Secures a Raspberry Pi ssh connection from most attacks using UFW, fail2ban and public key auth.
Usually inbound SSH connections to the Pi would be blocked by your router firewall. If not, the RPi could be hacked within minutes of connecting! To avoid this, at least change the default password of the pi user using:
passwd
Additional steps would be to change the username as well, change the SSH port, etc. This is mainly important during setup. Once public key auth is set up (along with ufw rate limits and fail2ban to block repeat offenders) the Pi should™ be secure.
On Windows, you need PuTTY, PuTTYgen and Pageant to manage the SSH keys. All can be found here.
- Burn the latest Raspbian Buster Lite onto an SD card.
- Download and run the install script using
wget https://raw.githubusercontent.com/cadamswaite/SecurePi/master/install.sh
sudo bash install.sh
- When the terminal outputs "SSH key generated. Please copy id_rsa to PC now", run the following in the Windows command prompt (CMD):
scp pi@<PI IP ADDRESS>:~/.ssh/id_rsa C:\Users\<UserName>\Desktop\
- Import the key into PuTTYgen
- Export the private key as a .ppk
- Open the .ppk with Pageant
- Initiate a PuTTY connection to the Pi. This should not require a password.
- Press enter in the Pi terminal. This disables password entry, allowing for public key auth only.
- At this point, the Pi should be protected from most attacks.
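
One way to confirm that the last step really left sshd accepting public keys only, as an added example that is not part of the SecurePi install script. The function name `audit_sshd_config` is hypothetical and the sample lines are constructed; on the Pi, pipe the real effective configuration into it with `sudo sshd -T | audit_sshd_config`.

```shell
#!/bin/sh
# Added example: check that sshd accepts public keys only.

# Reads "keyword value" lines (the lowercase format `sshd -T` prints) on stdin.
# Exits 0 when only public key logins are possible, 1 otherwise.
# The body runs in a subshell, so its variables do not leak to the caller.
audit_sshd_config() (
    rc=0 seen_password=0 seen_pubkey=0
    while read -r key value; do
        case "$key" in
            passwordauthentication)
                seen_password=1
                [ "$value" = "no" ] || { echo "FAIL: password logins still enabled"; rc=1; } ;;
            pubkeyauthentication)
                seen_pubkey=1
                [ "$value" = "yes" ] || { echo "FAIL: public key auth is disabled"; rc=1; } ;;
            kbdinteractiveauthentication|challengeresponseauthentication)
                # Keyboard-interactive auth can still prompt for a password via PAM.
                [ "$value" = "no" ] || { echo "FAIL: $key is $value"; rc=1; } ;;
            permitemptypasswords)
                [ "$value" = "no" ] || { echo "FAIL: empty passwords are permitted"; rc=1; } ;;
        esac
    done
    # A missing keyword means the input was not a complete `sshd -T` dump.
    [ "$seen_password" -eq 1 ] || { echo "FAIL: passwordauthentication not reported"; rc=1; }
    [ "$seen_pubkey" -eq 1 ] || { echo "FAIL: pubkeyauthentication not reported"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key-only SSH login"
    exit "$rc"
)

# Constructed sample input (not captured from a real Pi).
SAMPLE_BEFORE='passwordauthentication yes
pubkeyauthentication yes
challengeresponseauthentication no
permitemptypasswords no'
SAMPLE_AFTER='passwordauthentication no
pubkeyauthentication yes
challengeresponseauthentication no
permitemptypasswords no'

echo "Before the final step:"
printf '%s\n' "$SAMPLE_BEFORE" | audit_sshd_config || true
echo "After the final step:"
printf '%s\n' "$SAMPLE_AFTER" | audit_sshd_config
```

Run the check from a second session before closing the one used for setup, so a misconfiguration can still be corrected.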