Generated: April 4, 2026
System: Batocera.linux v42
IP Address: <DEVICE_IP>
Network: <LOCAL_SUBNET> (Private LAN)
- SSH (Port 22): Remote terminal access - DEFAULT PASSWORD: <DEFAULT_PASS>
- Samba (Ports 139/445): File sharing - DEFAULT PASSWORD: <DEFAULT_PASS>
- NFS (Port 2049): Network file system
- RPC (Port 111): Remote procedure calls
- Local IP: <DEVICE_IP>
- Gateway/Router: <GATEWAY_IP>
- Connection: Wi-Fi (wlan0)
- Internet Access: Yes (via router)
⚠️ Default password still active (<DEFAULT_USER>/<DEFAULT_PASS>)
✅ Behind router firewall (not directly exposed to internet)
⚠️ Anyone on local network can access with default credentials
Command:
passwd
Instructions:
- Open terminal (F4 key or SSH into machine)
- Type: passwd
- Enter new password (won't show on screen)
- Confirm new password
- You'll see: "Password changed successfully"
This secures:
- SSH access
- Samba file sharing
- Root terminal access
Check your router (<GATEWAY_IP>):
- Log into router admin panel (usually http://<GATEWAY_IP>)
- Look for "Port Forwarding" or "Virtual Server" settings
- Verify NO rules forward to <DEVICE_IP>
- Common ports to check: 22, 139, 445, 2049, 80, 8080
Why: Port forwarding would expose your Batocera to the internet.
From another computer (not on your network):
- Find your public IP: https://whatismyipaddress.com/
- Test ports: https://www.yougetsignal.com/tools/open-ports/
- Check these ports: 22, 139, 445, 2049
- All should show "CLOSED"
If any show OPEN: Remove port forwarding rules from your router immediately.
Check running services:
batocera-services list
Disable SSH (if you don't need remote access):
batocera-services disable sshd
Disable Samba (if you only use USB for file transfer):
batocera-services disable smbd
Re-enable if needed:
batocera-services enable sshd
batocera-services enable smbd
Instead of password, use SSH keys:
On your other computer (Linux/Mac):
ssh-keygen -t ed25519
ssh-copy-id root@<DEVICE_IP>
On your other computer (Windows):
- Use PuTTYgen to generate key pair
- Copy public key to Batocera:
/userdata/system/ssh/authorized_keys
Then disable password authentication:
# Edit SSH config
nano /etc/ssh/sshd_config
# Add: PasswordAuthentication no
# Restart SSH
batocera-services restart sshd
See who's connected:
# Active SSH sessions
who
# Active Samba connections
smbstatus
# All network connections
netstat -tn
Check for updates:
batocera-upgrade --check
Install updates:
batocera-upgrade
Enable automatic update checks:
- In EmulationStation: Start → System Settings → Updates → Enable
Install iptables rules (advanced):
# Allow only local network access
iptables -A INPUT -s <LOCAL_SUBNET> -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
# Save rules
iptables-save > /userdata/system/iptables.rules
Note: Batocera resets on reboot. Use custom scripts to persist.
If you need remote access, use VPN instead of exposing ports:
- Set up VPN server on your router (WireGuard, OpenVPN)
- Connect to home network via VPN
- Access Batocera at <DEVICE_IP> through VPN tunnel
- No ports exposed to internet
Do:
- Change default password immediately
- Use strong passwords (12+ characters, mixed case, numbers, symbols)
- Keep Batocera updated
- Only enable services you actually use
- Use VPN for remote access
- Regularly check router settings
- Back up important data to external storage
Don't:
- Use default password (<DEFAULT_PASS>)
- Enable port forwarding to Batocera
- Connect directly to public Wi-Fi without VPN
- Share your password
- Disable router firewall
- Run untrusted scripts as root
- Expose SSH to internet without key authentication
Run these commands to check your security:
# 1. Check listening ports
netstat -tuln | grep LISTEN
# 2. Check running services
batocera-services list
# 3. Check active connections
netstat -tn | grep ESTABLISHED
# 4. Check SSH login attempts
grep "Failed password" /var/log/messages 2>/dev/null
# 5. Check system users
cat /etc/passwd
# 6. Verify password is changed
grep "^root:" /etc/shadow | cut -d: -f2
# Should NOT be empty or show default hash
If you suspect unauthorized access:
- Immediately change password:
passwd
- Check for suspicious activity:
# Recent logins
last
# Current users
who
# Running processes
ps aux | grep -v "\[" | head -20
- Disconnect from network:
ifconfig wlan0 down
- Review logs:
dmesg | tail -50
journalctl -n 100
- Reboot to clean state:
reboot
After completing security steps, verify:
- Root password changed from default
- Can still access Batocera via SSH/Samba with new password
- No port forwarding rules on router pointing to <DEVICE_IP>
- External port scan shows all ports closed
- Only necessary services are running
- System is up to date
- Backup of important data exists
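The "check listening ports" and "only necessary services are running" checks can be scripted. The following is an added example, not part of the original report: a POSIX shell function that reads `netstat -tuln` output and lists which of the service ports named in this report (22, 111, 139, 445, 2049) are listening on a non-loopback address. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the report's service ports when they listen on a
# non-loopback address. Input is `netstat -tuln` text on stdin.

WATCHED="22 111 139 445 2049"   # ports named in this report

exposed_ports() {
    # Print "proto port local-host" for each watched port bound off-loopback.
    awk -v watched="$WATCHED" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)    # text before the last colon
            if (!(port in want)) next                # not a port this report covers
            if (host ~ /^127\./ || host == "::1") next   # loopback only
            if ($1 ~ /^tcp/ && $NF != "LISTEN") next # TCP must be a listener
            print $1, port, host
        }'
}

# Constructed sample of `netstat -tuln` output (not captured from a real device).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN
tcp6       0      0 :::2049                 :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
EOF
}

# Demo on the constructed sample; on a live system: netstat -tuln | exposed_ports
sample_netstat | exposed_ports
```

Any line printed is a service reachable from other hosts on the LAN; disable the ones you do not use, and make sure none of them is covered by a router port-forwarding rule.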
Weekly:
- Check for system updates
Monthly:
- Review router port forwarding settings
- Check active network connections
- Review SSH logs for failed attempts
Quarterly:
- Change password
- Audit enabled services
- Test external port exposure
Batocera Security Documentation:
- https://wiki.batocera.org/security
- https://wiki.batocera.org/ssh
- https://wiki.batocera.org/vpn_client
Community Support:
- Discord: https://discord.gg/batocera
- Forum: https://forum.batocera.org/
- GitHub Issues: https://github.com/batocera-linux/batocera.linux/issues
Minimum Required Actions:
- Change root password: passwd
- Verify no port forwarding on router
- Test external exposure (all ports should be closed)
Time Required: 10-15 minutes
Difficulty: Easy
Impact: Protects your system from unauthorized access
IMPORTANT: Your Batocera is currently accessible to anyone on your local network (<LOCAL_SUBNET_RANGE>) using the default password. Change it now to secure your system.
Report End
Next Action: Run passwd command to change root password
Status: Awaiting security implementation