Pi-Hard: Best Practices for Securing IoT and Embedded Devices: Minimum Security Mode (Part 1 of 4)

Minimum Security Mode

⚠️ Note: This was first made in 2019, and I am in the process of upgrading it to the latest standards

Minimum Security Mode provides a set of security enhancements that are designed to be applied to a Raspberry Pi right out of the box. This mode includes the following security measures:

  • Installing ClamAV antivirus
  • Configuring automatic system updates
  • Disabling Bluetooth and other services (avahi, triggerhappy, hciuart)
  • Enhancing SSH security based on Mozilla’s OpenSSH Guidance (as of 2019-01-01)
  • Removing all Diffie-Hellman keys that are less than 3072 bits long for SSHD
  • Disabling Pluggable Authentication Modules (PAM)
  • Removing default password change reminder
  • Changing SSH pi user password with 2 random words and 2 letters


Configure Automatic System Updates

  • Keeps your system up-to-date with all software and packages by automatically running sudo apt-get upgrade.

Installing ClamAV

  • ClamAV is an open-source antivirus and malware scanner for Linux, developed by Sourcefire (owned by Cisco). ClamAV complements other security products, such as Snort, a widely used intrusion detection software.

Enhanced SSH Security (based on Mozilla’s OpenSSH Guidance)

  • OpenSSH now prioritizes key algorithms: ED25519 > RSA > ECDSA for Host Keys (keypairs for connecting to computers remotely via SSH).
  • Password-based logins are disabled; only public key logins are allowed.
  • Log level is set to verbose for detailed and understandable audit trails.
  • Ed25519 signatures are generated by default, offering high-speed and high-security public key encryption.

Disabling Bluetooth and Other Services

  • Disables services such as Bluetooth, avahi, triggerhappy, and hciuart to reduce potential attack vectors.

Removing Weak Diffie-Hellman Keys for SSHD

  • Removes all Diffie-Hellman keys that are less than 3072 bits long to strengthen SSHD security.

Disabling Pluggable Authentication Modules (PAM)

  • Disables PAM to reduce the risk of unauthorized access.

Removing Default Password Change Reminder

  • Removes the default reminder to change the password, as it is automatically changed during setup.

Changing SSH Pi User Password

  • Automatically changes the SSH pi user password to a secure combination of 2 random words and 2 letters.

Enable Automatic Updates on System Boot (To-Do)

  • Configure the system to automatically check for and install updates upon booting.

By applying these security measures, Minimum Security Mode aims to provide a solid foundation for securing your Raspberry Pi device.