Raspberry Pi: Securing your Raspberry Pi

February 16, 2020 - Last updated: February 27, 2020

All the steps on this post are in my Ansible playbook for my Raspberry PI.

Disable devices

You can disable differents components via /boot/config.txt which use Device Tree Overlays.

Device Tree makes it possible to support many hardware configurations with a single kernel and without the need to explicitly load or blacklist kernel modules.

Disable Wifi

Edit the file /boot/config.txt and add the following line.

dtoverlay=disable-wifi

Disable Bluetooth

Edit the file /boot/config.txt and add the following line.

dtoverlay=disable-bt

Install fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.

Install fail2ban in your system.

apt install fail2ban

I will show a few parameters to configure for SSH. Fail2ban recommend to create a new file in /etc/fail2ban/jail.local to overwrite parameters.

vi /etc/fail2ban/jail.local
[DEFAULT]
# Number of seconds the user will be banned
bantime = 15

# Window of time betewen fails in seconds
findtime = 600 # This are 10 minutes

# Max of failures until ban
maxretry = 3

[sshd]
# Enable SSH filters
enabled = true
port = 22
filter = sshd
# The logs to read by fail2ban and detect anomalies
logpath = /var/log/auth.log
mode = aggressive

In my case I use private and public keys to get access to the Raspberry via SSH and the package Fail2ban is an old version v0.10.2 which is not catching correctly the failures by authentication keys, so I add manually the filter.

The logs for failure authentication by ssh key is:

Feb 22 08:00:10 raspberrypi sshd[4171]: Connection closed by authenticating user root 10.1.1.150 port 56211 [preauth]

I added the following filter to detect the connections closed for invalid keys.

vi /etc/fail2ban/filter.d/sshd.local
[Definition]
# This filter is to catch closed connections by sshd for invalid private keys
failregex = %(known/failregex)s
            %(__prefix_line)sConnection closed by authenticating user <F-USER>.+</F-USER> <HOST> port \d+ \[preauth\]$