randy/raspberry-pi-security.md

# Securing a Raspberry Pi

The first thing is the usual securing of sshd.  Stitch the following
into `/etc/ssh/sshd_config`:

```
PermitRootLogin without-password
...
PasswordAuthentication no
...
UsePAM no
```

Then use iptables to only allow ssh into the Pi.  In this case, my Pi is
an access point, also providing dhcp and dns, so allow those too.

```
cat > /etc/iptables/rules.v4 << EOF
# Generated by iptables-save v1.4.21 on Wed Sep 13 07:43:44 2017
*nat
:PREROUTING ACCEPT [27851:3746961]
:INPUT ACCEPT [26149:3634209]
:OUTPUT ACCEPT [28562:1538866]
:POSTROUTING ACCEPT [22900:1099401]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 13 07:43:44 2017
# Generated by iptables-save v1.4.21 on Wed Sep 13 07:43:44 2017
*filter
:INPUT ACCEPT [124423:27809824]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [57693:3752807]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
#
#
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allows all outbound traffic
-A OUTPUT -j ACCEPT
#
# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#
# allow dhcp and dns because we're an access point
-A OUTPUT -p udp --dport 67:68 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
#
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
#
COMMIT
# Completed on Wed Sep 13 07:43:44 2017
EOF
```

Then apply the iptables hack with timeout so you can be sure you are not
locking yourself out.

```
iptables-apply -t 20 /etc/iptables/rules.v4
```