Posts: 17424
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Raspberry Pi Security

Mon Sep 02, 2019 8:08 am

tpyo kingg wrote:
Mon Sep 02, 2019 7:08 am
As far as I can tell, in regards to running OpenSSH on the Raspberry Pi, the single best mitigation tactic is to use SSH key-based or SSH-certificate based logins with password authentication disabled. Most bots seem to be able to determine this and back off on first contact, regardless of which port SSH is listening on.
That is probably the safest option.

One other option that I have used, when I have occasionally had to log in from a device that I hadn't used before, is One Time Passwords. There is a package in Debian/Raspbian that will let you set up a series of random passwords that can only be used once.
You run a command on the system to be accessed and that gives you a list of ten or so numbered passwords that are valid. There is also a keyword that you set up in advance.

Then when you log in you get a password prompt that is something like (sorry, a while since I used this and can't remember exactly)


which means you have to enter the keyword followed by the 12th password on the list.

If the keyword and password are correct you get logged in and that password is deleted. If not correct it gets left as it is.

I used to use this when I logged in from my phone which didn't support shared keys at the time.
Unreadable squiggle
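The mechanism behind the numbered password list described above, as an added example that is not code from the post or from the Debian package it refers to (assumed here to be OPIE, an S/Key implementation): the server stores only the top of a hash chain, the login prompt asks for link number n, and a correct answer is consumed by becoming the new top. The hash function (SHA-256), the hex encoding, the prompt format and the names `enroll`, `password_list`, `challenge` and `verify` are choices made for this illustration, not the package's own.

```python
"""Simplified S/Key-style one-time-password list (added illustration,
not the OPIE / Debian package code). Server keeps one chain value; each
accepted password replaces it, so a captured password is useless."""
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _chain(keyword: str, seed: str, i: int) -> bytes:
    """Link i of the chain: SHA-256 applied i times to (seed || keyword)."""
    x = _h((seed + keyword).encode())
    for _ in range(i):
        x = _h(x)
    return x


def enroll(keyword: str, count: int = 100, seed: str = "") -> dict:
    """Server-side enrollment: store the top link only, never the keyword."""
    seed = seed or secrets.token_hex(4)
    return {"seed": seed, "next": count - 1, "top": _chain(keyword, seed, count)}


def password_list(keyword: str, seed: str, first: int, how_many: int = 10) -> dict:
    """Client side: the numbered list printed before travelling.

    Password n is chain link n; the server accepts it when
    hash(link n) equals the stored link n+1."""
    return {n: _chain(keyword, seed, n).hex()
            for n in range(first, max(first - how_many, -1), -1)}


def challenge(state: dict) -> str:
    """What the login prompt would show, e.g. 'otp-sha256 42 ab12'."""
    return f"otp-sha256 {state['next']} {state['seed']}"


def verify(state: dict, response_hex: str) -> bool:
    """Accept only if the response hashes to the stored top; then consume it.
    A wrong or replayed response leaves the state untouched."""
    if state["next"] < 0:
        return False                       # chain exhausted: re-enroll
    try:
        candidate = bytes.fromhex(response_hex)
    except ValueError:
        return False
    if not hmac.compare_digest(_h(candidate), state["top"]):
        return False
    state["top"] = candidate               # accepted link becomes the new top
    state["next"] -= 1
    return True


if __name__ == "__main__":
    # Constructed demo: enroll with a short chain, print the list, log in twice.
    kw = "correct horse battery"            # the keyword set up in advance
    st = enroll(kw, count=5, seed="ab12")
    lst = password_list(kw, st["seed"], st["next"], 3)
    print("prompt:", challenge(st))
    for n, pw in lst.items():
        print(f"{n:3d}: {pw}")
    print("login with #4:", verify(st, lst[4]))
    print("replay of #4:", verify(st, lst[4]))
```

Because the server holds only `top`, someone who copies its state cannot derive the remaining passwords; they would have to invert the hash. Note that in this simplified model passwords must be used in order (the real S/Key scheme lets the server skip forward by iterating the hash).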

Posts: 5421
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Raspberry Pi Security

Mon Sep 02, 2019 8:55 am

jcyr wrote:
Mon Sep 02, 2019 3:38 am
Any Pi on public Internet will probably have ssh enabled for remote access.
Certainly not. Your average router comes without SSH enabled (or any other service on the WAN port, for that matter), with good reason.

It is preferable to run a client VPN or something to the same tune that actively connects and “phones home” rather than having the ssh daemon waiting for connections. Within that safer zone you can have remote login enabled for maintenance.

An IDS like fail2ban, tripwire, etc. is only good as long as the machine is monitored by an admin. Otherwise it just adds load and thrashes logfiles. Active IDS like fail2ban are the absolute worst; attackers know and use the behavior of those tools and you end up causing your own denial of service... No monitoring, no IDS.

Google has authored a PAM module that goes along with the free Authenticator app; you can use that to set up two-factor authentication if remote login has to be possible from the Internet. This one is useful.
"If there is no solution, it's because there is no problem." Les Shadoks, J. Rouxel
