DEV Community: Guy Friley

Hardening Linux on Raspberry Pi 5

Guy Friley — Sun, 12 Apr 2026 03:19:37 +0000

Introduction

In this tutorial we will go over how to harden a Linux system. In this tutorial I will be going over hardening Raspbian OS on a Raspberry Pi 5, but this tutorial should work across all distributions of Linux.

I will go over:

Enabling the SSH Server on Rasbian OS
Generating asymmetric encryption key pair:
- Public Key: Goes onto the Raspberry Pi 5 - think of the public key as the lock which locks down the Raspberry Pi or remote device.
- Private Key: Stays on the client device - think of the private key as the key to unlock the lock once a device has a lock put on it.
Copying the public key to the Raspberry Pi 5
Configuring the SSH configuration file on Raspbian OS
- Disable Password Authentication
- Disable X11
- Disable Root Login
- Change the maximum amount of tries to authenticate to the remote device

System Hardening is a good practice especially if we are going to be remoting into the devices, and we are going to be running services, or building projects with the devices. System Hardening is that act of what we will be doing in this tutorial of ensuring we reduce the attack surface of our system so it makes it more difficult for a bad actor to gain access into our system.

Step 1: Enabling SSH on the Raspberry Pi

Raspbian OS has the SSH Server disabled by default, so we will need to ensure that we enable this service. SSH stands for Secure Shell and is the application that we use within the terminal to initiate a remote session to a remote host.

The reason we are enabling SSH is so that we can login to the Raspberry Pi without needing to have it connected to a mouse, keyboard and monitor. The Raspberry Pi may not necessarily be a remote host as in it is in some space which is inaccessible to you, but the benefits would include that you can use the system while you are in one part of your house, and the Raspberry Pi is in another.

Note that without port forwarding you will not be able to login to the Raspberry Pi if you are trying to access the device outside of the Local Area Network (LAN). Instead of taking the time to assign the device a static IP address and enabling port forwarding you can use a service like Tailscale to ensure that you can access your device outside of the LAN.

I find Tailscale to be more secure, and easier to set up on my devices which I am using as part of my home lab than to configure port forwarding. Tailscale is a virtual private network (VPN) mesh which you can configure on your devices, and this will allow you to access your devices which are not on the same LAN and it will be more secure to boot.

Enough lecture, let's get to enabling SSH:

Heads Up: Ensure for this portion, you have a keyboard, mouse, and monitor connected to the Raspberry Pi.

Open terminal (CTRL + CMD (WIN) + T) -or- clicking on the terminal icon.
Type in sudo raspi-config into the terminal. This will open up the Raspberry Pi Software Configuration Tool. We will select Interface Options.
Select SSH from the menu.
- The tool will prompt you to confirm whether you want to enable SSH Server, select Yes.
This should enable the SSH Server

To confirm that SSH is enabled, you can type in the following command into the terminal:

systemctl status ssh

Enabling SSH Through the Terminal (without Raspberry Pi Configuration Tool)

Run the command sudo systemctl enable ssh
Restart SSH for good measure, sudo systemctl restart ssh
Verify SSH is running, sudo systemctl status ssh

Either method gets us to the same place. RaspbianOS just has a cool tool to do it for you.

Run whoami in the terminal to get your username, and run hostname to get the name of the device. You can run hostname -i to get the IP Address of the host.

IP Address: This is your Internet Protocol Address and it gets assigned to a host (computer) via DHCP (Dynamic Host Configuration Protocol) which assigns IP Addresses to computers (called hosts) automatically for some length of time, where the length of time is called a lease.

In a local area network IP Addresses are private, and use Network Address Translation when reaching the Gateway (Router) to reach out to the Internet. So when a host is on a home local area network, it is utilizing private IP Addresses.

This is the reason why you cannot reach a host outside of the local area network is because the IP Addresses assigned are private, and need to reach the gateway in order to reach out to the Internet using Network Address Translation, where it will assume the public IP Address provided to the router given by the ISP (Internet Service Provider). You can ensure that a host is publicly accessible like I stated previously by using Port Forwarding but this is risky, and it's better to just use Tailscale which sits on top of your devices, and you can use the VPN to create a 'local network' for all of the devices which will be a part of the home lab.

Verify SSH Works

Before removing the keyboard, mouse and monitor (or old TV you're using as a makeshift monitor), check to ensure that you can actually access the Raspberry Pi remotely:

On the client device (the device you will be using to SSH into the Raspberry Pi) type in ssh <username>@<hostname> or ssh <username>@<ip-address>
If you are able to login, then we can disconnect the peripherals.

When connecting to a host using SSH one thing to keep in mind is that because a device will be using DHCP unless you have configured it with an IP Address from the network which is outside the range of use for the DHCP service, the IP Address is likely to change, but if you reference a host by its Domain Name or hostname you should be good to go. A Domain Name is a label given to an IP Address to make it easier to reference a host, or a website by the domain name instead of trying to remember its IP Address.

