested on a Raspberry Pi B+, running a fresh installation of Raspbian.

Disclaimer

Security is fluid and open-ended. The following are mere suggestions. Taking these steps will hopefully reduce your exposure, but does not guarantee complete safety. Nothing does.

User configuration

  1. This goes without saying: Change the default user's password. By default, the RPi user is pi and her password is raspberry. Change that as soon as you get your operating system runnning, either by running passwd as the pi user, or by running sudo raspi-config and selecting the option for password change.

  2. Change the default user's sudo configuration. By default, the pi user can execute anything with sudo, without providing a password. As the pi user, do:

    sudo visudo
    

    ...and the change the line:

    pi ALL=(ALL) NOPASSWD: ALL
    

    ...to:

    pi ALL=(ALL) ALL
    
  3. Additionally, you might want to disable the default pi user altogether, and create another user that you will use on your RPi. As the user pi, do:

    sudo adduser myuser
    

    ...and answer the questions. Only the password question is important, the rest can be left blank. Then, to make the new user a sudoer, do:

    sudo visudo
    

    ...and add this line in the end of the file:

    myuser ALL=(ALL) ALL
    

    Additionally, since login will be disabled for pi, you might as well comment out the line in /etc/sudoers that refers to that user. Finally, to disable login for the default pi user, logout from pi and login as the new user that you created, and do:

    sudo usermod --lock pi
    sudo usermod --shell /sbin/nologin pi
    

SSH Configuration

  1. Forbid SSH login for user root. If your RPi is exposed to the world, it will get attacked with SSH attempts for common usernames and passwords, which is yet another reason to disable the default pi username. Another username that your RPi will be hammered with is root. Now, you can't disable the root account, but you can disallow logins for it. To do that, edit the file /etc/ssh/sshd_config, and change the line:

    PermitRootLogin yes
    

    ...with:

    PermitRootLogin no
    

    ...and then restart the SSH daemon:

    sudo service ssh restart
    
  2. Restrict Incoming IPs for SSH, using entries in /etc/hosts.allow and /etc/hosts.deny. For example, I allow SSH on my RPi from my internal LAN subnets (192.168.x.x), and from one public IP only (1.2.3.4 in this example). To achieve that, put in /etc/hosts.allow:

    sshd: 192.168. 1.2.3.4
    

    ...and in /etc/hosts.deny:

    sshd: ALL
    

    Attempting to login to the RPi from a restricted host will return an error to the client:

    marios@wst ~ $ ssh [email protected]
    ssh_exchange_identification: Connection closed by remote host
    

    ...and will also create a log in /var/log/auth.log:

    Dec 13 11:40:48 rpi sshd[3456]: refused connect from 172.16.1.2 (172.16.1.2)
    

Firewall Configuration with iptables

On my RPi running a freshly installed Raspbian OS, iptables was already installed, and it was running with an empty rule set, i.e. all traffic was allowed in all directions. Furthermore, Raspbian does not include a SysV script for the iptables service, but this functionality is offered by the iptables-persistent package.

  1. Install iptables-persistent, to help make the iptables rules survive a reboot:

    sudo apt-get install iptables-persistent
    

    If you accept the defaults during the installation, the currently running empty rule set of iptables will be saved in /etc/iptables/rules.v4. After the installation, you can manage your firewall with:

    service iptables-persistent {start|restart|reload|force-reload|save|flush}
    

    Here are the contents of that file, with the default configuration of the firewall:

    # Generated by iptables-save v1.4.14 on Sat Dec 13 14:23:03 2014
    *filter
    :INPUT ACCEPT [1291:113154]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [828:105910]
    COMMIT
    # Completed on Sat Dec 13 14:23:03 2014
    
  2. Next, you will need to add some rules to the iptables configuration, to start blocking some traffic. There are two methods that you can apply:

    A. Replace the line :INPUT ACCEPT that defines a default policy to accept all incoming traffic), with :INPUT DROP, and then define rules that will only allow selected traffic through the firewall.

    B. Keep the default :INPUT ACCEPT policy for incoming traffic, but have one last rule that rejects all incoming traffic.

    I'm going with the second option, simply because of the convenience of copying rules from one of my CentOS machines :) Here it is then, my rules file, implementing only the restriction to SSH port to the same IPs that I mentioned earlier:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --source 192.168.0.0/16 --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --source 1.2.3.4/32     --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    

Summary

With these measures taken to improve the security of my Raspberry Pi, I am now more confident that I can assign it a public IP and expose it the the world, without it being a very easy target.

Windows Filesystem

This is a list of noteworthy directories and files on Windows-based operating systems. Note that locations might differ between versions of Windows.

  • C:\Windows\NTDS: On Windows 2008 R2, this is the default location for the Active Directory domain controller database and log files. The location can be on a FAT32 or NTFS partition.
  • C:\Windows\SYSVOL: On Windows 2008 R2, this is the default location for the Active Directory domain controller SYSVOL. Requires NTFS.
Card image cap

Install Oracle Virtualbox on Linux Mint 17

This is a quick tip on how to install the closed-source version of Virtualbox, currently at version 4.3.16, on a machine with Linux Mint 17.

Read More →

Set up an FTP Repository from RHEL DVD

RHEL can be installed from various different sources. One of them is over the network, from an FTP accessible repository. Here's how to create such a repository:

  1. You will first need to install vsftpd from the RHEL DVD. See Install packages from RHEL DVD with yum on how to do that.

  2. After you have installed vsftpd, enable it and start it:

    chkconfig vsftpd on
    service vsftpd start
    

    At this point, you should be able to open ftp://localhost/ from the same system on which you are working, which will show you the contents of the /var/ftp/pub directory, the default FTP directory on RHEL.

  3. Create a directory for the repository:

    mkdir /var/ftp/pub/rhel
    
  4. Copy all the files from the DVD to the repository. Assuming that either the DVD or the .iso image is mounted at /media/rhel:

    cp --recursive --archive /media/rhel/. /var/ftp/pub/rhel/
    
  5. Change the SELinux context of the files in the repository:

    chcon --recursive --reference=/var/ftp/pub/ /var/ftp/pub/rhel/
    
  6. At this point the repository is only accessible from the system on which it runs, since iptables by default does not allow FTP traffic from other hosts. To open this access, edit your /etc/sysconfig/iptables and add these lines before the COMMIT command:

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    

    ...and reload the firewall:

    service iptables reload
    

    Alternatively, you can do from the command line:

    iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    service iptables save
    
About

Hello, I'm Marios Zindilis and this is my website. Opinions are my own. You also find me on LinkedIn and GitHub.

Unless otherwise specified, content is licensed under CC0.

Search