The more we know the harder it is to defeat us!

If your Raspberry Pi is reachable from the Internet it will be probed and attacked. In one of my previous posts I described how to turn the Raspberry Pi into a web server; there you can also find how to make it reachable from outside using DDNS.

There are a few simple steps you should follow to secure your tiny server.

First of all, check the logs!

Every remote login to your server, successful or not, is recorded in /var/log/auth.log (the file is only readable by root, hence the sudo). To print the last 50 lines and keep following the file as new entries arrive, type:

sudo tail -n 50 -f /var/log/auth.log

You will probably see many lines like these:

Jan 16 17:30:15 raspberrypi sshd[20149]: Failed password for root from xxx.xxx.xxx.xxx port 56823 ssh2
Jan 16 17:30:15 raspberrypi sshd[20153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx.some.remote.host.com user=root

These two lines mean that someone at IP address xxx.xxx.xxx.xxx tried to log in as root over SSH and got the password wrong. Once the Pi is reachable from the Internet you will see more and more attempts of this kind, mostly from automated scanners that try the same default accounts and passwords against every address they can find.
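The counting you would otherwise do by eye can be scripted. The following is an added example, not part of the original post: a small shell helper that extracts the source address from every "Failed password" line and reports the addresses with the most failures, run here against a few constructed auth.log lines. The helper name and the sample lines are assumptions, and the addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the failed SSH logins
# recorded in an auth.log by source address. The helper is hypothetical and
# the log lines it is run against are constructed for the demo.

# failed_logins_by_ip LOGFILE [THRESHOLD]
# Prints "count ip" for every address with at least THRESHOLD (default 1)
# "Failed password" entries, busiest address first.
failed_logins_by_ip() {
    logfile="$1"
    threshold="${2:-1}"
    # Extract the address that follows "from" in each sshd failure line; the
    # pattern also matches "Failed password for invalid user X from ..." lines
    # and ignores the pam_unix and "Accepted" lines.
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' "$logfile" \
        | sort | uniq -c | sort -rn \
        | while read -r count ip; do
            if [ "$count" -ge "$threshold" ]; then
                printf '%s %s\n' "$count" "$ip"
            fi
        done
    return 0
}

# sample_auth_log FILE
# Writes a few constructed auth.log lines so the helper can be tried without
# a real server: four failures from 203.0.113.5, two from 198.51.100.7 and
# one successful key login from 192.0.2.9 that must not be counted.
sample_auth_log() {
    cat > "$1" <<'EOF'
Jan 16 17:30:15 raspberrypi sshd[20149]: Failed password for root from 203.0.113.5 port 56823 ssh2
Jan 16 17:30:15 raspberrypi sshd[20153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Jan 16 17:30:18 raspberrypi sshd[20149]: Failed password for root from 203.0.113.5 port 56823 ssh2
Jan 16 17:30:21 raspberrypi sshd[20160]: Failed password for invalid user admin from 203.0.113.5 port 56901 ssh2
Jan 16 17:30:25 raspberrypi sshd[20160]: Failed password for invalid user admin from 203.0.113.5 port 56901 ssh2
Jan 16 17:31:02 raspberrypi sshd[20171]: Failed password for pi from 198.51.100.7 port 40112 ssh2
Jan 16 17:31:05 raspberrypi sshd[20171]: Failed password for pi from 198.51.100.7 port 40112 ssh2
Jan 16 17:32:40 raspberrypi sshd[20180]: Accepted publickey for pi from 192.0.2.9 port 51234 ssh2
EOF
}

# On a live Pi (auth.log is root-only):  sudo sh -c '. ./failed.sh; failed_logins_by_ip /var/log/auth.log 5'
```

With the sample file and a threshold of 3 the helper prints only `4 203.0.113.5`; the second address has two failures and the successful login is ignored. The threshold plays the same role as the maxretry setting of the tools described further down.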

Basics of securing a server

The log above shows remote attempts to log into the root account. As you know, an account with root privileges can do virtually anything on the system, which is exactly why root is the account every brute-force script tries first. A radical but effective way to stop this is to change the SSH daemon settings. Edit /etc/ssh/sshd_config (as root, with sudo) and find the line that starts with

PermitRootLogin

and change its value from yes to no. If the line is commented out with a leading #, remove the # as well, otherwise the built-in default still applies. Root can then no longer log in remotely at all, whatever password the attacker guesses; you log in as an ordinary user and use sudo instead. Newer OpenSSH releases default to prohibit-password, which already rejects root password logins but still allows root in with an SSH key, so no is the stricter choice. The change only takes effect once the daemon re-reads its configuration: check the file with sudo sshd -t (it prints nothing if the file is valid) and then restart the service with sudo service ssh restart. Do this while your current session stays open and test from a second terminal, because a mistake in sshd_config is much easier to fix before it has locked you out.
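Below is an added example (my own, not the post's commands) of scripting that change so it is repeatable: the helper rewrites the PermitRootLogin line whether it is set, commented out or missing, validates the result with sshd -t and only then restarts the service. The function names are hypothetical; sshd's -t and -f flags and the ssh service name are real.

```shell
#!/bin/sh
# Added example, not from the original post: set an sshd_config option without
# hand-editing, then validate the file before restarting the daemon. The helper
# names are hypothetical; only sshd -t / -f and the ssh service are real.

# set_sshd_option FILE KEYWORD VALUE
# Rewrites every line for KEYWORD (including a commented-out default such as
# "#PermitRootLogin prohibit-password") as "KEYWORD VALUE", or appends the line
# when the keyword is absent. Running it twice leaves the file unchanged.
# Assumes the keyword is not inside a Match block (those lines would be
# rewritten too).
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        # sed -i is not portable, so write to a temp file and move it into place
        tmp="$file.tmp.$$"
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEYWORD
# Prints the value of the last uncommented KEYWORD line, or nothing if unset.
get_sshd_option() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]+([^[:space:]]+).*/\1/p" "$1" | tail -n 1
}

# harden_sshd [FILE]
# Disables remote root logins, checks the result with sshd's own parser and
# only then restarts the service; a typo that sshd rejects would otherwise
# leave you locked out at the next restart or reboot.
harden_sshd() {
    cfg="${1:-/etc/ssh/sshd_config}"
    set_sshd_option "$cfg" PermitRootLogin no
    if ! sshd -t -f "$cfg"; then
        echo "sshd_config is invalid, not restarting" >&2
        return 1
    fi
    service ssh restart
}

# On the Pi:  sudo sh -c '. ./harden.sh; harden_sshd'
```

set_sshd_option is generic, so the same helper sets any other sshd_config keyword; keep the terminal you ran it from open until you have confirmed a fresh login still works.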

Advanced methods of securing a server

You can also let a dedicated piece of software do the job for you. Several projects watch the logs and apply blocking rules to your system automatically. Two of them, DenyHosts and fail2ban, are described below.

DenyHosts

DenyHosts is a script that runs periodically on your system and scans log files such as the one described above. Note that it reads the logs rather than the network traffic itself, so it only learns about a remote host once sshd has logged its failed attempts. After a configurable number of unsuccessful attempts it adds the IP address of the possible attacker to /etc/hosts.deny, and sshd refuses further connections from that address through the TCP wrappers mechanism. That is also its weakness: newer OpenSSH packages no longer honour /etc/hosts.deny, in which case DenyHosts blocks nothing, which is one reason fail2ban, which blocks at the firewall, is the more robust choice today.

DenyHosts is configurable through /etc/denyhosts.conf, where you can set the thresholds and how long an address stays blocked.

fail2ban

fail2ban is definitely my favourite. It can protect multiple services, including ssh, apache and others, and it works a bit differently: it is a set of Python scripts that watch the log files you point them at and ban any host that fails too often. A ban can be written to a file such as /etc/hosts.deny, but by default it is implemented as an iptables rule, so the attacker's packets are dropped by the kernel before they ever reach the service.

The shipped defaults live in /etc/fail2ban/jail.conf. Rather than editing that file, which the package manager overwrites on upgrade, put your changes into /etc/fail2ban/jail.local, whose settings take precedence over jail.conf. The configuration is pretty straightforward. Firstly, find the section header

[ssh]

(on fail2ban 0.9 and later the jail is called [sshd]) to configure the SSH behaviour. Below this line you can modify parameters such as:

  • maxretry, the number of failed attempts allowed before an address is banned,
  • findtime, the window (in seconds) within which those attempts must occur,
  • bantime, how long (in seconds) the address stays banned.

Make sure ignoreip in the [DEFAULT] section lists the addresses you administer the Pi from, or a few mistyped passwords of your own will get you banned as well.

To start the fail2ban daemon, simply invoke:

sudo fail2ban-client start

If you change the SSH settings, reload just that jail with

sudo fail2ban-client reload ssh
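As an added example covering the configuration and the start/reload steps above (not from the original post), here is a shell helper that writes the SSH jail to /etc/fail2ban/jail.local and applies it. The helper names and the 192.168.1.0/24 ignoreip range are assumptions; the section and option names are fail2ban's own, and the jail header must match the one in your jail.conf ([ssh] on the 0.8 series, [sshd] from 0.9 on).

```shell
#!/bin/sh
# Added example, not from the original post: put the SSH jail settings in
# /etc/fail2ban/jail.local (which overrides jail.conf and survives package
# upgrades), then apply them. Helper names are hypothetical; the option names
# are fail2ban's own. The 192.168.1.0/24 ignoreip range is an assumption:
# replace it with the network you administer the Pi from so you can never
# ban yourself.

# write_ssh_jail [FILE] [JAILNAME]
# JAILNAME is "ssh" on the fail2ban 0.8 series shipped with older Raspbian and
# "sshd" on 0.9 and later; check which header your /etc/fail2ban/jail.conf uses.
write_ssh_jail() {
    dest="${1:-/etc/fail2ban/jail.local}"
    jail="${2:-ssh}"
    cat > "$dest" <<EOF
[DEFAULT]
# An address is banned once it fails maxretry times within findtime seconds;
# the ban lasts bantime seconds.
findtime = 600
maxretry = 5
bantime  = 3600
ignoreip = 127.0.0.1/8 192.168.1.0/24

[$jail]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
# SSH gets a stricter threshold and a day-long ban
maxretry = 3
bantime  = 86400
EOF
}

# apply_ssh_jail [FILE] [JAILNAME]
# Writes the file, starts the daemon if it is not running yet, and reloads the
# jail so the new thresholds take effect.
apply_ssh_jail() {
    write_ssh_jail "$@"
    fail2ban-client ping >/dev/null 2>&1 || fail2ban-client start
    fail2ban-client reload "${2:-ssh}"
}

# On the Pi:  sudo sh -c '. ./jail.sh; apply_ssh_jail'
```

The [DEFAULT] values apply to every jail you enable later (apache, for instance), while the [ssh] section overrides only the two values that matter most for a service exposed to password guessing.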

Currently banned remote hosts

To display the list of currently banned hosts, list the firewall rules that fail2ban maintains (fail2ban-client status ssh reports the same list from fail2ban's side, together with the number of failures it has matched):

sudo iptables --list

This will display something similar to:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  www.remote.host.com     anywhere
RETURN     all  --  anywhere             anywhere

In the listing above, fail2ban has inserted its own chain, fail2ban-ssh, into the INPUT chain for traffic to the ssh port. Inside that chain every banned address gets a DROP rule and everything else RETURNs to normal processing, so www.remote.host.com is currently banned. iptables resolves addresses to host names by default, which is slow and can hang on unresponsive DNS; add -n to print the raw IP addresses instead.

Log file

You can also tail /var/log/fail2ban.log. It records every action fail2ban has taken (the failures it matched, the bans and the unbans), so it is the first place to look when a host has been banned unexpectedly, your own included.

To sum up: once fail2ban is set up you do not have to worry much. Just check the system logs from time to time 😉
