Tools

Tools: Hardening Linux on Raspberry Pi 5 (2026)

2026-04-12 0 views admin
Tools: Hardening Linux on Raspberry Pi 5 (2026)

Introduction

Step 1: Enabling SSH on the Raspberry Pi

Enabling SSH Through the Terminal (without Raspberry Pi Configuration Tool)

Verify SSH Works

Step 2: Generating Encryption Keys

Step 3: Copying the Public Key to the Raspberry Pi

Step 4: Configuring the SSH Configuration File

Protecting Your Key

Other Hardening Steps In this tutorial we will go over how to harden a Linux system. In this tutorial I will be going over hardening Raspbian OS on a Raspberry Pi 5, but this tutorial should work across all distributions of Linux. System Hardening is a good practice especially if we are going to be remoting into the devices, and we are going to be running services, or building projects with the devices. System Hardening is that act of what we will be doing in this tutorial of ensuring we reduce the attack surface of our system so it makes it more difficult for a bad actor to gain access into our system. Raspbian OS has the SSH Server disabled by default, so we will need to ensure that we enable this service. SSH stands for Secure Shell and is the application that we use within the terminal to initiate a remote session to a remote host. The reason we are enabling SSH is so that we can login to the Raspberry Pi without needing to have it connected to a mouse, keyboard and monitor. The Raspberry Pi may not necessarily be a remote host as in it is in some space which is inaccessible to you, but the benefits would include that you can use the system while you are in one part of your house, and the Raspberry Pi is in another. Note that without port forwarding you will not be able to login to the Raspberry Pi if you are trying to access the device outside of the Local Area Network (LAN). Instead of taking the time to assign the device a static IP address and enabling port forwarding you can use a service like Tailscale to ensure that you can access your device outside of the LAN. I find Tailscale to be more secure, and easier to set up on my devices which I am using as part of my home lab than to configure port forwarding. Tailscale is a virtual private network (VPN) mesh which you can configure on your devices, and this will allow you to access your devices which are not on the same LAN and it will be more secure to boot. Enough lecture, let's get to enabling SSH: To confirm that SSH is enabled, you can type in the following command into the terminal: Either method gets us to the same place. RaspbianOS just has a cool tool to do it for you. Run whoami in the terminal to get your username, and run hostname to get the name of the device. You can run hostname -i to get the IP Address of the host. IP Address: This is your Internet Protocol Address and it gets assigned to a host (computer) via DHCP (Dynamic Host Configuration Protocol) which assigns IP Addresses to computers (called hosts) automatically for some length of time, where the length of time is called a lease. In a local area network IP Addresses are private, and use Network Address Translation when reaching the Gateway (Router) to reach out to the Internet. So when a host is on a home local area network, it is utilizing private IP Addresses. This is the reason why you cannot reach a host outside of the local area network is because the IP Addresses assigned are private, and need to reach the gateway in order to reach out to the Internet using Network Address Translation, where it will assume the public IP Address provided to the router given by the ISP (Internet Service Provider). You can ensure that a host is publicly accessible like I stated previously by using Port Forwarding but this is risky, and it's better to just use Tailscale which sits on top of your devices, and you can use the VPN to create a 'local network' for all of the devices which will be a part of the home lab. Before removing the keyboard, mouse and monitor (or old TV you're using as a makeshift monitor), check to ensure that you can actually access the Raspberry Pi remotely: When connecting to a host using SSH one thing to keep in mind is that because a device will be using DHCP unless you have configured it with an IP Address from the network which is outside the range of use for the DHCP service, the IP Address is likely to change, but if you reference a host by its Domain Name or hostname you should be good to go. A Domain Name is a label given to an IP Address to make it easier to reference a host, or a website by the domain name instead of trying to remember its IP Address. In this section we will generate asymmetric encryption keys from our client device (the device we will use to login remotely to the Raspberry Pi). If you specified a label for the keys, then they will follow the pattern which you used in the -C portion of the command above. You can and should ensure you label these keys in a way that makes sense to you. The -C is a comment about the key. To name the key, you would use the -f command. You should also rename the actual key id_ed25519 to something like id_ed25519_homelab or some other naming convention which makes sense to you so you don't accidentally overwrite your keys. You can do this by using the command mv id_ed25519 id_ed25519_<label>. Now that the key pair was generated, we have the lock (public key) which we will copy over to the Raspberry Pi, and we have the key (private key) which we will use to unlock the lock when we login to the remote client. Instead of using Password Authentication we will now be authenticating with our keys instead. In this section, we will be copying our public key over to the Raspberry Pi so that we can login with our key instead of password authentication, and continue along with hardening our system. We want to ensure we get the public key copied over to the remote client before we continue to harden the system or we may lock ourselves out of our machine. We tested key-based authentication first before disabling password authentication to ensure we are able to login this way. This prevents us from being locked out of our system. Now that we have SSH and Key-Based Authentication enabled we can go ahead and configure the SSH Configuration file. These are the settings we need to configure: For all of the above settings, you want to ensure you remove the comment in front of them (#) so they will be recognized. Before closing out of the session here, open a new terminal window, and try to login now. We want to just test once more before we close of out the session to ensure that we can still login before losing access entirely. If you are able to login, then we have successfully hardened out system. If your private key is lost (laptop dies, drive wiped) and password auth is disabled, you're locked out over the network. On a homelab machine, you can recover by plugging in a keyboard and monitor and logging in locally to either re-enable password auth or add a new public key. Precautions against lockout: Another hardening step to take would be to set up your iptables using ufw (uncomplicated firewall) to ensure we are only allowing the ports we need open to stay open. I won't go through iptables or ufw in this tutorial because I have not enabled them yet myself on my Raspberry Pi's due to the fact that I am using Tailscale and I have created a Tailnet although this will be one of my next steps, as well as using Fail2Ban which I have not setup fully just yet. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

