This is a practical, opinionated security checklist for Raspberry Pi systems—especially headless, always-on, or internet-exposed devices. It focuses on realistic threats and low-maintenance defenses.
You do not need enterprise security.
You do need discipline and defaults that protect you when you forget.
Security Philosophy (Read This First)
Raspberry Pi security is about reducing attack surface, not achieving perfection.
Most compromises happen because of:
- Default credentials
- Exposed services
- Unpatched systems
- Blind trust in the local network
Your goal is to make your Pi:
- Uninteresting to attackers
- Hard to misuse accidentally
- Recoverable if compromised
1. Accounts & Authentication (Highest Priority)
Change Default Passwords
passwd
Never leave defaults. Ever.
Create a Non-Default User
sudo adduser youruser
sudo usermod -aG sudo youruser
Then log in as that user and stop using the default pi account for admin work.
Disable Root Login via SSH
Edit:
sudo nano /etc/ssh/sshd_config
Ensure:
PermitRootLogin no
Restart SSH:
sudo systemctl restart ssh
Use SSH Keys (Not Passwords)
On your client:
ssh-keygen
ssh-copy-id youruser@pi
Then, once key login works, disable password auth in /etc/ssh/sshd_config and restart SSH:
PasswordAuthentication no
2. SSH Hardening (Critical for Headless Pis)
Restrict SSH Users
In /etc/ssh/sshd_config:
AllowUsers youruser
Change SSH Port (Optional, Noise Reduction)
Port 2222
This does not replace real security—but reduces bot noise.
Enable Idle Disconnects
ClientAliveInterval 300
ClientAliveCountMax 2
Test Before Logging Out
Always keep one session open when editing SSH config.
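The settings from sections 1 and 2 are easy to get half-right by hand: a commented-out default left above your new line wins (sshd uses the first occurrence of a keyword), and turning passwords off before a key is on file locks you out. The script below is an added example, not part of the original checklist, that applies those settings to a copy of sshd_config, refuses to disable passwords when the authorized_keys file is empty, and only touches the live system when the SSHD_HARDEN_APPLY variable (an assumption of this example) is set. The helper names are this example's own; the sample config it rewrites is constructed.

```shell
#!/bin/sh
# Added example (not from the original checklist): apply the sshd_config settings
# from sections 1 and 2 idempotently, refuse to turn passwords off without a key
# on file, and syntax-check the result before sshd is restarted.
# Assumptions (not on the page): the SSHD_HARDEN_APPLY variable that gates the
# live run and the helper function names. Match blocks are not handled.

# Set KEY to VALUE in FILE: replace an existing (possibly commented-out) line,
# otherwise append. sshd uses the first occurrence of a keyword, so a stray
# earlier line left in place would silently override the new one.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Print the effective value of KEY in FILE (first match wins, as in sshd).
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) && !found { v = $2; found = 1 } END { print v }' "$1"
}

# Apply the checklist settings. Passwords are only disabled when the admin
# user's authorized_keys file ($3) is non-empty; otherwise report and fail.
harden_sshd() {
  cfg=$1; user=$2; keys=$3
  set_sshd_option "$cfg" PermitRootLogin no
  set_sshd_option "$cfg" AllowUsers "$user"
  set_sshd_option "$cfg" ClientAliveInterval 300
  set_sshd_option "$cfg" ClientAliveCountMax 2
  if [ -s "$keys" ]; then
    set_sshd_option "$cfg" PasswordAuthentication no
  else
    echo "no keys in $keys: leaving PasswordAuthentication unchanged" >&2
    return 1
  fi
}

# Let sshd itself syntax-check the file before it is restarted.
validate_sshd_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  fi
}

# Constructed sample standing in for a fresh sshd_config.
write_sample_config() {
  cat > "$1" <<'EOF'
# sample sshd_config (constructed for this example)
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
#ClientAliveInterval 0
EOF
}

# The live run is opt-in; everything else only touches temporary files.
if [ "${SSHD_HARDEN_APPLY:-0}" = 1 ]; then
  harden_sshd /etc/ssh/sshd_config "$1" "/home/$1/.ssh/authorized_keys" \
    && validate_sshd_config /etc/ssh/sshd_config \
    && systemctl restart ssh
else
  tmp=$(mktemp); keys=$(mktemp)
  echo "ssh-ed25519 AAAA... constructed@example" > "$keys"
  write_sample_config "$tmp"
  harden_sshd "$tmp" youruser "$keys"
  cat "$tmp"
  rm -f "$tmp" "$keys"
fi
```

Run it with no arguments to see the rewritten sample; run `SSHD_HARDEN_APPLY=1 sh harden-ssh.sh youruser` from a session you keep open, and reconnect in a second terminal before closing the first.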
3. System Updates & Patch Discipline
Enable Unattended Security Updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
Verify:
systemctl status unattended-upgrades
Manual Update Habit (Weekly)
sudo apt update && sudo apt upgrade
Security patches are not optional.
4. Firewall (Simple, Effective)
Use UFW (Uncomplicated Firewall)
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
Allow SSH:
sudo ufw allow 2222/tcp # or 22 if unchanged
Enable:
sudo ufw enable
sudo ufw status verbose
Only Open What You Need
If you didn’t explicitly allow it, it shouldn’t be reachable.
5. Services & Attack Surface Reduction
Disable Unused Services
List enabled services:
systemctl list-unit-files --type=service | grep enabled
Disable what you don’t need:
sudo systemctl disable bluetooth
sudo systemctl disable avahi-daemon
(Only if unused—know what you disable.)
Remove Unused Packages
sudo apt autoremove
Less software = fewer vulnerabilities.
6. File Permissions & Sudo Discipline
Use sudo Sparingly
- Don’t run entire shells as root
- Don’t chmod 777 “to make it work”
Protect Critical Files
ls -l /etc /usr/local/bin
Scripts should not be writable by everyone.
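Reading `ls -l` output by eye does not scale past a handful of files. The function below is an added example, not from the original checklist, that lists files anyone can modify under the given directories, plus world-writable directories that lack the sticky bit (the sticky bit is what makes a shared directory such as /tmp acceptable). Function names are this example's own; the directory tree it demonstrates on is constructed.

```shell
#!/bin/sh
# Added example (not from the original checklist): find world-writable files
# and non-sticky world-writable directories. Function names are the example's own.

# Print world-writable regular files and world-writable directories without
# the sticky bit beneath each directory argument. Symlinks are not followed,
# so a link into /tmp does not trigger a false report.
world_writable() {
  find "$@" \( -type f -perm -0002 \) -o \( -type d -perm -0002 ! -perm -1000 \) 2>/dev/null
}

# The same check for the two locations the checklist names.
audit_checklist_paths() {
  world_writable /etc /usr/local/bin
}

# Self-contained demo on a constructed directory tree.
demo=$(mktemp -d)
mkdir "$demo/bin" "$demo/shared"
printf '#!/bin/sh\necho hi\n' > "$demo/bin/ok.sh";  chmod 755 "$demo/bin/ok.sh"
printf '#!/bin/sh\necho hi\n' > "$demo/bin/bad.sh"; chmod 777 "$demo/bin/bad.sh"
chmod 1777 "$demo/shared"      # sticky bit set: shared directories like /tmp are fine
world_writable "$demo"         # prints only .../bin/bad.sh
rm -rf "$demo"
```

Anything it prints under /usr/local/bin is a script that any local account, or any compromised service, can rewrite and have run with whatever privileges the caller has.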
Avoid Running Services as Root
In systemd units:
User=youruser
Root should be the exception, not the default.
7. Network Exposure Awareness
Know What’s Listening
ss -tuln
If you don’t recognize it, investigate it.
Check External Exposure (From Another Machine)
nmap pi_ip_address
Nothing unexpected should be open.
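"If you don't recognize it, investigate it" works better as a diff against a written-down allowlist than as a memory exercise. The function below is an added example, not from the original checklist, that takes `ss -tuln` output and prints every listener not on an allowlist of proto/port pairs, skipping sockets bound only to loopback since those are not reachable from the network. The allowlist format and function names are this example's own; the `ss` output it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the original checklist): compare the listeners reported
# by `ss -tuln` against an allowlist and print anything not on it. The allowlist
# format "proto/port" and the function names are this example's own choices.

# Read `ss -tuln` output on stdin; $1 is a space-separated allowlist such as
# "tcp/2222 udp/5353". Loopback-only sockets are skipped: they are not reachable
# from the network, which is the question this check answers.
unexpected_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                         # column header
    {
      addr = $5                              # Local Address:Port
      port = addr; sub(/.*:/, "", port)      # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)  # everything before it
      if (host == "127.0.0.1" || host == "[::1]") next
      key = $1 "/" port
      if (!(key in ok)) print key, addr
    }'
}

# Constructed sample, shaped like `ss -tuln` on a Pi with SSH moved to 2222.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:2222       0.0.0.0:*
tcp   LISTEN 0      128             [::]:2222          [::]:*
tcp   LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:8080       0.0.0.0:*'

# Live check on the Pi itself (ss is Linux-only, so it is not called at load time).
check_live_listeners() {
  ss -tuln | unexpected_listeners "$1"
}

printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "tcp/2222"
# prints: udp/5353 0.0.0.0:5353  and  tcp/8080 0.0.0.0:8080
```

Keep the allowlist in the same Git repository as your configs; the output of `check_live_listeners "tcp/2222"` should be empty, and any line it prints is either a new service you forgot to write down or something that should not be there.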
8. Logging & Detection
Keep Logs Persistent
Ensure journald persists logs:
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald
Review Logs Occasionally
journalctl -p err -b
Errors should never surprise you.
Watch for Authentication Abuse
journalctl -u ssh | grep Failed
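`grep Failed` shows the raw lines; what you actually want to know is which addresses are hammering the box and how hard. Note also that once PasswordAuthentication is off there are no "Failed password" lines at all: a rejected attempt then shows up as "Connection closed by authenticating user ... [preauth]" (or "invalid user"). The function below is an added example, not from the original checklist, that counts both patterns per source address and reports addresses over a threshold. Function names are this example's own; the log lines are constructed, using TEST-NET addresses rather than real hosts.

```shell
#!/bin/sh
# Added example (not from the original checklist): summarise SSH authentication
# failures per source address from `journalctl -u ssh` output. Function and
# variable names are this example's own; the log lines are constructed.

# Read sshd log lines on stdin, print "count ip" for every address with at least
# $1 failures, busiest first. Two patterns are counted: "Failed password for"
# (password auth still on) and "Connection closed by ... user ... [preauth]",
# which is what an unsuccessful attempt looks like once only keys are accepted.
failed_auth_by_ip() {
  awk -v t="$1" '
    /Failed password for|Connection closed by (invalid|authenticating) user/ {
      # the source address is the token just before "port"
      for (i = 2; i <= NF; i++) if ($i == "port") { n[$(i - 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' | sort -rn
}

# Constructed sample in journalctl -u ssh format (TEST-NET addresses, not real hosts).
SAMPLE_LOG='Jan 12 03:14:07 pi sshd[1234]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan 12 03:14:09 pi sshd[1234]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jan 12 03:14:12 pi sshd[1238]: Failed password for youruser from 198.51.100.7 port 40022 ssh2
Jan 12 03:15:00 pi sshd[1240]: Accepted publickey for youruser from 192.168.1.20 port 50100 ssh2: ED25519 SHA256:constructed
Jan 12 03:15:30 pi sshd[1241]: Failed password for invalid user pi from 203.0.113.45 port 51300 ssh2
Jan 12 03:16:02 pi sshd[1243]: Connection closed by authenticating user root 203.0.113.45 port 51310 [preauth]'

# Live use on a Pi: current boot only, same threshold semantics.
report_live() {
  journalctl -u ssh -b --no-pager | failed_auth_by_ip "$1"
}

printf '%s\n' "$SAMPLE_LOG" | failed_auth_by_ip 3
# prints: 4 203.0.113.45
```

The successful key login from the LAN address is deliberately in the sample and is not counted; a single failure from an address you recognise is usually a typo, while dozens from one unknown address is exactly the traffic fail2ban (section 9) exists to block.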
9. Fail2ban (Optional but Strong)
Install and Enable
sudo apt install fail2ban
sudo systemctl enable --now fail2ban
This blocks brute-force attempts automatically.
Check status:
sudo fail2ban-client status
10. SD Card & Physical Security
Encrypt Sensitive Data (If Needed)
Use encrypted containers for credentials or keys.
Treat SD Cards as Disposable
Security includes data survivability:
- Backups off-device
- Git for scripts/configs
Physical Access = Full Access
If someone can remove the SD card, they own the system. Plan accordingly.
11. Backups as a Security Measure
Security failures include:
- Ransomware
- Accidental deletion
- SD card failure
Backups are non-negotiable.
Minimum standard:
- Configs + scripts in Git
- Data rsynced off-device
- Periodic SD card image
12. “Before Internet Exposure” Checklist
Before port-forwarding or cloud exposure:
- SSH keys only
- Firewall enabled
- Unused services disabled
- Logs persistent
- Backups tested
- Power supply stable
If any box is unchecked—do not expose it.
13. Security Anti-Patterns (Avoid These)
❌ Running everything as root
❌ Exposing SSH with passwords
❌ “It’s just on my LAN” thinking
❌ Ignoring logs
❌ No backups
❌ Disabling security to “fix” things
The Power User Security Mindset
Security is not paranoia. It is removing unnecessary trust.
A secure Raspberry Pi:
- Does less
- Exposes less
- Logs more
- Recovers quickly
