Half of the hacker's work is already done when he knows the user name of the target. This flaw is present in most entry-level routers, and cannot be changed. Raspberry Pi OS (Raspbian) ships with the default user ‘pi’; this user name has to be changed if we want to secure our Pi over the network.
Why should I be bothered?
I had put my ‘PI’ on the DMZ behind the router to make it a gateway to access my Home Assistant from the web. Over a week there were more than a thousand failed login attempts in my log; the most commonly attempted user after ‘root’ & ‘admin’ was ‘pi’.
This was sufficient to motivate me to change the default username ‘pi’.
What is the big deal? Create a new user and delete the default user!
That’s correct! Essentially I am doing that, but without deleting or creating a user. Remember, each user has certain permissions (sudo) and groups that the user is a member of. Creating a new user and adding multiple groups takes a long time, and it may then cause issues in some of the default scripts (booting to the user pi), so many scripts would need to be revisited.
The easy way!
Changing the default user is much simpler with the following steps:
- enable ‘root’ user
- enable ‘root’ user login through SSH
- login as ‘root’
- change the user ‘pi’ to ‘new_user’
- change the user $HOME directory
- disable ‘root’ SSH login and user ‘root’
- reboot, if you like
Steps to change the username
First enable the root user:
In most Debian-derived operating systems the root user is disabled by default. To enable it we need to set the root password using
sudo passwd root
The system will ask for the new password and confirm the new password.
Nothing will be printed on the screen while typing the password.
Enable root login through SSH
‘root’ login can be enabled by editing the sshd config file. I use nano as the editor.
sudo nano /etc/ssh/sshd_config
In the file, find ‘PermitRootLogin no’ and replace it with ‘PermitRootLogin yes’.
Reboot or restart sshd using
sudo systemctl restart ssh
Log in as root with the password created above and rename the user ‘pi’ to ‘new_user_name’ using the command (replace new_user_name with the desired user name)
usermod -l new_user_name pi
Once the user is renamed, we need to change the name of the user’s home directory to reflect the new login name. This can be done using the following command
usermod -m -d /home/new_user_name new_user_name
Check the /home directory for the new user name and permissions using
ls -l /home
Finally, we need to rename the group of the new user using the command
groupmod --new-name new_user_name pi
The user pi has sudo permission, which needs to be transferred to new_user_name; the easiest way is to rename the original sudoers file using
sudo mv /etc/sudoers.d/010_pi-nopasswd /etc/sudoers.d/new_user_name
Now edit the file using
nano /etc/sudoers.d/new_user_name
Replace the username pi with new_user_name, changing
pi ALL=(ALL) NOPASSWD: ALL
to
new_user_name ALL=(ALL) NOPASSWD: ALL
Log out as root and log in as new_user_name using the password used for user ‘pi’.
Disable root login through SSH by re-editing the sshd config as above and replacing ‘PermitRootLogin yes’ with ‘PermitRootLogin no’ in the sshd_config.
Disable the root user by locking the account again by issuing
sudo passwd -l root
Reboot or restart ssh and we are done.
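The end state of the procedure above can be checked with a short script, given here as an added example that is not part of the original post. The function name audit_rename and its ROOT path-prefix argument are assumptions made for the example, and it reads only the main sshd_config, not any included drop-in files.

```shell
#!/bin/sh
# Added example: audit the state left behind by the rename procedure.
# audit_rename ROOT OLD NEW -> prints findings, returns the number of failures.
# ROOT is a path prefix ("" = live system; run as root so /etc/shadow is readable).
audit_rename() {
    root=$1 old=$2 new=$3 fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # 1. Old login and old home are gone; new login owns the moved home.
    grep -q "^$old:" "$root/etc/passwd" && fail "user '$old' still in passwd"
    [ -e "$root/home/$old" ] && fail "/home/$old still exists"
    home=$(awk -F: -v u="$new" '$1 == u { print $6 }' "$root/etc/passwd")
    [ "$home" = "/home/$new" ] || fail "home of '$new' is '${home:-missing}'"

    # 2. Primary group was renamed (the groupmod step).
    grep -q "^$old:" "$root/etc/group" && fail "group '$old' still exists"
    grep -q "^$new:" "$root/etc/group" || fail "group '$new' missing"

    # 3. No sudoers drop-in still grants rights to the old name.
    if grep -qs "^[[:space:]]*$old[[:space:]]" "$root"/etc/sudoers.d/*; then
        fail "sudoers.d still has a rule for '$old'"
    fi

    # 4. sshd keeps the first PermitRootLogin it reads; it must not be "yes".
    prl=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' \
        "$root/etc/ssh/sshd_config")
    [ "$prl" = "yes" ] && fail "PermitRootLogin is still 'yes'"

    # 5. passwd -l prefixes the hash with '!'; '*' also means no usable password.
    rootpw=$(awk -F: '$1 == "root" { print $2 }' "$root/etc/shadow")
    case $rootpw in
        '!'*|'*'*) ;;
        *) fail "root account is not locked" ;;
    esac

    [ "$fails" -eq 0 ] && echo "OK: '$old' fully renamed to '$new'"
    return "$fails"
}

# Usage on the Pi: sudo sh audit.sh pi new_user_name
if [ "$#" -ge 2 ]; then audit_rename "" "$1" "$2"; fi
```

On a live system, `sudo sshd -T | grep -i permitrootlogin` shows the value sshd actually applies, including settings pulled in from included files.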
