UPDATE - Seems it was worth while to go through this security as since opening the Raspberry Pi 3 to the internet many attempts from China and America have been made to gain access.
Firstly I am no security expert, these methods here are just what I would personally consider using. Not sharing your IP address everywhere is a good place to start.
Just be aware the methods we are going to go through in this post will not make the Raspberry Pi 3 hacker proof, we have already given permissions that lowered our security when setting up our web server.
Why anybody would want to hack an Aquaponics monitoring system? I am not quite sure.
I would recommend to research the subject of security a bit more than just what is below, or just get good at making backups.
Here are the security improvements we will consider.
Part 1
- Changing SSH port - This will only change the port your SSH is open on, port scanning can be done with ease, just from a web browser and will show which ports are open on any IP address. This may stop bots that scan the internet attempting connections to standard ports with default passwords getting lucky by changing this.
- SSH Keys, password log in off - This uses a file as a key to unlock the Raspberry Pi 3 allowing us to switch off password based logins. Using this goes some way to disallowing attempted brute force or dictionary attacks on your system. More effort is required than just remembering a password, as each device we want to connect to the Raspberry will require the correct private key file transferring over.
Part 2
- Firewall (in this case UFW for ease of use) - A Firewall is basically essential to close all ports that are not being used and stop any outside traffic attempting to connect that is unwanted. While I will look at UFW (Uncomplicated firewall), if you think you need something a bit more advanced check out iptables.
- Fail2ban - Nice and simple this, I like it. Basically fail2ban will ban an IP address for a set amount of time, after a set amount of failed attempts. Potentially reduce the amount of attempts a bot or hacker would have to break in to your system. Though it is not difficult to spoof an IP address and you could lock yourself out of your own system remotely if you make mistakes using this.
Changing SSH Port
Nice and simple one this, log in to the Raspberry Pi 3 and type in the terminal
sudo nano /etc/ssh/sshd_config
This will open the file sshd_config in nano, using the arrow keys move down to the line where it says Port 22 and change the port number to the number we want use, do not use any port number that is already is use.
Once we have changed the port number to what we desire, we will need to restart SSH by typing in the terminal
sudo service ssh restart
That is it. Now if we SSH in using our preferred SSH client, we will need to use the new port number just set up as the old port 22 will not work. Reversal of this is just a case of changing the Port back to 22 and restarting SSH.
SSH Keys
To do this we are going to have to generate some keys using a small program PuTTY Key Generator or Puttygen for short, you can download it from here, look for the file name PuTTYgen or puttygen.exe.
Once downloaded, open it up and you will be presented with something similar to the screenshot below.
Click on the Generate button.
We have to move our mouse around in the grey empty space to generate some randomness, just keep doing it until the bar fills up.
When the bar is full we will be given our keys to save. Copy all the Public Key text to the clipboard and then save the private key by clicking the save private key button. Save the Private key to the desktop or alike for easy finding later.
Next we need to get the public key file in to the correct place on the Raspberry Pi 3, it is still in our clipboard.
SSH in to your Raspberry Pi 3, and in the terminal type
mkdir -p ~/.ssh
Next type in to the terminal
cd ~/.ssh
In the terminal type
sudo nano ~/.ssh/authorized_keys
Paste the Key we copied, in to this file and the press Ctrl+x, follow by y and enter to exit.
Our key is saved, lets make it usable, in the terminal type
sudo chmod 644 ~/.ssh/authorized_keys
Followed by
sudo chown pi:pi ~/.ssh/authorized_keys
And then
sudo chmod 700 ~/.ssh
A restart of SSH is now needed, type in
sudo service ssh restart
Now open another instance of PuTTY on your Windows machine. Enter the details for the Raspberry Pi 3 session but, one difference here is we will need the private key if we want to use our new SSH key when we connect.
With our session settings set, click on the + next to SSH bottom left in the Category panel and then click on Auth, also highlighted red below is where we browse to our private key and select it.
Private Key selected? Session settings set? Click open and we will be presented with the by now, familiar screen below.
Enter the user id to log in, in this case 'pi' and press enter, notice the difference? No need to enter a password (unless you set one on the key).
With the key set up, there is no need for password logins any more, your not going to lose the key right?! I personally prefer to just use passwords. But lets look out how to turn password log ins off.
Turn Password Login and Root Login Off
In the terminal type
sudo nano /etc/ssh/sshd_config
We need to amend the text below on to the end of the file that opens up in nano.
UsePAM no
PermitRootLogin no
AllowUsers pi
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
You may have noticed that the text above also disables the ability to log in directly as the root user. We need to restart SSH again
sudo service ssh restart
Now if an attempt to log in to the Raspberry Pi 3 is made without a key, the error message below will show and if we use the wrong key we will be denied access. If you are going to use this then its a good idea to back up your private key. To connect from an other device will also require the correct key now.
To reverse all of that SSH Key stuff above is just a case of deleting everything we have added, particularly the key in the authorized_keys file and the amendment we made to the sshd_config file.
To use the key with an android device first open the private key in puttygen then save it as a Openssh .pem file (Conversions>Export OpenSSH), upload it to your device and add it to the indentity used to connect to the Raspberry Pi 3 using JuiceSSH
To use the key to connect with WinSCP you will need to select it in the advanced settings when creating a connection.
To use the key with an android device first open the private key in puttygen then save it as a Openssh .pem file (Conversions>Export OpenSSH), upload it to your device and add it to the indentity used to connect to the Raspberry Pi 3 using JuiceSSH
To use the key to connect with WinSCP you will need to select it in the advanced settings when creating a connection.
That is the end of part 1 in part 2 we will cover UFW (Uncomplicated firewall) and the popular fail2ban.
Thanks for reading, did that work for you? Any question comments or ideas? Leave it below!
Show support for aquaponicpi and like the Facebook page!
Click on the icon below to be taken to aquaponicpi on Facebook!
No comments:
Post a Comment