From 4193dfca90092aeaadea5dff8e3b95fa4d9fbbc0 Mon Sep 17 00:00:00 2001 From: Randy Bush Date: Thu, 14 Sep 2017 14:09:17 +0900 Subject: [PATCH] made into a cheap advice column --- raspberry-pi-security.md | 72 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 raspberry-pi-security.md diff --git a/raspberry-pi-security.md b/raspberry-pi-security.md new file mode 100644 index 0000000..781beef --- /dev/null +++ b/raspberry-pi-security.md 
@@ -0,0 +1,72 @@ +# Securing a Raspberry Pi + +The first thing is the usual securing of sshd. Stitch the following +into `/etc/ssh/sshd_config`: + +``` +PermitRootLogin without-password +... +PasswordAuthentication no +... +UsePAM no +``` + +Then use iptables to only allow ssh into the Pi. In this case, my Pi is +an access point, also providing dhcp and dns, so allow those too. + +``` +cat > /etc/iptables/rules.v4 << EOF +# Generated by iptables-save v1.4.21 on Wed Sep 13 07:43:44 2017 +*nat +:PREROUTING ACCEPT [27851:3746961] +:INPUT ACCEPT [26149:3634209] +:OUTPUT ACCEPT [28562:1538866] +:POSTROUTING ACCEPT [22900:1099401] +-A POSTROUTING -o eth0 -j MASQUERADE +COMMIT +# Completed on Wed Sep 13 07:43:44 2017 +# Generated by iptables-save v1.4.21 on Wed Sep 13 07:43:44 2017 +*filter +:INPUT ACCEPT [124423:27809824] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [57693:3752807] +-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -i wlan0 -o eth0 -j ACCEPT +# +# +# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 +-A INPUT -i lo -j ACCEPT +-A INPUT ! 
-i lo -d 127.0.0.0/8 -j REJECT +# +# Accepts all established inbound connections +-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +# +# Allows all outbound traffic +-A OUTPUT -j ACCEPT +# +# Allows SSH connections +-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT +# +# allow dhcp and dns because we're an access point +-A OUTPUT -p udp --dport 67:68 -j ACCEPT +-A OUTPUT -p udp --dport 53 -j ACCEPT +-A OUTPUT -p tcp --dport 53 -j ACCEPT +# +# log iptables denied calls (access via 'dmesg' command) +-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 +# +# Reject all other inbound - default deny unless explicitly allowed policy: +-A INPUT -j REJECT +-A FORWARD -j REJECT +# +COMMIT +# Completed on Wed Sep 13 07:43:44 2017 +EOF +``` + +Then apply the iptables hack with timeout so you can be sure you are not +locking yourself out. + +``` +iptables-apply -t 20 /etc/iptables/rules.v4 +```
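Review bot: the three rules under "allow dhcp and dns because we're an access point" are appended to OUTPUT, where they are dead code (the unconditional `-A OUTPUT -j ACCEPT` a few lines earlier already matches everything), while INPUT never accepts DHCP or DNS from the wlan0 clients, so their DNS queries (and DHCP requests, if the server uses ordinary UDP sockets as dnsmasq does) fall through to `-A INPUT -j REJECT` and the access point does not actually serve them. Move the rules to INPUT, scope them to the client interface and place them before the LOG/REJECT lines, e.g. `-A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT`, `-A INPUT -i wlan0 -p udp --dport 53 -j ACCEPT`, `-A INPUT -i wlan0 -p tcp --dport 53 -j ACCEPT`. Smaller points on the same hunk: the SSH accept carries no interface or source match, so wireless clients can reach sshd too (add `-i eth0` or a source address if that is not intended); the FORWARD and MASQUERADE rules only route if `net.ipv4.ip_forward=1`, which the page never sets; and the file covers IPv4 only, so without a matching `/etc/iptables/rules.v6` the ip6tables INPUT chain stays at its default ACCEPT. On the sshd fragment, `PasswordAuthentication no` should be committed only after an `authorized_keys` entry has been verified from a second session, since the `iptables-apply -t 20` safety net at the end does not cover sshd changes; `prohibit-password` is the current spelling of `PermitRootLogin without-password`, which OpenSSH still accepts as an alias.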