/op====== Howto configure a basic debian server on a Raspberry Pi ======
===== Requirements =====
  * Raspberry Pi & power supply
  * LAN connection with DHCP & Internet access
  * SD-card with newest [[http://www.raspberrypi.org/downloads|Raspbian]]

===== Installation steps =====
  - boot up the Raspberry Pi
  - login through ssh console //(user: pi / password: raspberry)// <code bash>ssh pi@10.{x}.{x}.{x}</code>
  - use raspi-config for some basic configurations
    - Expand Filesystem
    - Internationalisation Options
      - Change locale to "en_GB.UTF-8 UTF-8"
      - Change Timezone to "Europe/Berlin"
    - Advanced Options
      - Hostname - set to "{xyz}.b9h.de"
      - Memory Split - set to "16"
      - Update
  - update firmware <code bash>apt-get install rpi-update && rpi-update</code>
  - reboot the Raspberry Pi <code bash>reboot</code>
  - login through ssh console <code bash>ssh pi@10.{x}.{x}.{x}</code>
  - get root console <code bash>sudo su -</code>
  - remove unnecessary packages <code bash>apt-get purge squeak-vm wolfram-engine</code>
  - remove desktop environment <code bash>apt-get purge consolekit desktop-base* desktop-file-utils* gnome-icon-theme* gnome-themes-standard* hicolor-icon-theme* leafpad* lxde* lxde-core* midori* xserver-common* xserver-xorg* xserver-xorg-core* xserver-xorg-input-all* xserver-xorg-input-evdev* xserver-xorg-input-synaptics* xserver-xorg-video-fbdev* openbox obconf menu omxplayer</code>
  - clean up package dependencies <code bash>apt-get autoremove</code>
  - update package repositories <code bash>apt-get update</code>
  - upgrade all packages to newest version <code bash>apt-get dist-upgrade</code>
  - enable watchdog kernel module (history: bcm2708_wdog) <code bash>echo "bcm2835_wdt" | sudo tee -a /etc/modules && modprobe bcm2835_wdt</code>
  - install additional packets <code bash> apt-get install vim-nox dnsmasq htop iftop nmap exim4-daemon-light uptimed dnsutils wget curl ntpdate mc fail2ban logwatch apticron watchdog git locate figlet lsb-release</code>
  - add new user <code bash>adduser benh</code>
  - change console to new user <code bash>su - benh</code>
  - create ssh config directory <code bash>mkdir .ssh</code>
  - add public ssh key to authorized_keys <code bash>vi .ssh/authorized_keys</code> <code>ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5r9mj5lsBX55o2Cdv/57v5cH4GOJoZyIwC21tAvPEhzHM8AjD4M6HzlVazGS1pPcC/zm1uXUH6OUTmnphuyTDYmW1YS11PAeB5FmntSwgBQjgorJeEcGsK1Bw9qHCN9kddu2PS6By90+ihydCBMetCC4uAXCxtyClSGGjKT2QRpg+iXpYWSPIeAyEVEvtQPxfrgQz0+ZyXPJD1rcmT1Gs++Xume9w7hw3Aon07ZExJDVH/VF3Ro6P/91+WdvlIxBFgIBSVzr3OTLfM4OzKdnl2XpbKhZsjiRahpat3eNaB99tqfPxyH9Ai/W7lv1crBLBeY4ftu14n0ep6qLiVs//Q== benh@tux
    </code>
  - restrict access rights of authorized_keys <code bash>chmod go-r .ssh/authorized_keys</code>
  - set system default editor to vim-nox <code bash>update-alternatives --config editor</code>
  - add new user to system group 'sudo' <code bash>usermod -a -G sudo benh</code>
  - remove default user 'pi' from 'sudo' group <code bash>deluser pi sudo</code>
  - disable sudo rights of pi <code bash>visudo</code> <code>#pi ALL=(ALL) NOPASSWD: ALL</code>
  - enable history search with "page up"/"page down" <code bash>vi /etc/inputrc</code> <code># alternate mappings for "page up" and "page down" to search the history
    "\e[5~": history-search-backward
    "\e[6~": history-search-forward
    </code>
  - replace bashrc "[[projects:raspberrypi:bashrc|/etc/ssh/bashrc]]" <code bash>vi .bashrc</code> 
  - configure hosts file <code bash>vi /etc/hosts</code>
    - comment the hostname->localhost line <code>#127.0.1.1       xyz.b9h.de</code>
    - add a line with hostname->ip <code>10.{x}.0.200    xyz.b9h.de xyz.localnet xyz</code>
  - add ssh login notification script "[[https://git.benhartmann.de/small-scripts/.git/blob/HEAD:/sshrc|/etc/ssh/sshrc]]" <code bash>vi /etc/ssh/sshrc</code>
  - redirect root mails to operator <code bash>echo -e "root: operator\noperator: operator@b9h.de" >> /etc/aliases && newaliases</code>
  - configure exim4 <code bash>dpkg-reconfigure exim4-config
vi /etc/exim4/passwd.client</code>
  - send cron notifications by mail <code bash>vi /etc/crontab</code> <code>MAILTO=operator</code>
  - add cronjob to scan for unwanted .sshrc files in home directories <code bash>vi /etc/crontab</code> <code bash>#scan for unwanted sshrc-files and delete them
*/5 *   * * *   root    find /home -type f -name ".sshrc" -maxdepth 1 -print -exec rm {} \;
    </code> 
  - send notification after system start <code bash>vi /etc/rc.local</code><code bash>#send mail notification
echo -e "`hostname --fqdn`\n`date`\nsystem is running" | mail -s"`hostname --fqdn` - system is running" operator</code>
  - set correct mailname <code bash>vi /etc/mailname</code><code>b9h.de #remove the hostname</code>
  - set correct recipient for logwatch mails <code bash>vi /etc/cron.daily/00logwatch</code>
  - hardening proc filesystem (hide foreign processes from normal users)<code bash>vi /etc/fstab</code><code>proc                    /proc                   proc    defaults,hidepid=2        0 0</code>
  - configure motd "[[projects:raspberrypi:00-header|00-header]] [[projects:raspberrypi:10-sysinfo|10-sysinfo]]" <code bash>mkdir /etc/update-motd.d
rm /etc/motd
ln -s /var/run/motd /etc/motd
vi /etc/update-motd.d/00-header
vi /etc/update-motd.d/10-sysinfo
echo -ne '#!/bin/sh\nuname -snrvm' > /etc/update-motd.d/10uname
rm /etc/motd.tail && echo > /etc/motd.tail
echo -ne '#!/bin/sh\n[ ! -f /etc/motd.tail ] && exit 0\ncat /etc/motd.tail' > /etc/update-motd.d/20tail
chmod a+x /etc/update-motd.d/*</code>