Securing your Pi
Your PI is a computer as any other, so it does deserve a decent security configuration. There are really no exceptions - whether you use a PI on your home network or exposed to the Internet, it is always a good idea to follow your security rules as with any other PC or device.
This recipe describes the basic security configuration of your Raspberry Pi (or any other Debian system) which should be done as soon as you install your base system. Seriously - first thing to do, even before expanding your system and adding other goodies.
We will cover basic security settings for access with username / password. You might want to take the next step later - disabling username / password access completely and using SSH keys instead. This is described elsewhere.
Learning how to secure your Pi is making you a guru in this on other Linux systems as well.
Changing the default password
to get here, follow the recipe of Installing Raspbian to SD card. That's basically all you need to start securing your Raspberry Pi. Once booted for the first time, follow this tutorial and Raspbian first configuration tutorial. Note that this guide applies to Raspbian, Raspbian Lite and Debian installations
As you know, your PI comes out of the box (if you install Raspbian) with the following credentials set:
username = pi password = raspberry
The first thing to do after flashing your Raspberry Pi is to change the default password. Now you will probably in later steps remove the pi user completely, but this step is still important. You can cange the password directly from the configuration utility, so why not use that? You have of course always the standard Linux command choice as well, by using the command passwd when logged in as pi (doesn't require sudo). However as said, we will use the configuration utility instead.
- launch the configuration utility immediately after you have logged in for the first time
- Select the option Change User Password and follow the instructions onscreen
Change the default Username
Having a decent password as described in the previous step is already a good thing. Obviously, the potential intruder will assume you have left the pi user on the device and has half of the problem of hacking into your device solved. So we should change to pi username to something else. This section describes how to do this.
NOTE: Deleting the pi account right now is dangerous, we will make sure we get all the correct permissions elsewhere before doing so. We will achieve this by creating a new superuser account, testing it and only then deleting pi. The
- create a new superuser account
sudo useradd -m <myNewSuperuserName> -G sudo
the -m option creates a home directory for the user, the -G sudo option then adds the user to the sudo group. Our pi user is already in that group.
- set the password for your new superuser
sudo passwd <myNewSuperuserName>
Your new account now should have the same permissions as pi.
validate the permissions of your new superuser account: First logout and login again or simply reboot
to further validate the permissions, try running the below (if successful, continue with next step)
- [Delete user Option 1] delete the pi user: use this option to simply delete the user but leave the home directory intact (/home/pi). If you want to delete the user together with the home directory, skip to Option 2 below
sudo deluser pi
- [Delete user Option 2] delete the pi user: use this option to delete the user together with the home directory (/home/pi)
sudo deluser -remove-home pi
you will recieve a warning: 'Warning: group 'pi' has no more members.' - this is quite OK. If you wish you can tweak the group settings as well. This is not covered in this section. If you have been working with the Raspberry Pi for some time using the default settings, you will notice a slight differece between entering passwords with your new superuser account instead of the pi account. This is caused by the settings for group pi and you can tweak this feature by running sudo visudo again.