Link

Security

We make sure that your RaspiBolt is secure and reliable.


Table of contents

  1. Enabling the Uncomplicated Firewall
  2. fail2ban
  3. Login with SSH keys
    1. Generate keys on Windows
    2. Generate keys on Mac / Linux
    3. Disable password login
  4. Increase your open files limit

Enabling the Uncomplicated Firewall

The Pi will be visible from the internet and therefore needs to be secured against attacks. A firewall controls what traffic is permitted and closes possible security holes. Only SSH and the Electrum server are reachable from the outside. Bitcoin Core and LND are using Tor and don’t need incoming ports.

The following steps need admin privileges and must be executed with the user “admin”.

$ sudo apt install ufw
$ sudo su
$ ufw default deny incoming
$ ufw default allow outgoing
$ ufw allow 22    comment 'allow SSH'
$ ufw allow 50002 comment 'allow Electrum SSL'
$ ufw enable
$ systemctl enable ufw
$ ufw status
> Status: active
>
> To                         Action      From
> --                         ------      ----
> 22                         ALLOW       Anywhere                   # allow SSH
> 50002                      ALLOW       Anywhere                   # allow Electrum SSL
> ...
$ exit

🔍 more: UFW Essentials

💡 If you find yourself locked out by mistake, you can connect keyboard and screen to your Pi to log in locally and fix these settings (especially for the SSH port 22).


fail2ban

The SSH login to the Pi must be especially protected. Additional steps should be taken to prevent an attacker to just try out all possible passwords.

The first measure is to install “fail2ban”, a service that cuts off any system with five failed login attempts for ten minutes. This makes a brute-force attack unfeasible, as it would simply take too long.

fail2ban Me locking myself out by entering wrong passwords

$ sudo apt install fail2ban

The initial configuration should be fine as it is enabled for SSH by default.

🔍 more: customize fail2ban configuration


Login with SSH keys

One of the best options to secure the SSH login is to completely disable the password login and require a SSH key certificate. Only someone with physical possession of the private key can login.

Generate keys on Windows

Follow this guide Configure “No Password SSH Keys Authentication” with PuTTY on Linux Servers

  • You should have generated three new files. Keep them safe!

    SSH keys files

Generate keys on Mac / Linux

  • In the Terminal on your regular computer, check if there are already existing private / public keys:

    $ ls -la ~/.ssh/*.pub
    
  • If files are listed, your public key should be named something like id_dsa.pub, id_ecdsa.pub, id_ed25519.pub or id_rsa.pub. If one of these files exists, skip the next bullet point.

  • If none of those files exist, or you get a No such file or directory, create a new key pair:

    $ ssh-keygen -t rsa -b 4096
    

    When you’re prompted to “Enter a file in which to save the key,” press Enter to use the default file location. Optionally, for maximum security, use password [A] to protect your key.

  • The public key now needs to be copied to the Pi. From your regular computer, create the .ssh directory on the Raspberry Pi, copy your public key and set the correct file permissions.

    • use your proper hostname instead of raspibolt.local, or use the IP address
    • use the correct filename of your public key instead of id_rsa.pub
    $ ssh admin@raspibolt.local 'mkdir -p ~/.ssh'
    $ cat ~/.ssh/id_rsa.pub | ssh admin@raspibolt.local 'cat >> ~/.ssh/authorized_keys && chmod -R 700 ~/.ssh/'
    

Disable password login

  • Log in to the Raspberry Pi with SSH as “admin” with your SSH key. You shouldn’t be prompted for admin’s password anymore.

  • Edit ssh configuration by setting “ChallengeResponseAuthentication” and “PasswordAuthentication” to “no” (uncomment the line by removing # if necessary). Save and exit.

    $ sudo nano /etc/ssh/sshd_config
    
  • Restart the SSH daemon, then exit and log in again.

    $ sudo systemctl restart sshd
    $ exit
    

    You can no longer log in with “pi” or “bitcoin”, only “admin” has the necessary SSH keys.

🚨 Backup your SSH keys! You will need to attach a screen and keyboard to your Pi if you lose it.


Increase your open files limit

In case your RaspiBolt is swamped with internet requests (honest or malicious due to a DDoS attack), you will quickly encounter the can't accept connection: too many open files error. This is due to a limit on open files (representing individual tcp connections) that is set too low.

Edit the following three files, add the additional line(s) right before the end comment, save and exit.

$ sudo nano /etc/security/limits.conf
*    soft nofile 128000
*    hard nofile 128000
root soft nofile 128000
root hard nofile 128000
$ sudo nano /etc/pam.d/common-session
session required pam_limits.so
$ sudo nano /etc/pam.d/common-session-noninteractive
session required pam_limits.so

Next: Privacy »