Because the Internet of Things (IoT) has stood out in recent months as a risk not only to users’ own IT but also as part of botnets, Raspbian developers have now responded and given their operating system an update, German IT news site heise reports. This Debian-based Linux distribution is a popular base upon which to run a Raspberry Pi.
Steps to secure the Pi
In practice, the developers have deactivated the SSH port and service, which were previously enabled by default. According to the accompanying blog post, the developers had previously assumed that users would deactivate this port and service themselves when using a public network. To make matters worse, when first set up, Raspbian pre-configures a default user account and password. Combined with the likewise pre-configured sudo, this could not have made things very difficult for attackers.
Users can activate SSH as usual via raspi-config. Alternatively, anyone who wants to enable SSH only needs to put a file called ssh in the /boot/ directory. The contents of the file don’t matter: it can contain any text users like, or even nothing at all. It simply acts as a marker. When the Pi boots, it looks for this file; if it finds it, it enables SSH and then deletes the file. SSH can still be turned on or off from the Raspberry Pi Configuration application or raspi-config. As for the problem of the pre-configured user account, the developers now show a warning after the Pi has booted if SSH is running.
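The following is an added example, not Raspbian's own code: a shell check of a mounted SD card for the situation the warning targets, namely SSH enabled (or about to be, via the /boot/ssh marker) while the pre-configured account can still log in with a password. The account name `pi` and the systemd link path are assumptions not stated in the article, and the check only sees that a password is set, not whether it is still the default.

```shell
#!/bin/sh
# Offline audit of a Raspbian SD card mounted on another machine.
# Assumptions (not from the article): the pre-configured account is "pi" and
# an enabled SSH service shows up as a link under multi-user.target.wants.

# ssh_marker_present BOOT_DIR -> 0 if the "ssh" marker file exists,
# meaning SSH will be enabled on the next boot.
ssh_marker_present() {
    [ -e "$1/ssh" ]
}

# ssh_service_enabled ROOT_DIR -> 0 if the SSH service starts at boot.
# -L is tested as well because the link target is absolute and therefore
# dangling while the card is mounted elsewhere.
ssh_service_enabled() {
    unit="$1/etc/systemd/system/multi-user.target.wants/ssh.service"
    [ -L "$unit" ] || [ -e "$unit" ]
}

# account_has_password ROOT_DIR USER -> 0 if USER has a usable password hash
# in etc/shadow. Empty (also: account absent), "!" and "*" count as unusable.
account_has_password() {
    pw=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$1/etc/shadow" 2>/dev/null)
    case "$pw" in
        ''|'!'*|'*'*) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_pi BOOT_DIR ROOT_DIR [USER] -> prints one verdict:
#   ok        SSH is neither enabled nor pending
#   exposed   SSH enabled or pending, and USER can log in with a password
#   ssh-only  SSH enabled or pending, but USER has no usable password
audit_pi() {
    boot=$1; root=$2; user=${3:-pi}
    if ssh_marker_present "$boot" || ssh_service_enabled "$root"; then
        if account_has_password "$root" "$user"; then
            echo exposed
        else
            echo ssh-only
        fi
    else
        echo ok
    fi
}

# Example: sh audit.sh /mnt/boot /mnt/rootfs
if [ "$#" -ge 2 ]; then audit_pi "$@"; fi
```

An `exposed` result means the password should be changed (or password login disabled) before the card goes into a device on a public network.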