There are several possible causes for this, including:
- You have a keylogger on the system that you use to configure the miner. Every time you change the password, it's captured by the keylogger and sent to the attacker.
- The OS on the RPi has a security vulnerability that can be exploited.

You should first figure out how the attacker is gaining access. If it's through a keylogger on your system, then just slapping a firewall in front of the miner isn't going to do anything.