12

The Setup:

I have a Raspberry Pi as the master node, which is connected to the internet through a broadband connection. The Raspberry Pi connects several sensors and other microcontrollers. The Pi is continuously connected to a server at a Cloud Hosting Provider.

The Questions are:

  • How do I stop unauthorized users from accessing my Raspberry Pi?
  • How do I prevent a DDoS attack on the Pi?
  • How and should I go about using DDNS (Dynamic DNS) for accessing my Pi?
Shakti Phartiyal

3 Answers

10

The question 'Securing small home automation setup' provides a useful reference for general security tips, but there are also some specific steps you should follow to keep your Raspberry Pi secure.

Steve Robillard's answer to a question on Raspberry Pi Stack Exchange outlines some of the specific issues with using a Pi that you can address, such as changing default passwords, using iptables, etc. He also helpfully links to the Securing Debian Manual, which, although very large, is incredibly comprehensive, and covers most major concerns.

Since you'll likely be connecting to the Pi through SSH, consider key-based authentication instead of using a password—an SSH certificate is virtually impossible to guess, even by a determined attacker, unlike a potentially weak password. As noted in the linked article, also take a look at Fail2ban, which will IP block any users who show malicious signs (e.g. incorrect password guesses).

Regarding your DDoS concerns: if someone decides to launch a DDoS attack against your Pi, you stand very little chance. Some attacks can reach up to 665 Gbps, which would be impossible for your Pi to defend against. But, I would pose this question: why would an attacker want to DDoS your Pi? Denying you service would probably not provide much benefit to an attacker, and a lot of IoT devices are instead being hacked to participate in DDoS attacks.

Nevertheless, if you were very paranoid, you could perhaps whitelist devices that your Pi was expected to connect to, and simply drop any other packets with iptables. It's up to you to decide if it's worth the trouble.

Regarding DDNS, I find HowToGeek's guide quite clear—essentially, you need to check your router for a DDNS setting, and configure that. NoIP have screenshots for most major router models. You'd probably have better luck asking this separately (and you may already find an answer on Super User).

Aurora0001
5

Along with Aurora0001's answer, if you want protection from DDoS you should opt in for services like Cloudflare. It protects you from DDoS attacks by pointing your DNS records to their servers and securing your domain / server. DDoS Prevention: Protecting The Origin

IoT Lover
5

Okay. Given the comments so far, here's how I'd approach it:

  1. Set up DDNS through any competent provider.
  2. Set up OpenVPN on your Pi, and route UDP port 1194 (or whatever port you set it up on) from the router to the Pi. All external connections to your Pi will have to have a properly configured OpenVPN client (you could even use a phone!)
  3. As a secondary measure, secure inbound access on the Pi using iptables. It's a pain in the butt to do by hand, so install Webmin (Debian) to configure it. From here, do a Google search on ways to harden your iptables configuration against DDoS.

You might prefer some other VPN, but I've used OpenVPN for about 10 years now for its incredible flexibility.

Xavier J
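The iptables allowlist suggested in the first answer, combined with the OpenVPN port from the last one, as an added example that is not from any of the posters: it prints a default-drop ruleset in iptables-restore format. Assumptions: SSH on port 22, SSH allowed only from the listed sources, the VPN port open to any source because clients roam, and the two sample subnets, which are constructed.

```shell
#!/bin/sh
# Added example: generate a default-drop inbound ruleset for the Pi.
VPN_PORT=1194   # OpenVPN UDP port named in the answer above
SSH_PORT=22     # assumption: SSH listens on its default port

# Accept only dotted-quad IPv4 with an optional /0-32 prefix, so nothing
# else can be spliced into the generated rules.
valid_source() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    old_ifs=$IFS; IFS=./
    set -- $1            # split into octets (and prefix) on '.' and '/'
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset; every argument is a source allowed to reach SSH.
# All sources are validated before any rule is emitted.
gen_rules() {
    for src in "$@"; do
        valid_source "$src" || { echo "rejected source: $src" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # default-deny everything inbound
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'    # the Pi can still reach its cloud server
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the Pi opened itself
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # OpenVPN authenticates its own clients, so the port is open to all
    echo "-A INPUT -p udp --dport $VPN_PORT -j ACCEPT"
    for src in "$@"; do
        echo "-A INPUT -s $src -p tcp --dport $SSH_PORT -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample: a home LAN and an OpenVPN tunnel subnet.
gen_rules 192.168.1.0/24 10.8.0.0/24
```

Pipe the output to `iptables-restore --test` as root to check that it parses before loading it for real.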