Hardening Raspberry Pi
Introduction
Raspberry Pi is a powerful SoC device you can use as a home server. It is very cheap, consumes very little power, and its OS is Linux-based.
There are a few things you can do after downloading a Raspberry Pi image to enhance the security of your device.
Enabling Headless Connection
You can easily connect to your device remotely, which means you do not need a keyboard or monitor connected to your device.
To enable this, after downloading and writing the image to your SD card, insert it in a computer, go to the Boot directory and create an empty folder called ssh.
Then, insert the card into your Raspberry Pi and, after a couple of minutes, try connecting to it using SSH.
For a more detailed explanation of how to do SSH, you can visit our SSH webpage.
Adding a user and deleting the default pi user
Raspberry Pi comes with a default user called pi. You can add your own user and remove pi. To add a new user and give it the required group memberships:
sudo adduser username
sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi username
Removing the default 'pi' user:
sudo deluser --remove-home pi
Adding ROOT password
To enhance security, you can add a password for the user ROOT:
Enforcing password when using sudo
By default, your account can use sudo without entering a password. To change this, do:
And modify
Enforce login on boot
By default, Raspberry Pi does not ask for the user password after booting. To enforce this, open a terminal and enter:
Then, choose System Options and then Boot/Auto Login.
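To confirm that the changes above took effect, the following shell script is an added example (not part of the original page) that checks three of them: the default pi user, passwordless sudo, and autologin. The function names are hypothetical, and the lightdm and getty file locations are assumptions based on a default Raspberry Pi OS install.

```shell
#!/bin/sh
# Added example: audit a Raspberry Pi OS root tree for three settings from this page.
# ROOT is "" for the running system (run as root so sudoers is readable) or the
# mount point of the SD card's root partition. File locations are assumptions
# based on a default Raspberry Pi OS install.

# Print only uncommented, non-blank lines of the files that exist.
active() { grep -hEv '^[[:space:]]*(#|$)' "$@" 2>/dev/null; }

pi_user_present()       { grep -q '^pi:' "$1/etc/passwd" 2>/dev/null; }
sudo_nopasswd_present() { active "$1/etc/sudoers" "$1"/etc/sudoers.d/* | grep -q 'NOPASSWD'; }
autologin_enabled() {
    active "$1/etc/lightdm/lightdm.conf" \
           "$1/etc/systemd/system/getty@tty1.service.d/autologin.conf" |
        grep -Eq -e '--autologin|^autologin-user=.'
}

# Print one line per finding; return 0 when clean, 1 otherwise.
audit() {
    rc=0
    if pi_user_present "$1"; then echo "FAIL: default user pi exists"; rc=1; fi
    if sudo_nopasswd_present "$1"; then echo "FAIL: sudo NOPASSWD rule active"; rc=1; fi
    if autologin_enabled "$1"; then echo "FAIL: autologin enabled"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "OK: all three checks passed"; fi
    return "$rc"
}

# Constructed sample tree resembling an unhardened image (not real system data).
make_sample() {
    mkdir -p "$1/etc/sudoers.d" "$1/etc/lightdm"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'pi:x:1000:1000::/home/pi:/bin/bash' > "$1/etc/passwd"
    printf '%s\n' 'root ALL=(ALL:ALL) ALL' > "$1/etc/sudoers"
    printf '%s\n' 'pi ALL=(ALL) NOPASSWD: ALL' > "$1/etc/sudoers.d/sample-nopasswd"
    printf '%s\n' '[Seat:*]' 'autologin-user=pi' > "$1/etc/lightdm/lightdm.conf"
}

# Usage: sh audit.sh ""   (live system)   or   sh audit.sh /mnt/rootfs
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Passing a mount point lets you audit a freshly written SD card from another machine before the device is first booted.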
Tip: Connecting to a WPA2 Enterprise Wi-Fi Network (EAP)
If you want to connect to a Wi-Fi network with WPA2 Enterprise security, you need to do the following:
and paste
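network={
    ssid="Network_Name"
    key_mgmt=WPA-EAP
    group=CCMP TKIP
    eap=PEAP
    identity="USERNAME"
    password="PASSWRD"
    # No ca_cert is set here, so the authentication server's certificate is not verified.
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}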
Then, identify the network interface of your Raspberry Pi (it is usually called wlan0) using
Then
and paste
allow-hotplug wlan0
iface wlan0 inet dhcp
    pre-up wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -f /var/log/wpa_supplicant.log
    post-down killall -q wpa_supplicant
Restart the device to apply changes.