PuppetHoundZ
Posts: 170
Joined: Wed Jan 21, 2015 2:57 am

Raspbian Security Question w/ SSH off.

Tue Apr 25, 2017 12:09 am

So I've been reading around the forum and the internet about Linux and Safety and the internet.

My main goal is using Raspberry Pi as a portable Laptop using SmartiPi Touch and official screen. So my main use of the Raspberry Pi 2B v1.1 is web browsing, typing up documents, printing documents (using Cups connected wifi printer) and streaming music and video from YouTube and Spotify.

I mostly use chromium browser and I have UBlock Origin Installed with all the Malware blockers on that plug-in.

I have SSH Disabled and occasionally use VNC that is pre-installed on the Raspbian system for remote control with my iPhone sometimes.

I also have changed my default password to a different one.

Is it necessary to activate the firewall and fail2ban as well? Or is that merely if I use SSH or VNC?

Basically I'm using the thing like a Linux Computer Laptop.

Here is what I learned:
IF you inside your own network no worries on firewall and fail2ban.

But you do want to activate password protection of the sudo command. PS Thanks gkreidl for this cool security tip and steps.

To do this:

Code: Select all

sudo nano /etc/sudoers.d/010_pi-nopasswd
shows (default):

Code: Select all

pi ALL=(ALL) NOPASSWD: ALL
Modify to:

Code: Select all

pi ALL=(ALL) PASSWD: ALL
and save it.
Last edited by PuppetHoundZ on Sun May 14, 2017 6:26 pm, edited 2 times in total.

klricks
Posts: 7028
Joined: Sat Jan 12, 2013 3:01 am
Location: Grants Pass, OR, USA
Contact: Website

Re: Raspbian Security Question w/ SSH off.

Tue Apr 25, 2017 12:25 am

IMO if your RPi is behind the firewall on your router then changing the password is enough. Even that is mostly to prevent physical access.

If you open ports to the public Internet for SSH, Web server etc then is when you need fail2ban.
Unless specified otherwise my response is based on the latest and fully updated RPiOS Buster w/ Desktop OS.

PuppetHoundZ
Posts: 170
Joined: Wed Jan 21, 2015 2:57 am

Re: Raspbian Security Question w/ SSH off.

Tue Apr 25, 2017 1:21 am

klricks wrote:IMO if your RPi is behind the firewall on your router then changing the password is enough. Even that is mostly to prevent physical access.
That's great to know. Thanks. :D

What if I use public wifi (like mcdonalds) and have my raspberry Pi setup the same way as I mention above, Should I use firewall with failtoban?

Or should I just make sure I'm using ssl

gkreidl
Posts: 6275
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Raspbian Security Question w/ SSH off.

Tue Apr 25, 2017 2:40 am

The most important thing has not been mentioned here, yet: Change your sudo settings so that sudo requires a password.

If you a are successfully attacked by an exploit (web page, flash etc), the attacker will not able to modify your root file system if sudo requires a password.

In more than 10 years of working with linux I have seen two successful attacks (not much compared to Windows), but both were restricted to user space and the crap could be easily removed.
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

PuppetHoundZ
Posts: 170
Joined: Wed Jan 21, 2015 2:57 am

Re: Raspbian Security Question w/ SSH off.

Tue Apr 25, 2017 4:21 am

gkreidl wrote:The most important thing has not been mentioned here, yet: Change your sudo settings so that sudo requires a password.

If you a are successfully attacked by an exploit (web page, flash etc), the attacker will not able to modify your root file system if sudo requires a password.

In more than 10 years of working with linux I have seen two successful attacks (not much compared to Windows), but both were restricted to user space and the crap could be easily removed.
Any good suggestions/directions on how to do that properly?

gkreidl
Posts: 6275
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Raspbian Security Question w/ SSH off.

Tue Apr 25, 2017 5:39 am

PuppetHoundZ wrote: Any good suggestions/directions on how to do that properly?

Code: Select all

sudo nano /etc/sudoers.d/010_pi-nopasswd
shows (default):

Code: Select all

pi ALL=(ALL) NOPASSWD: ALL
Modify to:

Code: Select all

pi ALL=(ALL) PASSWD: ALL
and save it.
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 25999
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspbian Security Question w/ SSH off.

Tue Apr 25, 2017 12:57 pm

gkreidl wrote:
PuppetHoundZ wrote: Any good suggestions/directions on how to do that properly?

Code: Select all

sudo nano /etc/sudoers.d/010_pi-nopasswd
shows (default):

Code: Select all

pi ALL=(ALL) NOPASSWD: ALL
Modify to:

Code: Select all

pi ALL=(ALL) PASSWD: ALL
and save it.
Hi gkreidl, would you might taking a look at this draft document for Pi security, in to which I have just added your useful information.

https://github.com/raspberrypi/document ... ecurity.md
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“My wife said to me `...you’re not even listening`.
I thought, that’s an odd way to start a conversation.."

gkreidl
Posts: 6275
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Raspbian Security Question w/ SSH off.

Tue Apr 25, 2017 2:10 pm

jamesh wrote:
Hi gkreidl, would you might taking a look at this draft document for Pi security, in to which I have just added your useful information.

https://github.com/raspberrypi/document ... ecurity.md
Looks fine. But perhaps you should add, in which case these options make sense. You don't need a firewall, for example, if you're behind a router, and fail2ban is only useful if you run any kind of server (including ssh, if it is accessible outside of the local network).
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 25999
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspbian Security Question w/ SSH off.

Tue Apr 25, 2017 2:13 pm

gkreidl wrote:
jamesh wrote:
Hi gkreidl, would you might taking a look at this draft document for Pi security, in to which I have just added your useful information.

https://github.com/raspberrypi/document ... ecurity.md
Looks fine. But perhaps you should add, in which case these options make sense. You don't need a firewall, for example, if you're behind a router, and fail2ban is only useful if you run any kind of server (including ssh, if it is accessible outside of the local network).
Will do, thanks.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“My wife said to me `...you’re not even listening`.
I thought, that’s an odd way to start a conversation.."

PuppetHoundZ
Posts: 170
Joined: Wed Jan 21, 2015 2:57 am

Re: Raspbian Security Question w/ SSH off.

Tue Apr 25, 2017 3:17 pm

gkreidl wrote:
PuppetHoundZ wrote: Any good suggestions/directions on how to do that properly?

Code: Select all

sudo nano /etc/sudoers.d/010_pi-nopasswd
shows (default):

Code: Select all

pi ALL=(ALL) NOPASSWD: ALL
Modify to:

Code: Select all

pi ALL=(ALL) PASSWD: ALL
and save it.
I followed your directions

But instead did sudo pcmanfm went to the file opened it and modified it as you directed.

Then....

Wow that's awesome! Every time I use sudo I have to use my password just like ubuntu.

Pretty cool and thanks.

PuppetHoundZ
Posts: 170
Joined: Wed Jan 21, 2015 2:57 am

Re: Raspbian Security Question w/ SSH off.

Sun May 14, 2017 6:20 pm

Hi all as a update on how things are going with this cool password setup for sudo.

The only way for raspi config GUI to work is to go into command line and type:

Code: Select all

sudo rc_gui
If you open raspi config gui any other way it will open but the settings are not editable because it's not opened as sudo.

It would be nice to have a prompt for a password when clicking on the rc_gui link in the start menu.

Also it would nice if raspi-config could be upgraded with a security tab that allow users to add this nice sudo password prompt for those learning Linux this is a great stepping stone to have user learn as part of programming.

Return to “Raspberry Pi OS”