Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

--- projects:raspberrypi:install [2013/12/29 16:57] – angelegt benh
+++ projects:raspberrypi:install [2016/10/22 17:46] (aktuell) – benh
@@ Zeile 1: / Zeile 1: @@
-====== Howto configure a basic debian server on a Raspberry Pi ======
+/op====== Howto configure a basic debian server on a Raspberry Pi ======
 ===== Requirements =====
   * Raspberry Pi & power supply
@@ Zeile 7: / Zeile 7: @@
 ===== Installation steps =====
   - boot up the Raspberry Pi
-  - login through ssh console //(user: pi / password: raspberry)// <code bash>ssh pi@10.17.0.3</code>
+  - login through ssh console //(user: pi / password: raspberry)// <code bash>ssh pi@10.{x}.{x}.{x}</code>
   - use raspi-config for some basic configurations
     - Expand Filesystem
@@ Zeile 17: / Zeile 17: @@
       - Memory Split - set to "16"
       - Update
-  - update firmware <code bash>rpi-update</code>
+  - update firmware <code bash>apt-get install rpi-update && rpi-update</code>
   - reboot the Raspberry Pi <code bash>reboot</code>
-  - login through ssh console <code bash>ssh pi@10.17.0.3</code>
+  - login through ssh console <code bash>ssh pi@10.{x}.{x}.{x}</code>
   - get root console <code bash>sudo su -</code>
+  - remove unnecessary packages <code bash>apt-get purge squeak-vm wolfram-engine</code>
+  - remove desktop environment <code bash>apt-get purge consolekit desktop-base* desktop-file-utils* gnome-icon-theme* gnome-themes-standard* hicolor-icon-theme* leafpad* lxde* lxde-core* midori* xserver-common* xserver-xorg* xserver-xorg-core* xserver-xorg-input-all* xserver-xorg-input-evdev* xserver-xorg-input-synaptics* xserver-xorg-video-fbdev* openbox obconf menu omxplayer</code>
+  - clean up package dependencies <code bash>apt-get autoremove</code>
   - update package repositories <code bash>apt-get update</code>
   - upgrade all packages to newest version <code bash>apt-get dist-upgrade</code>
-  - install additional packets <code bash> apt-get install vim-nox dnsmasq htop iftop nmap exim4-daemon-lightuptimed dnsutils wget curl ntpdate mc fail2ban logwatch apticron watchdog git locate</code>
+  - enable watchdog kernel module (history: bcm2708_wdog) <code bash>echo "bcm2835_wdt" | sudo tee -a /etc/modules && modprobe bcm2835_wdt</code>
-  -
+  - install additional packets <code bash> apt-get install vim-nox dnsmasq htop iftop nmap exim4-daemon-light uptimed dnsutils wget curl ntpdate mc fail2ban logwatch apticron watchdog git locate figlet lsb-release</code>
+  - add new user <code bash>adduser benh</code>
+  - change console to new user <code bash>su - benh</code>
+  - create ssh config directory <code bash>mkdir .ssh</code>
+  - add public ssh key to authorized_keys <code bash>vi .ssh/authorized_keys</code> <code>ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5r9mj5lsBX55o2Cdv/57v5cH4GOJoZyIwC21tAvPEhzHM8AjD4M6HzlVazGS1pPcC/zm1uXUH6OUTmnphuyTDYmW1YS11PAeB5FmntSwgBQjgorJeEcGsK1Bw9qHCN9kddu2PS6By90+ihydCBMetCC4uAXCxtyClSGGjKT2QRpg+iXpYWSPIeAyEVEvtQPxfrgQz0+ZyXPJD1rcmT1Gs++Xume9w7hw3Aon07ZExJDVH/VF3Ro6P/91+WdvlIxBFgIBSVzr3OTLfM4OzKdnl2XpbKhZsjiRahpat3eNaB99tqfPxyH9Ai/W7lv1crBLBeY4ftu14n0ep6qLiVs//Q== benh@tux
+    </code>
+  - restrict access rights of authorized_keys <code bash>chmod go-r .ssh/authorized_keys</code>
+  - set system default editor to vim-nox <code bash>update-alternatives --config editor</code>
+  - add new user to system group 'sudo' <code bash>usermod -a -G sudo benh</code>
+  - remove default user 'pi' from 'sudo' group <code bash>deluser pi sudo</code>
+  - disable sudo rights of pi <code bash>visudo</code> <code>#pi ALL=(ALL) NOPASSWD: ALL</code>
+  - enable history search with "page up"/"page down" <code bash>vi /etc/inputrc</code> <code># alternate mappings for "page up" and "page down" to search the history
+    "\e[5~": history-search-backward
+    "\e[6~": history-search-forward
+    </code>
+  - replace bashrc "[[projects:raspberrypi:bashrc|/etc/ssh/bashrc]]" <code bash>vi .bashrc</code>
+  - configure hosts file <code bash>vi /etc/hosts</code>
+    - comment the hostname->localhost line <code>#127.0.1.1       xyz.b9h.de</code>
+    - add a line with hostname->ip <code>10.{x}.0.200    xyz.b9h.de xyz.localnet xyz</code>
+  - add ssh login notification script "[[https://git.benhartmann.de/small-scripts/.git/blob/HEAD:/sshrc|/etc/ssh/sshrc]]" <code bash>vi /etc/ssh/sshrc</code>
+  - redirect root mails to operator <code bash>echo -e "root: operator\noperator: [email protected]" >> /etc/aliases && newaliases</code>
+  - configure exim4 <code bash>dpkg-reconfigure exim4-config
+vi /etc/exim4/passwd.client</code>
+  - send cron notifications by mail <code bash>vi /etc/crontab</code> <code>MAILTO=operator</code>
+  - add cronjob to scan for unwanted .sshrc files in home directories <code bash>vi /etc/crontab</code> <code bash>#scan for unwanted sshrc-files and delete them
+*/5 *   * * *   root    find /home -type f -name ".sshrc" -maxdepth 1 -print -exec rm {} \;
+    </code>
+  - send notification after system start <code bash>vi /etc/rc.local</code><code bash>#send mail notification
+echo -e "`hostname --fqdn`\n`date`\nsystem is running" | mail -s"`hostname --fqdn` - system is running" operator</code>
+  - set correct mailname <code bash>vi /etc/mailname</code><code>b9h.de #remove the hostname</code>
+  - set correct recipient for logwatch mails <code bash>vi /etc/cron.daily/00logwatch</code>
+  - hardening proc filesystem (hide foreign processes from normal users)<code bash>vi /etc/fstab</code><code>proc                    /proc                   proc    defaults,hidepid=2        0 0</code>
+  - configure motd "[[projects:raspberrypi:00-header|00-header]] [[projects:raspberrypi:10-sysinfo|10-sysinfo]]" <code bash>mkdir /etc/update-motd.d
+rm /etc/motd
+ln -s /var/run/motd /etc/motd
+vi /etc/update-motd.d/00-header
+vi /etc/update-motd.d/10-sysinfo
+echo -ne '#!/bin/sh\nuname -snrvm' > /etc/update-motd.d/10uname
+rm /etc/motd.tail && echo > /etc/motd.tail
+echo -ne '#!/bin/sh\n[ ! -f /etc/motd.tail ] && exit 0\ncat /etc/motd.tail' > /etc/update-motd.d/20tail
+chmod a+x /etc/update-motd.d/*</code>