Securing SSH and Disabling IPv6 on Raspbian Jessie Lite

There are many things you can do to secure both your SSH sessions and your Pis in general. Because of our already established security parameters, I am going to walk through what I think are the minimum security measures you should take.

  • Only allow certificate based SSH logon (via putty, puttygen, and pageant)
  • Disable the IPv6 protocol

Certificate Based Logon to SSH

We will be configuring certificate based logon using putty, puttygen, and pageant.  This enables two factor authentication (something you have (the certificate itself), and something you know (the passphrase to the certificate)).

  • Generate a key pair to use for authentication
    • Run PUTTYGEN.EXE
      • Make sure the key type is SSH-2 RSA (this is the most secure of the options)
      • Click Generate
      • Move your mouse in the key field (the utility will use the math associated with your mouse movements to generate a “random” key). Keep moving until the utility tells you to stop.
      • Enter a Key Passphrase and Confirm it in the utility
      • Save the public key locally.
      • Save the private key locally.
      • Close the utility.
  • Install the public key onto the Pi
    mkdir ~/.ssh
    chmod 700 ~/.ssh
    nano ~/.ssh/authorized_keys
    • Paste the text from the public key generated above into this file
    • Save the file and exit nano
    • Change the permissions on the file so group access is not allowed
      chmod 600 ~/.ssh/authorized_keys
  • Log out of the server
  • Configure SSH to only allow certificate based logons

    sudo nano /etc/ssh/sshd_config

    • set the following line in the file
      PasswordAuthentication no

    • save and exit nano ([ctrl+X],Y,[enter],[enter])
  • Configure putty to use your private key
    • Load the session saved for this server
    • Navigate to Connection>SSH>Auth
    • Click browse and locate your private key
    • save your session
  • Configure ssh agent (optional)
    • Create a shortcut in your windows startup group that points to pageant (one of the utilities that was in putty.zip)
    • As a parameter (within the shortcut) add the location of your private key
      • "C:\utilities\Putty\pageant.exe" "C:\Users\localusername\Documents\pikey.ppk" (for example)
    • run pageant using this shortcut
  • Logon using your newly saved session

Once the keys are generated (first bullet above), they can be reused on multiple servers if desired. In this case you would start with “Install the public key onto the Pi”.
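
A quick audit of the steps above, as an added example that is not part of the original post: it confirms that password logon is effectively off and that the key files have the modes set earlier. sshd uses the first value it finds for a keyword, so a PasswordAuthentication no line added below an existing yes line has no effect; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the key-only logon setup described above.
# Function names are hypothetical; the paths are passed in as arguments.

# Print the effective global value of an sshd_config keyword.
# sshd keeps the FIRST value it reads for a keyword, matches keywords
# case-insensitively, treats '#' lines as comments, and accepts
# "Keyword value" or "Keyword=value". Parsing stops at the first Match block.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE DEFAULT
    awk -v want="$1" -v def="$3" '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# Print the ls-style type and permission string, e.g. "drwx------".
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# Return 0 only if password logon is off and the key files are private.
audit_key_login() {  # usage: audit_key_login SSHD_CONFIG HOME_DIR
    rc=0
    [ "$(sshd_effective PasswordAuthentication "$1" yes)" = "no" ] ||
        { echo "FAIL: password logon is still enabled in $1"; rc=1; }
    [ "$(mode_of "$2/.ssh")" = "drwx------" ] ||
        { echo "FAIL: $2/.ssh should be mode 700"; rc=1; }
    [ "$(mode_of "$2/.ssh/authorized_keys")" = "-rw-------" ] ||
        { echo "FAIL: $2/.ssh/authorized_keys should be mode 600"; rc=1; }
    return "$rc"
}

# On the Pi: sh audit.sh /etc/ssh/sshd_config "$HOME"
if [ "$#" -ge 2 ]; then
    audit_key_login "$1" "$2" && echo "OK: key-only logon is configured"
fi
```

sshd only reads sshd_config when it starts, so the edit takes effect after the ssh service is restarted (sudo service ssh restart). Keep the current session open until a key-based logon has been tested in a second window.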

Disable IPv6

Disabling IPv6 minimizes attack surfaces (it is as if you were uninstalling a second network adapter).

  • Edit the IP configuration file
    • add a line to sysctl.conf to disable IPv6

      sudo nano /etc/sysctl.conf
      net.ipv6.conf.all.disable_ipv6=1

    • save sysctl.conf file ([ctrl+X],Y,[enter],[enter])

    • commit changes to the system

      sudo sysctl -p


2 thoughts on “Securing SSH and Disabling IPv6 on Raspbian Jessie Lite”

  1. Thanks… I have an additional requirement. Is it possible to create a new ftp user and give access only to a mounted usb drive? Also should be logging in using an ftp username and password, not using ssh cert.
