Securing a Raspberry Pi
The first thing is the usual securing of sshd. Stitch the following
into /etc/ssh/sshd_config:
PermitRootLogin without-password
...
PasswordAuthentication no
...
UsePAM no
Then use iptables to only allow ssh into the Pi. In this case, my Pi is an access point, also providing dhcp and dns, so allow those too.
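# Write the IPv4 ruleset for a Pi that is a wlan0 access point with eth0 as
# its uplink. The delimiter is quoted so nothing inside is expanded by the
# shell; the file is loaded later with iptables-apply / iptables-restore.
# This file only covers IPv4 (iptables); ip6tables is not configured here
# (that would be /etc/iptables/rules.v6).
cat > /etc/iptables/rules.v4 << 'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT the wlan0 clients out through the eth0 uplink
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Routing between the access point side (wlan0) and the uplink (eth0):
# clients may initiate outbound, only replies come back in.
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
#
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allows all outbound traffic (so no separate OUTPUT rules are needed for
# DHCP/DNS replies below)
-A OUTPUT -j ACCEPT
#
# Allows SSH connections. Note this accepts on every interface, including the
# eth0 uplink; add "-i wlan0" if the Pi should only be administered from the
# wireless side.
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#
# allow dhcp and dns because we're an access point: the Pi is the server, so
# the client requests arrive on INPUT from wlan0 and must be accepted there
# (before the catch-all REJECT at the end), not on OUTPUT.
-A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT
-A INPUT -i wlan0 -p udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp --dport 53 -j ACCEPT
#
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
#
COMMIT
EOF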
Then apply the iptables rules with a timeout, so you can be sure you are not locking yourself out.
# Load the ruleset with a 20 second confirmation window: if the new rules cut
# off this ssh session, no confirmation is typed and iptables-apply restores
# the previous rules.
iptables-apply --timeout 20 /etc/iptables/rules.v4