Step 2: Generating Encryption Keys

In this section we will generate asymmetric encryption keys from our client device (the device we will use to login remotely to the Raspberry Pi).

Open the terminal.
Enter in ssh-keygen -t ed25519 -C "<username>@<client-machine/hostname>:
- ssh-keygen: We are telling our machine to create a pair of keys.
  - A private key which we keep on the client machine
  - A public key which we will share to the remote host (Raspberry Pi 5)
- -t ed25519: We are telling the command what kind of encryption to use.
- -C "<username>@<hostname>": This is the label we are going to provide the key.
  - jsmith@macbook-pro for example is what the label would look like.
  - We want to ensure we create a meaningful label.
The program will prompt you for a passphrase and this is essentially the password you will now use to login remotely to this Raspberry Pi when using encryption.
- The reason we create the passphrase is to ensure we make the private key really secure. This way, even if the private key is compromised (stolen), if they don't know the passphrase, they won't be able to login.
Verify the keys were created: ls -la ~/.ssh. You should see:
- id_ed25519 which is the private key
- id_ed25519.pub which is the public key
- Note: This is if you left the default label, or did not specify a label.

If you specified a label for the keys, then they will follow the pattern which you used in the -C portion of the command above. You can and should ensure you label these keys in a way that makes sense to you. The -C is a comment about the key. To name the key, you would use the -f command.

You should also rename the actual key id_ed25519 to something like id_ed25519_homelab or some other naming convention which makes sense to you so you don't accidentally overwrite your keys. You can do this by using the command mv id_ed25519 id_ed25519_<label>.

Now that the key pair was generated, we have the lock (public key) which we will copy over to the Raspberry Pi, and we have the key (private key) which we will use to unlock the lock when we login to the remote client. Instead of using Password Authentication we will now be authenticating with our keys instead.

Step 3: Copying the Public Key to the Raspberry Pi

In this section, we will be copying our public key over to the Raspberry Pi so that we can login with our key instead of password authentication, and continue along with hardening our system. We want to ensure we get the public key copied over to the remote client before we continue to harden the system or we may lock ourselves out of our machine.

Open up terminal if it's not up already.
Enter in ssh-copy-id username@server-hostname or ssh-copy-id username@host-ip
- You are copying this to whatever username and hostname you created for your Raspberry Pi 5, or remote client (if you are doing this on another device).
Verify Key-based Authentication Works - ssh username@hostname
- It will ask for your passphrase - this means that key-based authentication works.
- It should log you into the remote client.

We tested key-based authentication first before disabling password authentication to ensure we are able to login this way. This prevents us from being locked out of our system.

Step 4: Configuring the SSH Configuration File

Now that we have SSH and Key-Based Authentication enabled we can go ahead and configure the SSH Configuration file.

These are the settings we need to configure:

PermitRootlogin: We want to ensure we prevent direct SSH Login as root.
- Value: no
- Root can do anything, so we want to ensure we disable this and use sudo when we need to do something.
- Disabling Root Login reduces an attack surface.
PasswordAuthentication: We want to ensure we use keys only.
- Value: no
- Since we have keys, we don't need to SSH in with our password.
- Disabling Password Authentication reduces an attack surface.
X11Forwarding: We don't need to see the GUI for applications, since we will be using the command-line. You can leave this enabled if you need GUI access to the machine.
- Value: no
- Reduces an attack surface.
MaxAuthTries: We want to limit this from 6 to 3.
- Value: 3
- This is minor security hygiene but we don't want to give an attacker a lot of tries.
- Reduces an attack surface.

For all of the above settings, you want to ensure you remove the comment in front of them (#) so they will be recognized.

Open the terminal.
Go to /etc/ssh
Use nano to open sshd_config: sudo nano sshd_config
Find the above settings, and set the values to the specified value.
Use crtl-o and then ctrl-x in nano to close the file.

Before closing out of the session here, open a new terminal window, and try to login now. We want to just test once more before we close of out the session to ensure that we can still login before losing access entirely.

If you are able to login, then we have successfully hardened out system.

Protecting Your Key

If your private key is lost (laptop dies, drive wiped) and password auth is disabled, you're locked out over the network. On a homelab machine, you can recover by plugging in a keyboard and monitor and logging in locally to either re-enable password auth or add a new public key.

Precautions against lockout:

Back up your private key to an encrypted USB drive or a password manager that supports file attachments
Generate keys from multiple devices and add all public keys to authorized_keys — it supports multiple entries
Physical access is your safety net — this is a major advantage of a homelab over a cloud VPS

Other Hardening Steps

Another hardening step to take would be to set up your iptables using ufw (uncomplicated firewall) to ensure we are only allowing the ports we need open to stay open.

