Pi-Hard: Best Practices for Securing IoT and Embedded Devices: Paranoid Security Mode (Part 3 of 4)

Paranoid Security Mode

⚠️ Note: This was first made in 2019, and I am in the process of upgrading it to the latest standards

Paranoid Security Mode provides the highest level of security enhancements for your Raspberry Pi device. This mode is designed for users who require maximum protection against a wide range of threats and attack vectors. Paranoid Security Mode includes the following security measures:

Features

Installing ClamAV Antivirus

  • Installs ClamAV, the open-source antivirus and malware scanner for Linux, to detect known malicious files. Note that loading the full signature database takes well over 1 GB of RAM, which is a tight fit for clamd on Pi models with 1 GB or less.

Configuring Automatic System Updates

  • Keeps your system up to date by automatically running sudo apt-get upgrade (preceded by sudo apt-get update, since upgrade by itself only installs versions already listed in the local package index and pulls in nothing new).

Disabling Bluetooth and Other Services

  • Disables services a headless Pi does not need, shrinking the listening and driver surface: bluetooth and hciuart (the Bluetooth stack and its UART link), avahi-daemon (mDNS/zeroconf, which announces the device on the LAN) and triggerhappy (the hotkey daemon).

Disabling Power on USB Ports

  • Cuts power to the USB ports so that unauthorized devices (keystroke injectors, rogue storage) cannot be attached and used. This also disables keyboards, mice and USB drives, so the device must be administered over SSH, and on models whose Ethernet controller hangs off the USB hub (Pi 3B/3B+ and earlier) it takes down wired networking too; use it only on Wi-Fi deployments or on models whose Ethernet does not go through USB (Pi 4 and later).

Enhancing SSH Security (based on Mozilla’s OpenSSH Guidance)

  • Applies Mozilla's OpenSSH server guidance (the "modern" profile as published on 2019-01-01): restricted key exchange, cipher and MAC lists plus the hardening items below.
  • Removes every Diffie-Hellman group in /etc/ssh/moduli shorter than 3072 bits (these are group parameters, not keys). The file records each size as bits minus one, so the filter keeps lines whose size field is at least 3071; smaller groups weaken diffie-hellman-group-exchange-sha256.
  • Disables SSH password authentication, allowing only public key authentication.
  • Moves SSH from port 22 to a randomly generated port. This mainly cuts automated scanning noise and log volume; it is not a security control by itself, so the key and 2FA requirements still do the real work.
  • Adds time-based one-time-password (TOTP) two-factor authentication to SSH login through the Google Authenticator PAM module (libpam-google-authenticator), so a stolen key alone is not enough to log in.
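As an added example (not Pi-Hard's own script), the shell below carries out the sshd changes above as small functions: filter_moduli keeps only the Diffie-Hellman groups of 3072 bits or more, random_port picks the new port, and sshd_dropin emits an sshd_config fragment that turns off password login and requires a TOTP code after the key. The moduli lines are a constructed sample; the port range, the drop-in path and the use of a sshd_config.d drop-in (which needs an Include directive, OpenSSH 8.2 and later) are assumptions.

```shell
#!/bin/sh
# Added example, not Pi-Hard's own code. POSIX sh.
set -eu

# /etc/ssh/moduli stores each group's size in field 5 as bits-1 (3071 for a
# 3072-bit group), so Mozilla's filter is "$5 >= 3071". Comment lines are kept.
# Reads moduli lines on stdin, writes the surviving ones to stdout.
filter_moduli() {
    awk '/^#/ { print; next } $5 >= 3071 { print }'
}

# Constructed sample in the real file's column order
# (time type tests tries size generator modulus); the modulus is truncated.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20190101000000 2 6 100 1023 2 C0FFEE
20190101000000 2 6 100 2047 2 C0FFEE
20190101000000 2 6 100 3071 2 C0FFEE
20190101000000 2 6 100 4095 2 C0FFEE
20190101000000 2 6 100 8191 2 C0FFEE'

# Number of non-comment groups that survive the filter (3 for the sample).
count_safe_moduli() {
    printf '%s\n' "$SAMPLE_MODULI" | filter_moduli | grep -vc '^#'
}

# Pick an unprivileged port in 1024-65535 (awk so it works without shuf).
random_port() {
    awk 'BEGIN { srand(); print int(1024 + rand() * 64512) }'
}

# sshd_config drop-in for port $1. Key-only login plus a PAM second factor;
# AuthenticationMethods makes both mandatory instead of either-or.
# Kex/Ciphers/MACs are Mozilla's "modern" lists for OpenSSH 6.7+.
sshd_dropin() {
    port="$1"
    cat <<EOF
Port ${port}
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
# Renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name still works.
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOF
}

# Apply on a Pi (as root): filter the real moduli file, install the drop-in
# (path assumed), then validate before restarting so a typo cannot lock you out.
apply_ssh_hardening() {
    filter_moduli < /etc/ssh/moduli > /etc/ssh/moduli.safe
    mv /etc/ssh/moduli.safe /etc/ssh/moduli
    sshd_dropin "$(random_port)" > /etc/ssh/sshd_config.d/10-pihard.conf
    sshd -t && systemctl restart ssh
}
```

The PAM side is not shown in the fragment: in /etc/pam.d/sshd add "auth required pam_google_authenticator.so" and comment out the "@include common-auth" line, so the keyboard-interactive step asks only for the TOTP code and never for the (disabled) password; each user then runs google-authenticator once to create ~/.google_authenticator. Keep an existing session open while testing a fresh login, and note the new port number before restarting.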

Locking User Pi and Removing Default Password Reminder

  • Locks the default "pi" account so it can no longer be used to log in, since Raspbian images shipped with a well-known default password for it.
  • Removes Raspbian's login-time warning about the unchanged default password, which is moot once the pi account is locked and the new sudo user below is in place.

Installing UFW Firewall, Fail2Ban, PSAD, RKHunter, and Chkrootkit

  • Installs UFW (Uncomplicated Firewall), a front end to the kernel packet filter, to control inbound and outbound traffic.
  • Installs Fail2Ban, which watches authentication logs and temporarily bans source IP addresses after repeated failed login attempts.
  • Installs PSAD (Port Scan Attack Detector), which analyzes iptables log messages to detect port scans and probes (it sees nothing unless firewall logging is enabled).
  • Installs RKHunter and Chkrootkit, which scan for known rootkits, suspicious files and modified system binaries.

Configuring Firewall and Intrusion Prevention

  • Configures the firewall to deny all inbound connections except to the (relocated) SSH port, so no other service is reachable from the network.
  • Configures Fail2Ban to ban an address after 5 failed SSH authentication attempts. The sshd jail's port setting must match the new SSH port: with the default iptables-multiport ban action the ban would otherwise block port 22 while the attacker keeps hitting the real one.
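An added example for the two items above (again not Pi-Hard's own code): ufw_rules emits a default-deny ruleset that admits only the SSH port, rate-limited, and write_jail_local writes a Fail2Ban jail.local that bans after 5 failures for that port. The bantime, findtime, backend and banaction values are assumptions chosen for a Raspberry Pi OS image.

```shell
#!/bin/sh
# Added example, not Pi-Hard's own code. POSIX sh.
set -eu

# Emit the ufw commands for SSH on port $1. "limit" instead of "allow" makes
# ufw drop a source that opens 6 or more connections in 30 seconds, which
# blunts brute force even before Fail2Ban reads the first log line.
# Pipe the output to sh as root to apply.
ufw_rules() {
    port="$1"
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit ${port}/tcp comment 'SSH'
ufw logging low
ufw --force enable
EOF
}

# Write a Fail2Ban jail.local to $1 for SSH on port $2, allowing $3 failures
# (default 5). backend=systemd reads the journal directly, so it also works
# on images that no longer ship rsyslog (Raspberry Pi OS bookworm).
write_jail_local() {
    path="$1"; port="$2"; retries="${3:-5}"
    cat > "$path" <<EOF
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = ${retries}
ignoreip = 127.0.0.1/8 ::1
# Ban through ufw so bans show up in "ufw status" (assumed choice).
banaction = ufw

[sshd]
enabled = true
port = ${port}
backend = systemd
EOF
}

# Check the result once applied (as root): the jail should report the moved
# port, and the firewall should show exactly one inbound rule.
show_status() {
    fail2ban-client status sshd
    ufw status numbered
}
```

Apply with the same port you gave sshd, e.g. "ufw_rules 2222 | sh" and "write_jail_local /etc/fail2ban/jail.local 2222 5" followed by "systemctl restart fail2ban". Enabling ufw logging also gives PSAD the iptables LOG messages it needs to detect scans.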

Adding a New Sudo User with Randomly Generated Credentials

  • Creates a new sudo user with a freshly generated SSH key pair, exported in PuTTY's .ppk format (OpenSSH clients can convert it with puttygen key.ppk -O private-openssh), and a randomly generated password of two words plus two letters. Because SSH password login is disabled, that password is only used for sudo and the local console, never for remote access.

By applying these security measures, Paranoid Security Mode aims to provide the most robust protection for your Raspberry Pi device, making it highly resilient against potential threats.