Howto: Securing the Raspberry Pi 5

With its versatility and extremely compact size, the Raspberry Pi is ideal for my Allsky camera project. However, as with any internet-enabled device, protection against potential attacks is crucial. Here are the measures I consider most important for securing a Raspberry Pi 5:

1. Set your own username and encrypt password

By default, the SSH user of a Raspberry Pi is – very creatively – “pi”. It makes perfect sense to change this and also to change the SSH password after the initial installation of the Raspberry Pi OS using the “passwd” command. The advantage of this is that the password is then stored in the system in encrypted form.

2. Regular system updates

As with any operating system, it is important to always keep the system up to date. Security gaps in the software can be exploited by attackers. Updates should therefore be carried out regularly. This is easily done with the following commands:

sudo apt-get update
sudo apt-get upgrade

These commands ensure that all installed packages are updated to the latest version. The following command can also be used to update the kernel.

sudo apt-get dist-upgrade

Debian (and therefore Raspbian) offers the handy package “debian-goodies”, which includes the command “checkrestart”. This command determines which processes are still using libraries that were replaced during an update. debian-goodies is installed as follows:

sudo apt-get install debian-goodies

The following command then displays the processes that are still running with the old versions of files that have since been updated.

sudo checkrestart

It is also possible to automatically keep the system up to date – you can find the instructions here.

3. Secure SSH

Many users access their Raspberry Pi via SSH (Secure Shell), especially if they do not have a monitor or keyboard connected. SSH is activated by default, which represents a potential attack surface. The following measures can make SSH access more secure:

Only allow SSH for certain users:

Direct root access should be blocked via SSH to prevent direct control by attackers. This can be done by editing the file /etc/ssh/sshd_config – e.g. with the text editor “nano”:

sudo nano /etc/ssh/sshd_config

The following line should be set to “no” here:

PermitRootLogin no

Then restart the SSH service with:

sudo /etc/init.d/ssh restart

Change the SSH port:

The standard SSH port 22 is well known and is often the target of attacks. Changing the port can help here:

sudo nano /etc/ssh/sshd_config

In this file, the port is changed by setting the line “Port 22” to another port such as “Port 2222”.

Then restart SSH with the command

sudo service ssh restart

Important: Make a note of the SSH port somewhere. After the change, login works with the command

ssh hostname -p XXX

Here XXX is the port and hostname is the name of the indi-allsky server, which should be known. For example:

ssh allsky.local -p 2222

Passwordless login:

The use of SSH keys is more secure than logging in with a user name and password. A key pair can be created using the “ssh-keygen” command. The public key is then stored on the Raspberry Pi to enable login without a password.
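
A quick check that the sshd_config edits above actually took effect, as an added example that is not part of the original post: sshd uses the first uncommented occurrence of each keyword in the global section, so a line left commented out or placed only inside a Match block changes nothing. The sample configuration and the user name “backup” are constructed, and Include files are not followed.

```sh
#!/bin/sh
# Added example (not from the original post): report the value sshd will
# actually use for a keyword in the global section of an sshd_config file.
# Rules applied: '#' lines are comments, keywords are case-insensitive, the
# first occurrence of a keyword wins, and the global section ends at the
# first Match block. Assumption: "Keyword value" syntax separated by
# whitespace; Include files are not followed.

# effective_value FILE KEYWORD DEFAULT
effective_value() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                    # comment or blank line
        { key = tolower($1) }
        key == "match" { exit }                    # end of global section
        key == want { print $2; found = 1; exit }  # first occurrence wins
        END { if (!found) print def }              # fall back to sshd default
    ' "$1"
}

# audit_sshd FILE: one line per check; returns 1 if any check fails.
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    port=$(effective_value "$1" Port 22)
    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "WARN PermitRootLogin is '$root', expected 'no'"; rc=1; fi
    if [ "$port" != "22" ]; then echo "OK   Port $port"
    else echo "WARN Port is still the default 22"; rc=1; fi
    return "$rc"
}

# Constructed sample: the Port change took effect, but the PermitRootLogin
# line was left commented out and only appears inside a Match block.
sample_config() {
    cat <<'EOF'
#Port 22
Port 2222
#PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
}

# Demo: audit the constructed sample (prints one OK and one WARN line).
tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd "$tmp" || true
rm -f "$tmp"
```

On the Pi itself, “sudo sshd -t” validates the file before the restart, and “sudo sshd -T” prints the effective settings, including any Include files.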

4. Install Fail2ban

A common method of attack is so-called brute forcing, in which attackers try to gain access by trying out many password combinations. To prevent this, “fail2ban” can be installed:

sudo apt-get install fail2ban

Fail2ban monitors login attempts and blocks IP addresses from which repeated failed attempts originate. This makes it more difficult for attackers to gain access.
