Recounting Recent: Hardening the Raspberry Pi

Adding an ‘ssh’ file to a fresh flash on Raspbian enables Secure Socket Shell on its first boot. This ‘headless’ control over the network doesn’t need a mouse, keyboard or monitor and lets us use a light weight operating system.

The defaults on Raspbian are username: pi and password: raspberry, it’s a good idea to change these.

To SSH into our pi we need to know the IP address. Logging into your router and checking the devices list is an easy way to do so. It can often be reached by browsing to page:

If you haven’t changed your routers login credentials I strongly suggest that you do so. The defaults can be found located on your router or online.

The IP address of the pi can also be determined using nmap to scan the subnet set to -T4 for greatest speed:

nmap -sV -T4

Once we know our pi’s IP address we can connect to it via ssh. On windows we may need to install a client to do this, PuTTY.exe is the most commonly used. On Mac or Linux devices SSH clients are installed by default and should run out the box from command line with:

ssh [email protected]

Of course substituting whatever our pi’s IP address actually is. We will then be prompted for a password which is ‘raspberry’ by default. We can then use the command ‘passwd’ to change the password for our default user pi.

I prefer to set my own password for the root account and then relock root as well as disallowing remote root login unless I need it for something. To do so:

sudo passwd root

By default the pi account has passwordless sudo, we can change this by editing the file /etc/sudoers.d/010_pi-nopasswd to be ‘pi ALL=(ALL) PASSWD: ALL’

sudo nano /etc/sudoers.d/010_pi-nopasswd


cntl + x, y, enter

Since we’re running the pi headlessly we can use the command ‘sudo raspi-config’ to change the host name, change the memory split to the gpu to 16, verify/change our locality, enable predictable network names and a bunch more.

It’s a good idea to create a new user and lock user pi although changing to ssh key based authentication is secure regardless. Just to note deleting user pi rather than locking it can cause some issues. If creating a new user it will need to be added to groups:

sudo adduser new-user-name-here

sudo usermod -aG groups-here-seperated-by-commas,sudo,adm new-user-name-here

Then logout of pi into the new user, lock pi, lock root.

sudo passwd -l pi

sudo passwd -l root

For ssh key authentication we need to generate keys if we haven’t before. We can do so on our machine(not ssh’d into the pi) with the following command (for a 4096 bit key):

ssh-keygen -t rsa -b 4096

Then we can add them to the pi with:

ssh-copy-id -i ~/.ssh/ [email protected]

Disabling password based access to the raspberry prevents anyone without the key from being able to connect. To do so edit /etc/ssh/sshd_config and make sure the password authentication line reads PasswordAuthentication no.

sudo nano /etc/ssh/sshd_config

We can then reboot the pi to make sure all our changes take effect with ‘sudo reboot’