Raspberry Pi: Change the default user and make it harder to brute force a login

The default pi user and password are widely known so it is critical that you change the password the first time you log in. Once that is done however, any Raspberry Pi exposed to a network connection is vulnerable to a brute force attack. Basically that means that anyone can continuously try to log in as the pi user while trying to guess the password. Most of these attempts will use dictionaries of common passwords and with enough time will probably be able to hack into your Pi.

The first step to protecting yourself from these attacks is to change the default user to another name and then to disable or delete the pi user entirely. Unless you make the new user easy to guess, it will be extremely difficult for a hacker to guess a user id and password. In addition to this, you can install the fail2ban utility, which will allow you to ban logins for a user account after a number of failed attempts. That way, even if a hacker knows the user id, it will be a lot harder to brute force a login by guessing passwords.


Change the default user

First determine what groups the pi user has:


pi@MuhPi:~$ groups
pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi
Add a new user with identical settings:

pi@MuhPi:~$ sudo useradd MuhUser -s /bin/bash -m -G pi,adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio
Assign a password:

pi@MuhPi:~$ sudo passwd MuhUser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Add the new user to the list of users who can use sudo without a password:

pi@MuhPi:~ $ cd /etc/sudoers.d/

pi@MuhPi:/etc/sudoers.d$ sudo vi 010_pi-nopasswd

pi ALL=(ALL) NOPASSWD: ALL <-- duplicate the line with pi (yy then p) and change the user name
MuhUser ALL=(ALL) NOPASSWD: ALL

Save your work with :wq!

Test that the new login works:


pi@MuhPi:~$ ssh MuhUser@localhost
MuhUser@localhost's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Test that sudo works without a password:


MuhUser@MuhPi:~$ sudo ls  <-- Should return a list of files and not an error.

Reboot the Pi, then log in as the new user and verify that you can do everything that you need to do.


MuhUser@MuhPi:~$ sudo reboot

Disable login as the pi user by locking the password:


pi@MuhPi:~$ sudo passwd -l pi
passwd: password expiry information changed.

Note that the man page for passwd says this:

This option is used to lock the password of specified account and it is available to root only. The locking is performed by rendering the encrypted password into an invalid string (by prefixing the encrypted string with an !). Note that the account is not fully locked - the user can still log in by other means of authentication such as the ssh public key authentication. Use chage -E 0 user command instead for full account locking.

I have not yet tested this but it may be a better solution.

Test that you are not able to log in as the pi user:


pi@MuhPi:~$ ssh localhost
The authenticity of host localhost (::1) can't be established.
ECDSA key fingerprint is 4d:fe:db:83:d6:86:22:96:82:67:70:8b:70:09:e3:94.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added localhost (ECDSA) to the list of known hosts.
pi@localhost's password:
Permission denied, please try again.
pi@localhost's password:
Permission denied, please try again.
pi@localhost's password:

At this point you should verify that you can do everything with the new user that you were able to do with the pi user. Once you are satisfied, you can delete the pi user with:


MuhUser@MuhPi:~$ sudo userdel pi
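The steps above collected into one script, added here as an example and not part of the original post. It assumes the old account is pi and takes the new user name as an argument; it derives the group list from `id -nG pi` instead of retyping it, writes its own sudoers.d drop-in (checked with visudo -c) rather than editing 010_pi-nopasswd, refuses to lock pi until the new account has every one of pi's groups, and adds the `chage -E 0` step from the man page quoted above to `passwd -l`.

```shell
#!/bin/sh
# Added example, not from the original post: the "change the default user"
# steps as one script. Assumes the old account is "pi"; the new name is $2.
set -eu

OLDUSER=pi

# Turn the space-separated output of `id -nG pi` (same as `groups`) into the
# comma-separated list useradd -G expects, so the group list is never retyped.
groups_to_csv() {
    echo "$1" | tr -s ' ' ','
}

# The line the post duplicates by hand in 010_pi-nopasswd.
nopasswd_line() {
    echo "$1 ALL=(ALL) NOPASSWD: ALL"
}

# Privileged steps; only run when invoked as: ./migrate-user.sh --apply NEWUSER
apply_migration() {
    newuser=$1
    dropin="/etc/sudoers.d/010_${newuser}-nopasswd"
    sudo useradd "$newuser" -s /bin/bash -m -G "$(groups_to_csv "$(id -nG "$OLDUSER")")"
    sudo passwd "$newuser"
    # Separate drop-in instead of editing 010_pi-nopasswd, checked with visudo:
    # a syntax error in sudoers.d can lock everyone out of sudo.
    nopasswd_line "$newuser" | sudo tee "$dropin" >/dev/null
    sudo chmod 0440 "$dropin"
    sudo visudo -c -f "$dropin"
    # Refuse to lock pi unless the new account carries every one of its groups.
    for g in $(id -nG "$OLDUSER"); do
        id -nG "$newuser" | tr ' ' '\n' | grep -qx "$g" ||
            { echo "new user is missing group $g" >&2; exit 1; }
    done
    # passwd -l only locks the password; chage -E 0 (from the man page quoted
    # above) expires the account so key-based logins as pi stop as well.
    sudo passwd -l "$OLDUSER"
    sudo chage -E 0 "$OLDUSER"
}

if [ "${1-}" = "--apply" ] && [ -n "${2-}" ]; then
    apply_migration "$2"
fi
```

Reboot and confirm the new login and passwordless sudo work, exactly as in the manual steps, before running `userdel pi`.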

Install Fail2ban


MuhUser@MuhPi:~$ sudo apt-get install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  python-gamin mailx
The following NEW packages will be installed:
  fail2ban
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 165 kB of archives.
After this operation, 577 kB of additional disk space will be used.
Get:1 http://mirrordirector.raspbian.org/raspbian/ jessie/main fail2ban all 0.8.13-1 [165 kB]
Fetched 165 kB in 0s (227 kB/s)
Selecting previously unselected package fail2ban.
(Reading database ... 112370 files and directories currently installed.)
Preparing to unpack .../fail2ban_0.8.13-1_all.deb ...
Unpacking fail2ban (0.8.13-1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u6) ...
Setting up fail2ban (0.8.13-1) ...
Processing triggers for systemd (215-17+deb8u6) ...

Configure Fail2ban


MuhUser@MuhPi:~$ sudo vi /etc/fail2ban/jail.local

Change the ssh section to look like this:


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3

With these settings, if a user fails login 3 times from the same host then that host will be banned from attempting to log in again for 15 minutes (900 seconds). Notice that this means that a distributed attack involving multiple hosts, or a single host that spaces its attempts out beyond the findtime window, could still try to brute force a login, but it would be much more difficult. You can configure SSH keys to help with this issue.
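To see how findtime and maxretry interact, here is an added example (not fail2ban's code and not from the original post) that replays the jail settings above over constructed auth.log lines and reports which source hosts would be banned. It assumes the Debian sshd "Failed password for ... from IP" log format and, to stay short, only converts the HH:MM:SS part of each timestamp, so the sample lines must fall on one day; it also shows the slow-attacker case that the settings above do not catch.

```shell
#!/bin/sh
# Added example, not fail2ban's own code: replay the [ssh] jail settings above
# (findtime, maxretry) over constructed auth.log lines to see who gets banned.
set -eu

# Constructed sample log (not a real capture), in time order, all on one day.
SAMPLE_LOG='Jan  5 10:00:01 MuhPi sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan  5 10:01:00 MuhPi sshd[2002]: Failed password for pi from 198.51.100.9 port 40010 ssh2
Jan  5 10:03:10 MuhPi sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan  5 10:05:00 MuhPi sshd[2004]: Accepted publickey for MuhUser from 192.0.2.7 port 40020 ssh2
Jan  5 10:07:45 MuhPi sshd[2005]: Failed password for MuhUser from 203.0.113.5 port 40003 ssh2
Jan  5 10:10:00 MuhPi sshd[2006]: Failed password for pi from 192.0.2.50 port 40030 ssh2
Jan  5 10:11:00 MuhPi sshd[2007]: Failed password for pi from 192.0.2.50 port 40031 ssh2
Jan  5 10:20:00 MuhPi sshd[2008]: Failed password for pi from 198.51.100.9 port 40011 ssh2
Jan  5 10:40:00 MuhPi sshd[2009]: Failed password for pi from 198.51.100.9 port 40012 ssh2
Jan  5 10:41:00 MuhPi sshd[2010]: Failed password for root from 203.0.113.5 port 40004 ssh2'

# banned_hosts FINDTIME MAXRETRY  (log on stdin) -> banned IPs, one per line,
# in the order they cross the threshold. A host is banned once MAXRETRY failed
# passwords fall inside a sliding FINDTIME-second window, which is how the
# jail above reads: 3 failures inside 900 s.
banned_hosts() {
    awk -v findtime="$1" -v maxretry="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip in banned) next      # iptables would already be dropping this host
        # drop failures older than findtime, then record this one
        n = 0
        for (j = 1; j <= cnt[ip]; j++)
            if (now - ts[ip, j] <= findtime) { n++; ts[ip, n] = ts[ip, j] }
        cnt[ip] = n + 1; ts[ip, cnt[ip]] = now
        if (cnt[ip] >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# With the settings from the post only the fast attacker is banned; the host
# spacing its guesses 19 minutes apart never has 3 failures inside the window.
printf '%s\n' "$SAMPLE_LOG" | banned_hosts 900 3
```

Run the same function with a larger findtime (3600) and the slow host is caught too; with maxretry 2 the two-attempt host is banned as well, which is the trade-off the numbers in jail.local set.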

Restart the service so the new settings take effect:


MuhUser@MuhPi:~$ sudo service fail2ban restart

Failed login attempts are written to the log at /var/log/fail2ban.log.