On a recent project I am involved in, there will be a Raspberry Pi (running Raspberry Pi OS) with a public IP address, accessible from the Internet and always on. It will be the front-end of a power converter, providing communications, diagnostics and control. The system must be low maintenance, run up-to-date software versions and be very well protected. I have grouped the various tips below.
1) OS Settings
- The OS has a default user called "pi" (with a default password as well). This is well known, so many automated attacks try the "pi" username over SSH with various passwords. Disabling and removing this user (after first creating a different administrator account with sudo access) limits the exposure to this attack.
- An even better approach is to replace password authentication with a public/private key pair. The two authentication methods can be active simultaneously, but it is better still to disable password authentication entirely.
- The Raspberry Pi has the SSH service disabled by default. However, SSH is essential for remote control of the Pi, so it is usually enabled by the user. Changing the default port (using a port other than 22) limits the exposure to automated attacks. This is done via the sshd_config file.
- Similarly, the ports of other services (e.g. FTP) can be changed to limit exposure.
2) Firewall
- The use of a firewall is essential: it acts as a first line of defence and can block many attacks. Iptables is the most commonly used firewall on UNIX-like systems and is very versatile.
- The default policy for all incoming connections should be "DROP". A "DROP" action silently discards the incoming packet, with no message back to the sender (unlike "REJECT", which answers with an error).
- With Iptables, ping responses can be blocked. This reduces the visibility of the machine on the Internet to anyone who does not already know its address.
- Another capability of the firewall is limiting the visibility of ports based on the source IP address. Access can be restricted to static IP addresses or groups of addresses, for example those belonging to companies or countries.
- Iptables can also limit the number of simultaneous connections to a specific port (with the "connlimit" match). This can be used to protect the server from DoS attacks.
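Added here as an illustration (not code from the original post): a POSIX shell function that emits the rule set described above in iptables-restore format. The SSH port 2222 and the admin network 203.0.113.0/24 (a reserved documentation range) are constructed placeholders; the port must match the Port directive in sshd_config.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for the Pi: default DROP on INPUT, no ping
# replies, SSH reachable only from an admin network on a non-default port, and
# a connlimit cap on SSH to blunt connection-flood DoS attempts.
# $1 = SSH port (must match "Port" in sshd_config), $2 = admin network in CIDR form.
build_rules() {
    ssh_port="$1"
    admin_net="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the Pi itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop ICMP echo requests explicitly (the DROP policy would already do it; this
# makes the intent visible and gives a per-rule hit counter in "iptables -L -v")
-A INPUT -p icmp --icmp-type echo-request -j DROP
# SSH: more than 3 concurrent connections from one source address are reset
-A INPUT -p tcp -s ${admin_net} --dport ${ssh_port} -m connlimit --connlimit-above 3 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# SSH: new connections are accepted only from the admin network
-A INPUT -p tcp -s ${admin_net} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage (as root): build_rules 2222 203.0.113.0/24 | iptables-restore --test
# validates the syntax; drop --test to apply, and save the output to
# /etc/iptables/rules.v4 so iptables-persistent reloads it at boot.
```

Validate and apply the rules from a session on the admin network itself, since a typo in the CIDR would lock out the only permitted SSH source.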
3) Docker
- Docker containers provide multiple benefits (e.g. flexibility, consistency, fast deployment).
- Another major benefit, in terms of security, is isolation. A container providing a single service sees only its own (limited) filesystem.
- The rest of the machine's filesystem and services are not visible externally through a given port. Containers must be explicitly linked to each other in order to provide a connection interface between them.
- Docker Compose can be used to group all of the containers in a stack, so that actions are performed on all the containers at once.
4) Automatic updates
- The Raspberry Pi OS uses APT to update the installed packages. The easiest solution for automatic system updates is to create a cron script to do an automatic update and upgrade periodically.
- An even better approach is to use the unattended-upgrades package. It uses a similar approach (a periodic check for updates) but is much more customizable.
- For Docker containers, a similar approach is possible via docker-compose: pull the up-to-date images and recreate the containers from them. This can again be done via a cron script.
- The Diun container checks the versions of all the installed containers. It then notifies the administrator via multiple notification methods if there is an update for a container.
5) Miscellaneous
- Another tool to protect against brute-force attacks is fail2ban. The combination of non-default ports and SSH key authentication instead of passwords already reduces significantly the exposure to a brute-force attack. The fail2ban tool continuously monitors the server logs, searches for repeated failed attempts, and then blocks the offending IP address via Iptables.
- Since the system will not be maintained and checked regularly, an alert system for system events must be implemented. The easiest way is to use shell scripts that send, for example, e-mails on major system events (e.g. reboot, login via SSH).
- The Raspberry Pi includes a Hardware Watchdog. This can be used to reset the system in case of a kernel freeze.