How to Lock Down Your Raspberry Pi

A Raspberry Pi is inexpensive and useful for a lot of applications, including Internet-facing servers and IoT devices. Unfortunately, the default settings of a fresh install are not up to the job of keeping it secure: every image ships with the same well-known pi account, and SSH accepts plain passwords out of the box. A Wi-Fi password can be cracked, so harden the OS before you set up a Raspberry Pi in your house with a camera attached and give everyone a free web show. :) It is within your power to lock down your Pi using open-source best practices; most commercial consumer devices do not offer that ability. Are you sure that your Alexa is properly locked down? There is no way to tell. You just have to trust that the vendor got it right.

Luckily, the Raspberry Pi's operating system (Raspbian, since renamed Raspberry Pi OS) is a variant of Debian Linux, so we have a lot of options to make it more secure.


I assume that you have already installed Raspbian and enabled logging in over SSH. I also assume that you are comfortable with the command line; if you aren't, give it a shot here. I've tried to make this beginner-friendly, and it isn't hard once you get the hang of it.

Part One ensures that your Raspberry Pi always has the latest security updates.
The next two parts cover two approaches to login security for a Raspberry Pi that is connected to the Internet. The first is more convenient and the second is more secure.
Part Two shows you how to create a user other than the well-known pi user. It also covers the installation and configuration of the fail2ban utility, which watches the logs and temporarily blocks the source IP address after a few failed login attempts, making it much harder to guess a password by brute force.
Part Three replaces password logins with SSH public/private key pairs, which are more secure but require you to carry the private key (and remember its passphrase, if you set one) on every machine you log in from, which is not as convenient.

So which of these should you use? It doesn't hurt to do both. Switching to another user can be a lot of work (for example if you have already installed software as the pi user), but fail2ban still helps when you use SSH keys, and it protects other services, like Apache, as well.
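Once you have worked through the three parts, it is useful to have a single script that confirms the result. The audit script below is an added example and is not part of the original guide; it checks the outcome of each part by reading the configuration files where Raspbian keeps those settings (the paths in `audit_system` are the usual locations and are an assumption about your install). Each check takes the file it inspects as an argument, so the same functions can be run against constructed sample files as well as the live system.

```shell
#!/bin/sh
# pi-audit.sh: checks whether the measures from Parts One to Three are in place.
# Added example, not part of the original guide. Each check takes the file it
# inspects as an argument, so the checks can be run against the live system or
# against constructed sample files. The paths in audit_system are the usual
# Raspbian locations and are an assumption about your install.

# Part One: APT::Periodic::Unattended-Upgrade "1"; in the given apt config file
# means unattended-upgrades will install security updates on its own.
unattended_upgrades_enabled() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$1"
}

# Part Two: the well-known "pi" account should no longer exist in passwd.
pi_user_removed() {
    [ -r "$1" ] || return 1
    ! grep -Eq '^pi:' "$1"
}

# Part Two: the fail2ban sshd jail should be switched on in jail.local.
# Only "enabled = true" inside the [sshd] section counts; a jail enabled
# solely through [DEFAULT] is not detected by this check.
fail2ban_sshd_enabled() {
    [ -r "$1" ] || return 1
    awk '
        /^\[/ { in_sshd = ($1 == "[sshd]") }
        in_sshd && /^[[:space:]]*enabled[[:space:]]*=[[:space:]]*true/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Part Three: sshd must refuse passwords so that only key logins work. sshd
# uses the first uncommented value of a keyword, so only the first match is
# read; a missing or commented-out directive means the default (yes) applies.
sshd_password_auth_disabled() {
    [ -r "$1" ] || return 1
    v=$(grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" \
        | head -n 1 | awk '{ print tolower($2) }')
    [ "$v" = "no" ]
}

# report LABEL CHECK FILE: prints PASS or FAIL for one check and counts failures.
report() {
    label="$1"; shift
    if "$@"; then
        printf 'PASS  %s\n' "$label"
    else
        printf 'FAIL  %s\n' "$label"
        fails=$((fails + 1))
    fi
}

# Runs every check against the live system; the exit status is the number of
# failed checks, so 0 means all three parts are in place.
audit_system() {
    fails=0
    report "Part One:   unattended-upgrades enabled"  unattended_upgrades_enabled /etc/apt/apt.conf.d/20auto-upgrades
    report "Part Two:   default pi account removed"   pi_user_removed /etc/passwd
    report "Part Two:   fail2ban sshd jail enabled"   fail2ban_sshd_enabled /etc/fail2ban/jail.local
    report "Part Three: SSH password logins disabled" sshd_password_auth_disabled /etc/ssh/sshd_config
    return "$fails"
}

# Run the audit only when executed as pi-audit.sh, not when sourced for testing.
if [ "${0##*/}" = "pi-audit.sh" ]; then
    audit_system
fi
```

Save it as pi-audit.sh and run `sh pi-audit.sh` on the Pi; a FAIL line tells you which part still needs attention. The sshd check reads the file rather than the running daemon, so if you use Match blocks, confirm the effective value with `sudo sshd -T | grep -i passwordauthentication`, which prints the configuration sshd has actually loaded.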