$ -weight: 500;">systemctl -weight: 500;">status ssh -weight: 500;">systemctl -weight: 500;">status ssh -weight: 500;">systemctl -weight: 500;">status ssh - Enabling the SSH Server on Rasbian OS - Generating asymmetric encryption key pair: Public Key: Goes onto the Raspberry Pi 5 - think of the public key as the lock which locks down the Raspberry Pi or remote device. Private Key: Stays on the client device - think of the private key as the key to unlock the lock once a device has a lock put on it. - Public Key: Goes onto the Raspberry Pi 5 - think of the public key as the lock which locks down the Raspberry Pi or remote device. - Private Key: Stays on the client device - think of the private key as the key to unlock the lock once a device has a lock put on it. - Copying the public key to the Raspberry Pi 5 - Configuring the SSH configuration file on Raspbian OS Disable Password Authentication Disable X11 Disable Root Login Change the maximum amount of tries to authenticate to the remote device - Disable Password Authentication - Disable X11 - Disable Root Login - Change the maximum amount of tries to authenticate to the remote device - Public Key: Goes onto the Raspberry Pi 5 - think of the public key as the lock which locks down the Raspberry Pi or remote device. - Private Key: Stays on the client device - think of the private key as the key to unlock the lock once a device has a lock put on it. - Disable Password Authentication - Disable X11 - Disable Root Login - Change the maximum amount of tries to authenticate to the remote device - Open terminal (CTRL + CMD (WIN) + T) -or- clicking on the terminal icon. - Type in -weight: 600;">sudo raspi-config into the terminal. This will open up the Raspberry Pi Software Configuration Tool. We will select Interface Options. - Select SSH from the menu. The tool will prompt you to confirm whether you want to -weight: 500;">enable SSH Server, select Yes. - The tool will prompt you to confirm whether you want to -weight: 500;">enable SSH Server, select Yes. - This should -weight: 500;">enable the SSH Server - The tool will prompt you to confirm whether you want to -weight: 500;">enable SSH Server, select Yes. - Run the command -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">enable ssh - Restart SSH for good measure, -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">restart ssh - Verify SSH is running, -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">status ssh - On the client device (the device you will be using to SSH into the Raspberry Pi) type in ssh <username>@<hostname> or ssh <username>@<ip-address> - If you are able to login, then we can disconnect the peripherals. - Open the terminal. - Enter in ssh-keygen -t ed25519 -C "<username>@<client-machine/hostname>: ssh-keygen: We are telling our machine to create a pair of keys. A private key which we keep on the client machine A public key which we will share to the remote host (Raspberry Pi 5) -t ed25519: We are telling the command what kind of encryption to use. -C "<username>@<hostname>": This is the label we are going to provide the key. jsmith@macbook-pro for example is what the label would look like. We want to ensure we create a meaningful label. - ssh-keygen: We are telling our machine to create a pair of keys. A private key which we keep on the client machine A public key which we will share to the remote host (Raspberry Pi 5) - A private key which we keep on the client machine - A public key which we will share to the remote host (Raspberry Pi 5) - -t ed25519: We are telling the command what kind of encryption to use. - -C "<username>@<hostname>": This is the label we are going to provide the key. jsmith@macbook-pro for example is what the label would look like. We want to ensure we create a meaningful label. - jsmith@macbook-pro for example is what the label would look like. - We want to ensure we create a meaningful label. - The program will prompt you for a passphrase and this is essentially the password you will now use to login remotely to this Raspberry Pi when using encryption. The reason we create the passphrase is to ensure we make the private key really secure. This way, even if the private key is compromised (stolen), if they don't know the passphrase, they won't be able to login. - The reason we create the passphrase is to ensure we make the private key really secure. This way, even if the private key is compromised (stolen), if they don't know the passphrase, they won't be able to login. - Verify the keys were created: ls -la ~/.ssh. You should see: id_ed25519 which is the private key id_ed25519.pub which is the public key Note: This is if you left the default label, or did not specify a label. - id_ed25519 which is the private key - id_ed25519.pub which is the public key - Note: This is if you left the default label, or did not specify a label. - ssh-keygen: We are telling our machine to create a pair of keys. A private key which we keep on the client machine A public key which we will share to the remote host (Raspberry Pi 5) - A private key which we keep on the client machine - A public key which we will share to the remote host (Raspberry Pi 5) - -t ed25519: We are telling