Pi-Hard: Best Practices for Securing IoT and Embedded Devices: High Security Mode (Part 2 of 4)

Pi-Hard: High Security Mode

⚠️ Note: This was first made in 2019, and I am in the process of upgrading it to the latest standards

High Security Mode provides a comprehensive set of security enhancements designed to significantly strengthen the security posture of your Raspberry Pi device. This mode includes a range of measures to protect against various threats and attack vectors.


Installing ClamAV Antivirus

  • Installs ClamAV, an open-source antivirus and malware scanner for Linux, to protect against malicious software.

Configuring Automatic System Updates

  • Keeps your system up-to-date with all software and packages by automatically running sudo apt-get upgrade.

Disabling Bluetooth and Other Services

  • Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.

Enhancing SSH Security (based on Mozilla’s OpenSSH Guidance)

  • Applies best practices for SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01).
  • Removes all Diffie-Hellman keys that are less than 3072 bits long to strengthen SSHD security.
  • Disables Pluggable Authentication Modules (PAM) to reduce the risk of unauthorized access.
  • Disables SSH password authentication, allowing only public key authentication.

Locking User Pi

  • Locks the default "pi" user account to prevent unauthorized access.

Installing UFW Firewall, Fail2Ban, PSAD, RKHunter, and Chkrootkit

  • Installs UFW (Uncomplicated Firewall) to manage incoming and outgoing network traffic.
  • Installs Fail2Ban, an intrusion prevention system that bans IP addresses after multiple failed login attempts.
  • Installs PSAD (Port Scan Attack Detector) for intrusion detection and analysis.
  • Installs RKHunter and Chkrootkit to detect rootkits and other malicious activities.

Configuring Firewall and Intrusion Prevention

  • Configures the firewall to allow access only for specific services (SSH, HTTP, HTTPS, FTP, DNS, SMTP).
  • Configures Fail2Ban to ban IP addresses after 5 failed authentication attempts to SSH.

Adding a New Sudo User with Randomly Generated SSH Keys

  • Creates a new sudo user with randomly generated SSH keys (PuTTY format) for secure remote access.

Installing System Upgrades

  • Ensures that the system is running the latest software versions by installing available upgrades.

By applying these security measures, High Security Mode aims to provide robust protection for your Raspberry Pi device, making it more resilient against potential threats.