Categories
System Admin

Raspberry Pi: Hands On

Raspberry Pi a computer the size of a credit card
Raspberry Pi a computer the size of a credit card

Today I’ll share the very first configuration steps I usually take when I get my hands on a brand new raspberry pi.

I assume that:

  • Raspbian is freshly installed.
  • The raspberry pi is up and running.
  • You know its IP address.
  • You know how to connect to the pi over ssh.

Security 101: The Basics

Change The pi User Password

With a standard raspbian installation, you can log in as the user pi with the password raspberry. It’s raspbian’s default, everybody knows that ! So start by changing the pi account password:

$ [sudo] passwd [{username}]

The elements in brackets [] are optional. The curly braces {} mean you need to enter something appropriate (i.e. a username in this case). When used standalone, passwd changes the current user password. sudo and a username are only necessary to change someone else’s password.

Update The System

Next, your system is only secure if you keep it up to date:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade
$ sudo shutdown -r

When the system is back up, I suggest to clean up a bit:

$ sudo apt clean
$ sudo autoremove

Whether or not to use dist-upgrade is up to you. upgrade is conservative with regards to dependencies (thus safer). Some packages and programs may be kept back as their newer version relies on new dependencies. That’s where dist-upgrade comes into play.

apt clean deletes the files downloaded in /var/cache/apt/archives (useless once installed) thus frees up some space.

Did you notice that, even though you entered commands with sudo, the system didn’t ask for a password? That’s a specific (and dangerous though easier) behavior for the pi user we’ll change later on.

Create A New User

You may wonder: “what’s the point”?

The underlying idea is similar to the password issue I mentioned earlier. Everybody knows raspbian defines a pi user by default. Thus you’d better use another one. One only you know the username.

$ sudo adduser {username}
$ sudo usermod -a -G sudo {username}

When adding a new user the system asks for a password.

The 2nd line adds the new user to the sudoers group. Only the users in that group can issue commands preceded with sudo.

Now is the time for you to log out of the pi account and log in with your new account. Get used to it and part ways with pi.

Dealing With The pi User

Delete pi

This is for the bold, the daredevils:

$ sudo deluser [--remove-home] pi

I suppose this is self explanatory enough. The optional argument also deletes the pi user home directory (/home/pi) including everything it contains.

Hang on … what’s the problem, why is this for the bold?

The trick is some aspects of the raspbian distribution still rely on the pi account. Removing pi might have some side effects, but it’s not entirely clear which and where.

Long story short, deleting pi is up to you.

Make pi Ask For A Password With sudo

As we saw when upgrading the system, pi can issue sudo commands no question asked. If you don’t dare getting rid of the pi account, at least restrict its potential for harm.

We could do this a couple ways. The easiest option consists in deleting one file. This file overrides the default security strategy, by granting pi the extra power of sudoing without entering a password:

$ cd /etc/sudoers.d/
$ ls -l
$ sudo cat 010_pi-nopasswd
pi ALL=(ALL) NOPASSWD: ALL
$ sudo rm /etc/sudoers.d/010_pi-nopasswd

Then, if you want to go even one step further, it’s possible to stop pi from using sudo, period:

$ grep sudo /etc/group
$ sudo deluser pi sudo
$ grep sudo /etc/group

Use A Firewall

Raspbian is based on debian and yes GNU/Linux is generally safer than Windows or even MacOS operating systems. Still, you should protect your computer from undesired outside access:

$ sudo apt-get install ufw

The Uncomplicated FireWall (UFW) is super simple to use compared to setting up your iptables. It’s disabled by default which is fortunate as we must add at least one rule first.

Most of my pies are “headless”. They don’t have a keyboard or monitor. I only access them remotely on the command line through ssh. Thus I must make sure that ssh will still be authorized after enabling the firewall.

$ sudo ufw limit in 22/tcp

22 and tcp are respectively the standard port and protocol for ssh. Make sure you enter the correct port number for your installation.

Also I use limit in instead of allow in for additional security against brute force attacks. Then ssh keeps track of unsuccessful connection attempts and forbids offending IP addresses for a while after too many tries. This makes the job of automated password guessing tools much more difficult especially with a strong password.

