Pi-Hard: Best Practices for Securing IoT and Embedded Devices: Minimum Security Mode (Part 1 of 4)

Minimum Security Mode

⚠️ Note: This was first made in 2019, and I am in the process of upgrading it to the latest standards.

Minimum Security Mode provides a set of security enhancements that are designed to be applied to a Raspberry Pi right out of the box. This mode includes the following security measures:

  • Installing ClamAV antivirus
  • Configuring automatic system updates
  • Disabling Bluetooth and other services (avahi, triggerhappy, hciuart)
  • Enhancing SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01)
  • Removing all Diffie-Hellman keys that are less than 3072 bits long for SSHD
  • Disabling Pluggable Authentication Modules (PAM)
  • Removing default password change reminder
  • Changing SSH pi user password with 2 random words and 2 letters

Features

Configure Automatic System Updates

  • Keeps your system up-to-date with all software and packages by automatically running sudo apt-get upgrade.

Installing ClamAV

  • ClamAV is an open-source antivirus and malware scanner for Linux, developed by Sourcefire (owned by Cisco). ClamAV complements other security products, such as Snort, a widely used intrusion detection system.

Enhanced SSH Security (based on Mozilla’s OpenSSH Guidance)

  • OpenSSH now prioritizes host key algorithms in the order ED25519 > RSA > ECDSA. Host keys are the keypairs the SSH server uses to identify itself to connecting clients.
  • Password-based logins are disabled; only public key logins are allowed.
  • Log level is set to verbose for detailed and understandable audit trails.
  • Ed25519 keys are generated by default, offering high-speed and high-security public key signatures.

Disabling Bluetooth and Other Services

  • Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.

Removing Weak Diffie-Hellman Keys for SSHD

  • Removes all Diffie-Hellman moduli (the group parameters sshd offers for key exchange, stored in /etc/ssh/moduli) that are less than 3072 bits long to strengthen SSHD security.
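
The SSH settings and the 3072-bit cut-off from the two sections above can be applied and checked with a short script. This is an added example, not the Pi-Hard script itself: the function names and sample files are constructed for illustration, and every path is an argument so it can be tried on copies.

```shell
#!/bin/sh
# Added example, not the Pi-Hard script. Paths are arguments so it can be run on copies.

# Field 5 of a moduli line is the group size minus one, so 3072-bit groups read 3071.
filter_moduli() {
    src=$1; dst=$2
    kept=$(awk '/^[0-9]/ && $5 >= 3071 { n++ } END { print n + 0 }' "$src")
    if [ "$kept" -eq 0 ]; then
        # An empty moduli file would leave sshd with no groups for DH group exchange.
        echo "no moduli of 3072 bits or more in $src; $dst not written" >&2
        return 1
    fi
    awk '!/^[0-9]/ || $5 >= 3071' "$src" > "$dst"   # comments and blank lines are kept
}

# sshd keywords are case-insensitive and the first occurrence of a keyword wins.
sshd_first_value() {
    awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}

# Prints one line per deviation from the settings listed above; returns their count.
audit_sshd_config() {
    cfg=$1; findings=0
    if [ "$(sshd_first_value "$cfg" passwordauthentication)" != no ]; then
        echo "PasswordAuthentication is not 'no' (sshd defaults to yes)"; findings=$((findings + 1))
    fi
    if [ "$(sshd_first_value "$cfg" loglevel)" != verbose ]; then
        echo "LogLevel is not VERBOSE"; findings=$((findings + 1))
    fi
    case "$(sshd_first_value "$cfg" hostkey)" in
        *ed25519*) ;;
        *) echo "first HostKey is not the Ed25519 key"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample input (moduli values shortened to placeholders).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# Time Type Tests Tries Size Generator Modulus' \
        '20190101000000 2 6 100 2047 2 AAAA' \
        '20190101000001 2 6 100 3071 2 BBBB' \
        '20190101000002 2 6 100 4095 5 CCCC' > "$d/moduli"
    printf '%s\n' 'HostKey /etc/ssh/ssh_host_rsa_key' \
        'HostKey /etc/ssh/ssh_host_ed25519_key' \
        'passwordauthentication no' '#LogLevel VERBOSE' > "$d/sshd_config"
    filter_moduli "$d/moduli" "$d/moduli.strong" && cat "$d/moduli.strong"
    audit_sshd_config "$d/sshd_config" || echo "findings: $?"
    rm -rf "$d"
}
demo
```

The audit reads only the file it is given; on a running system, `sshd -T` prints the effective configuration, including defaults for keywords the file does not set.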

Disabling Pluggable Authentication Modules (PAM)

  • Disables PAM to reduce the risk of unauthorized access.

Removing Default Password Change Reminder

  • Removes the default reminder to change the password, as it is automatically changed during setup.

Changing SSH Pi User Password

  • Automatically changes the SSH pi user password to a secure combination of 2 random words and 2 letters.

Enable Automatic Updates on System Boot (To-Do)

  • Configure the system to automatically check for and install updates upon booting.

By applying these security measures, Minimum Security Mode aims to provide a solid foundation for securing your Raspberry Pi device.