Raspberry pi security - autorooters

[drdevil44]

Dear all

Looks like the pi has been added to the autorooters used by script kiddies - found this in my log today - clearly scanning for the pi user:

May 3 06:20:03 piserver sshd[5708]: Invalid user pi from 186.103.144.18
May 3 06:20:03 piserver sshd[5708]: input_userauth_request: invalid user pi [preauth]
May 3 06:20:03 piserver sshd[5708]: pam_unix(sshd:auth): check pass; user unknown
May 3 06:20:03 piserver sshd[5708]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.103.144.18
May 3 06:20:05 piserver sshd[5708]: Failed password for invalid user pi from 186.103.144.18 port 35844 ssh2
May 3 06:20:05 piserver sshd[5708]: Received disconnect from 186.103.144.18: 11: Bye Bye [preauth]
May 3 06:20:07 piserver sshd[5712]: reverse mapping checking getaddrinfo for 186-103-144-18.static.tie.cl [186.103.144.18] failed - POSSIBLE BREAK-IN ATTEMPT!

Best
Gareth

[pluggy]

Its probably a safe bet they'll find a few. It won't get them into mine though.

[xenoist]

Install denyhosts and fail2ban if you have build in iptables modules in the kernel.
denyhosts just looks for false logins and add the hosts to hosts.deny.
Don't forget to set white lists: Your incoming IP if it's a fixed to hosts allow.

I accept only sshkey login and no password for login too on my servers.
To use this the user ssh must have a sshkey from the client to connect with on the remote machine:
http://www.linuxproblem.org/art_9.html

The .ssh dir for the user must have 700 permission.
chmod 700 ~/.ssh
In "/etc/ssh/sshd_config" set "PasswordAuthentication no" now only keylogin is accepted.
But test it before you kick off your self.
I also changed the fail2ban settings for sshd to keep of sshkey only logins with fails:

/etc/fail2ban/filter.d/sshd.conf
failregex
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye\s*$

[gstreeter]

Modify your SSH server port in sshd_config to something other than the default 22 as they don't usually probe for alternative ports. Note it has to be above 1024. Since doing this I've not had a single attempt at SSH break ins. As already noted earlier, using public key-only authentication denies external password based access and renders such attempts futile.

[jojopi]

Install denyhosts and fail2ban if you have build in iptables modules in the kernel.

If you have not changed the default pi password then these theatrical scripts will not help you, because the attacker will be in first attempt. If you have changed the password then they are not necessary.

They should never be your first advice, especially when you have better suggestions with real security advantages later in your post.

The .ssh dir for the user must have 700 permission.
chmod 700 ~/.ssh

That is a myth. 0755 is absolutely fine.

[sprinkmeier]

The .ssh dir for the user must have 700 permission.
chmod 700 ~/.ssh

That is a myth. 0755 is absolutely fine.

Security is about 'defence in depth', aka 'belts and suspenders'.

755 might be OK, but 700 is better and shouldn't cause any problems, so use it.

An example:
The known_hosts file used to list plaintext hostnames for other hosts.
An attacker who gained a toe-hold on your system could use it to map out which other systems you visited, aiding their attack plan.
The more accessible this file, the greater the risk.

Also...if you change the SSH port on a server you can use ~/.ssh/config to automatically override the default port when connecting to that box:

Code: Select all

host paranoid
        hostname paranoid.example.com
        user bob
        port 54321

Now you can

Code: Select all

ssh paranoid

instead of

Code: Select all

ssh -l bob -p 54321 paranoid.example.com

Automagcally works for scp, sftp, git/rsync over ssh, etc.

Note that you're now leaving clues around for an attacker ala. the old known_hosts file, so remember to "chmod 700 ~/.ssh ; chmod 600 ~/.ssh/*"