I won't go through iptables or ufw in this tutorial because I have not enabled them yet myself on my Raspberry Pi's due to the fact that I am using Tailscale and I have created a Tailnet although this will be one of my next steps, as well as using Fail2Ban which I have not setup fully just yet.

Additional Resources

Understanding Local and Remote Hosts Using SSH + SCP + Python HTTP Server

Guy Friley — Wed, 01 Apr 2026 19:51:29 +0000

Overview

Today I've been learning more about Linux, and more specifically the Linux Command Line. I have been learning Linux through a combination of reading The Linux Command Line: A Complete Introduction by William Shotts and using online resources such as KodeKloud and TryHackMe.

I want to share today what I have learned about Secure Shell, Secure Copy, and HTTP Server using Python.

The Task

Login to a remote host using SSH.
Transfer a file using SCP
Host a file in a directory being used as a Web Server using Python's HTTP module.

Login to a Remote Host

At some point while using Linux, and managing a system(s), there will be a need to remote into another machine using the command line. In order to achieve this, we will need to use Secure Shell (ssh).

Before being able to login to a remote host, we need to ensure we have credentials for that remote machine. If we do not, we won't be able to login.

We also need to know the ip address of the remote host.

ssh <remote_host_username>@<ip-address> - This will then prompt us for our password.

Once we have those items, we can login, and it's a simple process. We can do all of the things (as long as we have permissions with the credentials we logged in as) that we can do on our local host.

Transfer a fil using scp

Secure Copy or scp is a way to transfer files/directories from our local host to our remote host and vice versa. It is secure because scp uses the ssh protocol to transfer the files/directory by ensuring that we use authentication, and encryption to send and receive the files.

To send from local host to remote:
scp <file_to_transfer> <username>@<remote_host_ip>:<path>

To receive from remote host to local:

scp <username>@<remote_host_ip>:<path> <path_to_put_file_on_local_host>

Web Server with Python HTTP Server

We can serve files from a host by using the HTTP module from Python.

Select a directory we want to serve files from: cd <path_to_webserver_directory>
Run python3 -m http.server and this will start running our service. Once we do this, it will run in that terminal, so we will need to run a different terminal.
We can then use wget to retrieve files from the remote host. http will run on port 8000, so we need to remember to add the port to the end of our ip address so the command knows what port the http service is running on.

wget <http://ip-address:8000/my_file> and this will retrieve the file and put it in your working directory.

This is just a simple post to update what I have been learning today.

Creating a Guessing Game with Python

Guy Friley — Sun, 22 Mar 2026 17:19:30 +0000

Hello World!

I decided that I would try putting my learning journey out there by creating a Github Repository and focusing on building and iterating over a Guessing Game developed with Python.

The reason for doing this is to reinforce my Python learning journey, and to starting building things (however small) instead of getting stuck in Tutorial Hell.

One thing I couldn't grasp, is how to capture errors, such as ValueError. Today, I did some reading, and decided to implement it into my simple game using Try-Except and ValueError as e. I did this so I could output the error in a print() statement.

Generate Random Number for Number to Guess:

# Generates a number from 1 - 10 inclusive
my_number = random.randint(1, 10)
This generates a number from 1 to 10 with 1 and 10 being inclusive.

Set Number of Guesses User has to guess the number:

# Set variable num_guesses to 3
num_guesses = 3
Currently, this is hard-coded to 3 guesses, but later I will try and make this a user-editable variable.

Definition for Guessing the Number and Handling Errors:

# I put the guess number functionality inside of a function so we can reuse it.
def guess_input():
    try:
        guess_number = int(input("Guess my Number (1 - 10): "))
        # We are checking to see if the number input by the user is within range. If it is not, we are providing them with the error message below.
        # I think there is an official way to do this, but for oour purposes, this is good enough.

        if (guess_number > 10) or (guess_number < 1):
            print(
                "Invalid Input: Provided number is out of range. Please enter a number from 1 - 10"
            )

    # Except is catching all input which is not an Integer. Even a float.
    # This is happening because we wrapped the input with int() to ensure that our input is an Integer.
    # If it is anything other than an Integer, we are catching it with `ValueError`
    except ValueError as e:
        print(f"Ivalid Input: {e}. Please enter a number.")

    return guess_number

I tested this out using characters other than an Integer such as a Float, 'A', '!', etc to ensure it works. I also just pressed enter to see how it handles not being given any sort of character.

I also wanted to ensure that a user can only enter in a value from 1 to 10.

The While Loop for the Game

while num_guesses > 0:
    user_guess = guess_input()
    if user_guess == my_number:
        print(f"You guessed my number! It was {my_number}.")
        break
    else:
        num_guesses -= 1  # This needs to go BEFORE the PRINT statement I do believe.
        print(
            f"That guess, {user_guess} is not my number.\nRemaining Guesses:{num_guesses}\nTry again!"
        )