If your Raspberry Pi is connected to the outside world it is vulnerable. In one of my previous posts I described how to make a web server out of the Raspberry Pi; there you can also find how to make it reachable from the Internet using DDNS.
There are a few simple steps you should follow to secure your tiny server.
First of all check the logs!
You can see the logs associated with remote logins into your server. You will find them in /var/log/auth.log. To print the last 50 lines of this file and keep following it as new entries arrive, type:
tail -f /var/log/auth.log -n 50
You will probably see multiple lines of this manner:
Jan 16 17:30:15 raspberrypi sshd[20149]: Failed password for root from xxx.xxx.xxx.xxx port 56823 ssh2
Jan 16 17:30:15 raspberrypi sshd[20153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx.some.remote.host.com user=root
This means that someone at IP address xxx.xxx.xxx.xxx was trying to log into your RPi remotely. Over time you will see more and more attempts of this kind.
Basics of securing a server
As pointed out above, there were remote attempts to log into the root account. As you know, an account with root privileges can do virtually anything with the system. There is a radical way of preventing this from happening: change the ssh daemon settings. Edit the /etc/ssh/sshd_config file and find inside it the line which starts with
PermitRootLogin
Then change the parameter from yes to no. Doing so disables remote logins as root on the server.
Advanced methods of securing a server
You can always consider using a more sophisticated piece of software to do the job for you. There are several projects which allow you to apply security rules to your system. Two of them, denyhost and fail2ban, are described below.
denyhost
denyhost is a script which runs periodically on your system and scans log files such as the one described above. From them it can tell which remote hosts are trying to gain access to the system. After a few unsuccessful attempts it adds the IP address of the possible attacker to a special file.
denyhost is configurable and has a number of options; by altering them you can make it work the way you like.
fail2ban
fail2ban is definitely my favourite. It allows you to secure multiple services including ssh, apache etc., and the way it works is a bit different. It is a set of python scripts. It can deny connections from a remote host by writing its IP to a file, but it can also configure iptables.
You can configure it by editing the /etc/fail2ban/jail.conf file. The configuration is pretty straightforward. First, find the line with
[ssh]
to configure ssh behaviour. Below this line you can modify parameters such as:
- maxretry, the maximum number of retries,
- bantime, how long a remote IP stays banned.
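To make the maxretry rule concrete, here is an added example (not fail2ban's own code) that reads auth.log lines in the format shown earlier, counts failed ssh passwords per remote IP, and reports the hosts that exceed maxretry within a time window (the window corresponds to fail2ban's findtime option). The log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the /var/log/auth.log format shown above
# (documentation IP addresses, not real hosts).
SAMPLE_LOG = """\
Jan 16 17:30:15 raspberrypi sshd[20149]: Failed password for root from 203.0.113.7 port 56823 ssh2
Jan 16 17:30:18 raspberrypi sshd[20153]: Failed password for root from 203.0.113.7 port 56830 ssh2
Jan 16 17:30:21 raspberrypi sshd[20157]: Failed password for invalid user admin from 203.0.113.7 port 56841 ssh2
Jan 16 17:30:40 raspberrypi sshd[20161]: Failed password for pi from 198.51.100.9 port 41002 ssh2
Jan 16 17:31:02 raspberrypi sshd[20165]: Accepted publickey for pi from 192.0.2.5 port 50122 ssh2
Jan 16 17:45:10 raspberrypi sshd[20170]: Failed password for root from 198.51.100.9 port 41010 ssh2
"""

# Matches sshd "Failed password" lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, user) for every failed-password line.

    syslog lines carry no year, so one is assumed to build full timestamps.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def hosts_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return the IPs with at least maxretry failures inside any findtime window."""
    events = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        events[ip].append(ts)
    banned = set()
    for ip, times in events.items():
        times.sort()
        # Slide a window of maxretry consecutive failures over the sorted timestamps.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(ip)
                break
    return banned
```

With the sample above only 203.0.113.7 crosses the default threshold; 198.51.100.9 fails twice but 15 minutes apart, so it is caught only with a lower maxretry or a longer window.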
To start the fail2ban daemon simply invoke this command:
sudo fail2ban-client start
If you change the ssh settings you can reload them with
sudo fail2ban-client reload ssh
Currently banned remote hosts
To display the list of currently banned hosts type
sudo iptables --list
This will display something similar to:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- www.remote.host.com anywhere
RETURN all -- anywhere anywhere
In the listing above you can see that the host www.remote.host.com is banned: its traffic hits the DROP rule in the fail2ban-ssh chain, which the INPUT chain consults for every packet arriving on the ssh port.
Log file
You can also tail the /var/log/fail2ban.log file. It records every action fail2ban has taken.
To sum up, once you have set up fail2ban you don't have to worry. Just check the system logs from time to time 😉