Locking Down / Securing the RPi

9 posts
by c1223 » Sat Nov 03, 2012 3:58 am
Hi there, few questions:

What is the best way to keep on top of having a secure, updated and patched OS?

What is the best way to secure these? Correct me if I'm wrong but I should only want:

Drop all connections except:
Port 80 accepting incoming (for RaspControl), and accepting outgoing once established
Port 22 accepting incoming (for SSH), and accepting outgoing once established

The only applications running will be RaspControl and MPD.

However I assume I also need to allow port 80 outgoing because there are some WGET scripts that I use? Will I need anything else for MPD?

What other precautions can I take for security?

Posts: 9
Joined: Wed Oct 24, 2012 10:56 pm
by LetHopeItsSnowing » Sat Nov 03, 2012 9:48 am
I would start by changing the default password..

Seriously tho, it's often the simple things which are overlooked.

Don't leave it on the sill of an open window!

"am I getting slower, or is stuff more complicated; either way I now have to write it down - stuffaboutcode.com"
Posts: 212
Joined: Sat May 26, 2012 6:40 am
Location: UK
by ghans » Sat Nov 03, 2012 10:35 am
Use keys instead of passwords for SSH. Have a look into iptables for basic
security settings.

Posts: 5159
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany
by c1223 » Sat Nov 03, 2012 11:52 am
Default password has been changed, and actually default user deleted.

Posts: 9
Joined: Wed Oct 24, 2012 10:56 pm
by alexeames » Sat Nov 03, 2012 12:27 pm
keys for ssh, disable ssh password login and change the ssh port


It's not bombproof, but it's a good start :)
Alex Eames RasPi.TV HDMIPi.com RasP.iO
Posts: 2102
Joined: Sat Mar 03, 2012 11:57 am
Location: UK
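A check for the SSH advice given so far (keys, no password login, a non-default port), as an added example that is not from any poster in this thread. It reads only the global section of an `sshd_config`; the sample file is constructed, and `Match` blocks and included files are not evaluated.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config file.
# sshd uses the FIRST value it reads for a keyword, so a hardening line
# appended at the bottom of the file loses to an earlier one.

# sshd_value FILE KEYWORD DEFAULT -> effective (lower-cased) global value
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/    { next }   # blank lines and comments
        tolower($1) == "match"  { exit }   # global section ends here
        tolower($1) == key      { print tolower($2); found = 1; exit }
        END                     { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> space-separated findings, or "ok"
audit_sshd() {
    findings=""
    # Upstream defaults are "yes" for both keywords when they are absent.
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] ||
        findings="$findings password-login-enabled"
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = yes ] ||
        findings="$findings pubkey-login-disabled"
    echo "${findings:-ok}" | sed 's/^ //'
}

# Constructed sample: an earlier "yes" shadows the "no" added at the end.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 2222
PasswordAuthentication yes
PubkeyAuthentication yes
# hardening appended later by hand; never takes effect
PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "port: $(sshd_value "$sample" Port 22)"
echo "findings: $(audit_sshd "$sample")"
rm -f "$sample"
```

On the Pi itself, `sshd -T` (run as root) prints the configuration the daemon actually resolves, including included files.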
by c1223 » Sat Nov 03, 2012 1:23 pm
However after firewall rules and the keys with SSH what else can I possibly do? I don't know where to start!
Posts: 9
Joined: Wed Oct 24, 2012 10:56 pm
by pluggy » Sat Nov 03, 2012 2:04 pm
Linux is living in a leafy cul-de-sac, Windows is living in a ghetto. Running a Pi isn't anything like the problem Windows is because the threat (on the whole) isn't there. I have a rule for my life, I don't log onto web sites which involve my money from a Windows machine (An indication of paranoia perhaps). If you don't run any services on the Pi that need to be accessed from the outside world, there is no threat.

The biggest is running a globally accessible SSH with passwords enabled, and then you get kiddy scripts trying to get in with common passwords.
Don't judge Linux by the Pi.......
Posts: 3097
Joined: Thu May 31, 2012 3:52 pm
Location: Barnoldswick, Lancashire,UK
by bgirardot » Sat Nov 03, 2012 2:32 pm
As mentioned above, you for sure want to make sure any ports not required are closed, although as pluggy mentioned, default Linux is usually not running very many services listening for connections, unlike Windows and OS X.

I use iptables on my Linux boxes to restrict the IP addresses that can access port 22 because if port 22 is open to the internet you will get dozens to hundreds of brute force attempts to guess username/passwords every day. Same thing with FTP, which you should avoid, but sometimes can't.

Changing the port ssh listens on helps only a little as people will port scan your machine and brute force just about any port they find open. Even if you have ssh set to use key access only, people will still pound the port which in itself can cause issues, probably even more so on a low power machine like the RPi. If you like to play with ports for security, "port knocking" is the most fun way to use ports for increased security, but slightly complicated.

If you are behind a router that is doing NAT it will probably close off everything to the internet except things you set up to forward to your RPi so that provides some protection there.

Just for education, you can download nmap and port scan your own machines and router to see what it turns up.

But the biggest thing to my mind is if you have anything facing the public running on any machine, you need to make sure the software is properly secured. Things like changing default passwords and keeping the software up to date being the most important.

So if you are running Apache, php, mysql, wordpress, joomla, etc, you will want to do an internet search for securing apache, securing mysql, etc. and then making sure you follow the best practices for locking all the software and packages you run down. That will probably be your biggest vulnerability, the software you run being misconfigured or out of date.
Posts: 517
Joined: Wed Oct 10, 2012 6:20 am
Location: Switzerland
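The firewall policy discussed across this thread (default drop, port 80 open, SSH limited to chosen source addresses, outbound web access for wget), written out as an added example that is not from any poster. The subnets are constructed documentation addresses, and the outbound DNS and NTP rules are assumptions about what a Pi needs to resolve names and keep its clock set.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the policy in this thread.
# Source subnets below are constructed sample values.

# gen_rules SSH_PORT "SUBNET1 SUBNET2 ..." -> ruleset on stdout
gen_rules() {
    ssh_port=$1
    ssh_sources=$2
    echo '*filter'
    # Default-deny in every direction; everything allowed is listed below.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback, so local clients can still reach MPD on the same box.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies belonging to connections that were already permitted.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # SSH only from the listed source subnets.
    for net in $ssh_sources; do
        echo "-A INPUT -p tcp -s $net --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Web control panel on port 80 from anywhere.
    echo '-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT'
    # Outbound (assumed needs): DNS, NTP, and HTTP/HTTPS for wget and updates.
    echo '-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    echo '-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    echo '-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT'
    echo '-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT'
    echo 'COMMIT'
}

# Review the output, then check it as root before applying:
#   gen_rules 22 "192.0.2.0/24" | iptables-restore --test
gen_rules 22 "192.0.2.0/24 198.51.100.7"
```

MPD is reachable only over loopback with these rules; remote MPD clients would need their own INPUT rule for whatever port MPD is configured to listen on.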
by pluggy » Sat Nov 03, 2012 3:16 pm
I use a firewall called shorewall which makes iptables a little less intimidating. It masquerades as a service but in reality it's just tweaking iptables. I just run a static website using lighttpd, there isn't much to hack without a tasty sql system in there. I have SSH blocked out to all but a few select subnets which I want to access from. Keeps the Chinese and the Russians out......

National stereotypes ?, Me ?, Nahhhh.
Posts: 3097
Joined: Thu May 31, 2012 3:52 pm
Location: Barnoldswick, Lancashire,UK