How to Secure a Raspberry Pi on Your Network | ITProTV
ฝัง
- เผยแพร่เมื่อ 12 มิ.ย. 2024
- Subscribe to get the latest videos: go.itpro.tv/subscribe
The Raspberry Pi is such a versatile device, and as a result, people are finding more uses for them in the office. But are they secure? The answer is complicated. With the default settings, hackers could use a Raspi as a gateway to infiltrate your network. However, with the right configuration, it can be very secure. In this special Pi Day episode, Don and Justin look at the steps you should take for securing a Raspberry Pi for use in your enterprise environment.
Enjoy this video? Get access to more online IT skills and certification training from ITProTV. Home of binge-worthy learning, ITProTV offers individuals and teams thousands of hours of engaging & effective on-demand video training for the latest technology skills. Watch live or on-demand daily.
Start learning for free: go.itpro.tv/free-signup
#raspberrypi #raspi #piday
Couldn't find them here, so here are the two lines:
"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
Thanks for the video, it is very informative!
You're welcome. Thanks so much for adding that!
Thank you so much!
THANK YOU! I see SO many Raspberry Pi "setup" videos out there that just fire up the Pi, set the basic settings and then Totally ignore any of this. I would LOVE to see more videos like this!!!
Glad it helped! We'll be working on more for sure.
Thank you for this! I followed these suggestions and also made my RPI static IP (on RPI and router sides) as I plan to use it for server work.
Learning a lot, liked and subbed
Extremely useful, thank you for the information!
Glad it was helpful!
Thank you, for the very clear video.
Extremely useful, thank you so much
This was a really great video, thank you so much!
Really useful. Thanks. I've been frustrated by just about everything I read telling me to use apt online, when I don't feel safe doing that.
Having to "sudo" commands strikes me as like playing "Simon says", and being effectively told "Ha! You didn't say "Simon says" ". Utterly pointless pseudo (sudo) security, like one of the Seven Dwarfs locking the mine shaft then putting the key on a hook, next to the door.
Great stuff. Simple security steps people skip all the time
Exactly! Glad you found it useful.
Why is this not in the top watch lists for the RPi? This was a brilliant tutorial to aiding in understanding how to protect the basics of the RPi when it's connected to the internet, such as when being used as a basic home servers. There are lots of videos out there on how to turn the RPi into a server, but they all lack protecting it. I viewed the web page linked to this video and how you write down and explain stuff is really helpful. So through four or five really good videos by various YTers I know now to install the Lite version of Raspberian, I know how to change the username, host name, password and privileges, I know how to lock out the default user, I know how to better protect the ssh side of the connection. Install a firewall and configure it. Install Apache, run a server and update my IP address so my website shouldn't be down any longer than say 15mins... Brilliant tutorial... Thank you so much!
Wonderful, wonderful video. Thank you guys!
Thanks for watching!
Thx! Keep up the good work.
Appreciate it, Frederic!
Nicely done! Will definitely follow ;)
Using my Raspberry Pi to learn Linux and CLI. Being able to SSH from my iPad makes that super easy but security has been a concern. Thanks for the tips.
thanks!
This was an excellent video
very helpful, thank you :)
You're welcome! Glad it was helpful.
What a great video - very useful! 👌👍
Glad it was helpful!
what a great tutorial, learned a lot
Glad it was helpful!
Loved you video, still confuse on firewalls. If I enable UFW and close certain ports does it just close these ports on the pi or does it also close those ports for all my other devices on my network?
When you install and edit the 50unattendedupades file, what is the txt to use if you're on the newer Raspberry Pi OS, versus Rasbian? Awesome video, thank you!
Thanks! Very useful ! Just for clarification, AllowUsers' users must be separated by spaces, not by commas.
Great tutorial, I am surprised you don't show how to secure connection with a certificate, it would be for another video maybe...
Really really cool video, subbed.
Appreciate it!
Very useful, thumbs up
Thanks for watching & liking!
I have also enabled 2 factor authentication for SSH
I see that this tutorial is for securing a Raspberry Pi that's running Ubuntu. I've followed the steps you've given and applied them to a Pi running Raspbian, and it worked out great and I appreciate it! What can I do to secure a Pi that's running Arch-based distros such as Manjaro?
Glad it worked for you. On the Arch question, that would be a whole different video to go in to all of that. Maybe we'll make one next Pi day!
I'm using my pi 0 only for pi hole. are there any extra ports I should leave open when setting up UFW so it doesn't disrupt pi hole and if, than which ports should I leave open ?
One of best tutorial I have been watched recent times about Raspberry pi. It would be good if you can also explain how to unlock the IP after it blocked for continuous wrong password.
Great idea! Maybe we'll do that for the next Pi day.
U should do a video about portforwarding ssh on raspberry pi :)
Not a bad idea. Happy Pi Day!
Can you do this on the twister OS ? Sorry first time using raspberry pi or soon to be
Can the unattended auto updates be added to the TwisterOS ?
What port does flightaware (Piaware) use? Also, does flightaware need the Pi user account for anything?
Sorry, I'm not an expert on Flightaware so I don't have the answers to your question. I would suggest you check their documentation and see if you can find out there.
Very helpful video! Set up Ufw and fail2ban exactly how you have it here in the video but cant seem to get fail2ban to ban the ip after several failed attempts. Is there anything that can be done to fix this?
Just posting again incase anyone has the same issue as me.
