Securing Home Server Based on Raspberry Pi against Dark Hacks

Introduction

In this article, I will show you how to defend a Raspberry Pi home server against dark hacks. What exactly will we do?

  • SSH connection
  • Connection using public / private key
  • Firewall settings
  • DoS attack and brute force attack countermeasures
  • Use free DNS
  • Accessing Raspberry Pi in your house from an external network, etc.

Let’s get started

Add new users to Raspberry Pi

By default the pi user exists, and if it is left as it is, attackers who target the well-known pi user may break into the Raspberry Pi. So add another new user, grant it sudo privileges, and delete the pi user. Log in as the new user before deleting pi: userdel refuses to remove an account that is still logged in.

$ sudo adduser [username]
$ sudo usermod -aG sudo [username]
$ sudo userdel -r pi

✏️ The -a in usermod -aG appends the sudo group; -G on its own would replace the user's existing supplementary groups. By adding -r to userdel, the home directory /home/pi is also deleted.

Enable SSH connection

$ sudo raspi-config

Open the settings screen with this command, select Interfacing Options -> P2 SSH, and you will be asked whether to enable SSH. Select Yes. The change is applied after a reboot.

Public / private key generation

Now work on the client side (the machine you will connect to the Raspberry Pi from). Do not generate the key pair on the server side.

ssh-keygen -t rsa -f [file_name]
Generating public / private rsa key pair.
Enter file in which to save the key (/Users/[username]/.ssh/id_rsa):

Command explanation:

  • -f [file_name]: if omitted, id_rsa (private key) and id_rsa.pub (public key) are generated with the default file names.
  • Put the generated files under ~/.ssh.

Simply pressing Enter to accept the default path is also fine.

Next, you will be asked to enter a passphrase, so enter one. It is possible to press Enter without entering anything, but this time the purpose is to strengthen security, so set a passphrase.

Change the permissions of ~/.ssh to 700 and of the generated private and public key files to 600.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub

The public key will be sent to the Raspberry Pi.

scp [file to send] [user name]@[host address of Raspberry Pi]:[destination directory]

If the file to send is id_rsa.pub, the user name is hydro_boo, the host is 10.21.21.212, and the destination directory is ~/.ssh/, the command is as follows.

scp id_rsa.pub hydro_boo@10.21.21.212:~/.ssh/

By the way, if you do not specify the destination, it will be sent to the home directory of the hydro_boo user.

Change SSH configuration file

The file to edit here is /etc/ssh/sshd_config.

Change the port number and disable root login. Also set up authentication with the private/public key pair here.

Please refer to the following for the settings.

Port 50230
PermitRootLogin no
# RSAAuthentication is a protocol-1-era option that current OpenSSH ignores (it only prints a deprecation warning)
RSAAuthentication yes
PubkeyAuthentication yes
# the public key file copied with scp above; the conventional name for this file is authorized_keys
AuthorizedKeysFile %h/.ssh/id_rsa.pub
PasswordAuthentication no

The settings take effect after restarting the ssh server with

sudo systemctl restart ssh

or

sudo /etc/init.d/ssh restart

You can choose the port number as you like, but basically pick a number from 0 to 65535. It must be the same number you allow in the firewall rules and forward on the router, and it should not be in use by another service. Keep your current session open until you have confirmed that a new connection on the new port works, so a mistake does not lock you out.

Firewall settings

The firewall settings use a packet filter called iptables. iptables is a packet filter that comes as standard in most Linux distributions, but unfortunately it is not installed on the Raspberry Pi. The configuration is a little difficult to understand, but it is recommended to use it actively because its functionality is comparable to commercial products.

First, install iptables. After installation, please reboot to load the new kernel module.

$ sudo apt-get install iptables iptables-persistent

This command shows the current iptables rules; right after installation there should be nothing configured.

$ sudo iptables -L

Next, use this command to create a text file for writing the filtering rules. Note that the redirection happens in your own shell, so it must run under sudo as well, or the write to /etc/iptables is denied:

$ sudo sh -c '/sbin/iptables-save > /etc/iptables/rules'

We will add the rules below to /etc/iptables/rules.

Explanation of the added rules:

  • The -A prefix of every rule means "append a rule"; -D would delete one. Allow connections on the local loopback interface, and reject packets addressed to the loopback range 127.0.0.0/8 that arrive on any other interface.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
  • Allow packets that belong to already established connections, and related ones.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • Allow all outbound traffic.
-A OUTPUT -j ACCEPT
  • Allow new TCP connections to the new SSH port 50230.
-A INPUT -p tcp -m state --state NEW --dport 50230 -j ACCEPT
  • Limit log entries to 5 per minute. This keeps the log usable under attacks that involve a lot of access, such as DoS attacks and brute force attacks. Packets that reach this rule are recorded with the identifier "iptables denied: ", and you can see the log with the dmesg command. LOG itself does not drop anything, so this rule must be the last one and the INPUT chain's default policy must be DROP (or a DROP rule appended after it) for the logged packets to actually be denied.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  • Use this command to apply the settings. It asks you to confirm within a few seconds and reverts automatically if you do not, which protects you from locking yourself out. Note that iptables-persistent restores /etc/iptables/rules.v4 (not /etc/iptables/rules) at boot, so save the rules there as well if they should survive a reboot.
sudo /usr/sbin/iptables-apply /etc/iptables/rules
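The following script, added here as an example and not part of the original article, ties the sshd_config and firewall steps together: it reads the Port from an sshd_config, checks the hardening directives set above before you restart sshd, and prints a complete /etc/iptables/rules file for that port with a default DROP policy so the LOG rule really records denied packets. The function names sshd_opt, check_sshd_config and make_rules are my own; it assumes POSIX sh with awk.

```shell
#!/bin/sh
# Added example, not from the original article: read the SSH port from an
# sshd_config, verify the hardening directives set above, and print a complete
# /etc/iptables/rules file (iptables-save format) that only admits that port.
# Assumed: POSIX sh with awk. Function names are my own.

# Print the value of the first uncommented occurrence of a directive; sshd
# itself uses the first match, so later duplicates are ignored here too.
sshd_opt() {  # $1 = config file, $2 = directive name
    awk -v k="$2" 'tolower($1)==tolower(k) && !seen {v=$2; seen=1}
                   END {print v}' "$1"
}

# Return 0 only if the config matches the article's settings and the port is
# a usable number, so you do not restart sshd into a configuration that
# locks you out.
check_sshd_config() {  # $1 = config file
    [ "$(sshd_opt "$1" PermitRootLogin)" = "no" ] || return 1
    [ "$(sshd_opt "$1" PasswordAuthentication)" = "no" ] || return 1
    [ "$(sshd_opt "$1" PubkeyAuthentication)" = "yes" ] || return 1
    _port=$(sshd_opt "$1" Port)
    case "$_port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ]
}

# Emit the ruleset. INPUT defaults to DROP, so anything not accepted before
# the LOG rule is logged (rate-limited) and then dropped by the policy.
make_rules() {  # $1 = SSH port
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport $1 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
EOF
}

# Typical use on the Pi (as root): check first, then write the file that
# iptables-persistent loads at boot.
#   check_sshd_config /etc/ssh/sshd_config && \
#     make_rules "$(sshd_opt /etc/ssh/sshd_config Port)" > /etc/iptables/rules.v4
```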

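A small log summariser, added here as an example and not from the original article, that counts the "iptables denied: " entries written by the LOG rule above per source address and destination port, which is what you actually want to see when you look at dmesg after a scan or brute force attempt. The summarize_denied function name and the SAMPLE_LOG lines are constructed by me; it assumes POSIX sh with awk and sort.

```shell
#!/bin/sh
# Added example, not from the original article: count "iptables denied: "
# log lines per source IP and destination port. Feed it `dmesg` output or
# /var/log/kern.log on stdin. Assumed: POSIX sh with awk and sort.
summarize_denied() {  # stdin: log lines; stdout: "count src_ip dport"
    awk '
    /iptables denied: / {
        src = ""; dpt = ""
        # the kernel LOG target writes KEY=VALUE tokens; pick SRC= and DPT=
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") hits[src " " dpt]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

# Constructed sample lines in the shape the LOG target produces (MAC shortened).
SAMPLE_LOG='[ 1234.5] iptables denied: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=10.21.21.212 LEN=40 PROTO=TCP SPT=54321 DPT=22 SYN
[ 1235.1] iptables denied: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=10.21.21.212 LEN=40 PROTO=TCP SPT=54322 DPT=23 SYN
[ 1236.0] iptables denied: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=10.21.21.212 LEN=40 PROTO=TCP SPT=54323 DPT=22 SYN
[ 1237.2] iptables denied: IN=eth0 OUT= MAC=... SRC=198.51.100.9 DST=10.21.21.212 LEN=40 PROTO=TCP SPT=40000 DPT=445 SYN'

# Usage on the Pi:  dmesg | summarize_denied
# Demo on the sample: printf '%s\n' "$SAMPLE_LOG" | summarize_denied
```

Because the LOG rule is rate-limited to 5 per minute, the counts are a lower bound on the real number of rejected packets, not an exact count.
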
Other security settings

We will impose certain limits on resource use as a countermeasure against attacks such as fork bombs.

# Limit the number of processes a single user can run to 1024
ulimit -u 1024
# Limit the CPU time a single process may consume to 30 seconds
ulimit -t 30

This reduces the risk of a flood of processes exhausting the machine. Note that ulimit applies only to the shell session it is run in and that session's child processes; to make the limits persistent for every login, set them in /etc/security/limits.conf instead. A 30-second CPU limit will also kill legitimate long-running jobs, so choose values that fit what the server actually runs.

Port forwarding settings

You should be able to set up port forwarding from the router's settings screen. Register the port number you added to /etc/ssh/sshd_config and forward it to the Raspberry Pi's internal address (10.21.21.212 in this example).

Check if SSH connection can be made as set in the internal network

At this point, you should be able to ssh to your Raspberry Pi over your internal network.

ssh -i .ssh/id_rsa -p 50230 hydro_boo@10.21.21.212

Running this command should give you an SSH connection authenticated with your private/public key pair.

Register for free DNS

From here on is for those who want to connect to the Raspberry Pi from an external network.

This time we will use the DNS service of ovh.com. Since OVH provides DDNS, even users without a fixed IP address can use it with confidence.

Registration is easy; the link below has a tutorial.

Check if SSH connection can be made from the external network as set

ssh -i .ssh/id_rsa -p 50230 hydro_boo@[ddns_domain]

If you can connect with this, the setup of a secure home server is complete.

Conclusion

In addition, everything done so far is only a countermeasure: it does not neutralise the attacker, and a machine cannot avoid being attacked as long as it is reachable on the network. The important thing is to make the filter harder to get through and to lower the risk. The risk from passwords can be reduced by replacing simple strings such as qwerty and password with something even slightly harder to guess.

Security measures are a bit of a hassle, but when you consider what happens once a problem occurs, they are not a loss but a benefit. We recommend taking at least some measures.

That’s all for defense against dark hacks.

DevOps Consultant. I’m strongly focused on automation, security, and reliability.