The Raspberry Pi series: Securing The Pi / 라즈베리파이 셋업 시리즈: 보안강화 편

<The Raspberry Pi series: Securing The Pi>

 

Hello, this is Babae :)

Hope everyone was able to successfully set up the Pi from the guide last week.

 

This week, we will be securing the Pi, which is very important as I will eventually walk you through installing a web server.

Even if your Pi is not directly facing the internet as a web server, if your Pi has access to the Internet, someone potentially has access to your Pi.

 

There are three things that I will go over, and each addresses a point of entry. Typically, your Pi is connected to the Internet like this:

 

your Pi -> local area network (LAN) via your router -> Internet via your modem

 

Many of our Internet Service Providers (ISP) today will have a modem combined with the router, called a gateway.

The most basic way to get into your Pi is to hook it up to a display, mouse, and keyboard. You don't have to be on any network. This requires physical access to your Pi. Unfortunately, if someone has physical access to your Pi, there is nothing stopping them from just taking the microSD card. I believe there are ways to actually encrypt the microSD card but the process is much more complicated as you will have to encrypt only the root partition or else your Pi cannot boot.

I personally do not think that the risk warants the effort considering:

 

1. The Raspberry Pi works great for home projects and as a hobby but should not be used in a production environment.
2. Encryption will make your Pi much slower than it already is, as encrypting and decrypting are CPU-intensive processes.
3. You will not be able to remotely reboot your Pi as you will have to plug in a display, mouse, and keyboard to enter the encryption password before boot.

So then, the very minimum you can do to secure your Pi is to create a new user and delete the default user "pi".

First, SSH into the Pi:

ssh pi@raspberrypi

Enter the default password "raspberry", then:

sudo adduser <your desired username>

The command "sudo" means that the system should recognize the following command as executed by the superuser, which is probably more popularly known as the administrator. Therefore, "adduser" is the actual command you want to execute but without sudo, the Pi will let you know that you do not have permissions. Be very careful when you use the sudo command as it means you will be able to do anything, including modifying and deleting system files.

Also, if you were to create a file or install an application with sudo, the file or application will have root as the owner, and it will affect your access under your username.

Next, give the user you have just created permissions to your Pi system files, including sudo:

sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi <your username>

Now, switch user:

sudo su - <your username>

Then let's remove the default user 'pi' and its home folder. You will have to first kill any processes running by the 'pi' user:

sudo pkill -u pi

Finally:

sudo deluser -remove-home pi

This is a good time to mention that we should have all of the software up to date on the Pi. To do an update:

sudo apt update

The above will just grab a list of software and their latest versions from the repository. To actually update, you will need to:

sudo apt upgrade

You may notice if you find older tutorials on the web using "apt-get", which is an outdated but still working command. It has since been replaced by "apt".

Now, we move on to securing the Pi on your local area network. The risks here, again, are not too great unless you are using a public network. If you are worried about someone physically accessing your Pi, that person should probably not be in your home. Likewise, if you are worried about someone accessing your Pi from within your network, what are they doing on your network, or why are you on that network?

Anyhow, there are apps, such as fing, that will detect the other devices connected on the same network. Someone with that knowledge will be able to attempt to SSH into your Pi. This is why having a strong password is important.

However, we can add a layer of security by only allowing certain devices to access your Pi through SSH. So even with your username and password, if the device does not have a key, the Pi will deny the access.

On Linux or Windows, open a terminal or PowerShell, respectively, and enter:

ssh-keygen

It will ask you where to save the key pair. On Linux, by default, they will be in "home/<your username>"/.ssh/id_rsa".

 

On Windows, the default path will be "C:\Users\<yourusername>\.ssh\id_rsa". You will be asked for a passphrase.

You may enter one or press "enter" on your keyboard to skip.

There a keypair generated - a private key, and a public key.

The private key stays on your computer and should not be shared. Anyone with the private key will be allowed to SSH into your Pi. The public key will be stored on your Pi through this command on your computer's terminal/PowerShell:

ssh-copy-id <your Pi's username>@<your Pi's IP address>

Enter the password to your user on your Pi when prompted.

Now SSH into your Pi. If you successfully log into the Pi without password, then the above instructions were successful and we can now disable password logins:

sudo nano /etc/ssh/sshd_config

Change the "yes" to "no" on the following lines:

ChallengeResponseAuthentication noPasswordAuthentication noUsePAM no

Press Ctrl + X to exit. Type Y and press enter to confirm the save. All SSH authentication will now be done through key pairs.

Finally, let's secure the Pi from external threats. We need to install a Firewall and the one I use is Uncomplicated Firewall (UFW).

The way UFW works is that it allows or blocks traffic based on a port.

Let's start with a simple analogy: Remember before the days of HDMI, we had the three color (RCA) cables? Aside from the color, they all look the same but one is for video, one is for left audio, and one is for right audio. You cannot just plug in the video cable to one of the audio ports because the audio port expects audio signal.

The same is true for ports in regards to computer networking. The Pi sends and receive HTTP requests on port 80, HTTPS requests on port 443, DNS lookups on port 53, SSH on port 22. If we are not expecting the Pi to be communicating on a port, then we should close it off.

Now, let's get a little bit more technical. A port address is made up of a 16 bit unsigned number. An unsigned number means that it only allows for positive numbers, effectively doubling the positive range of a signed 16-bit number.

In short, a 16-bit unsigned number can store a value between 0 and 65535, meaning there can be up to 65535 usable ports to access your computer, and in our case, the Pi.

There are two transport protocols that are typically used - Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). UFW can allow or deny a port on either or both protocols.

To install UFW, enter the following:

sudo apt install ufw

Before we enable it, we should allow SSH, which is through port 22:

sudo ufw allow 22

If you do not know the port that an application uses, you can enter the application name. For example:

sudo ufw allow ssh

Now, we enable UFW:

sudo ufw enable

UFW is very powerful as you have a lot of control over what you want to allow and what you want to deny. You can deny certain IP's or only allow certain IP's over a certain port. You can limit access attempts. You can also specify whether to allow the port only through LAN, or Wi-Fi.

Let me introduce on last command for those new to Linux:

man <command>

Say you have installed a new application and not sure how to use it. You can always use the "man" command to look up the manual for the command you want to use. For example, with UFW:

man ufw

The "man" command works on all of the built-in Linux commands too. So try the following for example:

man sudo

Up until now, your Pi's hostname is "raspberrypi". You can change your hostname by the following command on your Pi:

sudo rasp-config

 

Use your arrow keys to navigate up and down, enter for single select, space for multi-select, and esc to go back. Hostname is under "Network Options". Feel free to browse through other settings, such as locale for time-zone and language settings. 

Well, that's all for this week as you have learned to secure your Pi locally, on the local network, and on the Internet. 

 

Next week, we will be back to introducing software that I use on my Pi.