Pi-Hard: Best Practices for Securing IoT and Embedded Devices: Introduction

Pi-Hard

A user-friendly, one-click, educational interface and series of scripts for learning more about securing a Raspberry Pi.

⚠️ Note: This was first made in 2019, and I am in the process of upgrading it to the latest standards

Quickstart

If you trust us blindly, you can pipe the script straight through bash by running the following command:

One-click installer:

curl -sSL https://github.com/appliedsciencegroup/pi-hard/raw/master/pihardener.sh | sudo bash
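If you would rather not trust the download blindly, save it to a file and check it before anything runs as root. The script below is an added example, not part of Pi-Hard; `vet_installer` and `fetch_and_review` are names made up here.

```shell
#!/usr/bin/env bash
# Added example: vet a downloaded installer instead of piping it into sudo bash.

# vet_installer FILE: print a verdict; return 0 only if FILE looks like a
# complete shell script.
vet_installer() {
    local file=$1 first=
    [ -s "$file" ] || { echo "empty-or-missing"; return 1; }
    # A GitHub page URL (.../blob/...) returns the HTML viewer, not the script.
    if head -c 512 "$file" | grep -qiE '<!DOCTYPE html|<html'; then
        echo "html-page"; return 1
    fi
    IFS= read -r first < "$file" || true
    case $first in
        '#!'*sh*) ;;
        *) echo "no-shell-shebang"; return 1 ;;
    esac
    # Parse without executing; a truncated download fails here.
    bash -n "$file" 2>/dev/null || { echo "syntax-error"; return 1; }
    echo "ok"
}

# fetch_and_review URL: download to a temp file, vet it, print its SHA-256,
# and print the path. Running it is left to the operator, after reading it.
fetch_and_review() {
    local url=$1 tmp
    tmp=$(mktemp) || return 1
    curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    vet_installer "$tmp" >&2 || { rm -f "$tmp"; return 1; }
    sha256sum "$tmp" >&2
    echo "$tmp"    # then: less "$tmp" && sudo bash "$tmp"
}
```

The checks only confirm that what arrived is a whole shell script; they say nothing about what the script does, which is why the last step is reading it.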

Manual Install:

If you prefer not to use the one-click installer (or if you’re new to this), you can follow these steps to install Pi-Hard manually:

  1. Clone this repository by running: git clone https://github.com/appliedsciencegroup/pi-hard
  2. Open the directory by running: cd pi-hard
  3. Make the script executable by running: sudo chmod +x pihardener.sh
  4. Start the program by running: sudo ./pihardener.sh

Introduction

The Internet of Things (IoT) is growing rapidly, and it’s only a matter of time before internet-connected devices are everywhere. Unfortunately, many of these devices have minimal security and non-upgradeable firmware. This means that when new vulnerabilities are discovered, they may be permanent. As someone who often prototypes on the Raspberry Pi, I wanted to create an interface that brings together all the scripts I use for security.

Pi-Hard allows you to set up security right out of the box. It’s recommended to run Pi-Hard after a fresh install of Raspberry Pi.

Security Modes

Pi-Hard offers different security modes based on your needs. Below is a list of the available modes, along with links to more information about each one:

Minimum Security Mode

Minimum Security Mode provides a set of security enhancements that are designed to be applied to a Raspberry Pi right out of the box. This mode includes the following security measures:

  • Installing ClamAV antivirus
  • Configuring automatic system updates
  • Disabling Bluetooth and other services (avahi, triggerhappy, hciuart)
  • Enhancing SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01)
  • Removing all Diffie-Hellman keys that are less than 3072 bits long for SSHD
  • Disabling Pluggable Authentication Modules (PAM)
  • Removing default password change reminder
  • Changing SSH pi user password with 2 random words and 2 letters

Features

Configure Automatic System Updates

  • Keeps your system up-to-date with all software and packages by automatically running sudo apt-get upgrade.

Installing ClamAV

  • ClamAV is an open-source antivirus and malware scanner for Linux, developed by Sourcefire (owned by Cisco). ClamAV complements other security products, such as Snort, a widely used intrusion detection software.

Enhanced SSH Security (based on Mozilla’s OpenSSH Guidance)

  • Host key algorithms are prioritized ED25519 > RSA > ECDSA (host keys are the key pairs an SSH server uses to identify itself to connecting clients).
  • Password-based logins are disabled; only public key logins are allowed.
  • Log level is set to verbose for detailed and understandable audit trails.
  • Ed25519 keys are generated by default; Ed25519 is a fast, high-security public-key signature scheme.

Disabling Bluetooth and Other Services

  • Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.

Removing Weak Diffie-Hellman Keys for SSHD

  • Removes all Diffie-Hellman keys that are less than 3072 bits long to strengthen SSHD security.
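The two SSH items above (the Mozilla-style sshd settings and dropping Diffie-Hellman groups under 3072 bits) can be checked with a short script. This is an added example, not Pi-Hard's own code: the function names are made up here, and the audit assumes a flat, whitespace-separated sshd_config without Match or Include blocks.

```shell
#!/usr/bin/env bash
# Added example (not Pi-Hard's code). Paths are arguments so it can be tried
# on copies before touching /etc/ssh.

# strong_moduli FILE [MIN_BITS]: print only DH groups of at least MIN_BITS.
# Field 5 of a moduli line is the prime size, recorded by ssh-keygen as
# bits-1 (3071 for a 3072-bit group), hence the "- 1".
strong_moduli() {
    awk -v min="${2:-3072}" '
        /^#/ || NF < 7 { next }
        $5 >= min - 1' "$1"
}

# sshd_findings FILE: print one line per setting that deviates from the list
# above. sshd uses the first value it reads for a keyword, so only the first
# occurrence counts; a missing keyword is reported as a deviation.
sshd_findings() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" && pw == "" { pw = val }
        key == "loglevel" && ll == ""               { ll = val }
        key == "hostkey" && hk == ""                { hk = $2 }
        END {
            if (pw != "no")      print "PasswordAuthentication is not \"no\""
            if (ll != "verbose") print "LogLevel is not VERBOSE"
            if (hk !~ /ed25519/) print "first HostKey is not Ed25519"
        }' "$1"
}

# Demo on a constructed moduli sample (modulus column shortened to 4 hex digits).
sample=$(mktemp)
printf '%s\n' '20180920024354 2 6 100 2047 2 F1A2' \
              '20180920024712 2 6 100 3071 2 C3B4' > "$sample"
strong_moduli "$sample"
rm -f "$sample"
```

On a live system `sshd -T` prints the effective configuration, which also covers Match and Include; the filtered moduli would replace /etc/ssh/moduli only after checking that the output is not empty.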

Disabling Pluggable Authentication Modules (PAM)

  • Disables PAM to reduce the risk of unauthorized access.

Removing Default Password Change Reminder

  • Removes the default reminder to change the password, as it is automatically changed during setup.

Changing SSH Pi User Password

  • Automatically changes the SSH pi user password to a secure combination of 2 random words and 2 letters.

Enable Automatic Updates on System Boot (To-Do)

  • Configure the system to automatically check for and install updates upon booting.

Pi-Hard: High Security Mode

High Security Mode provides a comprehensive set of security enhancements designed to significantly strengthen the security posture of your Raspberry Pi device. This mode includes a range of measures to protect against various threats and attack vectors.

Features

Installing ClamAV Antivirus

  • Installs ClamAV, an open-source antivirus and malware scanner for Linux, to protect against malicious software.

Configuring Automatic System Updates

  • Keeps your system up-to-date with all software and packages by automatically running sudo apt-get upgrade.

Disabling Bluetooth and Other Services

  • Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.

Enhancing SSH Security (based on Mozilla’s OpenSSH Guidance)

  • Applies best practices for SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01).
  • Removes all Diffie-Hellman keys that are less than 3072 bits long to strengthen SSHD security.
  • Disables Pluggable Authentication Modules (PAM) to reduce the risk of unauthorized access.
  • Disables SSH password authentication, allowing only public key authentication.

Locking User Pi

  • Locks the default "pi" user account to prevent unauthorized access.

Installing UFW Firewall, Fail2Ban, PSAD, RKHunter, and Chkrootkit

  • Installs UFW (Uncomplicated Firewall) to manage incoming and outgoing network traffic.
  • Installs Fail2Ban, an intrusion prevention system that bans IP addresses after multiple failed login attempts.
  • Installs PSAD (Port Scan Attack Detector) for intrusion detection and analysis.
  • Installs RKHunter and Chkrootkit to detect rootkits and other malicious activities.

Configuring Firewall and Intrusion Prevention

  • Configures the firewall to allow access only for specific services (SSH, HTTP, HTTPS, FTP, DNS, SMTP).
  • Configures Fail2Ban to ban IP addresses after 5 failed authentication attempts to SSH.

Adding a New Sudo User with Randomly Generated SSH Keys

  • Creates a new sudo user with randomly generated SSH keys (PuTTY format) for secure remote access.

Installing System Upgrades

  • Ensures that the system is running the latest software versions by installing available upgrades.

Maximum Security Mode

Maximum Security Mode provides a comprehensive set of security enhancements designed to significantly strengthen the security posture of your Raspberry Pi device. This mode includes a range of measures to protect against various threats and attack vectors.

Features

Installing ClamAV Antivirus

  • Installs ClamAV, an open-source antivirus and malware scanner for Linux, to protect against malicious software.

Configuring Automatic System Updates

  • Keeps your system up-to-date with all software and packages by automatically running sudo apt-get upgrade.

Disabling Bluetooth and Other Services

  • Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.

Enhancing SSH Security (based on Mozilla’s OpenSSH Guidance)

  • Applies best practices for SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01).
  • Removes all Diffie-Hellman keys that are less than 3072 bits long to strengthen SSHD security.
  • Disables Pluggable Authentication Modules (PAM) to reduce the risk of unauthorized access.
  • Disables SSH password authentication, allowing only public key authentication.
  • Changes the default SSH port (22) to a randomly generated number for added security.

Locking User Pi and Removing Default Password Reminder

  • Locks the default "pi" user account to prevent unauthorized access.
  • Removes the default reminder to change the password, as security measures are automatically applied.

Installing UFW Firewall, Fail2Ban, PSAD, RKHunter, and Chkrootkit

  • Installs UFW (Uncomplicated Firewall) to manage incoming and outgoing network traffic.
  • Installs Fail2Ban, an intrusion prevention system that bans IP addresses after multiple failed login attempts.
  • Installs PSAD (Port Scan Attack Detector) for intrusion detection and analysis.
  • Installs RKHunter and Chkrootkit to detect rootkits and other malicious activities.

Configuring Firewall and Intrusion Prevention

  • Configures the firewall to allow access only for specific services (SSH, HTTP, HTTPS, FTP, DNS, SMTP).
  • Configures Fail2Ban to ban IP addresses after 5 failed authentication attempts to SSH.

Adding a New Sudo User with Randomly Generated Credentials

  • Creates a new sudo user with randomly generated SSH keys (PuTTY format) and a randomly generated password (2 words + 2 letters) for secure access.

Paranoid Security Mode

Paranoid Security Mode provides the highest level of security enhancements for your Raspberry Pi device. This mode is designed for users who require maximum protection against a wide range of threats and attack vectors. Paranoid Security Mode includes the following security measures:

Features

Installing ClamAV Antivirus

  • Installs ClamAV, an open-source antivirus and malware scanner for Linux, to protect against malicious software.

Configuring Automatic System Updates

  • Keeps your system up-to-date with all software and packages by automatically running sudo apt-get upgrade.

Disabling Bluetooth and Other Services

  • Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.

Disabling Power on USB Ports

  • Disables power on USB ports to prevent unauthorized devices from being connected.

Enhancing SSH Security (based on Mozilla’s OpenSSH Guidance)

  • Applies best practices for SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01).
  • Removes all Diffie-Hellman keys that are less than 3072 bits long to strengthen SSHD security.
  • Disables SSH password authentication, allowing only public key authentication.
  • Changes the default SSH port (22) to a randomly generated number for added security.
  • Adds Google 2FA (Two-Factor Authentication) for SSH login to enhance access control.

Locking User Pi and Removing Default Password Reminder

  • Locks the default "pi" user account to prevent unauthorized access.
  • Removes the default reminder to change the password, as security measures are automatically applied.

Installing UFW Firewall, Fail2Ban, PSAD, RKHunter, and Chkrootkit

  • Installs UFW (Uncomplicated Firewall) to manage incoming and outgoing network traffic.
  • Installs Fail2Ban, an intrusion prevention system that bans IP addresses after multiple failed login attempts.
  • Installs PSAD (Port Scan Attack Detector) for intrusion detection and analysis.
  • Installs RKHunter and Chkrootkit to detect rootkits and other malicious activities.

Configuring Firewall and Intrusion Prevention

  • Configures the firewall to allow access only for SSH, restricting access to other services.
  • Configures Fail2Ban to ban IP addresses after 5 failed authentication attempts to SSH.

Adding a New Sudo User with Randomly Generated Credentials

  • Creates a new sudo user with randomly generated SSH keys (PuTTY format) and a randomly generated password (2 words + 2 letters) for secure access.

By applying these security measures, Paranoid Security Mode aims to provide the most robust protection for your Raspberry Pi device, making it highly resilient against potential threats.
