Coding truck

Harden your Raspberry Pi Linux Server

A few days ago we looked at basic headless Raspberry Pi setup. A headless setup allows the pi to exist in your house with only a single micro USB power supply plugged into it. You can use a bash terminal window to ssh into your pi and run commands on it from the command line. This may not seem super exciting, but it allows you to turn your pi into all sorts of things. You can:

  • Use it as part of your smart home
  • Make it a local web server
  • Use it as a git repository
  • Make it into a network database

Because we are using a Raspberry Pi, the cost is significantly cheaper than using a full desktop computer and the power consumption is minimal.

The story so far

We completed some basic configuration including:

Today, we will look at some additional setup that we can do to improve our raspberry pi setup. These include:

IP Setup

Before we get started, I would like to talk briefly about home networks. Most networks use DHCP, which will assign an ip address to a computer when it joins the network. This is useful since it manages which address is assigned to which computer.

Our raspberry pi is built to be headless. This means that it will not have a keyboard, mouse, monitor, or even a GUI attached to it. We will be connecting to it from another computer on our network and using its monitor, keyboard and mouse to interact with it.

This means that we will need to know how to find the raspberry pi on our network. To do that, we will need to know the ip address. Normally, DHCP will assign an address to a computer when it joins the network. It will keep that address until it leaves the network. This will generally happen when it turns off.

Linux is a stable operating system. It is unlikely that you will be rebooting your raspberry pi frequently. It will happen. When it does, the ip address may change. This means that you will need to go find out what it changed to.

Most modern routers can help. Look in your router config and see if there is a way to assign an ip address to your raspberry pi. Routers are different, but you will usually find it under LAN Setup. It may be called something like "Address reservation".

What it does is identify your raspberry pi by its MAC address, which is like a fingerprint on the network for the raspberry pi. When your router sees the raspberry pi join the network, it will always use the same ip address for it. This is what we want since we will always know where to find it.

TL;DR Make your Raspberry Pi's ip address static to make sure you can find it

Naming your pi

If the computer that you will log into your raspberry pi from is Mac or Linux you can associate a name with its ip address. This makes it easier to remember how to connect to it.

Open a terminal window and type:

sudo nano /etc/hosts

At the bottom of the file add a line that is the ip address of your pi followed by a tab and the name.

For a pi with an ip address of 192.168.0.2 and a name jester, I would add the following line:

192.168.0.2	jester

Save and exit nano with CTRL-O, Enter, and CTRL-X

Note: In Windows the file is: c:\Windows\System32\Drivers\etc\hosts

Now you should be able to reference your pi by name.

Try:

ping -c 4 jester

If your pi is connected to the network and you updated your hosts file correctly, you should see a response like:

PING jester (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: icmp_seq=0 ttl=64 time=146.548 ms
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=9.840 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=8.492 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=8.513 ms

--- jester ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 8.492/43.348/146.548/59.585 ms

Generate keys

The next thing that we are going to do is set up key based authentication to our raspberry pi. You will need keys created on your computer to be able to proceed. You may already have these. Run the following command in bash:

ls -al ~/.ssh/*.pub

If you see a file returned, you already have keys generated. If you do not see files returned, you will need to generate ssh keys using the next section.

More info on GitHub

Make keys

If you don't already have keys, generating them is easy enough. You can do it with the following command (just use your own email address, or not).

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

More info on GitHub

Copy keys to your raspberry pi

Next we want to copy our public key to the raspberry pi so that we can use the keys to log into the server. Use the ssh-copy-id command followed by username@hostname:

ssh-copy-id j@jester

More info on Digital Ocean

You should now be able to connect to your pi via ssh using the keys:

ssh j@jester

You are now logged into your raspberry pi from your other computer.

Disabling password authentication

Key based authentication is generally more secure than password based authentication. Since we have set up key based authentication, we will now disable password based authentication. This will prevent someone from logging into your pi over SSH with a password.

In the terminal that is connected to your raspberry pi, open the raspberry pi SSH configuration file:

sudo nano /etc/ssh/sshd_config

Inside the file, look for a line with the PasswordAuthentication setting. You will want to set it to no:

PasswordAuthentication no

You may also want to set PermitRootLogin to no.

Save the file with CTRL-O, Enter, and CTRL-X. Put the changes into effect with:

sudo service ssh restart

Test settings

Exit your ssh session by typing:

exit

This should bring you back to your local computer. Now connect to your pi again:

ssh j@jester

If all is well, you are able to connect to your pi and password authentication has been disabled.

Note: You have only disabled password authentication using SSH. If you find yourself locked out, you can still connect a keyboard and monitor and log in with your username and password.
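
An added example, not part of the original post: a small bash check that reports which PasswordAuthentication and PermitRootLogin values sshd will use from a config file, since sshd takes the first occurrence of each keyword and a line added further down can be silently ignored. The function names and the sample file are constructed for illustration; Include files and Match blocks are not followed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): show which value sshd will use.
# sshd keeps the FIRST occurrence of a keyword; commented-out lines are ignored.
# Assumption: only the global section of one file is read; Include files and
# Match blocks are not followed.

# effective_option FILE KEYWORD DEFAULT -> prints the effective (lowercased) value
effective_option() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { sub(/[ \t]*=[ \t]*/, " ")             # tolerate the Keyword=value form
      key = tolower($1) }
    key == "match" { exit }                 # global section ends at first Match
    key == want    { print tolower($2); found = 1; exit }
    END            { if (!found) print def } # keyword absent: built-in default
  ' "$1"
}

# audit_sshd FILE -> returns 0 only if both settings from the article are "no"
audit_sshd() {
  local pw root rc=0
  pw=$(effective_option "$1" PasswordAuthentication yes)
  root=$(effective_option "$1" PermitRootLogin prohibit-password)
  echo "PasswordAuthentication = $pw"
  echo "PermitRootLogin        = $root"
  [ "$pw" = "no" ]   || { echo "WARN: password logins are still accepted"; rc=1; }
  [ "$root" = "no" ] || { echo "WARN: PermitRootLogin is not set to no"; rc=1; }
  return "$rc"
}

# Constructed sample: "no" was appended at the bottom, but an earlier
# uncommented "yes" wins, so password logins stay enabled.
write_sample() {
  cat > "$1" <<'EOF'
#PasswordAuthentication no
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd "$sample" || true
rm -f "$sample"
```

On the pi, run `audit_sshd /etc/ssh/sshd_config` against the real file; `sudo sshd -T` prints the fully resolved configuration, including any Include files.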

Update software

Your software is updated frequently to patch bugs and add features. Update your software to the latest versions.

sudo apt-get update && sudo apt-get upgrade -y

The first time you run this on your raspberry pi, it may take a while to complete.

Add a firewall

Now let's add a firewall to our pi. This will help prevent our pi from responding to requests that we don't want it to. It's kind of like closing the windows on your house.

We will be using a tool called Uncomplicated Firewall (UFW). UFW is a nice tool that makes setting up a firewall easy. Let's install it.

sudo apt-get install ufw

Now let's restart our pi.

sudo shutdown -r now && exit

Give it a minute to restart and then log back in.

ssh j@jester

We are now logged back into our pi. Let's use UFW. Right now the only traffic that we want coming into our pi is ssh traffic. This is because we are connecting to the pi with ssh. UFW has configurations for different applications. Let's see the list:

sudo ufw app list

This list should contain OpenSSH, which is what we want. Let's tell UFW to allow OpenSSH. We haven't told it anything else, so its default policy will block all other incoming traffic.

sudo ufw allow OpenSSH

Ok, we have configured our firewall. Now let's turn it on.

sudo ufw enable

If you are connected via ssh and you didn't allow OpenSSH above, it will disconnect you from your pi. It will tell you this. As long as you have been following along, you should be fine.

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

If you got disconnected and ssh is blocked, you can connect a keyboard, mouse, monitor, etc. and log in.

Additional security

These are a few things that you can do to improve the security of your pi. It is a good start, but not an exhaustive list. I highly recommend that you look around and make yourself familiar with security.

Your own personal linux server

Congratulations! You now have a nice little linux server living on your network. What are you going to do with it? There are ideas and tutorials on Digital Ocean. Most of them are written for Ubuntu, but will generally work on Raspbian as well. Here are some ideas of what you can do
