Pi-Hard: Best Practices for Securing IoT and Embedded Devices: Maximum Security Mode (Part 4 of 4)

Published on Apr 2, 2023
By adrian

Maximum Security Mode

⚠️ Note: This was first made in 2019, and I am in the process of upgrading it to the latest standards

Maximum Security Mode provides a comprehensive set of security enhancements designed to significantly strengthen the security posture of your Raspberry Pi device. This mode includes a range of measures to protect against various threats and attack vectors.

Features

Installing ClamAV Antivirus

  • Installs ClamAV, an open-source antivirus and malware scanner for Linux, to protect against malicious software.

Configuring Automatic System Updates

  • Keeps your system up-to-date with all software and packages by automatically running sudo apt-get upgrade.

Disabling Bluetooth and Other Services

  • Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.

Enhancing SSH Security (based on Mozilla’s OpenSSH Guidance)

  • Applies best practices for SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01).
  • Removes all Diffie-Hellman keys that are less than 3072 bits long to strengthen SSHD security.
  • Disables Pluggable Authentication Modules (PAM) to reduce the risk of unauthorized access.
  • Disables SSH password authentication, allowing only public key authentication.
  • Changes the default SSH port (22) to a randomly generated number for added security.

Locking User Pi and Removing Default Password Reminder

  • Locks the default "pi" user account to prevent unauthorized access.
  • Removes the default reminder to change the password, as security measures are automatically applied.

Installing UFW Firewall, Fail2Ban, PSAD, RKHunter, and Chkrootkit

  • Installs UFW (Uncomplicated Firewall) to manage incoming and outgoing network traffic.
  • Installs Fail2Ban, an intrusion prevention system that bans IP addresses after multiple failed login attempts.
  • Installs PSAD (Port Scan Attack Detector) for intrusion detection and analysis.
  • Installs RKHunter and Chkrootkit to detect rootkits and other malicious activities.

Configuring Firewall and Intrusion Prevention

  • Configures the firewall to allow access only for specific services (SSH, HTTP, HTTPS, FTP, DNS, SMTP).
  • Configures Fail2Ban to ban IP addresses after 5 failed authentication attempts to SSH.

Adding a New Sudo User with Randomly Generated Credentials

  • Creates a new sudo user with randomly generated SSH keys (PuTTY format) and a randomly generated password (2 words + 2 letters) for secure access.

By applying these security measures, Maximum Security Mode aims to provide robust protection for your Raspberry Pi device, making it more resilient against potential threats.

Related Stories

Blog
Seeing the Unseen: The Fascinating World of Decorrelation Stretching

Decorrelation stretching enhances color differences in images, making it easier to distinguish between different features. It has been used to find cave art, identify minerals and ore deposits, and map land cover types.
Blog
The Alchemy of Prompt Engineering: Turning Data into Gold using AI

With the right prompt engineering approach, data can be turned into gold.
Blog
Deep Learning: A Short Primer

Deep learning is transforming the cybersecurity landscape by learning from new data in real-time and adapting its algorithms to detect unseen attacks, helping security professionals stay ahead of cybercriminals. This blog post explores the basics of neural networks and deep learning’s impact on cybersecurity.