Security improvements on the Raspberry Pi: Difference between revisions

From Sensors in Schools
Jump to navigation Jump to search
No edit summary
No edit summary
Line 81: Line 81:




== Protecting the raspberry pi from malicious attacks on the internet ==
== Protecting the Raspberry pi from malicious attacks on the internet using Fail2ban ==
* Fail2ban is a tool used to detect brute-force attacks and block them. If an attack is sustained for many months it is possible for an attacker to gain access to your computer system.  
* Fail2ban is a tool used to detect brute-force attacks and block them.  
* Fail2ban aims to protect your computer from repeat attacks. It does this by blocking attackers from a re-occurring IP address if they fail to login more than a certain number of times. You can configure the number of tries before a ban is put in place and how long the ban will remain.
* If an attack is sustained for many months it is possible for an attacker to gain access to your computer system.  
* Fail2ban aims to protect your computer from repeat attacks.  
* It does this by blocking attackers from a re-occurring IP address if they fail to login more than a certain number of times. You can configure the number of tries before a ban is put in place and how long the ban will remain.


* Open the Raspberry Pi Terminal.
* Open the Raspberry Pi '''Terminal'''.
* To install Fail2ban enter the command '''sudo apt-get install fail2ban'''
* To install Fail2ban enter the command '''sudo apt-get install fail2ban'''


Line 129: Line 131:


[[File:Screen Shot 2021-12-19 at 6.21.48 pm.png]]
[[File:Screen Shot 2021-12-19 at 6.21.48 pm.png]]
=== Opening Select ports ===
* If we keep all ports closed then the Raspberry Pi will not be able to interact with the outside world.
* The best approach is to only open a small number of ports.
* To open up port '''80''' for '''HTML''' requests enter the command '''sudo ufw allow 80'''
[[]]
* To open up port '''5900'' to use '''VNC''' enter the command '''sudo ufw allow 5900'''
[[]]
* To open up port '''1880''' for Node-RED enter the command '''sudo ufw allow 1880'''
[[]]

Revision as of 07:28, 19 December 2021

Overview

  • Running a Raspberry Pi computer on your home network can be done securely.
  • In this lesson we will explore different ways to improve security.

Learning Objectives

  • Updating and Upgrading your Raspberry Pi
  • Changing the default password for user pi
  • Install fail2ban
  • Install a firewall

Updating and Upgrading your Raspberry Pi

  • When you update your computer, not only do you get updates to the latest features, but you also get fixes to software bugs and security issues. You can do this process manually and you can also automate this procedure.
  • Open the Terminal on the Pi.
  • Enter the command sudo apt-get update

  • The update takes approximately 30 seconds to one minute.
  • This is the typical output.

Upgrading Raspberry Pi Software

  • Upgrading the Raspberry Pi updates all installed software to the most current version.
  • Do this by entering the command sudo apt-get full-upgrade

  • The Pi will tell you what software upgrades are required and ask for permission.
  • It will also tell you how much additional disk space will be required.

  • The first time you do an upgrade it could take several minutes.
  • Sometimes you need to check how much additional disk space you have available.
  • If too much space is occupied by the operating system and associated software it can compromise performance.

Changing the default password for user pi

  • It is always a good idea to change any default password setting.
  • The following instructions can also be used to set a new password for user pi just in case you forget it.
  • Open the Terminal
  • Enter the command sudo raspi-config

  • Select Option 1 System Options
  • Press the Tab key until <Select> is highlighted and press Enter.

  • Select S3 Password using the Tab key and press Enter.

  • You will be asked to enter a new password for the pi user.
  • Press OK.

  • You will be asked to enter in a new password. Then press the Enter key.
  • In Linux the password or the characters will not show.
  • You will be asked to retype the password.

  • A Password changed successfully will appear.
  • Press OK.

  • Back in the raspi-config main menu, press the Tab key to highlight <Finish>
  • Press Enter to return to the Terminal.


Protecting the Raspberry pi from malicious attacks on the internet using Fail2ban

  • Fail2ban is a tool used to detect brute-force attacks and block them.
  • If an attack is sustained for many months it is possible for an attacker to gain access to your computer system.
  • Fail2ban aims to protect your computer from repeat attacks.
  • It does this by blocking attackers from a re-occurring IP address if they fail to login more than a certain number of times. You can configure the number of tries before a ban is put in place and how long the ban will remain.
  • Open the Raspberry Pi Terminal.
  • To install Fail2ban enter the command sudo apt-get install fail2ban

  • Enter y (yes) to proceed with installation.
  • The installation only takes a few seconds to complete.
  • By default, fail2ban will ban attacker for 10 minutes after 5 failed attempts.

Install the firewall ufw

  • A firewall allows you to block all ports except the ones you need and also filter access by IP address.
  • We are going to install ufw (Uncomplicated FireWall), which is very straightforward to use and configure according to our needs.
  • A basic administration configuration page can be accessed using the Terminal.
  • To install ufw enter the command sudo apt-get install ufw

  • The installation takes a few seconds.

  • We can get help using ufw using the command sudo ufw help

Enable Uncomplicated firewall

  • When ufw is first installed all ports are blocked by default.
  • To make these ports available we need to open them up.
  • Ports are small channels used by different software on our computer.
  • The more ports are open, the more vulnerable your computer is to hackers.
  • Port examples
    • HTTP or web requests are on port 80
    • VNC (Virtual Network Computer) is on port 5900
    • Node-RED is on port 1880
  • Note: To make any change to ufw you need to be a super user
  • To enable the firewall enter the command sudo ufw enable
  • By default this will block all ports.


Opening Select ports

  • If we keep all ports closed then the Raspberry Pi will not be able to interact with the outside world.
  • The best approach is to only open a small number of ports.
  • To open up port 80 for HTML requests enter the command sudo ufw allow 80

[[]]

  • To open up port 5900 to use VNC' enter the command sudo ufw allow 5900

[[]]

  • To open up port 1880 for Node-RED enter the command sudo ufw allow 1880

[[]]

Retrieved from "http://www.waterwaysinwhittlesea.org/index.php?title=Security_improvements_on_the_Raspberry_Pi&oldid=257"