{"id":24200400,"url":"https://github.com/lefht/securepi","last_synced_at":"2026-03-10T14:32:05.742Z","repository":{"id":210630603,"uuid":"727078086","full_name":"lefht/securepi","owner":"lefht","description":"A simple security setup tool for your Raspberry Pi. It automates essential features like UFW, Fail2Ban, unattended-upgrades, SSH hardening, and supports Ansible for more advanced setup. You can easily adjust it to fit your needs.","archived":false,"fork":false,"pushed_at":"2025-05-10T03:03:44.000Z","size":23,"stargazers_count":2,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-10T04:18:19.003Z","etag":null,"topics":["ansible","bash","docker","makefile","raspberry-pi"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lefht.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-12-04T06:15:06.000Z","updated_at":"2025-05-10T03:03:47.000Z","dependencies_parsed_at":"2023-12-04T07:24:44.051Z","dependency_job_id":"78271181-9f39-4696-a62d-6f9b765b91d4","html_url":"https://github.com/lefht/securepi","commit_stats":null,"previous_names":["arraakis/cybersec","0xleyth/cybersec","lefht/cybersec","lefht/securepi"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/lefht/securepi","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lefht%2Fsecurepi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/lefht%2Fsecurepi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lefht%2Fsecurepi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lefht%2Fsecurepi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lefht","download_url":"https://codeload.github.com/lefht/securepi/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lefht%2Fsecurepi/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30337207,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T12:41:07.687Z","status":"ssl_error","status_checked_at":"2026-03-10T12:41:06.728Z","response_time":106,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","bash","docker","makefile","raspberry-pi"],"created_at":"2025-01-13T20:50:19.634Z","updated_at":"2026-03-10T14:32:05.717Z","avatar_url":"https://github.com/lefht.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Security Configuration Script\n\nThis script is designed to perform various security configurations on a Linux-based system, specifically for enabling and configuring **UFW (Uncomplicated Firewall)**, **Fail2Ban**, **Unattended Upgrades**, and **SSH**. 
It ensures that your system is securely configured with minimal manual intervention.\n\n## Prerequisites\n\n- The script should be run as root, as it modifies system configurations.\n- The system must have the following packages available:\n  - `ufw` (Uncomplicated Firewall)\n  - `fail2ban`\n  - `unattended-upgrades`\n\n## Features\n\n- **Resets and configures UFW** with default rules for SSH, HTTP, and HTTPS.\n- **Installs and configures Fail2Ban** to protect SSH from brute-force attacks.\n- **Installs and configures unattended-upgrades** to ensure the system receives automatic security updates.\n- **Configures SSH** to allow only the current user.\n- **Updates and cleans the system** by performing an upgrade and ensuring all packages are up-to-date.\n\n## Script Breakdown\n\n### 1. `reset_and_configure_ufw`\nThis function resets UFW to avoid conflicts and configures it to allow traffic on SSH, HTTP, and HTTPS ports.\n\n#### Example:\n```bash\nufw allow ssh\nufw allow http\nufw allow https\nufw logging on\n```\n\n### 2. `install_and_configure_fail2ban`\nInstalls Fail2Ban and configures it to protect SSH. It also checks for the existence of the `/var/log/auth.log` file and creates it if missing.\n\n#### Example:\n```bash\napt-get install -y fail2ban\n```\n\n### 3. `install_and_configure_unattended_upgrades`\nInstalls and configures the **unattended-upgrades** package for automatic security updates. It ensures that the Raspbian and Raspberry Pi Foundation repositories are included in the upgrade sources.\n\n#### Example:\n```bash\napt-get install -y unattended-upgrades\ndpkg-reconfigure --priority=low unattended-upgrades\n```\n\n### 4. `configure_sshd`\nConfigures SSH to allow only the current user for secure remote access. It checks if the current user is already added to the `AllowUsers` directive in `/etc/ssh/sshd_config`.\n\n#### Example:\n```bash\nAllowUsers your_username\n```\n\n### 5. 
`update_and_clean`\nUpdates the system and upgrades all installed packages to their latest versions.\n\n#### Example:\n```bash\napt-get update \u0026\u0026 apt-get upgrade -y\n```\n\n### Main Function\nThe `main` function ties all the functions above together and ensures the entire security configuration process is automated and executed in the correct order.\n\n```bash\nreset_and_configure_ufw\ninstall_and_configure_fail2ban\ninstall_and_configure_unattended_upgrades\nconfigure_sshd\nupdate_and_clean\n```\n\n## How to Use\n\n### Option 1: Run the Script Directly\n\n1. Save the script to a file, for example, `securepi.sh`.\n2. Give it executable permissions:\n   ```bash\n   chmod +x securepi.sh\n   ```\n3. Run the script as root:\n   ```bash\n   sudo ./securepi.sh\n   ```\n4. You can also run the script on a remote host over SSH without downloading it first:\n   ```bash\n   curl https://raw.githubusercontent.com/lefht/securepi/refs/heads/main/securepi.sh | ssh pi_usr@hostip 'sudo bash -s'\n   ```\n\n### Option 2: Use Ansible\n\nIf you prefer to use Ansible for configuration management, follow these steps:\n\n1. Ensure that Docker is installed and configured on your system.\n2. Clone the repository or ensure the `inventory` and `playbooks` directories are accessible.\n3. Add your hosts and credentials, then run the following command:\n\n   ```bash\n   make run\n   ```\n\n## Important Notes\n\n- **Root privileges**: Ensure the script is executed as root for proper configuration changes.\n- **Logging**: The script logs progress to the console for easy troubleshooting.\n- **SSH Configuration**: This script configures SSH to only allow the current user. Ensure your user is correctly identified.\n\n## Conclusion\n\nThis script simplifies the process of securing a Raspberry Pi by automating common security configurations.
By running it, you ensure your system is protected with:\n- a firewall\n- Fail2Ban\n- automatic security updates\n- a secure SSH configuration\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flefht%2Fsecurepi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flefht%2Fsecurepi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flefht%2Fsecurepi/lists"}