Improve Rasberry Pi Security
My ISP's gateway has a firewall, which only allows outgoing and some incoming traffic on specific ports.
I install a lot of stuff on my Raspberry Pi's.
This guide adds some extra security to a Raspberry Pi.
Step A. Run Automated Setup Script
Open a terminal window and login
The automated script does the following:
Updates, upgrades and autoremoves packages
Removes unused packages
Removes desktop packages
Disables IPv6
Improve security
Install uncomplicated firewall (ufw)
Install fail2ban
Lessen denial of service attacks
Prevent IP Spoofing
Harden sysctl configuration settings
Install logwatch
Install rootkit Checker
Install rpi-monitor
Reboots
Get the script:
$ wget "https://raw.githubusercontent.com/dumbo25/unsed_rpi/main/rpi_setup.sh"
$ wget "https://raw.githubusercontent.com/dumbo25/unsed_rpi/main/rpi_setup.cfg"
Edit the .cfg file to meet your needs (e.g., enter your SSID password)
See the help on the script and its options. Most of the items listed above can be controlled by an option.
$ sudo bash rpi_setup.sh -h
Run the script with the options selected. Since there are points that require a reboot, running the script will need to be done multiple times until you get a Success! message
$ sudo bash rpi_setup.sh
And you are done!
The steps below no longer need to be run manually. The steps are kept for reference.
Step 2. Install Fail2Ban
Step 3. Harden ssh [optional]
Step 4. Detect and Lessen Impact of Denial of Service Attacks
mod_evasive is a module for Apache, which provides evasive action in the event of a Denial of Service attack or brute force attack. Install mod_evasive by running the command:
$ sudo apt-get install libapache2-mod-evasive -y
Create a log directory:
$ sudo mkdir /var/log/mod_evasive
$ sudo chown www-data:www-data /var/log/mod_evasive
Edit:
$ sudo nano /etc/apache2/mods-available/evasive.conf
and
uncomment all lines except DOSSystemCommand.
change DOSEmailNotify to your email address.
Save and exit the editor
Restart apache2
$ sudo service apache2 restart
If failed, then install Apache2 using:
$ sudo apt install apache2 libapache2-mod-wsgi -y
$ sudo service apache2 restart
Step 5. Prevent IP Spoofing.
Open a terminal window on MacBook and login to Raspberry Pi
Edit the file
$ sudo nano /etc/host.conf
Add or edit the following lines :
order bind,hosts
Step 6. Harden sysctl configuration settings
Edit the file:
$ sudo nano /etc/sysctl.conf
Uncomment or add the following lines :
# IP Spoofing protection
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
Save and close the file (CTRL-o, ENTER, CTRL-x)
Step 7. Install logwatch
Logwatch is a log analysis program. It reads system logs and generates periodic reports based on user criteria.
$ sudo apt-get install logwatch -y
Set it to run weekly or daily:
$ sudo mv /etc/cron.daily/00logwatch /etc/cron.weekly/
Edit the file:
$ sudo nano /etc/cron.weekly/00logwatch
And change the line to be:
/usr/sbin/logwatch --output mail --range 'between -7 days and -1 days'
Step 8. Load sysctl changes
Reload sysctl by running command:
$ sudo sysctl -p
Step 9. Install rootkit Checker
A rootkit is malware designed to provide privileged access to a computer while actively hiding its presence.
rkhunter scans for rootkits, backdoors and possible local exploits.
chrootkit checks for known rootkits.
Install the tools:
$ sudo apt-get install rkhunter chkrootkit -y
Edit rkhunter's config file:
$ sudo nano /etc/default/rkhunter
and change these lines to be:
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
Edit chrootkit's config file:
$ sudo nano /etc/chkrootkit.conf
and change these lines to be:
RUN_DAILY="true"
RUN_DAILY_OPTS=""
Run the checkers weekly:
$ sudo mv /etc/cron.weekly/rkhunter /etc/cron.weekly/rkhunter_update
$ sudo mv /etc/cron.daily/rkhunter /etc/cron.weekly/rkhunter_run
$ sudo mv /etc/cron.daily/chkrootkit /etc/cron.weekly/
Notes:
By default root has no password and the root account is disabled. So, no one can login as root