How to Secure a Raspberry Pi on Your Network | ITProTV

Captions
Keep finding all those Raspberry Pi based gadgets around the office and going, "Oh, is this secure?" Stay tuned to find out how to secure them. You're watching ITProTV.

Happy Pi Day, everyone. Well, we're gonna be talking about securing the Raspberry Pi, but you know what, I think we should set some context before we get too far down the road. I don't want to steal your thunder, but the reason we thought it was important to talk about this is, well, Tim came to me one day and was like, "Hey Justin, I've got this new gadget, it is cool." It's this little weather thing, it lights up weather data for, like, airports, right, and it has green and blue and red. This is the exact device, and it goes and pulls data and it lights up and it tells you wind speed, and it runs on a Raspberry Pi. And I go, "Uh-huh, is it on our network?" And, I guess, yeah, it gets the information from the internet. And I go, "Wow, what's the IP?" So I do a quick scan of our network and I go, "Oh, here it is." Does it use default creds? Not the original Raspberry Pi default creds, but default creds for the product. It was open, I could escalate privileges on it, and then I was like, "Oh, you've got to update it," and he was like, "What am I doing?" I was like, "Yeah, I don't know if Don's gonna be so happy about that." But it's things like this. This is a pretty cool project, but then it opens us up to, hey, I now have access to a piece of software that maybe Don doesn't know about, I don't know about, just because it's cool.

Yeah, and you know, with most networks running DHCP it's not uncommon for people to buy these simple, you know, maker-type projects. They bring them in, they plug them in on the network, and now you've got a machine that is terribly insecure and it's in your environment. Now you could go a little draconian and say, "That's it, no unauthorized IoT devices, I'm gonna put my foot down," and that's it. But I'll tell you, I love Raspberry Pis and they are super convenient. If I need to whip up a quick web server or run a little experiment, I use Raspberry Pis all the time. You can make them more secure. They are pretty weak in the area of security by default, but that's because it's really a research device, a testing device; it's not designed for production use. But tons and tons of people are using them. Now, I've seen a little projector software that was used for mirroring a whiteboard that ran on a Raspberry Pi, this general aviation map that uses a Raspberry Pi, clocks, all sorts of things.

Yeah, I've seen them too. People install them in cars for, like, graphical user interfaces, a variety of sensors and stuff. You definitely want to trust your driving safety to it.

So while it is not very secure by default, there are a handful of steps we can take to actually secure them. So in this episode what we're gonna do is talk a little bit about some of the basic configuration settings that we need to change on a Raspberry Pi. We'll talk about updates and how we can manage those a little more appropriately. We will talk a bit about configuring a firewall to limit the traffic that is able to get to it, as well as securing SSH so that we can only do trusted management remotely, and we'll talk about a few other security things, like using trusted certificates for web services, all on the Raspberry Pi. It's pretty easy to do if you just remember this handful of steps.

Now Don, yeah, you said some things there and I'm going, "Ooh, this is gonna be nice, it's gonna be a nice how-to," but before we get too far into those more advanced topics we probably need to take a look at those basic steps. So what are those basic steps we need to take?

Absolutely. When you install a new Raspberry Pi, right, the recommended operating system for it is Raspbian, and you can get that from the Raspberry Pi project. You flash it on an SD card and you boot the system up, and the recommended first step, the first step most people are gonna do, is to run the raspi-config script. So let me bring that up. I'm connected to my Raspberry Pi here and I'm just gonna do a sudo raspi-config. And so when I run that I'm taken into the Raspberry Pi configuration. You can now see it's a Raspberry Pi 3 Model B. If I go in you'll see a few things, like changing the password for the pi user. The default username is pi, the default password is raspberry. Everybody knows that. Every hacking tool on the planet has that default cred loaded into it, and it is going to try to use that to access your system. At a minimum you need to change that password, and so we can just do that right from here, easy enough. So I'll go in and it's gonna ask me to punch in my new password. I punch in what I want that new password to be, and so now that one's fixed.

Another thing that we can do in here is to enable SSH. I don't want to have to hook a keyboard and a mouse up to this every time I want to go and manage it, or just a keyboard or whatever. I want to be able to SSH into it, and it's turned off by default because of security, but we can turn it on in a way that keeps it secure. So I'm gonna go down to Interfacing Options, and under Interfacing Options I'll go to SSH, and inside of SSH you can tell it to enable the SSH server so that you will be able to connect to the system, and it warns you that default and weak passwords are a security risk. So that's gonna be left up to you. Okay, so when that's done, those are the main things I need to configure here. There are a few other things, like Localisation Options. You'll want to make sure you get it set for your proper keyboard. I run into this one all the time because it defaults to a UK keyboard, and when I type in a password with special characters, like the @ symbol, it's the double quote symbol on a UK keyboard, so it's messed up. If I switch it to a US keyboard, now all of a sudden the password works properly. So, you know, you'll want to set those kinds of things and get them in place.

All right, after that, now I've got my basic stuff kind of set. There are a few more things I want to do. I know that pi account is always there, and the hackers know it's there too, so I don't want to use the pi account. I'm gonna create a new account for myself. So I'm going to say sudo adduser and I'll create an account for me, dpezet, right. So I'm gonna create one, it's gonna ask me for a new password, I'll punch in what I want that password to be, and once I've got that, now it's gonna ask for additional information, if I want to type in my full name and other things. I can specify whatever; I'm gonna leave most of these blank and then I'll just say yes to get that user created. So now I've got a nice little user account. Now I do want to be an administrator, so I'm gonna follow this up by saying sudo gpasswd -a, I'm gonna add dpezet to the adm group, that's gonna make me an administrator, and then I'm gonna add myself to the sudo group so that I'll be able to use the superuser-do command, which I've been using already, to make sure that I'm able to execute admin commands. Now when that's done, I'm an administrator, my user account is administrative, so I should be able to do pretty much whatever I want on the system and even get rid of the pi account if I want. I could delete the pi account, or I could just lock it out if I'm not gonna use it anymore. But before I do either of those things I need to test to make sure I can actually get in with my account. So I'm gonna open up another shell here and I'm just gonna SSH into that system as myself. So I'm gonna connect into whatever that IP is and punch in my password, and there we go, make sure I can get in, and I'm gonna make sure that I can use the sudo command, just to verify that it is working, before I go and mess with the pi account.

Right, you don't want to mess with the pi account if you don't have alternative credentials.

Then back in my original window I'm gonna exit out of that one. I don't need that pi user anymore, so I just need to kind of get out of that one, and back as dpezet I can disable the pi account. I'm gonna do that by issuing sudo passwd -l pi. I'm gonna lock the user account. I prefer to lock the user account rather than delete it, because there are some software packages written for the Pi that depend on that pi user existing. They shouldn't, right, it's poor programming practice, but people still do it, so that's why I like to keep the user account around. And so by doing that I've now locked the pi account and nobody can log in as that one.

Now Don, I was actually getting ready to ask you, I was like, "Well, why are we locking this out?" But I've run into that where it's almost used as a service account. If you're building new software, please don't do that.

Yeah, don't do that. You need a new service account just for that application that's running, but removing that can cause a whole bunch of whoopsie-daisy, sir. Yeah, and if you poke around in the services you might find some that are set to run as pi. They shouldn't, right, but they could, and you might find some scripts or whatever for software that depend on the account. That's why it's usually a little better to just lock it and leave it there.

All right, so now that I've got my user accounts kind of situated, I might want to tweak how sudo works. I don't like having to enter in a password every time. It is a nice safety measure, but I've already had to log in, I manage this remotely, so I may want to turn that off. So I'm gonna do a visudo and I'm gonna edit the /etc/sudoers file... oh no, actually that is right, hang on, let me just do visudo by itself. And, oh, permission denied, because I need to sudo the visudo command. There we go. And this is controlling how that sudo file works, and I want to add an extra entry in here, so I'm just gonna go to the end of the line. I'm gonna say dpezet, and I'm gonna say that I'm allowed to run from any workstation, so I'll say ALL, from all workstations I'm allowed to run ALL commands, and then I'm gonna tell it that I don't need a password for all those commands, so NOPASSWD:ALL, no password, all. By setting that I still have to log in with the username and password, but once I'm logged in I'll be able to use sudo without having to provide the password every time. So that's kind of a handy thing to do. So I'll get that set, and so now when I do a sudo whoami, well, it's probably cached from before, but even if the cache had expired I wouldn't be prompted. Now I've got my user account situated, I'm logged in as my own account, and I'm ready to move on to the rest of securing the system.

All right, speaking of moving on to securing the rest of the system, one of the things that I told Tim: you need to do this immediately, you need to go ahead and run updates, because that Raspbian image is at a certain snapshot, you may not have the most up-to-date packages. So I'm guessing that's where we're going next, right?

Absolutely. Yeah, it's not OpenBSD, right, they're not focused on security first, they are focused on just making a flexible maker device. So we need to apply updates. Now you can do updates manually, right. I can come in and say sudo apt update, and then I'll do a -y, and chain that with a double ampersand into sudo apt upgrade -y. So I want to do an update to get all the latest packages and then upgrade to actually install them. So if I run that, that's gonna churn through and do my updates, right. So that's cool, but that's just one time. So I'll know that I'm up to date now, but what about next week, what about the week after, especially if this is a map hanging on the wall? Am I gonna log into that to apply updates? I'm gonna forget about it, right, I'm just not gonna think about it. So what we need to do is set ourselves up for automatic updates. Now on a critical device you don't normally do automatic updates, because you want to make sure you test them and that they're not going to break your software, but a Raspberry Pi shouldn't be a critical device, so it's pretty safe to turn on automatic updates here, because even if it breaks what's running on that system it's not the end of the world. If this map breaks we can still get the flight weather data some other way. Okay, so I'm gonna interrupt this update, let me just Ctrl-C out of that, and then I'm gonna go in and I will actually apply automatic updates to do it instead. So I'm gonna install a little package. I'll say sudo apt install unattended-upgrades, and this is a Debian package that's available that will use cron jobs to periodically, once a day by default, go in and apply updates for me. So I can just set this to run automatically, and as it does it I know my system is up to date, I know that every day it's checking and applying those updates. It's kind of a neat system.

Now if I were running actual Debian or actual Ubuntu, I'd be done. You just install the package and it runs every day and that's it. But on a Raspberry Pi it has a different system identifier, so just installing it is not enough; I have to go one step further. Okay, I need to edit a file. So I'm gonna use sudoedit and I'm gonna edit /etc/apt/apt.conf.d/50... and looks like you've got a dash, it should be a dot after apt.conf. Yeah, Ricky, thank you, sir. 50unattended-upgrades, that file right there. That's the job that basically it's going to be looking at to determine how often it does the updates and what kind of updates it grabs. And when I edit that file, what you'll see in here is a big list of the types of things it's going to look for, and as I scroll down, right here these two lines are currently what's going to be applied as far as updates. Notice it's looking for updates for Debian and updates for Debian-Security. All right, it's not looking for Raspberry Pi. The strings for that, I've got them in the background here. Notice the distro name is Raspbian; Raspbian is different than Debian, so it's a bit of a problem. So I'm gonna copy and paste these, and you can find this information right on the Raspberry Pi website, or I'll try and make it available through another means, maybe in the comments or something. But I'm just gonna copy those, and then back here in this file just take the very next line and paste that in. And, you know, I've got my space syntax wrong, which would drive somebody like Justin crazy.

Yeah, I was gonna really say, please go fix that.

All right, so I'll fix that. So now we've got our OCD side taken care of. You can actually comment out the Debian ones or leave them, it doesn't hurt, so I'll just leave them. And so when I save that file, now my system is set to automatically apply these upgrades, and cron will take care of that, right. It'll run every day, it'll find those updates and get them applied. So now I'm not gonna worry about it. I haven't done updates now, but if I just wait, by this time tomorrow it'll be upgraded, and then the next day and the next day, all taken care of.

Now Don, I've actually tried to create my own cron job to do this. This is way easier, so definitely go that route. But you know, early on we enabled the SSH service, but there are times where I've found, depending on what I've installed, there's other services running. We don't want services just hanging out in the background, right, so we want to turn those off.

Absolutely. So when you go to download Raspbian there are actually three different versions of it. There's a workstation version, there's a server that's got a ton of stuff, and then there's a minimal install. I always use the minimal install, because then I just add the pieces that I need, so it's pretty streamlined. But if you grab the desktop install, for example, it's got a GUI and all sorts of other components. It likely has stuff you don't need, and if you don't need something but it's running, that makes you vulnerable. Why? It increases your attack surface. So you should identify the stuff that you don't need and get it turned off. One way you can do that is by using the systemctl command. If I do... actually I need sudo for this... you can just say systemctl --type=service. If you run that, that will give you a list of all of the services that are installed on your Raspberry Pi, and you can see their status, whether they're active or not. You know, it can be a big list, and so sometimes I filter it a little more and say, you know what, just show me the ones that have a state of active, so I'm gonna add --state=active. If something's disabled I don't care, it's disabled, right, so that'll filter it out a little bit. But I can look down this list and try and find things that I may or may not need. So for example, the alsa-state service is running. ALSA is a sound card driver. Well, this is a little mini server for me, it doesn't make sounds, I don't need a sound card driver. I could turn that off to help reduce that attack surface. Bluetooth, I'm not using Bluetooth on mine, so I can turn that off. You'll find a lot of things in here that you may or may not actually be using. They can make a big difference, and for me Bluetooth is one of the big ones. If I'm not using it I'll typically turn it off; you can do that through the raspi-config command as well. A few other things in here like rsyslog. I like rsyslog because I can export my logs to another, like a centralized, server, but if I'm not doing that it is just one extra process that's running. So go through here, take a look, and when you find a service you don't need all you're gonna do is say sudo systemctl disable and then the name of the service that you don't need. I'm not using Wi-Fi, so I'm going to disable the wpa_supplicant.service, and so when I disable that you'll see it removes the links for it, systemd stops it, and now that's not gonna be loaded with my system anymore. When I power on next time I'm not gonna have any wireless support, and if I change my mind and I want it back again I can always just come back in and do the same thing but with enable and turn it back on. So you can't really hurt yourself too bad, unless you, I don't know, lock yourself out of the machine.

And this is one of those things where disable is a little bit different than stop, because disable is actually going to stop it but also remove it from turning on on a restart, right?

True. So I actually don't use stop anymore. Well, if I'm doing something like this, if I want it to be permanent, what I'll usually say is, like, enable --now, and that says I want it to turn on when I boot up but I also want it to turn on right now. Okay. Or disable --now: I don't want it to turn on when I reboot and I want it to turn off right now. So you can kind of knock it all out in one command.

Yep. Okay. All right, so let's see, we talked about system updates, we talked about unused services and getting rid of those. There is one service that I really like to have but don't by default on a Raspberry Pi, and that's a firewall. Justin, you mentioned that when you heard about that map that was brought up, you scanned the network and found it, right? What did you find when you scanned it?

It had a very particular... it was like METAR saga. Oh well, that's probably... if I knew anything, right, I knew about devices and I was looking for those, that's an immediate, "Hey, I think I could go find a document or a manual that might have default creds." It's kind of like finding a Linksys or a Netgear router that has default creds. Boom. I mean, so I shouldn't just be able to hammer it with traffic like that.

The MAC address of the device gives it away as being a Raspberry Pi too. They're pretty easy to spot on the network if you're looking for them, so if we want to protect them a little further we should turn on a firewall. A firewall will help to prevent people from accessing it and give you a little control. The thing is, though, we don't want to go crazy with the firewall, because it can really make it difficult to get, you know, custom open-source software running through it, so I recommend using a simple firewall. Actually, no matter what firewall you use, most of them are just using netfilter, the netfilter service in Linux, so they all kind of use the same technology under the hood; it's just the interface that's different. There's one called ufw, or the Uncomplicated Firewall. It's small, it's easy to install, and it's simple to use. So if I want to restrict my system... right now I'm just running SSH and that's it, I want to block everything else, I don't want other people scanning me. Well, you know, if I did a netstat -an and looked at everything that was on my system, or maybe if I filtered it to listening, I've got several things that are listening right now, like my journaling system, looks like the system bus is doing its thing, dhcpcd is listening. I've got several ports that are open that people could potentially connect to my Raspberry Pi with. So I'm gonna install ufw to take care of that. I'll say sudo apt install ufw -y, so I'm gonna install the Uncomplicated Firewall, and once it's installed it's not actually working yet, right. That installs the tooling, and then what I'm gonna do is configure a few basic rules, and once I've got the rules in place then I'll turn it on. Be careful with this. I'm SSH'd in right now; if I configure this wrong I could lock myself out. So it's a good idea to be physically connected to the Raspberry Pi when you configure it, or be able to be physically connected.

Yeah, I have to admit I've locked myself out. The order of this is very important, so pay attention.

Yeah, absolutely. So I've installed it, so now what I'm gonna do... I'm not gonna turn it on yet, right. I'm gonna say sudo ufw allow, and I'm gonna tell it what I want to allow. I want to allow 22/tcp. SSH uses TCP port 22, so I'm gonna be allowing that. Now I could stop right there, but I like to add a comment so I can remember what the stuff is. So I can... whoops, oh darn it... in quotes I'll put SSH, or spell it wrong. I spelled an acronym wrong. SSH is what I'm gonna put in there, and that way I can remember what this rule is. You know, as you add more and more ports, maybe I've got a custom web server running on port 8080, so I might want to come in and say that I want 8080/tcp, and for the comment I put, like, "Don's experimental web server" or whatever, so I can just remember why I even made that. Comments are really handy. Okay, whoops, oh, it's not gonna like my little single quote, let me get rid of that. There we go. And so now I've got that rule in place, and you can see your rules by doing a sudo ufw status. Oh, actually, since mine's not running it's probably not gonna do it. Yep, it's not gonna show me. But I put the rules in place and I have allowed SSH in, which is good, right. So if I turn this firewall on I should be pretty safe, unless I messed up the rules. So I'm gonna do a sudo ufw enable and that's gonna turn it on, okay, and I'll say yes. It's warning me it might disrupt your connections. The reality is, if you already have an SSH connection open it's pretty rare that it'll interrupt you, but if you disconnect, when you reconnect, that's when you'll end up with a problem. So it looks like I'm okay. I'm gonna do a sudo ufw status and there's my rules. I can see that port 22 and port 8080 for IPv4 and IPv6 are both on, there's my comments, looks good. I'm gonna open up another window and I'm gonna try and SSH in just to make sure I can still get in. This is really the proof of whether or not I'm able to get in, and it looks like I am, because I got prompted for a password and I'm in. Okay, so my firewall rule is good, I didn't lock myself out, that's nice. So ufw, easy to turn on, you can add whatever software you want to it, and now when somebody scans your system they will only see the ports you want them to.

Just a quick reminder: if you add any services, maybe you set up a mail server, whatever, make sure to update your firewall rules, or you'll be trying to figure out why things aren't working. Speaking of SSH, I know that sometimes needs to be locked down a little more, just because it ends up being this attack surface that's maybe unnecessary, or you're allowing brute forcing and things against it. We should probably address that, right?

That's right, Justin. If somebody's scanning, they're still gonna find SSH. They know it's a Raspberry Pi, they're gonna try that pi user, usually brute-forcing passwords to get in. I want to restrict that. Even worse, maybe I need that pi user to still be active because some service depends on it, so I couldn't lock it earlier. Well, I don't want to allow pi to SSH in. I just want to allow me, dpezet, to log in and that's it. So we can come in and restrict that too. Let me show you how that's done. What we're going to do is modify our SSH configuration. So I'm going to use the sudoedit command and I'm gonna edit /etc/ssh/sshd_config, and in that file you'll see a lot of information about SSH and its configuration. You'll see the port number; some people will change the port number so that it's harder to find SSH, but that's really just security through obscurity, I don't normally worry about that one. But you will find an authentication section, and here's where you can say, like, I don't want to do password authentication, I just want to do certificate authentication, and things of that nature. Certificate authentication is really not that hard to set up, but it is a little bit of overkill for a maker project, typically. But one thing I'll do is I'll come in and add an entry that says AllowUsers, and then I'll specify what users are allowed to SSH in. In this case I'm gonna say dpezet. If I had more than one user, like I want to allow Justin, I would just say comma Justin and continue to add to that list. By just putting me, I'll be able to SSH in, the pi user can't, any other user can't. I'm now the only one who's allowed to use SSH. So I'll go ahead and save that file, and that doesn't take effect until I restart SSH, so that'll be a piece. But before I do that there's another thing I can configure. I'm still allowed to use SSH, so what if somebody knows my account? You all watching know I'm using dpezet, so you can try and brute-force my account. So it would be a good idea to set up some brute force detection. I'm gonna install a service called fail2ban. I'll say sudo apt install fail2ban, fail, the number two, ban, and I'll do a -y. So that's going to install, and what fail2ban does is it watches the log files on your system, and if it sees somebody continually failing to log in it can add a firewall rule to block their IP address. So if somebody gets it wrong five times in 60 seconds or something like that, they get blocked at the IP level and now they're not able to access your system at all. It's a great way to protect things and it's super easy to do. Once it's installed you need to edit its configuration, so I'm gonna do sudoedit /etc/fail2ban/jail.local. All right, jail.local is where you put your configuration. Don't modify the other configuration files, because they get erased whenever you do an update, and that stinks, to lose your config. So here we define exactly what we want to do, and so I'm gonna start off with my default values. So I'll just type DEFAULT in square brackets. I'm gonna say bantime = 1h; if somebody gets banned I want to hold them out for an entire hour, that will usually stop a brute force. And then I'll say banaction = ufw. This line is really important, because the default action in fail2ban is to use firewall-cmd and the regular firewall service to stop it, but on a Raspberry Pi we don't have that, so we need to use ufw for it. Then I can tell it the service I want to protect. I'm gonna protect sshd, and under [sshd] I'm just gonna say enabled = true, and that's it. fail2ban is SSH aware. You can use this with HTTP, SMTP, you know, your various mail protocols, you can protect each of those, FTP, SFTP, all the above. It can do brute force detection on any one of them. So once that's in place I can get out of that configuration, and now we can just do the sudo systemctl restart... or actually I need to do an enable --now fail2ban, and so we're gonna get that one turned on. And then once that one's on I can do a sudo systemctl restart sshd and restart that one. Now notice I restarted SSH and I'm still connected. That goes back to something I mentioned earlier, which is a lot of these changes don't affect existing SSH connections. So before I mess around any more I'm gonna open up a second window and make sure that I can still SSH into the Raspberry Pi, and I can see that I can, I'm in there right now. I'm gonna try and brute-force it. So I'm gonna try and SSH in, but this time I'm gonna type a wrong password, and so that's gonna fail. Eventually I'll try it again and that's gonna fail, and if I get it wrong enough times I'm gonna trigger the brute force warnings and it's gonna create a firewall rule to lock me out. Now that's gonna actually lock me out of the Raspberry Pi for an hour, which is going to really kind of designate the end of this show. But right there, so I just got the password wrong a fifth time, and that triggered it, and so now a firewall rule has been put in, I've been blocked out. So I know that's working, I can't communicate, and back here this session is dead as well. Firewall rules are way more effective at shutting this stuff down than modifying SSH, but at this point SSH is pretty secure.

All right, Don, it looks like our Raspberry Pi... we've really started to lock it down, to harden it up a little bit. Especially if it's just lying around the office, we should probably take care of this, man. Now this is not the end-all be-all, but this is the majority use case, right, Don?

Absolutely. So some of the things we talked about here: we created a separate user account for us and disabled the pi user, we modified SSH to only allow us to use it, we installed a firewall to protect us, and we configured automatic updates. And between all of those things, that is going to protect you from the bulk of attacks that are out there that target IoT devices like these. Now you can still totally blow your security game out of the water and ruin everything by installing crappy software, so be aware of that, right. You know, the device is only as secure as the software we put on it, but the steps that we just took are gonna secure at least the Linux distro part of it about as well as we're gonna get.

Well, Don, it's been a great Pi Day, and hopefully you go out and find some Raspberry Pis to lock down, secure, and celebrate 3.14. And make sure you subscribe, right, you need to do that. We'll see you next time, but definitely stay tuned, we've got more ITProTV coming at you. Thank you for watching. We'll see you.
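The files the episode edits by hand, as an added example (not ITProTV's or the Raspberry Pi project's code): a bash script that renders the sudoers entry, the Raspbian unattended-upgrades origins, the fail2ban jail.local and the sshd AllowUsers line into a target directory, audits the result, and checks that an account is really locked the way passwd -l leaves it. It assumes the admin account name dpezet from the episode, Raspbian Buster paths, ufw and fail2ban installed as shown, and the Raspbian apt origin labels in the heredoc, which you should compare against your own apt-cache policy output.

```bash
#!/usr/bin/env bash
# Example for this page, not ITProTV's code. Renders the hardening config into
# a target root (default: a temp dir, so it runs unprivileged for review) and
# audits it. Assumptions: admin user dpezet, Raspbian Buster layout, ufw and
# fail2ban installed, Raspbian origin labels as published (verify locally).
set -euo pipefail

ADMIN_USER="${ADMIN_USER:-dpezet}"

# Passwordless sudo for the admin only: the NOPASSWD:ALL entry from the episode,
# but as a sudoers.d drop-in so /etc/sudoers itself stays untouched.
render_sudoers() {
  local f="$1/etc/sudoers.d/010_${ADMIN_USER}-nopasswd"
  mkdir -p "$(dirname "$f")"
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$ADMIN_USER" > "$f"
  chmod 0440 "$f"
  # sudo silently ignores a drop-in with bad syntax; check it when running as root.
  if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
    visudo -cqf "$f"
  fi
}

# unattended-upgrades ships matching Debian origins only. apt.conf lists are
# cumulative across apt.conf.d, so a drop-in appends the Raspbian origins
# without editing the packaged 50unattended-upgrades as the episode does.
render_unattended_upgrades() {
  local f="$1/etc/apt/apt.conf.d/52unattended-upgrades-raspbian"
  mkdir -p "$(dirname "$f")"
  cat > "$f" <<'EOF'
// Origins published for Raspbian; compare with `apt-cache policy` before use.
Unattended-Upgrade::Origins-Pattern {
        "origin=Raspbian,codename=${distro_codename},label=Raspbian";
        "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
};
EOF
}

# fail2ban: one-hour ban enforced through ufw, watching sshd.
render_fail2ban() {
  local f="$1/etc/fail2ban/jail.local"
  mkdir -p "$(dirname "$f")"
  printf '[DEFAULT]\nbantime   = 1h\nbanaction = ufw\n\n[sshd]\nenabled = true\n' > "$f"
}

# sshd: only the admin may log in, so pi is refused even if that account had to
# stay unlocked for some service. Appended once only (idempotent).
render_sshd_config() {
  local f="$1/etc/ssh/sshd_config"
  mkdir -p "$(dirname "$f")"; touch "$f"
  grep -q '^AllowUsers ' "$f" || printf 'AllowUsers %s\n' "$ADMIN_USER" >> "$f"
}

render_all() {
  render_sudoers "$1"; render_unattended_upgrades "$1"
  render_fail2ban "$1"; render_sshd_config "$1"
}

# Post-change audit: names every failing check and returns non-zero if any fails.
audit_root() {
  local root="$1" rc=0
  local sshd="$root/etc/ssh/sshd_config" jail="$root/etc/fail2ban/jail.local"
  grep -Eq "^AllowUsers( [^ ]+)* ${ADMIN_USER}( |$)" "$sshd" \
    || { echo "FAIL: AllowUsers does not include ${ADMIN_USER}"; rc=1; }
  ! grep -Eq '^AllowUsers( [^ ]+)* pi( |$)' "$sshd" \
    || { echo "FAIL: pi is still allowed to SSH in"; rc=1; }
  grep -Eq '^banaction *= *ufw' "$jail" \
    || { echo "FAIL: fail2ban is not banning through ufw"; rc=1; }
  return "$rc"
}

# True when USER's entry in a shadow-format file is locked: passwd -l prefixes
# the hash with '!', and '*' means no usable password. Takes the file path so
# it can run against a constructed sample instead of the real /etc/shadow.
account_locked() {
  local hash
  hash=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$1")
  case "$hash" in
    '!'*|'*') return 0 ;;
    *)        return 1 ;;
  esac
}

main() {
  local root; root="${1:-$(mktemp -d)}"
  render_all "$root"
  audit_root "$root" && echo "rendered and audited under $root"
  # Constructed shadow sample: pi locked with passwd -l, admin still active.
  local sample; sample=$(mktemp)
  printf 'pi:!$6$salt$hash:18000:0:99999:7:::\n%s:$6$salt$hash:18000:0:99999:7:::\n' \
    "$ADMIN_USER" > "$sample"
  account_locked "$sample" pi && echo "pi account is locked (sample)"
  rm -f "$sample"
}

main "$@"
```

Run it with no argument to review the rendered files in a temp directory, or with / as the argument on the Pi itself (as root) to write them in place, then restart sshd and fail2ban as in the episode.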
Info
Channel: ITProTV
Id: ukHcTCdOKrc
Length: 28min 36sec (1716 seconds)
Published: Wed Mar 11 2020