Disabling root and pi accounts
- We need to change passwords and/or disable root and pi usernames.
- First create our own account (logged in as pi)
- sudo /usr/sbin/useradd --groups sudo --shell /bin/bash -m <myusername>
- sudo passwd <myusername>
- Login as the new username and change root and pi passwords
- sudo passwd root
- sudo passwd pi
- sudo passwd --lock pi
Securing ssh
- Create a key on the host you are attaching from (if not already done so)
- ssh-keygen -t rsa
- providing a passphrase when prompted
- Copy the created key (in ~/.ssh) to the raspberrypi
- ssh-copy-id -i ~/.ssh/id_rsa.pub <remote_user>@<remote_host>
- Remove any stale host key for the Pi from ~/.ssh/known_hosts, so that the new host key is added at the next ssh login
- ssh-keygen -R <remote_host>
- login to host with ssh
- Disable password authentication for ssh
- Edit the ssh config file
- sudo emacs /etc/ssh/sshd_config
- and set
- PasswordAuthentication no
- PermitRootLogin no
- UsePAM no
- Load new ssh configuration and restart
- sudo service ssh reload
- sudo service ssh restart
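Added example (not part of the original notes): a POSIX shell script that applies the three sshd_config settings above idempotently to a given file and reads back the effective value, so the edit can be checked before reloading. It assumes a plain sshd_config in which each directive may be active, commented out (e.g. `#PasswordAuthentication yes`) or absent; it does not understand Match blocks, so review those by hand.

```shell
#!/bin/sh
# Harden sshd_config as described in the notes above (example, not from the page).

# Set KEY to VALUE in FILE. Any existing active or commented-out line for KEY
# (at any indentation) is rewritten; if no such line exists, the directive
# is appended. Uses a temp file instead of sed -i for portability.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply the settings from the notes: key-only logins, no root over ssh, no PAM.
harden_sshd_config() {
    file="$1"
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" UsePAM no
}

# Print the value sshd will use for KEY in FILE: the first uncommented
# occurrence wins (sshd keeps the first value it sees for a directive).
sshd_option_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Usage: sh harden_sshd.sh /etc/ssh/sshd_config  (run with sudo on the Pi)
if [ -n "${1:-}" ]; then
    harden_sshd_config "$1"
    for k in PasswordAuthentication PermitRootLogin UsePAM; do
        printf '%s = %s\n' "$k" "$(sshd_option_value "$1" "$k")"
    done
fi
```

After editing the real file, `sudo sshd -t` checks the syntax and `sudo sshd -T` dumps the effective configuration, which is the safer place to confirm the settings before reloading the service.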
Enabling Firewall
- for older Raspbian
- Install iptables
- sudo apt-get install iptables iptables-persistent
- check iptables
- sudo /sbin/iptables -L
- for Buster
- use nftables
Securing wpa_supplicant
- encrypt the wifi access password in wpa_supplicant
- encrypt the section for wpa_supplicant which contains the wifi password, by running
- wpa_passphrase <YOUR_SSID> <YOUR_PASSWORD>
- cut and paste the output into the file
- /etc/wpa_supplicant/wpa_supplicant.conf
- replacing the existing network={ ... } section and deleting the commented-out #psk= line that still contains the unencrypted password