Pi-Hard: Best Practices for Securing IoT and Embedded Devices: Maximum Security Mode (Part 4 of 4)
Maximum Security Mode
⚠️ Note: This was first made in 2019, and I am in the process of upgrading it to the latest standards
Maximum Security Mode provides a comprehensive set of security enhancements designed to significantly strengthen the security posture of your Raspberry Pi device. This mode includes a range of measures to protect against various threats and attack vectors.
Installing ClamAV Antivirus
- Installs ClamAV, an open-source antivirus and malware scanner for Linux, to protect against malicious software.
Configuring Automatic System Updates
- Keeps your system up-to-date with all software and packages by automatically running
sudo apt-get upgrade.
Disabling Bluetooth and Other Services
- Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.
Enhancing SSH Security (based on Mozilla’s OpenSSH Guidance)
- Applies best practices for SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01).
- Removes all Diffie-Hellman keys that are less than 3072 bits long to strengthen SSHD security.
- Disables Pluggable Authentication Modules (PAM) to reduce the risk of unauthorized access.
- Disables SSH password authentication, allowing only public key authentication.
- Changes the default SSH port (22) to a randomly generated number for added security.
Locking User Pi and Removing Default Password Reminder
- Locks the default "pi" user account to prevent unauthorized access.
- Removes the default reminder to change the password, as security measures are automatically applied.
Installing UFW Firewall, Fail2Ban, PSAD, RKHunter, and Chkrootkit
- Installs UFW (Uncomplicated Firewall) to manage incoming and outgoing network traffic.
- Installs Fail2Ban, an intrusion prevention system that bans IP addresses after multiple failed login attempts.
- Installs PSAD (Port Scan Attack Detector) for intrusion detection and analysis.
- Installs RKHunter and Chkrootkit to detect rootkits and other malicious activities.
Configuring Firewall and Intrusion Prevention
- Configures the firewall to allow access only for specific services (SSH, HTTP, HTTPS, FTP, DNS, SMTP).
- Configures Fail2Ban to ban IP addresses after 5 failed authentication attempts to SSH.
Adding a New Sudo User with Randomly Generated Credentials
- Creates a new sudo user with randomly generated SSH keys (PuTTY format) and a randomly generated password (2 words + 2 letters) for secure access.
By applying these security measures, Maximum Security Mode aims to provide robust protection for your Raspberry Pi device, making it more resilient against potential threats.