0

I want to use the Raspberry Pi 3 (B) as a web server and need SSH/VNC access. I will use VNC only over SSH, forwarding only port 22. Should I be worried about SSH? I removed user pi and created a new one with sudo privileges.

Is there a root account that also has a known password? Should I change it or is it disabled by default? I only allow access from my own account and have forbidden root. I hope this is enough.

Also, I installed fail2ban and left it with default settings. Will that protect SSH and an Apache web server?

1 Answers1

1

IMHO a server is a server, no matter on what hardware it runs, so yes, don't be lazy and apply the best practices. Even in a private network, I do it as a practice.

So you should worry about SSH and

  • do not allow SSH login for root (PermitRootLogin no) (you probably meant that when you said "I only allow access from my own account")
  • use a private key instead of username / password
  • don't forget to apt-get update and apt-get upgrade to get the latest fixes
  • perhaps move SSH to another port if you want less noise in the logs

Root does not have a password on Raspbian. You do all actions through sudo, so that should be fine.

Fail2ban should be ok with the default settings for SSH. There are predefined jails for Apache which you should activate in a /etc/fail2ban/jail.local file.

Thomas Weller
  • 2,385
  • 3
  • 25
  • 51
  • Is using a password instead of private keys very insecure? My password is quite long, unique, and complex and fail2ban bans after 6th attempt for a couple of minutes. Is there any harm in setting PermitRootLogin no and then also do AllowUsers for my specific user? –  Sep 17 '16 at 00:20
  • Such a good password is ok I'd say. Some SSH attack scripts will just stop if they find out that guessing username and password is not possible. Of course you need to allow at least one user if you can't access the Pi locally – Thomas Weller Sep 17 '16 at 09:56