@GitHeld
Forked from boseji/Rapi-Secure.md
Created January 31, 2023 23:01
Securing the Raspberry Pi

Protect your Network

pi@raspberrypi:~ $ sudo nano /etc/sysctl.conf

Although these settings already appear in the file, the lines are still commented out. Un-commenting them enhances security.

Modify the following lines (un-comment them, or add them if they are missing).

...

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

...

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
...
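As an added example (not part of the original gist), a POSIX shell function that audits whether the values above are actually in effect: pass it the output of `sysctl -a` and it reports every key that is missing or differs from the hardened value. The key list is taken from the file excerpt above; the sample input at the end is constructed.

```shell
#!/bin/sh
# Added example, not part of the original gist: audit the sysctl hardening
# values recommended above. Pass it "key = value" text, e.g. the output of
# `sysctl -a` (or an uncommented sysctl.conf), and it prints every key that is
# missing or set to something other than the hardened value.
# Returns the number of keys that failed (0 means fully compliant).

# Hardened values taken from the sysctl.conf excerpt above.
EXPECTED='net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0'

audit_sysctl_hardening() {
    # Normalise the input: strip leading blanks, drop comment lines,
    # and remove whitespace around '=' so "a = 1" and "a=1" compare alike.
    input=$(printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e '/^#/d' \
                                    -e 's/[[:space:]]*=[[:space:]]*/=/')
    failures=0
    for want in $EXPECTED; do
        key=${want%%=*}
        val=${want#*=}
        # Last assignment wins, as it does when sysctl reads a config file.
        got=$(printf '%s\n' "$input" | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $val)"
            failures=$((failures + 1))
        elif [ "$got" != "$val" ]; then
            echo "BAD     $key=$got (expected $val)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample: rp_filter was enabled, but the redirect lines were left
# commented out and send_redirects is still on.
SAMPLE='# Do not accept ICMP redirects (prevent MITM attacks)
# net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 1'

audit_sysctl_hardening "$SAMPLE" || echo "audit: $? key(s) not hardened"
# On the Pi itself: audit_sysctl_hardening "$(sysctl -a 2>/dev/null)"
```

Running it against the constructed sample reports five keys (two rp_filter keys pass, send_redirects is wrong, and the four redirect/source-route keys are absent).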

Setup Firewall

Install Uncomplicated Firewall (UFW), an easy option for Raspberry Pi users.

pi@raspberrypi:~ $ sudo apt -y install ufw

Once installed, you have to configure and tune the firewall to your own needs. In any case, deny all incoming connections by default as described below:

pi@raspberrypi:~ $ sudo ufw default deny incoming

You may, for example, allow SSH access only from your local network. The command below illustrates that; note that you have to replace xxx.yyy.zzz with your own local network prefix.

pi@raspberrypi:~ $ sudo ufw allow from xxx.yyy.zzz.0/24 to any port 22 proto tcp

Enable all access from a particular IP. This is important while configuring the rules, since a wrong rule could otherwise lock you out. Typically the IP of the PC you are working from is given this exception, so you can still get in and fix errors in the rules. Because it grants that host unrestricted access, remove the rule once the rule set has been verified, and keep in mind that no rule is enforced until UFW itself is enabled.

pi@raspberrypi:~ $ sudo ufw allow from xxx.yyy.zzz.www

Enable Logging

pi@raspberrypi:~ $ sudo ufw logging on

To check Public IP ports

Use the HideMy.Name service https://hidemy.name/en/ports/

It reports which ports are currently open on a given IP address.

This helps to determine whether the network is externally exposed to attack. Note that such a scan sees your public address, i.e. the router or NAT edge; the Pi itself is only reachable through ports that are forwarded to it.

Raspberry Pi Networking Cookbook Online

Free book about network administration on Raspberry Pi

Computer expert or enthusiast, this cookbook will help you use your Raspberry Pi to enhance your existing network. From sharing media across devices to deploying your own web portal, you’ll be amazed at what can be achieved. By Rick Golden

https://www.packtpub.com/mapt/book/hardware-and-creative/9781849694605