I managed to resolve this by putting in the jail.local file:
[DEFAULT]
banaction = ufw.
Then in the file under /etc/fail2ban/jail.d/defaults-debian.conf I changed enabled to false and created a new file called custom.conf in the jail.d directory. Set up all the configerations for the ssh jail in that file and used logpath = /var/log/auth.log and its now working like a charm! Hope this helps anyone that has the same issue as I did :-)
**UPDATE
With a recent raspberry OS update I noticed the auth.log file stopped logging failed ssh attempts. To resolve this, inside the custom.conf file, remove the line 'logpath = /var/log/auth.log' and replace it with backend = systemd
Spent a few hours scratching my head trying to fix it but adding this update just in case someone else has the same issue as me and stumbles along this :-)
Glad you get it resolved!
Very new to all this, at the seven minute mark when testing to see if the new user has ssh access, how do you know what IP address to enter. I tried entering the one from the “hostname -I”but that didn’t work. It said authenticity couldn’t be established
Run "ip addr" on the Raspberry Pi to see what IP address it has.
I'm new to all this and for the life of me I can't figure out how you get the Terminal window on your PC monitor while running windows??????
Why "-y"? When installing ufw most guides do not add -y what does -y do or mean?
Finally found it. -y states yes to all yes and no prompts. Is this correct? Just want to make sure.
One more noob question, what are you pressing multiple times to make sure the home prompt comes up? Ctrl+c?
You are correct. I am usually in a hurry (especially in videos) and don't want to fuss with an extra confirmation prompt. It is fine in a lab environment, but you might not want to do it in a production environment if you are worried about typos.
What commands do you use to unlock the pi account?
I disagree reg. public key ssh auth, it is very easy to setup, on mac you can simply do ssh-copy to copy the public key to the authorized keys for the pi. It also makes it pretty much impossible for anyone to brute force your ssh.
Thanks for your input!
Why disable the pi user, why not just change the pi username on creating the image and changing the password too?
i cant ssh into my pi "The authenticity of host an't be established.
ECDSA"?
It could be a few things. If you haven't changed the SSH configuration on the Pi, then usuallyk either sshd on the pi, or the ssh client on your computer are out of date. If you have changed your SSH configuration, then you may need to regenerate your SSH keys on the Pi.
If I lock out my PI account according to your video, how do I reinstall it?
didnt put the links you said you were gonna put in the comments
Apologies. Just skimmed back through, and I don't see where we mentioned links, however here are the full notes we created for the show:
Basic Steps
=======================================
* Install Rapsbian
+ `sudo raspi-config`
+ Change password
+ Network
+ Localization
+ Interfacing (SSH)
+ `hostnamectl set-hostname dpserver`
* Create a custom user
+ `adduser dpezet`
+ `gpasswd -a dpezet adm`
+ `gpasswd -a dpezet sudo`
+ `visudo`
+ `dpezet ALL=(ALL) NOPASSWD:ALL`
* Lock the pi user (Optional)
+ `sudo passwd -l pi`
System Updates
=======================================
* Perform updates
+ `sudo apt update && sudo apt upgrade -y`
* Enable automatic upgrades
+ `sudo apt install unattended-upgrades`
+ `sudoedit /etc/apt/apt.conf.d/50unattended-upgrades`
+ Append
+ "origin=Raspbian,codename=${distro_codename},label=Raspbian";
+ "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
Eliminating Unused Services
=======================================
* Stop unnecessary services
+ `systemctl --type=service`
+ `systemctl --type=service --state=active`
+ `sudo systemctl disable `
Configuring a Firewall
=======================================
* Enable basic firewall
+ `sudo apt install ufw -y`
+ `sudo ufw allow 22/tcp comment "SSH"`
+ `sudo ufw enable`
+ `sudo ufw status`
Securing SSH
=======================================
* Restrict SSH2
+ `sudoedit /etc/ssh/sshd_config`
+ AllowUsers dpezet
+ Optional: `PasswordAuthentication no`
* Enable brute force protection
+ `sudo apt install fail2ban -y`
+ `sudoedit /etc/fail2ban/jail.local`
```
+ [DEFAULT]
+ bantime = 1h
+ banaction = ufw
+ [sshd]
+ enabled = true
```
@@ITProTv I think he was talking about the links to find raspberry pi update strings. I see that above - hope the OP did to, thank you. My question is does the change to "Raspberry Pi OS" change any of this? Lastly you mentioned I could find this on the Raspberry Pi page - I can't seem to locate it, can you provide a link in case I need to make a new string for future versions? Thanks & great video!
I followed the instructions and reviewed twice and triple before saving any file or issuing a command and I still got locked out after enableing fail2ban.... I had to re-image my sdcard.
My best guess now is that you need to change your location FIRST in the raspi-config before changing the pi password, the video is doing it backwards :(
The most common cause of this is setting your password while the Raspberry Pi is set to a UK keyboard, and then changing your locale to a US keyboard. This switches several keys around and will lead to an incorrect password. I don't remember what password I used in that video, but it likely didn't involve any characters switched by the keyboard locale.
how to unlock the pi account if you need it ?
If you have deleted the "pi" account, then it is gone and cannot be unlocked. If it still exists, but you don't know the password you can use "sudo passwd pi" to set a new password.
Why can't anyone answer my question?
Funny this is the only video talking about the security risks of using a raspberry pi.
We try to cover all angles objectively!
🤬🥰🤬🤬🤬🤬🤬
🤓