Raspberry Pi
Introduction
Raspberry Pi's are cool little computers and I have a few I use in my adventures. I don't have an original though. :-(
I also have a Banana Pi BPI-R1, which was my home router, then a media server, then, well I'm not really using it now.
Please read the "First Steps" section below. It has lots of good info for first time linux/RPi users. Also, I have this script that I use after those "First Steps".
Anyways, enough rambling about cool little computing devices.
Table of Contents
First Steps Philosophy
Philosophy
As of April 4th, 2022, the folks at Raspberry Pi finally removed the default user & password. This is awesome! Security should not be an afterthought. I still think learning about security along the process is a very effective use of the process. ;-) Others may disagree, and that's okay. There are still some concepts and reasoning as well as steps that I think should be performed. So read on to make your own informed decision.
The environment in which you use your Raspberry Pi matters. The first question to ask is do you trust that there won't be any bad actors getting to your Raspberry Pi? It can be as simple a question as how much you trust your siblings/schoolmates (you will probably be on the same network)? If you can't or aren't sure how to answer that question, ask someone (parent/teacher/Google).
And honestly, it isn't hard to stay safe(er); please read on.
After Raspberry Pi OS
This is for the Raspberry Pi OS & Raspberry Pi OS Lite (both 64-bit) as of 10/22/2023. There are two ways to approach creating the bootable media to have more secure system. One is to create a user/password when making the boot media. The other is setting the user/password at the first boot. Both are okay, because the RPi is not vulnerable to remote attacks at that first boot.
One quick note/reminder; if you have other Linux machines (including Raspberry Pis) think about UIDs. I've found it helpful to keep them the same across systems.
DO NOT plug the Raspberry Pi into the network yet; just the monitor/keyboard/mouse.
During the first boot process, set the username and password.
When done, log in (if RPi OS Lite) or log in and open the terminal.
In the terminal, and sudo rm /etc/sudoers.d/010_pi-nopasswd. The file has one line, which is some variation of: <username> ALL=(ALL) NOPASSWORD: ALL. It may be different if you did setup options in the Raspberry Pi Imager. With this file, you do not have to type in your password for sudo commands. I think this is less secure, think about those annoying siblings/classmates who might want to do something when you walk away for a bit.
Now connect the Raspberry Pi to the network & update! Sometimes software updates screw things up, especially if you are using development versions. But in general, it is best to update because it fixes bugs, and any bug can cause/help security issues.
In terminal: sudo apt --fix-broken install && sudo apt-get update && sudo apt-get -y dist-upgrade.
Next, type in the terminal sudo raspi-config. Don't mess with firmware, the latest distributions include necessary firmware in kernel updates. Familiarize yourself with options & make sure you finish localization to be your country (don't forget wifi is in the System Options).
I strongly suggest you also turn off Auto-Login. Same reason why the pi and/or the new user should not have sudo rights without a password.
I suggest you do not enable SSH until after a reboot (which happens next). This may be a pain, but do you trust your siblings? :-P
Next screen: Reboot!
Reasoning
An easy way to introduce yourself to the idea of security is to think about "fences". This might not be a common view. I'll explain my thoughts. There will always be errors, whether bugs, misconfigurations, whatever. The general analogy of fences is that an attacker does not have just one fence to jump over to get to what should be protected.
I do this professionally, making as many fences as feasible to maintain. It goes along with the idea that there is not just one "silver bullet" in security.
Let's look at the fences I like when working on RPis:
Removing pi user: Attackers do not know what user to use. Thank you, Raspberry Pi Foundation for making this change!
Not allowing passwordless sudo: Attackers can't trick you into running scripts that automatically get root privileges.
Update frequently: Attackers know the holes in your fences before you do and it is harder for you to keep track. Trust the developers upstream!
There are more things, but those are the most accessible for most readers at this point. And as deep as I want to write at this point. In the end, you have to decide what are acceptable risks. This is what good Linux administration is about. :-)
General Maintenance
I should say more, but for now, I've created this bash script to help updates in the future.