Skip to content

Top 5 Essential Security Settings for Raspberry Pi

Secure your Raspberry Pi in minutes! By default, many network-connected devices are vulnerable to attacks. Here are the top 5 essential security settings every beginner must configure immediately to protect their projects and data.

Introduction

Whenever you connect a Raspberry Pi to the internet or a local network, it becomes a target for automated bots scanning for vulnerabilities. If your device uses default configurations, it can be compromised within minutes.

Fortunately, you don't need to be a cybersecurity expert to protect your system. By implementing these five simple steps, you will eliminate 99% of common security risks.

1. Create a New Admin User and Change Default Passwords

Using default user accounts or weak passwords is the easiest way for attackers to gain access. Since newer Raspberry Pi OS versions prompt you to create a user during setup, you should ensure that user has a strong, unique password.

If you are using an older OS version or want to add a fresh, secure admin account, follow these steps:

Create a new user:

1
2
3
4
5
# Create a new user (replace 'newadmin' with your choice)
sudo adduser newadmin

# Give the new user sudo (administrator) privileges
sudo usermod -aG sudo newadmin

Set a strong password:

Log in as the new user and change your password using passwd. Make sure it is at least 12 characters long, containing mixed cases, numbers, and symbols. 

1
passwd

2. Install and Configure UFW (Uncomplicated Firewall)

A firewall controls the incoming and outgoing traffic on your Raspberry Pi. By default, Raspberry Pi OS doesn't have an active firewall. Installing UFW (Uncomplicated Firewall) is the easiest way to block unauthorized connection attempts.

Step-by-Step Firewall Setup:

  1. Install UFW: 
    1
    sudo apt update && sudo apt install ufw -y
  2. Set Default Rules (Block all incoming, allow all outgoing): 
    1
2
    sudo ufw default deny incoming
sudo ufw default allow outgoing
  3. Allow SSH Connections (Crucial: Do not skip this, or you will lock yourself out!): 
    1
    sudo ufw allow ssh
  4. Enable the Firewall: 
    1
    sudo ufw enable
  5. Verify the Status: 
    1
    sudo ufw status verbose

3. Secure SSH Access (Disable Passwords)

SSH (Secure Shell) allows you to control your Raspberry Pi remotely. However, bots constantly target SSH ports using automated "brute-force" password guessing attacks.

The best defense is to disable password logins entirely and use SSH Keys instead.

Set Up SSH Key Authentication:

  1. Generate SSH Key Pair on your local computer (not the Pi): 
    1
    ssh-keygen -t ed25519 -b 4096 -f ~/.ssh/pi_key
  2. Copy the Public Key to your Raspberry Pi: 
    1
    ssh-copy-id -i ~/.ssh/pi_key.pub username@your-pi-ip
  3. Test the Connection (ensure you can log in without typing a password): 
    1
    ssh -i ~/.ssh/pi_key username@your-pi-ip
  4. Disable Password Authentication on the Pi: Open the SSH configuration file: 
    1
    sudo nano /etc/ssh/sshd_config
    Find the following lines and change them to no: 
    1
2
3
    PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
    Save the file (Ctrl+X, then Y, then Enter) and restart the SSH service: 
    1
    sudo systemctl restart ssh

4. Enable Automatic Security Updates

Outdated software is a security hazard. Hackers actively exploit known vulnerabilities in system packages. Setting up automatic updates ensures your Raspberry Pi gets the latest security patches without manual intervention.

How to Configure Automatic Updates:

  1. Install Unattended Upgrades: 
    1
    sudo apt install unattended-upgrades -y
  2. Enable the Service: 
    1
    sudo dpkg-reconfigure -plow unattended-upgrades
    Select Yes when prompted to automatically download and install stable updates.

5. Use Reliable Hardware and Physical Security Keys

Security is not just about software; physical security and data integrity are equally important. Using unreliable components can cause system crashes, corrupt your OS, or leave your SSH keys vulnerable to extraction.

Here are the recommended hardware upgrades to keep your Raspberry Pi secure and running smoothly:

Upgrade to a High-End MicroSD Card or SSD

Cheap MicroSD cards degrade quickly and fail under the pressure of continuous system log writes. A corrupted filesystem can break your firewall rules or disable security services without you knowing. We highly recommend: - High-End Endurance MicroSD Cards (e.g., Samsung PRO Endurance): Designed for continuous read/write cycles, which is critical for system logs. - External SSDs (e.g., SanDisk Extreme): Booting your Pi from an SSD is 10x faster and much more resilient against filesystem corruption.

Use a Hardware Security Key for SSH (YubiKey)

If you want professional-grade security, you should store your SSH private keys on a hardware security key like a YubiKey. This ensures your cryptographic keys cannot be copied or stolen even if your client computer is compromised by malware. - YubiKey 5 NFC / 5C NFC: The gold standard for hardware-based two-factor authentication (2FA) and passwordless SSH logins.

Conclusion & Next Steps

By configuring these five steps, you've transformed your Raspberry Pi from an open target into a highly secure device!

If you want to take your security even further—including AppArmor settings, intrusion detection, advanced iptables rules, and kernel hardening—check out our advanced guide:

🔗 Raspberry Pi Security Hardening Complete Guide