Raspberry Pi: Hands On

A computer the size of a credit card

In this post, I’d like to share the very first configuration steps I usually take when I get my hands on a brand new raspberry pi.

I assume that:

  • Raspbian has been freshly installed.
  • The raspberry pi is up and running.
  • You know its IP address.
  • You know how to connect to the pi over ssh.

1. Security 101: The Basics

1.1 Change The pi User Password

With a standard raspbian installation, you can log in as the user pi with the password raspberry. It’s raspbian’s default, everybody knows that! So start by changing the pi account password:

$ [sudo] passwd [{username}]

The elements in brackets [] are optional. The curly braces {} mean you need to enter something appropriate (i.e. a username in this case). When used standalone, passwd changes the current user password. sudo and a username are only necessary to change someone else’s password.

1.2 Update The System

Next, your system is only secure as long as you keep it up to date:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade
$ sudo apt clean

Whether or not to use dist-upgrade is up to you. upgrade is conservative with regard to dependencies (thus safer). Some packages and programs may be kept back because their newer version relies on new dependencies. That’s where dist-upgrade comes into play.

The last command deletes the files downloaded in /var/cache/apt/archives (useless once installed) thus freeing up some space.

Did you notice that, even though you entered commands with sudo, the system didn’t ask for a password? That’s a behavior specific to the pi user (easier, but dangerous) that we may correct later on.

1.3 Create A New User

You may wonder: “what’s the point”?

The underlying idea is quite similar to the password issue I mentioned earlier. Everybody knows raspbian defines a pi user by default. Thus you’d better use another one, whose username only you know.

$ sudo adduser {username}
$ sudo usermod -a -G sudo {username}

When adding a new user the system asks for a password.

The 2nd line adds the newly defined user to the sudo group. Only the users in that group can issue commands preceded with sudo.

Now is the time for you to log out of the pi account and log in with your new account. Get used to it and part ways with pi.

1.4 Dealing With The pi User

1.4.1 Delete pi

This is for the bold, the daredevils:

$ sudo deluser [--remove-home] pi

I suppose this is self-explanatory enough. The optional argument also deletes the pi user home folder (/home/pi) including everything it contains.

Hang on … what’s the problem, why is this for the bold?

The trick is some aspects of the raspbian distribution still rely on the pi account. Removing pi might have some side effects, but it’s not entirely clear which and where.

Long story short, deleting pi is up to you.

1.4.2 Make pi Ask For A Password With sudo

As we saw when upgrading the system, pi can submit sudo commands, no questions asked. If you don’t dare get rid of the pi account, this is at least something you must change.

We could do this a couple of ways. The easiest option is to delete one file, which overrides the default security policy by granting pi the extra power of using sudo without entering a password:

$ cd /etc/sudoers.d/
$ ls -l
$ sudo rm /etc/sudoers.d/010_pi-nopasswd
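Before deleting the file, it helps to see every rule that grants passwordless sudo, since other drop-in files could do the same. The following is an added example, not part of the original post: list_nopasswd and make_sample are hypothetical helper names, and the sample directory is constructed to imitate the Raspbian layout.

```shell
#!/bin/sh
# Added example: find active NOPASSWD rules under a sudoers.d directory.
# list_nopasswd and make_sample are hypothetical helper names.

# Print "file:line:rule" for every uncommented rule carrying the NOPASSWD tag.
# Returns 0 if at least one was found, 1 otherwise.
list_nopasswd() {
    dir=$1
    found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # sudo skips sudoers.d files whose name ends in ~ or contains a dot
        case "${f##*/}" in *~ | *.*) continue ;; esac
        awk -v name="${f##*/}" '
            # "#" starts a comment unless a digit follows (then it is a user ID)
            /^[ \t]*#([^0-9]|$)/ { next }
            /NOPASSWD[ \t]*:/    { print name ":" FNR ":" $0; n++ }
            END { exit (n ? 0 : 1) }' "$f" && found=0
    done
    return "$found"
}

# Constructed sample directory (not copied from a real system).
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'pi ALL=(ALL) NOPASSWD: ALL' > "$1/010_pi-nopasswd"
    printf '%s\n' '# alice ALL=(ALL) NOPASSWD: ALL' \
                  'alice ALL=(ALL:ALL) ALL' > "$1/020_alice"
    printf '%s\n' 'bob ALL=(ALL) NOPASSWD: ALL' > "$1/030_bob.bak"
}

sample=$(mktemp -d)
make_sample "$sample"
echo "Before:"; list_nopasswd "$sample" || echo "  (none)"
rm "$sample/010_pi-nopasswd"          # the step from section 1.4.2
echo "After:";  list_nopasswd "$sample" || echo "  (none)"
rm -r "$sample"
```

On a real pi, call list_nopasswd /etc/sudoers.d as root, then validate the remaining configuration with sudo visudo -c.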

1.5 Use A Firewall

Raspbian is based on debian and yes GNU/Linux is generally safer than Windows or even MacOS operating systems. Still, you should protect your computer from unwanted outside access:

$ sudo apt-get install ufw

The Uncomplicated FireWall (UFW) is super simple to use compared to setting up your iptables. It’s disabled by default which is fortunate as we must add at least one rule first.

Most of my pies are “headless”. They don’t have a keyboard or monitor. I only access them remotely on the command line through ssh. Thus I must make sure that ssh will still be authorized after enabling the firewall.

$ sudo ufw limit in 22/tcp

22 and tcp are respectively the standard port and protocol for ssh. Make sure you enter the correct port number for your installation.

Also I use limit in instead of allow in for additional security against brute force attacks. With limit, ufw keeps track of connection attempts and blocks offending IP addresses for a while after too many tries in a short period. This makes the job of automated password guessing tools much more difficult, especially with a strong password.

If you fail to configure the firewall properly, you may lock yourself out of your raspberry pi for good (at least remotely in ssh). Thus take your time and think twice before proceeding with the next command:

$ sudo ufw enable
$ sudo ufw status verbose
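The lockout risk can be checked before running ufw enable. This added example (not from the original post) compares the ports sshd listens on with the rules staged in ufw and reports whether each port is rate limited, merely allowed, or missing. The helper names are hypothetical and the sample texts are constructed, assuming sshd -T prints "port N" lines and ufw show added lists rules in the form "ufw limit 22/tcp".

```shell
#!/bin/sh
# Added example: check that every sshd port has a ufw rule before `ufw enable`.
# sshd_ports, check_ssh_rules and the sample_* helpers are hypothetical names.

# Print the ports sshd listens on, given `sshd -T` output on stdin.
sshd_ports() { awk '$1 == "port" { print $2 }'; }

# For each PORT print "PORT limit", "PORT allow" or "PORT MISSING", based on
# the rules text in file $1. Returns 1 if any port has no rule at all.
check_ssh_rules() {
    rules=$1; shift
    rc=0
    for port in "$@"; do
        if grep -E -q "^ufw limit( in)? ${port}(/tcp)?\$" "$rules"; then
            echo "$port limit"      # rate limited, as the post recommends
        elif grep -E -q "^ufw allow( in)? ${port}(/tcp)?\$" "$rules"; then
            echo "$port allow"      # reachable, but not rate limited
        else
            echo "$port MISSING"    # enabling ufw now would cut this port off
            rc=1
        fi
    done
    return "$rc"
}

# Constructed samples (not captured from a real system).
sample_sshd()  { printf '%s\n' 'port 22' 'port 2222' 'addressfamily any'; }
sample_rules() {
    printf '%s\n' "Added user rules (see 'ufw status' for running firewall):" \
                  'ufw limit 22/tcp'
}

# On the pi, as root: sshd -T | sshd_ports   and   ufw show added > rules.txt
rules_file=$(mktemp)
sample_rules > "$rules_file"
ports=$(sample_sshd | sshd_ports)
# $ports is left unquoted on purpose: one argument per port
check_ssh_rules "$rules_file" $ports || echo "hold off on 'ufw enable'"
rm -f "$rules_file"
```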

2. Other Configurations

2.1 DNS Resolution

It happens I’m a crazy nerd. I run my own private DNS at home so I can name the various devices connected to my local network.

Basically I need my private DNS to be queried first for names known only locally before delegating the name resolution to my ISP or a public DNS.

In order to do just that I need to edit the /etc/resolvconf.conf file:

$ sudo vi /etc/resolvconf.conf

and replace the line:

#name_servers=127.0.0.1

with:

name_servers={my private DNS IP address}

then update the system configuration:

$ sudo resolvconf -u
$ cat /etc/resolv.conf

Be mindful as /etc/resolvconf.conf and /etc/resolv.conf are unfortunately very similar names for 2 different configuration files!

2.2 Time Synchronisation

Time synchronization relies on the NTP protocol (Network Time Protocol). Obviously it keeps the pi clock right on time. This is necessary if, for instance, your pi uses or offers some sort of time based 2 factor authentication mechanism.

If you search the web, you’ll find most people install the ntp and ntpdate packages. However this is useless, unless you want your pi to act as an NTP server.

If you just need an NTP client for your pi to set its clock properly, there is a simple way that doesn’t require any additional package installation.

$ sudo vi /etc/systemd/timesyncd.conf

Then change the line:

#NTP=

for:

NTP={space separated list of NTP server IP addresses}

Now let’s check everything is correctly setup:

$ timedatectl

If the line NTP synchronized: indicates no, enter:

$ sudo timedatectl set-ntp true
$ sudo systemctl status systemd-timesyncd.service

2.3 log2ram

The trick with raspberry pies is they are often running 24/7. They don’t have a hard disk. A micro SD is the HDD. Constantly writing to a SD card reduces its lifespan. And, there is one thing that is written to the card at all times: it’s the logs.

log2ram is a program shadowing /var/log in memory so that log updates are written to memory instead of disk. Log files are synchronized back to disk only once every hour.

I’m usually very cautious with installing unknown programs, but in this case it’s a short shell program that’s mostly self-explanatory.

Long story short, I’ve read the whole thing, it’s nice and safe.

$ cd /opt
$ apt list git
$ sudo apt-get install git
$ sudo git clone https://github.com/azlux/log2ram.git
$ cd log2ram
$ sudo chmod 744 install.sh
$ sudo ./install.sh

3. raspi-config

Last but not least I run the famous raspi-config program.

$ sudo raspi-config

The sections I’m usually going through are:

  • Network Options > N1 hostname: to replace the default raspberrypi hostname with something more meaningful that reflects how the raspberry pi is used.
  • Boot Options > B1 Desktop / CLI > B1 Console: to confirm I want to launch the command line interface on startup (instead of a Graphical User Interface).
  • Localisation Options > I1 Change Locale: there I usually select at least en_GB.UTF-8 (the raspberry pi is made in the UK after all) as well as en_US.UTF-8.
  • Localisation Options > I2 Change Timezone: this one should be rather obvious.
  • Advanced Options > A3 Memory Split: if I intend to use the raspberry pi only in “headless” mode (for instance as a server) and not as a desktop running a GUI, I set the value to the minimum (i.e. 16) to avoid wasting memory on a GPU I won’t need.
  • Advanced Options > A1 Expand Filesystem: to use the SD card to its full extent.

After all this, I’m just a couple commands away from my standard “new raspberry pi routine”:

$ sudo apt clean
$ sudo shutdown -r
$ exit

4. Final Words

I hope you enjoyed reading this post. And I definitely hope you’ve learned something or at least found it useful. I’d be very interested in constructive feedback. Have I missed anything, have you spotted any errors?

Also do you have recipes of your own you’d be willing to share with the community? Anything in particular you perform systematically with each new raspberry pi?

In later posts I shall dwell some more on the security side of things and discuss ssh access in detail.
