made into a cheap advice column

This commit is contained in:
Randy Bush 2017-09-14 14:09:17 +09:00
parent 27ec6e9133
commit 4193dfca90
No known key found for this signature in database
GPG key ID: D5597695EA37E360

raspberry-pi-security.md (normal file, 72 lines)

@ -0,0 +1,72 @@
# Securing a Raspberry Pi
The first thing is the usual securing of sshd. Stitch the following
into `/etc/ssh/sshd_config`:
```
PermitRootLogin without-password
...
PasswordAuthentication no
...
UsePAM no
```
Then use iptables to only allow ssh into the Pi. In this case, my Pi is
an access point, also providing dhcp and dns, so allow those too.
```
cat > /etc/iptables/rules.v4 << EOF
# Generated by iptables-save v1.4.21 on Wed Sep 13 07:43:44 2017
*nat
:PREROUTING ACCEPT [27851:3746961]
:INPUT ACCEPT [26149:3634209]
:OUTPUT ACCEPT [28562:1538866]
:POSTROUTING ACCEPT [22900:1099401]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 13 07:43:44 2017
# Generated by iptables-save v1.4.21 on Wed Sep 13 07:43:44 2017
*filter
:INPUT ACCEPT [124423:27809824]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [57693:3752807]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
#
#
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allows all outbound traffic
-A OUTPUT -j ACCEPT
#
# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#
# allow dhcp and dns because we're an access point
-A OUTPUT -p udp --dport 67:68 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
#
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
#
COMMIT
# Completed on Wed Sep 13 07:43:44 2017
EOF
```
Then apply the iptables hack with timeout so you can be sure you are not
locking yourself out.
```
iptables-apply -t 20 /etc/iptables/rules.v4
```
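Review bot: the three rules under "allow dhcp and dns because we're an access point" are OUTPUT rules matched on `--dport`, so they only cover packets the Pi itself sends to a DHCP or DNS server, and they are unreachable in any case because the earlier `-A OUTPUT -j ACCEPT` has already accepted all outbound traffic; nothing in the INPUT chain admits the wireless clients' DHCP requests (UDP 67) or DNS queries (UDP/TCP 53), so after the first `iptables-apply` those packets fall through to `-A INPUT -j REJECT` and the access point stops handing out leases and resolving names, which contradicts the sentence "so allow those too". Move them into INPUT, pin them to the wireless interface, and place them before the LOG and final REJECT rules, e.g. `-A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT`, `-A INPUT -i wlan0 -p udp --dport 53 -j ACCEPT` and `-A INPUT -i wlan0 -p tcp --dport 53 -j ACCEPT`. Two smaller points on the same ruleset: the SSH rule carries no `-i`, so port 22 is open from eth0 (the upstream side) as well as from the wireless clients, which the text should either state or restrict; and the file is `rules.v4` with an IPv4 MASQUERADE nat table only, so if the Pi has IPv6 connectivity sshd remains reachable over v6 until an equivalent `rules.v6` is written, and the text does not mention ip6tables. In the sshd_config fragment, `PermitRootLogin without-password` is the pre-7.0 spelling of `prohibit-password` (OpenSSH still accepts the old alias, but the text should use the current name), and `UsePAM no` is not needed for key-only logins: `PasswordAuthentication no` already stops PAM password authentication, and Debian's stock sshd_config explicitly describes `UsePAM yes` with `PasswordAuthentication no` as the supported way to keep PAM's account and session processing while refusing passwords.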