the command what kind of encryption to use. - -C "<username>@<hostname>": This is the label we are going to provide the key. jsmith@macbook-pro for example is what the label would look like. We want to ensure we create a meaningful label. - jsmith@macbook-pro for example is what the label would look like. - We want to ensure we create a meaningful label. - A private key which we keep on the client machine - A public key which we will share to the remote host (Raspberry Pi 5) - jsmith@macbook-pro for example is what the label would look like. - We want to ensure we create a meaningful label. - The reason we create the passphrase is to ensure we make the private key really secure. This way, even if the private key is compromised (stolen), if they don't know the passphrase, they won't be able to login. - id_ed25519 which is the private key - id_ed25519.pub which is the public key - Note: This is if you left the default label, or did not specify a label. - Open up terminal if it's not up already. - Enter in ssh-copy-id username@server-hostname or ssh-copy-id username@host-ip You are copying this to whatever username and hostname you created for your Raspberry Pi 5, or remote client (if you are doing this on another device). - You are copying this to whatever username and hostname you created for your Raspberry Pi 5, or remote client (if you are doing this on another device). - Verify Key-based Authentication Works - ssh username@hostname It will ask for your passphrase - this means that key-based authentication works. It should log you into the remote client. - It will ask for your passphrase - this means that key-based authentication works. - It should log you into the remote client. - You are copying this to whatever username and hostname you created for your Raspberry Pi 5, or remote client (if you are doing this on another device). - It will ask for your passphrase - this means that key-based authentication works. - It should log you into the remote client. - PermitRootlogin: We want to ensure we prevent direct SSH Login as root. Value: no Root can do anything, so we want to ensure we -weight: 500;">disable this and use -weight: 600;">sudo when we need to do something. Disabling Root Login reduces an attack surface. - Root can do anything, so we want to ensure we -weight: 500;">disable this and use -weight: 600;">sudo when we need to do something. - Disabling Root Login reduces an attack surface. - PasswordAuthentication: We want to ensure we use keys only. Value: no Since we have keys, we don't need to SSH in with our password. Disabling Password Authentication reduces an attack surface. - Since we have keys, we don't need to SSH in with our password. - Disabling Password Authentication reduces an attack surface. - X11Forwarding: We don't need to see the GUI for applications, since we will be using the command-line. You can leave this enabled if you need GUI access to the machine. Value: no Reduces an attack surface. - Reduces an attack surface. - MaxAuthTries: We want to limit this from 6 to 3. Value: 3 This is minor security hygiene but we don't want to give an attacker a lot of tries. Reduces an attack surface. - This is minor security hygiene but we don't want to give an attacker a lot of tries. - Reduces an attack surface. - Root can do anything, so we want to ensure we -weight: 500;">disable this and use -weight: 600;">sudo when we need to do something. - Disabling Root Login reduces an attack surface. - Since we have keys, we don't need to SSH in with our password. - Disabling Password Authentication reduces an attack surface. - Reduces an attack surface. - This is minor security hygiene but we don't want to give an attacker a lot of tries. - Reduces an attack surface. - Open the terminal. - Go to /etc/ssh - Use nano to open sshd_config: -weight: 600;">sudo nano sshd_config - Find the above settings, and set the values to the specified value. - Use crtl-o and then ctrl-x in nano to close the file. - Back up your private key to an encrypted USB drive or a password manager that supports file attachments - Generate keys from multiple devices and add all public keys to authorized_keys — it supports multiple entries - Physical access is your safety net — this is a major advantage of a homelab over a cloud VPS - OpenSSH Manual — sshd_config - Mozilla SSH Guidelines

🏷️ Tags

toolsutilitiessecurity toolshardeninglinuxraspberryintroductionenabling

More from Tools

Tools: Rails Security Essentials — CSRF, SQL Injection, XSS, and Secure Headers (2026)

Tools: Rails Security Essentials — CSRF, SQL Injection, XSS, and Secure Headers (2026)

2026-04-12 0
Tools: Improving on DevOps with Kubernetes, Helm, and GitOps (2026)

Tools: Improving on DevOps with Kubernetes, Helm, and GitOps (2026)

2026-04-12 0
Tools: Build an AI Incident Copilot CLI in Python - Guide

Tools: Build an AI Incident Copilot CLI in Python - Guide

2026-04-12 0
Tools: How I Replaced Acquia (€134/month) with a €10 Hetzner VPS — and Beat It on Every Feature - Full Analysis

Tools: How I Replaced Acquia (€134/month) with a €10 Hetzner VPS — and Beat It on Every Feature - Full Analysis

2026-04-12 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views