Embedded Linux Password Security

TL;DR

Embedded Linux devices often ship with default passwords or weak security configurations. This guide provides practical steps to manage passwords effectively, including changing defaults, using strong hashing algorithms, implementing password policies, and securing storage.

1. Change Default Passwords Immediately

The first and most crucial step is to change all default passwords. Manufacturers often use common credentials for initial access. These are well-known targets for attackers.

• Identify Defaults: Check the device documentation, manufacturer’s website, or online resources for default usernames and passwords.
• Access the Device: Use SSH, a serial console, or any other available method to log in.
• Change Passwords: Use commands like passwd (for user accounts) and potentially device-specific tools to update credentials.

sudo passwd root

2. Implement Strong Password Policies

Enforce rules for password complexity and expiration.

• Minimum Length: Require passwords of at least 12 characters (longer is better).
• Complexity Requirements: Mandate a mix of uppercase letters, lowercase letters, numbers, and symbols.
• Password History: Prevent users from reusing previous passwords.
• Regular Expiration: Force password changes every 90-180 days (adjust based on risk).

You can configure these policies using PAM (Pluggable Authentication Modules). Edit files in /etc/pam.d/, such as common-password.

sudo nano /etc/pam.d/common-password

3. Use Strong Password Hashing

Never store passwords in plain text! Use a robust hashing algorithm with salting.

• Avoid MD5 and SHA1: These algorithms are considered weak and vulnerable to cracking.
• Recommended Algorithms: bcrypt, Argon2, or scrypt are excellent choices. bcrypt is widely available and well-tested.
• Salting: Always use a unique salt for each password. This prevents rainbow table attacks. Modern PAM configurations typically handle salting automatically when using strong algorithms.

Verify your system uses a secure hashing algorithm by examining the shadow file (/etc/shadow). The hash should be long and complex.

4. Secure Password Storage

Protect the files containing password hashes from unauthorized access.

• File Permissions: Ensure that /etc/shadow is only readable by root (permissions 600).
• Filesystem Encryption: Consider encrypting the entire filesystem to protect sensitive data, including password hashes.

sudo chmod 600 /etc/shadow

5. Limit Login Attempts

Reduce the risk of brute-force attacks by limiting the number of failed login attempts.

• Fail2ban: Use a tool like Fail2ban to automatically block IP addresses after multiple unsuccessful login attempts.

sudo apt install fail2ban  # Example for Debian/Ubuntu

6. Consider SSH Key Authentication

Disable password-based SSH authentication and use SSH keys instead.

• Generate Keys: Create a key pair on your client machine (ssh-keygen).
• Copy Public Key: Copy the public key to the device’s ~/.ssh/authorized_keys file.
• Disable Password Authentication: Edit /etc/ssh/sshd_config and set PasswordAuthentication no. Restart the SSH service (sudo systemctl restart sshd).

7. Regularly Audit Logs

Monitor logs for suspicious activity, such as failed login attempts or unauthorized access.

• Log Files: Check /var/log/auth.log (or similar) for authentication-related events.
• Automated Monitoring: Use log analysis tools to automate the detection of security incidents.