Pi-Hard: Best Practices for Securing IoT and Embedded Devices: High Security Mode (Part 2 of 4)

Pi-Hard: High Security Mode

⚠️ Note: This was first made in 2019, and I am in the process of upgrading it to the latest standards

High Security Mode provides a comprehensive set of security enhancements designed to significantly strengthen the security posture of your Raspberry Pi device. This mode includes a range of measures to protect against various threats and attack vectors.

Features

Installing ClamAV Antivirus

  • Installs ClamAV, an open-source antivirus and malware scanner for Linux, to protect against malicious software.

Configuring Automatic System Updates

  • Keeps your system up to date with all software and packages by automatically running sudo apt-get upgrade.

Disabling Bluetooth and Other Services

  • Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.

Enhancing SSH Security (based on Mozilla’s OpenSSH Guidance)

  • Applies best practices for SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01).
  • Removes all Diffie-Hellman moduli (the groups used for key exchange) that are shorter than 3072 bits, so the SSH daemon cannot negotiate a weak group.
  • Disables Pluggable Authentication Modules (PAM) to reduce the risk of unauthorized access.
  • Disables SSH password authentication, allowing only public key authentication.
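As an added illustration of the moduli pruning and the sshd_config settings listed above (helper code written for this page, not Pi-Hard's own script), the following POSIX shell functions filter a moduli file down to groups of 3072 bits and larger and audit the three directives; the mapping of "disables PAM" to `UsePAM no` and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added helper, not Pi-Hard's own code. Assumes POSIX sh plus awk and grep.

# /etc/ssh/moduli columns: time type tests tries size generator modulus.
# The size column is the group's bit length minus one, so a 3072-bit group
# is listed as 3071. Keep comment lines and every group of 3072 bits or more.
prune_weak_moduli() {          # usage: prune_weak_moduli SRC DST
    awk '/^#/ || $5 >= 3071' "$1" > "$2"
}

# Number of usable groups (non-comment lines) left in a moduli file.
count_moduli() {
    grep -cv '^#' "$1"
}

# Succeed only if sshd_config sets KEY to VALUE. sshd honours the first
# occurrence of a directive, so that is the one that is checked.
sshd_directive_is() {          # usage: sshd_directive_is FILE KEY VALUE
    awk -v k="$2" -v v="$3" '
        tolower($1) == tolower(k) { found = 1; if ($2 == v) ok = 1; exit }
        END { exit !(found && ok) }' "$1"
}

# Audit the settings described above. Assumption: "disables PAM" means
# "UsePAM no". Prints each failing directive and returns 1 if any failed.
audit_sshd_config() {          # usage: audit_sshd_config FILE
    file=$1; rc=0
    for pair in "PasswordAuthentication no" "UsePAM no" "PubkeyAuthentication yes"; do
        set -- $pair
        sshd_directive_is "$file" "$1" "$2" || { echo "FAIL: expected '$1 $2'"; rc=1; }
    done
    return $rc
}

# Constructed sample inputs (fake modulus values, not real groups).
SAMPLE_MODULI='# constructed sample
20190101000000 2 6 100 2047 2 ffffffffffffffff
20190101000000 2 6 100 3071 2 ffffffffffffffff
20190101000000 2 6 100 4095 2 ffffffffffffffff'
SAMPLE_SSHD_WEAK='# constructed: stock config before hardening
#PasswordAuthentication yes
UsePAM yes
PubkeyAuthentication yes'
SAMPLE_SSHD_HARD='PasswordAuthentication no
UsePAM no
PubkeyAuthentication yes'
```

Write the samples to files and run `prune_weak_moduli` and `audit_sshd_config` on them; on the weak sample the audit reports the commented-out PasswordAuthentication line and UsePAM yes, on the hardened sample it is silent.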

Locking User Pi

  • Locks the default "pi" user account to prevent unauthorized access.

Installing UFW Firewall, Fail2Ban, PSAD, RKHunter, and Chkrootkit

  • Installs UFW (Uncomplicated Firewall) to manage incoming and outgoing network traffic.
  • Installs Fail2Ban, an intrusion prevention system that bans IP addresses after multiple failed login attempts.
  • Installs PSAD (Port Scan Attack Detector) for intrusion detection and analysis.
  • Installs RKHunter and Chkrootkit to detect rootkits and other malicious activities.

Configuring Firewall and Intrusion Prevention

  • Configures the firewall to allow access only for specific services (SSH, HTTP, HTTPS, FTP, DNS, SMTP).
  • Configures Fail2Ban to ban IP addresses after 5 failed authentication attempts to SSH.

Adding a New Sudo User with Randomly Generated SSH Keys

  • Creates a new sudo user with randomly generated SSH keys (PuTTY format) for secure remote access.

Installing System Upgrades

  • Ensures that the system is running the latest software versions by installing available upgrades.

By applying these security measures, High Security Mode aims to provide robust protection for your Raspberry Pi device, making it more resilient against potential threats.