Raspberry PI SSH first contact

• the RPI is up and running, you the LEDs from the RPI and the USB-SSD
• in regular cases, the hostname from the RPI is "raspberry"
• you can control the hostname or get the right ipv4 adress from your router
• open SSH Client or use this command line/link to connect the RPI
• in case of error, use the ipv4 adress as the hostname

YourPathToPutty\PUTTY.EXE -ssh pi@raspberry -P 22 -pw raspberry
YourPathToPutty\PUTTY.EXE -ssh pi@ipv4adress -P 22 -pw raspberry

PI harden up

• change the password for user root and user "pi", remember the command sudo
• it's recommanded to use 24 signs that contains
  A-Za-z0-9!"#$%&'()*+,-./:;<=>?@[]^_`{|}~

sudo passwd root
sudo passwd pi

• update the pi OS within two commands in ones, this can be take a time...

sudo apt-get update && sudo apt-get -y upgrade

• it's recommanded to set a fixed ipv4 adress and disable ipv6
  (edit the /etc/dhcpcd.conf)

sudo nano /etc/dhcpcd.conf

• go to the # block and edit the following lines, remember #static ip6_address
  (for example the router ip is 192.168.1.1 the pi ip will be 192.168.1.100)

# Example static IP configuration:
interface eth0
static ip_address=192.168.1.100/24
#static ip6_address=abcd:1234:......
static routers=192.168.1.1
static domain_name_servers=192.168.1.1

• save and exit the file within the following keystokes:
  str+o ENTER (save the file), str+x (close nano)
• reboot the PI

sudo reboot

• change the ssh config, edit /etc/ssh/sshd_config
  (it's recommanded to set a hiport like 1231 in this case or your choice but less than 65535)

sudo nano /etc/ssh/sshd_config

• go to the line that begin with Port.. and change 22 to your choice
  further some settings to run ssh more safely

Port 1231
Protocol 2
PermitEmptyPasswords no
PermitRootLogin no
# Compression is optional
Compression yes

• save and exit the file within the following keystokes:
  str+o ENTER (save the file), str+x (close nano)
• reboot the PI

sudo reboot

• last step to harden the pi, install fail2ban to watch ssh access
  (reconnect the pi per ssh on 1231 or your port)

YourPathToPutty\PUTTY.EXE -ssh pi@raspberry -P 1231 -pw raspberry
YourPathToPutty\PUTTY.EXE -ssh pi@ipv4adress -P 1231 -pw raspberry

• install fail2ban, documentation:
  thomas-krenn.com SSH Login, fail2ban
  ionos.de SSH Login, fail2ban

sudo apt install fail2ban

• generate and edit a own config file

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

• add the following settings (thomas-krenn.com)

ignoreip = 127.0.0.1/8
ignorecommand =
bantime  = 3600
findtime  = 600
maxretry = 3

• reboot the RPI

sudo reboot