Securing and Hardening Your Raspberry Pi

April 11, 2024

For Vinyl Streaming

Now that your Multiroom Playback & Airplay 2 vinyl streaming setup is fully operational, securing your Raspberry Pi against potential threats is critical. In this post, I’ll guide you through essential security steps to protect your setup while enjoying seamless audio streaming.

Why Security Matters

Exposing services like audio streaming over your home network, or even remotely, requires robust security to:

  • Prevent unauthorized access.
  • Safeguard your data.
  • Ensure reliable, uninterrupted streaming.

Step-by-Step Security Guide

Step 1: Secure SSH Access

Replace password authentication with SSH keys for better security:

Generate SSH Keys (on your personal computer):

ssh-keygen -t ed25519 -C "your_email@example.com"

Copy Public Key to Raspberry Pi:

ssh-copy-id username@raspberrypi.local

Disable Password Authentication:

Before doing this, confirm that key-based login works from a second terminal so you cannot lock yourself out. On current Raspberry Pi OS the stock sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and because sshd uses the first value it reads for each keyword, a setting in a drop-in file there takes precedence over the same keyword in the main file. Edit the SSH configuration on the Raspberry Pi:

sudo nano /etc/ssh/sshd_config

Set:

PasswordAuthentication no
PubkeyAuthentication yes

Restart SSH:

sudo systemctl restart ssh
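Because sshd keeps the first value it reads for a keyword and the stock config pulls in sshd_config.d/*.conf at the top, a forgotten drop-in can quietly re-enable password logins. This added check script (my example, not from the post) resolves the effective value the way sshd does and verifies the two Step 1 settings; it assumes Include lines use absolute paths, whitespace-separated keyword/value syntax, and ignores Match blocks, whose settings are not global.

```shell
#!/bin/sh
# Print the effective value of an sshd_config keyword: first occurrence
# wins, Include lines are expanded in place (globs allowed), and reading
# stops at the first Match block because global settings must precede it.
# Exit status 1 means the keyword is not set anywhere (sshd default applies).
sshd_effective() {
    local file=$1 key kw val inc
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')   # keywords are case-insensitive
    [ -r "$file" ] || return 1
    while read -r kw val || [ -n "$kw" ]; do
        case "$kw" in ''|'#'*) continue ;; esac            # blank line or comment
        kw=$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')
        case "$kw" in
            match) break ;;                                 # end of the global section
            include)
                for inc in $val; do                         # unquoted so the shell expands globs
                    sshd_effective "$inc" "$key" && return 0
                done ;;
            "$key") printf '%s\n' "$val"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# Verify the two settings from Step 1. Unset keywords fall back to sshd's
# compiled-in defaults (both "yes"). Exit status 0 means password logins are
# off and key logins are on; otherwise each mismatch is reported.
check_ssh_hardening() {
    local cfg=${1:-/etc/ssh/sshd_config} ok=0 pw pk
    pw=$(sshd_effective "$cfg" PasswordAuthentication) || pw=yes
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)   || pk=yes
    case "$pw" in [Nn][Oo]) ;; *) echo "PasswordAuthentication is '$pw' (expected no)"; ok=1 ;; esac
    case "$pk" in [Yy][Ee][Ss]) ;; *) echo "PubkeyAuthentication is '$pk' (expected yes)"; ok=1 ;; esac
    return $ok
}

# Stand-alone use: sh check-ssh.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    check_ssh_hardening "$1"
fi
```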

Step 2: Configure a Firewall with UFW

Use the Uncomplicated Firewall (UFW) to restrict incoming connections to the services your setup actually exposes:

sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw allow 8000/tcp  # Icecast
sudo ufw allow 3689/tcp  # OwnTone
sudo ufw allow 5353/udp  # mDNS/AirPlay
sudo ufw allow 80/tcp    # HTTP
sudo ufw allow 443/tcp   # HTTPS
sudo ufw enable

Check firewall status:

sudo ufw status verbose

Step 3: Regular System Updates

Ensure your Raspberry Pi stays secure by regularly applying updates:

sudo apt update
sudo apt full-upgrade -y
sudo reboot

Consider setting automatic updates for security patches.

Step 4: Set Up Fail2Ban

Fail2Ban automatically blocks repeated unauthorized access attempts.

Install Fail2Ban:

sudo apt install fail2ban

Enable the service:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Fail2Ban now actively protects your SSH and web services. Note that the Debian package enables only the sshd jail out of the box; jails for NGINX have to be switched on in a /etc/fail2ban/jail.local file before web logins are watched.

Step 5: Configure Dynamic DNS for Remote Access

If you access your streaming setup remotely, use Dynamic DNS so the Pi stays reachable at a stable hostname even when your home IP address changes:

Install ddclient:

sudo apt install ddclient

Edit configuration:

sudo nano /etc/ddclient.conf

Configure it with your Dynamic DNS provider credentials. The file holds your provider password, so keep it readable by root only:

protocol=dyndns2
use=web
server=members.dyndns.org
login=your_login
password='your_password'
yourdomain.com

Restart the service:

sudo systemctl restart ddclient
sudo systemctl enable ddclient

Step 6: Harden Your Web Server (NGINX)

Secure NGINX with these best practices:

  • Enable HTTPS with Let’s Encrypt (next blog post).
  • Set strong HTTP headers and remove server version details.

Edit NGINX configuration:

sudo nano /etc/nginx/nginx.conf

Add the following inside the http { } block. Be aware that a server or location block which sets its own add_header does not inherit these, so repeat them there if needed:

server_tokens off;

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";   # legacy header; current browsers ignore it but it is harmless

Reload NGINX:

sudo nginx -t
sudo systemctl reload nginx

What’s Next?

With your Raspberry Pi now secure, the next step is configuring HTTPS access using NGINX and Let’s Encrypt, ensuring encrypted and secure remote streaming and control.

Next post: April 25, 2024, Setting Up HTTPS and Web Access with NGINX & Let’s Encrypt.
