The default pi user and its password are widely known, so it is critical that you change the password the first time you log in. Even once that is done, any Raspberry Pi exposed to a network connection is vulnerable to a brute force attack: anyone can continuously try to log in as the pi user while guessing the password. Most of these attempts use dictionaries of common passwords and, given enough time, will probably succeed in breaking into your Pi.
The first step in protecting yourself from these attacks is to create a user with a different name and then disable or delete the pi user entirely. Unless you make the new user name easy to guess, an attacker now has to guess both a user id and a password. In addition, you can install the fail2ban utility, which bans further login attempts from a host after a number of failed attempts. That way, even if an attacker knows the user id, brute forcing the password becomes much harder.
Change the default user
First determine what groups the pi user has:
```
pi@MuhPi:~$ groups
pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi
```
Add a new user with identical settings:
```
pi@MuhPi:~$ sudo useradd MuhUser -s /bin/bash -m -G pi,adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio
```
Assign a password:
```
pi@MuhPi:~$ sudo passwd MuhUser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
```
Add the new user to the list of users who can use sudo without a password:
```
pi@MuhPi:~ $ cd /etc/sudoers.d/
pi@MuhPi:/etc/sudoers.d$ sudo vi 010_pi-nopasswd
pi ALL=(ALL) NOPASSWD: ALL        <-- duplicate the line with pi (yy then p) and change the user name
MuhUser ALL=(ALL) NOPASSWD: ALL
```
Save your work with
Test that the new login works:
```
pi@MuhPi:~$ ssh MuhUser@localhost
MuhUser@localhost's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
```
Test that sudo works without a password:
```
MuhUser@MuhPi:~$ sudo ls
```
This should return a list of files and not an error.
Reboot the Pi, then log in as the new user and verify that you can do everything you need to do.
```
MuhUser@MuhPi:~$ sudo reboot
```
Disable login as the pi user by locking its password:
```
pi@MuhPi:~$ sudo passwd -l pi
passwd: password expiry information changed.
```
Note that the man page for passwd says this:
This option is used to lock the password of specified account and it is available to root only. The locking is performed by rendering the encrypted password into an invalid string (by prefixing the encrypted string with an !). Note that the account is not fully locked - the user can still log in by other means of authentication such as the ssh public key authentication. Use chage -E 0 user command instead for full account locking.
I have not yet tested this but it may be a better solution.
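The man page excerpt above describes two different mechanisms, and the difference is easiest to see in the /etc/shadow record itself: `passwd -l` prefixes the password hash with `!`, which only defeats password authentication, while `chage -E 0` sets the account expiry field (days since 1970-01-01) to 0, which expires the whole account so that key-based SSH logins are refused as well. The following Python script is an added example, not part of the original tutorial or of any system tool; it parses constructed shadow records (the hashes are placeholders) and reports which login methods each state still permits.

```python
"""Added example: inspect /etc/shadow-style records to show the difference
between `passwd -l` (hash prefixed with '!') and `chage -E 0` (expiry field 0).

Shadow field layout (colon separated):
  name:password:lastchg:min:max:warn:inactive:expire:reserved
"""
from dataclasses import dataclass
from typing import Dict

# Constructed sample records; hashes are placeholders, not real hashes.
# "pi" has been locked with `passwd -l`; "olduser" additionally had `chage -E 0`.
SAMPLE_SHADOW = """\
root:$6$placeholdersalt$placeholderhash:17000:0:99999:7:::
MuhUser:$6$placeholdersalt$placeholderhash:17000:0:99999:7:::
pi:!$6$placeholdersalt$placeholderhash:17000:0:99999:7:::
olduser:!$6$placeholdersalt$placeholderhash:17000:0:99999:7::0:
"""


@dataclass
class AccountState:
    name: str
    password_usable: bool   # a hash that password authentication can match
    account_expired: bool   # expire field set to a day that has already passed


def parse_shadow(text: str, today_days: int) -> Dict[str, AccountState]:
    """Parse shadow records; today_days is 'today' as days since the epoch."""
    states: Dict[str, AccountState] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 8:
            raise ValueError(f"malformed shadow line: {line!r}")
        name, pw, expire = fields[0], fields[1], fields[7]
        # '!' prefix is what passwd -l writes; '*' and empty hashes are never
        # a valid password hash either, so password auth cannot succeed.
        usable = bool(pw) and not pw.startswith("!") and pw != "*"
        expired = expire != "" and int(expire) <= today_days
        states[name] = AccountState(name, usable, expired)
    return states


def can_login_with_password(state: AccountState) -> bool:
    return state.password_usable and not state.account_expired


def can_login_with_ssh_key(state: AccountState) -> bool:
    # Public-key authentication bypasses the password hash entirely,
    # but sshd still refuses an expired account.
    return not state.account_expired


def report(text: str, today_days: int) -> Dict[str, str]:
    """Summarise each account as 'open', 'password-locked' or 'fully-locked'."""
    summary = {}
    for name, st in parse_shadow(text, today_days).items():
        if not can_login_with_ssh_key(st):
            summary[name] = "fully-locked"
        elif not can_login_with_password(st):
            summary[name] = "password-locked"
        else:
            summary[name] = "open"
    return summary


if __name__ == "__main__":
    for name, status in report(SAMPLE_SHADOW, today_days=19000).items():
        print(f"{name:10s} {status}")
```

Running it shows `pi` as password-locked only: an authorized_keys file left in /home/pi would still let someone log in as pi, which is the gap the man page warns about and which `chage -E 0` (the `olduser` record) closes.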
Test that you are not able to log in as the pi user:
```
pi@MuhPi:~$ ssh localhost
The authenticity of host localhost (::1) can't be established.
ECDSA key fingerprint is 4d:fe:db:83:d6:86:22:96:82:67:70:8b:70:09:e3:94.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added localhost (ECDSA) to the list of known hosts.
pi@localhost's password:
Permission denied, please try again.
pi@localhost's password:
Permission denied, please try again.
pi@localhost's password:
```
At this point you should verify that you can do everything with the new user that you were able to do with the pi user. Once you are satisfied, you can delete the pi user with:
```
MuhUser@MuhPi:~$ sudo userdel pi
```
Install fail2ban
```
MuhUser@MuhPi:~$ sudo apt-get install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  python-gamin mailx
The following NEW packages will be installed:
  fail2ban
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 165 kB of archives.
After this operation, 577 kB of additional disk space will be used.
Get:1 http://mirrordirector.raspbian.org/raspbian/ jessie/main fail2ban all 0.8.13-1 [165 kB]
Fetched 165 kB in 0s (227 kB/s)
Selecting previously unselected package fail2ban.
(Reading database ... 112370 files and directories currently installed.)
Preparing to unpack .../fail2ban_0.8.13-1_all.deb ...
Unpacking fail2ban (0.8.13-1) ...
Processing triggers for man-db (18.104.22.168-5) ...
Processing triggers for systemd (215-17+deb8u6) ...
Setting up fail2ban (0.8.13-1) ...
Processing triggers for systemd (215-17+deb8u6) ...
```
```
MuhUser@MuhPi:~$ sudo vi /etc/fail2ban/jail.local
```
A fresh install ships only /etc/fail2ban/jail.conf; put your changes in jail.local (copy jail.conf to jail.local first, or create jail.local containing just the sections you change) so that package upgrades do not overwrite them. Change the ssh section to look like this:
```
[ssh]
enabled   = true
port      = ssh
filter    = sshd
logpath   = /var/log/auth.log
bantime   = 900
banaction = iptables-allports
findtime  = 900
maxretry  = 3
```
With these settings, if three logins fail from the same host within the findtime window (900 seconds), that host is banned from attempting to log in again for 15 minutes (bantime = 900 seconds). Notice that this means a distributed attack involving multiple hosts could still try to brute force a login, but it would be much slower and more difficult. Configuring SSH keys helps with this issue.
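To make the interaction of maxretry, findtime and bantime concrete, here is an added Python model of that jail logic run over a few constructed /var/log/auth.log lines. It is not fail2ban's code (fail2ban applies its own filter regexes and installs real iptables rules); it simply counts "Failed password" lines per source address with the three settings above and reports which addresses would be banned and when each ban lifts. The addresses and timestamps are made up, and the year is assumed to be 2017 because syslog timestamps carry none.

```python
"""Added example: a minimal model of the [ssh] jail above (maxretry = 3,
findtime = 900, bantime = 900) applied to constructed sshd log lines.
Not fail2ban's own implementation."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict

MAXRETRY = 3
FINDTIME = timedelta(seconds=900)
BANTIME = timedelta(seconds=900)

# Matches the "Failed password" lines sshd writes to /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log; 203.0.113.10 hammers the pi account, 198.51.100.4
# spaces its attempts more than findtime apart, 192.0.2.7 logs in with a key.
SAMPLE_AUTH_LOG = """\
Mar  5 10:00:01 MuhPi sshd[1234]: Failed password for pi from 203.0.113.10 port 51000 ssh2
Mar  5 10:00:05 MuhPi sshd[1235]: Failed password for pi from 203.0.113.10 port 51001 ssh2
Mar  5 10:00:09 MuhPi sshd[1236]: Failed password for invalid user admin from 203.0.113.10 port 51002 ssh2
Mar  5 10:00:12 MuhPi sshd[1237]: Failed password for pi from 203.0.113.10 port 51003 ssh2
Mar  5 10:01:00 MuhPi sshd[1240]: Accepted publickey for MuhUser from 192.0.2.7 port 40000 ssh2
Mar  5 10:02:00 MuhPi sshd[1241]: Failed password for MuhUser from 198.51.100.4 port 42000 ssh2
Mar  5 10:30:00 MuhPi sshd[1242]: Failed password for MuhUser from 198.51.100.4 port 42001 ssh2
Mar  5 10:31:00 MuhPi sshd[1243]: Failed password for MuhUser from 198.51.100.4 port 42002 ssh2
"""


def parse_ts(ts: str, year: int = 2017) -> datetime:
    """Syslog timestamps have no year; assume one (2017 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def evaluate(log_text: str) -> Dict[str, datetime]:
    """Return {source_ip: ban_start} for every source that reaches MAXRETRY
    failures inside a FINDTIME window."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    bans: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other noise are not counted
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans and ts < bans[ip] + BANTIME:
            continue  # ban still active; iptables would have dropped this packet
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= MAXRETRY:
            bans[ip] = ts
            window.clear()
    return bans


def ban_expires(bans: Dict[str, datetime], ip: str) -> datetime:
    return bans[ip] + BANTIME


if __name__ == "__main__":
    result = evaluate(SAMPLE_AUTH_LOG)
    for ip, start in result.items():
        print(f"{ip} banned at {start:%H:%M:%S} until {ban_expires(result, ip):%H:%M:%S}")
```

The model bans 203.0.113.10 at its third failure (10:00:09) until 10:15:09, and its fourth attempt at 10:00:12 is simply dropped. The slower source 198.51.100.4 never accumulates three failures inside any 900-second window, so it is never banned; that is exactly why a patient or distributed attacker is not stopped by this jail alone and why SSH keys are still recommended.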
Restart the service so the new settings take effect:
```
MuhUser@MuhPi:~$ sudo service fail2ban restart
```
Failed login attempts are written to the log at /var/log/fail2ban.log.