| layout | title | nav_order |
|---|---|---|
| default | Security | 21 |
We make sure that your RaspiBolt is secure and reliable.
The Pi will be visible from the internet and therefore needs to be secured against attacks. A firewall controls what traffic is permitted and closes possible security holes. Only SSH and the Electrum server are reachable from the outside. Bitcoin Core and LND are using Tor and don't need incoming ports.
The following steps need admin privileges and must be executed with the user "admin".
$ sudo apt install ufw
$ sudo su
$ ufw default deny incoming
$ ufw default allow outgoing
$ ufw allow 22 comment 'allow SSH'
$ ufw allow 50002 comment 'allow Electrum SSL'
$ ufw enable
$ systemctl enable ufw
$ ufw status
> Status: active
>
> To Action From
> -- ------ ----
> 22 ALLOW Anywhere # allow SSH
> 50002 ALLOW Anywhere # allow Electrum SSL
> ...
$ exit
🔍 more: UFW Essentials
💡 If you find yourself locked out by mistake, you can connect a keyboard and screen to your Pi to log in locally and fix these settings (especially for the SSH port 22).
The SSH login to the Pi must be especially protected. Additional steps should be taken to prevent an attacker from simply trying out all possible passwords.
The first measure is to install “fail2ban”, a service that cuts off any system with five failed login attempts for ten minutes. This makes a brute-force attack unfeasible, as it would simply take too long.
Me locking myself out by entering wrong passwords
$ sudo apt install fail2ban
The initial configuration should be fine as it is enabled for SSH by default.
🔍 more: customize fail2ban configuration
One of the best options to secure the SSH login is to completely disable the password login and require an SSH key certificate. Only someone with physical possession of the private key can log in.
Follow this guide: Configure “No Password SSH Keys Authentication” with PuTTY on Linux Servers
- In the Terminal on your regular computer, check if there are already existing private / public keys:

  $ ls -la ~/.ssh/*.pub

- If files are listed, your public key should be named something like `id_dsa.pub`, `id_ecdsa.pub`, `id_ed25519.pub` or `id_rsa.pub`. If one of these files exists, skip the next bullet point.

- If none of those files exist, or you get a `No such file or directory`, create a new key pair:

  $ ssh-keygen -t rsa -b 4096

  When you're prompted to "Enter a file in which to save the key," press Enter to use the default file location. Optionally, for maximum security, use `password [A]` to protect your key.

- The public key now needs to be copied to the Pi. From your regular computer, create the `.ssh` directory on the Raspberry Pi, copy your public key and set the correct file permissions.

  - use your proper hostname instead of `raspibolt.local`, or use the IP address
  - use the correct filename of your public key instead of `id_rsa.pub`

  $ ssh admin@raspibolt.local 'mkdir -p ~/.ssh'
  $ cat ~/.ssh/id_rsa.pub | ssh admin@raspibolt.local 'cat >> ~/.ssh/authorized_keys && chmod -R 700 ~/.ssh/'

- Log in to the Raspberry Pi with SSH as "admin" with your SSH key. You shouldn't be prompted for admin's password anymore.

- Edit ssh configuration by setting "ChallengeResponseAuthentication" and "PasswordAuthentication" to "no" (uncomment the line by removing # if necessary). Save and exit.

  $ sudo nano /etc/ssh/sshd_config

- Restart the SSH daemon, then exit and log in again.

  $ sudo systemctl restart sshd
  $ exit
You can no longer log in with "pi" or "bitcoin", only "admin" has the necessary SSH keys.
🚨 Back up your SSH keys! You will need to attach a screen and keyboard to your Pi if you lose them.
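The following check is an added example, not part of the original guide: it reads an sshd_config-style file and reports whether "PasswordAuthentication" and "ChallengeResponseAuthentication" are both explicitly "no" in the global section, catching the case where a line was left commented out. The function names and the sample file are constructed for illustration, and files pulled in with `Include` are not followed.

```sh
#!/bin/sh
# Added example, not from the guide: check an sshd_config-style file for the
# two settings changed above. Function names and sample data are constructed.

# effective_value FILE KEYWORD
# Print the value from FILE's global section. sshd uses the first uncommented
# occurrence of a keyword, keywords are case-insensitive, and everything after
# a "Match" line is conditional, so scanning stops there.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # commented-out or blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)            # "Keyword value" or "Keyword=value"
            if (tolower(f[1]) == "match") exit
            if (tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# password_login_disabled FILE
# Return 0 only if both settings are explicitly "no". A missing or still
# commented line fails, because sshd then uses its built-in default.
password_login_disabled() {
    rc=0
    for key in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "ok:   $key no"
        else
            echo "FAIL: $key is '${val:-not set}'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: PasswordAuthentication is still commented out, and the
# later "no" sits inside a Match block, so it is not the global setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes
Match User bitcoin
    PasswordAuthentication no
EOF
password_login_disabled "$sample" || echo "=> password login is still possible"
rm -f "$sample"
```

On the Pi itself, `sudo sshd -T` prints the configuration the daemon actually resolves, which also covers included files.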
In case your RaspiBolt is swamped with internet requests (honest or malicious due to a DDoS attack), you will quickly encounter the `can't accept connection: too many open files` error.
This is due to a limit on open files (representing individual TCP connections) that is set too low.
Edit the following three files, add the additional line(s) right before the end comment, save and exit.
$ sudo nano /etc/security/limits.conf
* soft nofile 128000
* hard nofile 128000
root soft nofile 128000
root hard nofile 128000
$ sudo nano /etc/pam.d/common-session
session required pam_limits.so
$ sudo nano /etc/pam.d/common-session-noninteractive
session required pam_limits.so