If you fail to configure the firewall properly, you may lock yourself out of your raspberry pi for good (at least remotely in ssh). Thus take your time and think twice before proceeding with the next command:

$ sudo ufw enable
$ sudo ufw status verbose

Other Configurations

DNS Resolution

It happens I’m a crazy nerd. I run my own private DNS at home so I can name the various equipments connected to my local network.

Basically I need my private DNS to be queried first for names known only locally before delegating the domain name resolution to my ISP or a public DNS.

In order to do just that edit the /etc/resolvconf.conf file:

$ sudo vi /etc/resolvconf.conf

and replace the line:

#name_servers=127.0.0.1

with:

name_servers={your private DNS IP address}

Then restart so the new DNS configuration is taken into account:

$ sudo shutdown -r
$ cat /etc/resolv.conf

Be mindful as /etc/resolvconf.conf and /etc/resolv.conf are unfortunately very similar names for 2 different configuration files !

Time Synchronization

Time synchronization relies on the NTP protocol (Network Time Protocol). Obviously it keeps the pi clock right on time. This is necessary if, for instance, your pi uses or proposes some sort of time based 2 factor authentication mechanism.

If you search the web, you’ll find most people install the ntp and ntpdate packages. However this isn’t necessary, unless you want your pi to act as a NTP server.

If you just need a NTP client for your pi to set its clock properly, there is a simpler way that doesn’t require any additional package installation.

$ sudo vi /etc/systemd/timesyncd.conf

Then change the line:

#NTP=

for:

NTP={space separated list of NTP server IP addresses}

Now let’s check everything is correctly setup:

$ timedatectl

If the line NTP synchronized: indicates no try:

$ sudo timedatectl set-ntp true
$ sudo systemctl status systemd-timesyncd.service

log2ram

The trick with raspberry pies is they are often running 24/7. They don’t have a hard disk. A micro SD is the HDD. Constantly writing to a SD card reduces its lifespan. And, there is one thing that is written to the card at all times: it’s the logs.

log2ram is a program shadowing /var/log in memory so that log updates are written to memory instead of disk. Log files are synchronized back to disk only once a day.

I’m usually very cautious with installing programs of unknown origin, but in this case it’s a short shell program, that’s mostly self explanatory.

Long story short, I’ve read the whole thing, it’s nice and safe.

$ cd /opt
$ apt list git
$ sudo apt-get install git
$ sudo git clone https://github.com/azlux/log2ram.git
$ cd log2ram
$ sudo chmod 744 install.sh
$ sudo ./install.sh

raspi-config

Last but not least I run the famous raspi-config program.

$ sudo raspi-config
raspi-config user interface
raspi-config user interface

The sections I’m usually going through are:

  • Network Options > N1 hostname: to replace the default raspberrypi hostname with something more meaningful in relation with the raspberry pi usage.
  • Boot Options > B1 Desktop / CLI > B1 Console: to confirm I want to launch the command line interface on startup (instead of a Graphical User Interface).
  • Localisation Options > I1 Change Locale: there I usually select at least en_GB.UTF8 (the raspberry pi is made in UK after all) as well as en_US.UTF8.
  • Localisation Options > I2 Change Timezone: this one should be rather obvious.
  • Advanced Options > A3 Memory Split: if I target to use the raspberry pi only in “headless” mode (typically as a server) and not as a desktop running a GUI, I set the value to the minimum (i.e. 16) to avoid wasting memory on a GPU I won’t need.
  • Advanced Options > A1 Expand Filesystem: to use the SD card to its full extent.

After all this, I’m just a couple commands away from finishing my standard “new raspberry pi routine”:

$ cd
$ sudo apt clean
$ sudo shutdown -r
$ cat /dev/null > .bash_history && history -c && exit

Final Words

I hope you enjoyed reading this post. And I definitely hope you’ve learned something or at least found it useful. I’d be very interested in constructive feedback. Have I missed anything, have you spotted any errors?

Do you have recipes on your own you’d be willing to share ? Anything in particular you perform systematically with each new raspberry pi?

In later posts I shall dwell some more on the security side of things and discuss ssh access in details.

Additional sources of information: Securing your raspberry pi

[print-me]

Leave a Reply

Your email address will not be published. Required fields are marked *