New PI appliance setup best practices?

[gt3mike]

I have a brand new AD2PI appliance running on my network and communicating between my Vista panel and Indigo. All seems well, but I'm painfully aware of the fact that I haven't done any configuration on the PI itself, and that means I have default passwords and services enabled, etc.

Does anyone have any best practices and/or any resources to recommend? For example, changing the default "pi" password is an obvious candidate, but I don't know whether that might negatively impact anything unique to AD2PI appliance operation.

All advice is welcome. I'm reasonably familiar with Linux but this is the first PI I've worked with.

Thanks,
Mike

[trialnerror]

I've seen an install for dummies type post here not too far down in the general forum, though I didn't follow it. I've had AD2PI up for about a month and haven't touched a un*x command line in 25 years. That said, I installed the pi downloadable factory image, changed the pi password, installed iptables-persistent and some rules, and did a sudo apt-get update, sudo apt-get upgade, and updated the alarmdecoder webapp from within it and, knock wood, it is still running. Just make a backup image of your implementation and any goofs are easily reversed.

[gt3mike]

I have the prebuilt Pi appliance from AD that includes a Pi with a premounted AD2 board. So all of the required setup was performed for me. What I'm unclear on is what additional changes I should make to secure it, and what I might break if I do so (e.g. changing the pi password, etc.).

[sandman]

It is mentioned here that you should change the default credentials asap.

Here is the official Pi documentation indicating some security points. I have no clue which of these might break this solution.

[gt3mike]

Thanks. Pi password changed. Any other security best practices that won't break my preconfigured AD2PI Appliance?

[kevin]

Install fail2ban and a firewall, make sure your software is up to date, change default passwords, enjoy

If you want, you can lock it down to key-based only authentication.

[Gordon]

I dont know anything about the other parts of your system but here my RasPi and AD2Pi are not exposed to the Internet (WAN), but only the local network (LAN). To access it off site I use a VPN using the VPN server on my router. It adds an extra step but works for me. In order to compromise the RasPi you would need to first gain access to my LAN. The VPN server or hacking my WiFi from no more than 100 feet away are the only ways in and not trivial to accomplish.

IMHO, If you expose any server, esp web servers, to the Internet, then it takes a lot of work to maintain security.