Pi-Hard: Best Practices for Securing IoT and Embedded Devices: Maximum Security Mode (Part 4 of 4)

Maximum Security Mode

⚠️ Note: This was first made in 2019, and I am in the process of upgrading it to the latest standards

Maximum Security Mode provides a comprehensive set of security enhancements designed to significantly strengthen the security posture of your Raspberry Pi device. This mode includes a range of measures to protect against various threats and attack vectors.


Installing ClamAV Antivirus

  • Installs ClamAV, an open-source antivirus and malware scanner for Linux, to protect against malicious software.

Configuring Automatic System Updates

  • Keeps your system up-to-date with all software and packages by automatically running sudo apt-get upgrade.

Disabling Bluetooth and Other Services

  • Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.

Enhancing SSH Security (based on Mozilla’s OpenSSH Guidance)

  • Applies best practices for SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01).
  • Removes all Diffie-Hellman keys that are less than 3072 bits long to strengthen SSHD security.
  • Disables Pluggable Authentication Modules (PAM) to reduce the risk of unauthorized access.
  • Disables SSH password authentication, allowing only public key authentication.
  • Changes the default SSH port (22) to a randomly generated number for added security.

Locking User Pi and Removing Default Password Reminder

  • Locks the default "pi" user account to prevent unauthorized access.
  • Removes the default reminder to change the password, as security measures are automatically applied.

Installing UFW Firewall, Fail2Ban, PSAD, RKHunter, and Chkrootkit

  • Installs UFW (Uncomplicated Firewall) to manage incoming and outgoing network traffic.
  • Installs Fail2Ban, an intrusion prevention system that bans IP addresses after multiple failed login attempts.
  • Installs PSAD (Port Scan Attack Detector) for intrusion detection and analysis.
  • Installs RKHunter and Chkrootkit to detect rootkits and other malicious activities.

Configuring Firewall and Intrusion Prevention

  • Configures the firewall to allow access only for specific services (SSH, HTTP, HTTPS, FTP, DNS, SMTP).
  • Configures Fail2Ban to ban IP addresses after 5 failed authentication attempts to SSH.

Adding a New Sudo User with Randomly Generated Credentials

  • Creates a new sudo user with randomly generated SSH keys (PuTTY format) and a randomly generated password (2 words + 2 letters) for secure access.

By applying these security measures, Maximum Security Mode aims to provide robust protection for your Raspberry Pi device, making it more resilient against potential threats.