5 security tips for the Raspberry Pi
By default, the Raspberry Pi comes with a poor level of security. If you use the Pi at home or in a small network, that's not a big deal.
But if you open ports on the Internet, use it as a WiFi hotspot, or if you install the Pi in a larger network, you need to take security measures to protect your Raspberry Pi.
The following article will show you how to do this.
1. Always update the system
This first tip may be obvious, but it is very important. With the updates in the Raspbian repository, you not only get the latest features, but more importantly security fixes for the installed software.
Try to update your Raspberry Pi regularly with:
sudo apt update
sudo apt upgrade
You can also automate this process with the unattended-upgrades package, which lets you install security fixes automatically every day:
- Install the unattended-upgrades package
sudo apt install unattended-upgrades
- Open the configuration file
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
- Change what you want in this file
By default, it will only download security updates, but you can change this if you want to install all the Debian updates or even other repositories.
At least you should note this line:
Unattended-Upgrade::Mail "root";
This will send mail to root (or any other address if you have a mail server installed).
- Save and exit (CTRL + O, CTRL + X)
- Then, you'll need to set up periodic upgrades:
- Open this file:
sudo nano /etc/apt/apt.conf.d/02periodic
- Paste these lines (file should be empty, otherwise change the values):
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Verbose "2";
This will allow daily automatic updates. You ask apt to: Update, download upgrades, install upgrades, and do daily cleaning automatically.
The last line sets the level of detail you will get in /var/log/unattended-upgrades and by email (1 = low, 3 = max).
- Save and exit (CTRL + O, CTRL + X).
- You can debug your configuration with this command:
sudo unattended-upgrades -d
Don't forget to check the log files and/or the emails received to make sure everything is working as expected.
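A typo or a commented-out line in the periodic file silently turns automatic updates off. The following check is an added example, not part of the original article: it reports which of the four settings that drive the daily update, download and install steps are absent from a file or set to "0". The function names and the sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: find APT::Periodic settings that are absent or disabled.
# REQUIRED lists the settings from the article that drive update/download/install.
REQUIRED="Enable Update-Package-Lists Download-Upgradeable-Packages Unattended-Upgrade"

# Print the value of APT::Periodic::<key> ($2) in file $1.
# "//" comments are dropped; ";" is turned into a newline so that several
# settings written on one line are still found.
periodic_value() {
    sed 's|//.*||' "$1" | tr ';' '\n' |
        awk -v k="APT::Periodic::$2" '
            $1 == k { gsub(/"/, "", $2); v = $2 }
            END     { print v }'
}

# Print one line per problem; print nothing when all four settings are active.
check_periodic() {
    for key in $REQUIRED; do
        val=$(periodic_value "$1" "$key")
        case "$val" in
            "") echo "MISSING $key" ;;
            0)  echo "DISABLED $key" ;;
        esac
    done
}

# Constructed sample file: one setting commented out, one set to "0"
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
// APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "0";
EOF

check_periodic "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

On the Pi itself, call check_periodic /etc/apt/apt.conf.d/02periodic; "MISSING" only means the setting is not in that file, so another file under /etc/apt/apt.conf.d/ may still define it.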
2. Don't use automatic login or blank passwords
Passwords are an important part of system security. The first thing to do is make sure that all important accesses require passwords.
Don't use automatic login, and add a login step for each app that can be accessed directly.
The article won't list all the apps, but for example, if you have a web server, make sure that your personal data or admin pages can't be accessed without a password.
Make sure no one is using a blank password on the Raspberry Pi. If you have few accounts, it's easy: check all permissions. If you have multiple user accounts, these commands can help you:
- Search for a blank password
sudo awk -F: '($2 == "") {print}' /etc/shadow
This will only show accounts with blank passwords.
- Lock accounts that are not secure
sudo passwd -l <username>
3. Change the default password for Pi
A common mistake is to leave the default password (raspberry) of the pi user as it is. Anyone who has used a Raspberry Pi knows this password, so many people scan SSH ports and try to log in using pi / raspberry.
Changing the default password is the first thing to do after a fresh install. Doing this is very easy: log in as pi and enter this command:
passwd
Try to use a sentence of more than 15 characters, so that it is safe from brute-force attacks and easy to remember (e.g. iloveraspberrytips is a good password, easy to remember).
4. Disable pi user
Hackers have a list of commonly used credentials and often try them out.
If possible, create a new user and disable the pi user to prevent this type of brute-force attack:
- Create a new user:
sudo adduser <username>
- Grant sudo privileges if needed:
sudo adduser <username> sudo
This will add your new user to the sudo group.
- Check that everything is working properly (ssh access, sudo, etc.)
- Copy files from the pi user to the new user if needed
sudo cp /home/pi/Documents/* /home/<username>/Documents/
- Delete the pi user
sudo deluser --remove-home pi
If you want, you can start by locking the account (as said before) and deleting it after a few weeks, when you're sure everything is okay.
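The blank-password check from tip 2 can be generalized to confirm that a lock applied with passwd -l took effect and that the pi account can no longer log in with a password. This is an added example, not part of the original article; the function names and the sample shadow entries (including the placeholder hashes) are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify accounts in a shadow-format file by password field.
#   empty field        -> BLANK  (login without a password)
#   starts with ! or * -> LOCKED (passwd -l prepends "!" to the hash)
#   anything else      -> SET    (a usable password hash)
audit_shadow() {
    awk -F: '
        $2 == ""     { print "BLANK", $1; next }
        $2 ~ /^[!*]/ { print "LOCKED", $1; next }
                     { print "SET", $1 }
    ' "$1"
}

# Accounts that can log in with no password at all
blank_accounts() {
    audit_shadow "$1" | awk '$1 == "BLANK" { print $2 }'
}

# Exit 0 if the pi account still exists and is not locked
pi_login_possible() {
    audit_shadow "$1" | grep -Eq '^(BLANK|SET) pi$'
}

# Constructed sample data (hashes are placeholders, not real)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:!:19000:0:99999:7:::
pi:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
olduser:!$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF

audit_shadow "$SAMPLE"
if pi_login_possible "$SAMPLE"; then
    echo "WARNING: pi can still log in; change its password or lock/delete it"
fi
rm -f "$SAMPLE"
```

On the Pi, pass /etc/shadow to the functions from a root shell. Note that passwd -l only disables password login: an account with SSH keys in its authorized_keys file can still log in that way.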
5. Stop unnecessary services
On the Raspberry Pi, people try out a lot of projects of every kind, and that can be a bad habit for security.
Let's say you installed PHPMyAdmin 3 months ago to try something, but you are no longer using it.
This could create a vulnerability that allows an attacker to enter your system. So try to stop or uninstall unnecessary services and apps.
- To stop a service:
sudo service <service-name> stop
- If it starts automatically on boot, try:
sudo update-rc.d <service-name> remove
- Or to uninstall it, use the following command:
sudo apt remove <package-name>