Raspberry Pi: The Little Device That Helped Secure My Life

Image credit: raspberrypi.org

Disclaimer

This is my first blog post on Medium. I’ve found some excellent security bloggers on this platform and I do not claim to be a expert in this subject. The purpose of this blog is to potentially educate others on security and privacy practices, but it is also a field that I’m junior in and am still learning myself.

This blog also assumes that you know your way around a *nix operating system. If you don’t, I would recommend that you check out a resource such as this. Please feel free to comment/critique any of my work. Now that that’s out of the way…

What is This Magical Dessert?

By now, most people in the tech industry have likely either used or at least heard of the Raspberry Pi. It’s a device of many uses, some of which being learning robotics, teaching children to code, and powering IoT devices. When I received one of these as a gift last holiday season, I wasn’t quite sure what I was going to do with it. Little did I know it would soon become one of my favorite devices in the home!

This little device, powered by Linux, can really do just about anything and only costs $35. It can be a general purpose computer, power a personal web server, act as a streaming media center for your home, and much more. Being a recent InfoSec graduate, I decided to use it to study cryptography. Namely, I turned it into a personal VPN server.

This setup wasn’t easy, but it certainly did teach me quite a bit about Linux crypto and working more with the command line. I used an open-source software called OpenVPN which is an SSL-based VPN solution. SSL is the same technology that is used to secure web sites like Medium. The certificates agree upon cryptographic parameters based on client and server preferences. Once an agreement is made, all traffic between the two peers is encrypted, integrity-checked, and authenticated.

After the VPN server was set up, I decided to play around more with Linux crypto and learn how to really lock down access to my machine. When you’re a paranoid security-minded individual, it’s insanely fun to lock down and then try to break your own implementations in any way possible.

If anyone wants more details on the specifics of setting up the VPN server, feel free to respond to this post. I will consider posting an additional tutorial regarding the more granular details in the future.

Lock It Up and Throw Away the Key

Remote access to a server is important to any aspiring engineer. It ensures you can access the server from anywhere to troubleshoot issues that arise. SSH (secure shell) is a remote access program available for Linux that is pretty simple to set up and gives you a secure connection to your server that Internet Service Providers and any other Men-in-the-Middle can’t sniff useful/personal data from.

SSH offers a feature that generates key parameters for each client that needs to connect to the server. OpenSSH uses RSA certificates, which are one of the most cryptograhpically-secure algorithms we utilize today. RSA is used to generate a public/private key pair. The private key can only be known by the client, while the public key can be known by anyone. As long as the private key is kept secure, no unauthorized user can authenticate themselves on the server.

Generating public/private RSA key pair. The “-b 4096” switch forces the program to create a 4096-bit key. By default, the program creates a 2048-bit key which currently is still considered quite secure. I’m just paranoid ;)
Visual representation courtesy of keycdn.com

An RSA key is generated using a mathematical algorithm. In turn, the algorithm spits out a bunch of random bits and separates them into two keys. The public key gets installed on the server, while the private key gets hidden in a secure directory on the client of your choosing.

Secure SSH directory on my MacBook

After generating the keys, I highly recommend that you also encrypt your private key. This will increase the overall security of your key by adding a passphrase before its use, also encrypting it with a strong algorithm. This means that even if a malicious entity was able to gain access to the key, they would still have to brute force their way through the encryption. See the syntax using OpenSSL encryption below.

After inputting this command, you will be prompted to enter a passphrase to encrypt the private key

As a final security measure, ensure that your .ssh directory is only readable by you. You can accomplish this by running the following chmod command. I recommend reading the man page for chmod if you’re unfamiliar, because it’s an invaluable tool for access control on POSIX systems.

This command recursively ensures your .ssh folder is only read/write/executable by you

Best practice is that you generate a new public/private key pair for each separate client device, but this is entirely up to you. After generating the keys, it’s time to securely copy your public key(s) to the correct directory on the server (/home/user/.ssh/authorized_keys).

This is the fun part! SFTP is a command line utility that allows you to securely transfer files using the SSH protocol. This will allow you to transfer your files between the client and server without worrying about a Man-in-the-Middle listening in on your conversation. Initiate the session with the following commands:

These commands will upload the file to your server. I don’t really care if you know my generic username@DNS here. If you don’t have a DNS entry for your server, just use the IP address

After this, just log into your server using SSH and move the public key to the correct directory. Afterwords, disable plaintext passwords and you’re pretty damn secure:

Enter your user password
Append your public SSH key to the directory
Remove the public key from your home directory
Use your favorite file editor to open up the SSHd config file. Make fun of me if you will, but I like nano :)
Change this option to no
Restart the SSH daemon. Try logging in again without passing your private key. It won’t work!

Conclusion

I hope that this basic tutorial was helpful for locking down your Linux server! This obviously does not only apply to Raspberry Pi; this was just my personal experience. If anyone reading this has any further tips/tricks, please feel free to comment below. I plan to make additonal tutoritals in the future.

Show your support

Clapping shows how much you appreciated Jimmy Clem’s story.