joe curlee

Harden your Raspberry Pi March 27, 2026

In a previous guide I wrote about setting up an NTP server on a Raspberry Pi and using that to sync your clocks. Here are some tips on hardening that server.

Secure SSH

If you are currently using a password to SSH into your Pi, you are vulnerable to brute-force attacks.

  • Use SSH Keys: Generate a key on your workstation (ssh-keygen -t ed25519) and push it to the Pi (ssh-copy-id user@pi-ip).
  • Disable Password Login: Edit /etc/ssh/sshd_config on the Pi:

    PasswordAuthentication no
    PubkeyAuthentication yes

  • Restart SSH: sudo systemctl restart ssh

Configure UFW (Uncomplicated Firewall)

A firewall ensures that your server only responds to the exact traffic you want it to. First, install UFW and set the default policies to "Paranoid Mode" (block all incoming, allow all outgoing).

sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing

The "Don't Lock Yourself Out" Rule (SSH)

Warning: Before you enable the firewall, you must allow SSH traffic, or you will immediately be locked out of your Pi.

It is also critical to understand that UFW processes rules from top to bottom. If you set a blanket rate-limit on SSH before allowing your local network, your own workstation might trigger the limit and get blocked by it. Always force your local network to the very top of the list using the insert 1 command.

(Note: Replace 192.168.1.0/24 with your actual local subnet).

# 1. Create a "VIP Lane" for your local network at the very top of the list
sudo ufw insert 1 allow from 192.168.1.0/24 to any port 22 proto tcp

# 2. Add a rate limit for any IP outside of your local network
sudo ufw limit ssh

Open the NTP Port

Since this Pi is acting as your local time server, you need to allow UDP traffic on port 123 so your workstations can fetch the time.

sudo ufw allow 123/udp

Enable the Firewall

Once your SSH and NTP rules are staged, it is safe to turn the firewall on.

sudo ufw enable

Check your work by running sudo ufw status numbered to ensure your local SSH allow rule is sitting safely at [ 1 ].
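As an added example that is not part of the original post, here is a small POSIX shell pre-flight that parses sudo ufw status numbered and only runs sudo ufw enable when rule [ 1] is the local-subnet SSH allow rule. The subnet (192.168.1.0/24) and the two sample outputs embedded below are constructed assumptions; the script name preflight.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check that parses
# `sudo ufw status numbered` and only enables the firewall when rule [ 1] is
# the local-subnet SSH allow rule. LOCAL_SUBNET and the sample outputs are
# constructed assumptions; set the subnet to your own LAN.
LOCAL_SUBNET="${LOCAL_SUBNET:-192.168.1.0/24}"

# Reads `ufw status numbered` output on stdin; returns 0 when rule [ 1] is
# "22/tcp ALLOW IN <subnet>", 1 otherwise ("Status: inactive" prints no rules,
# so it also fails the check).
local_ssh_rule_is_first() {
    subnet="$1"
    # Rule lines look like "[ 1] 22/tcp    ALLOW IN    192.168.1.0/24":
    # strip the "[ 1]" tag from the first such line, then stop reading.
    first=$(sed -n '/^\[ *1\]/{s/^\[ *1\] *//p;q;}')
    case "$first" in
        22/tcp*"ALLOW IN"*"$subnet"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs `ufw enable` only if the check passes, so a mis-ordered rule set
# cannot lock you out. Needs sudo on the Pi.
enable_if_safe() {
    if sudo ufw status numbered | local_ssh_rule_is_first "$LOCAL_SUBNET"; then
        sudo ufw enable
    else
        echo "refusing to enable ufw: rule [ 1] is not 'allow 22/tcp from $LOCAL_SUBNET'" >&2
        return 1
    fi
}

# Constructed sample outputs so the parser can be exercised without root.
SAMPLE_GOOD='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.0/24
[ 2] 22/tcp                     LIMIT IN    Anywhere
[ 3] 123/udp                    ALLOW IN    Anywhere'

# Rate limit landed first: a busy workstation trips it before rule 2 matches.
SAMPLE_BAD='Status: active
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    192.168.1.0/24'

# Run the live check only when explicitly asked: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    enable_if_safe
fi
```

Without --live the script only defines the functions and samples, so you can source it and pipe saved ufw output through local_ssh_rule_is_first to test the rule order before touching the firewall.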

Optional: Running Pi-hole alongside your Time Server?

If your Raspberry Pi is doing double-duty as a network-wide ad blocker (Pi-hole), you will need to open a few additional ports for those services to function before enabling UFW:

Service   Port/Protocol     Purpose                              Command
DNS       53/udp & 53/tcp   Allows devices to resolve queries    sudo ufw allow 53
Web UI    80/tcp            Access the Pi-hole dashboard         sudo ufw allow 80/tcp
DHCP      67:68/udp         Only if the Pi handles router DHCP   sudo ufw allow 67:68/udp

Install Fail2Ban

fail2ban monitors logs and automatically bans IPs that show malicious behavior (like too many failed SSH attempts). After installing, confirm the sshd jail is actually running with sudo fail2ban-client status sshd.

sudo apt install fail2ban -y

Enable Unattended Upgrades

You don't want your "security server" to be vulnerable because you forgot to run apt upgrade.

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

Disable Physical Hardware Leaks

If your Pi is plugged in via Ethernet, you should disable the Wi-Fi and Bluetooth radios at the firmware level to reduce the attack surface.

  1. Open the boot config: sudo vim /boot/firmware/config.txt (or /boot/config.txt on older versions).
  2. Add these lines at the bottom:

    dtoverlay=disable-bt
    dtoverlay=disable-wifi

  3. Reboot: sudo reboot

Protect the SD Card (Uptime Security)

SD cards are the Achilles' heel of Raspberry Pis; they wear out if written to too often. If the SD card dies, your network's DNS and time die with it.

  • Log2Ram: This tool writes logs to a RAM disk instead of the SD card, only syncing them occasionally. It drastically extends the life of your card.

    curl -L https://github.com/azlux/log2ram/archive/master.tar.gz | tar zx
    cd log2ram-master
    chmod +x install.sh
    sudo ./install.sh
