How to configure a basic Debian server on a Raspberry Pi

Requirements

  • Raspberry Pi & power supply
  • LAN connection with DHCP & Internet access
  • SD-card with newest Raspbian

Installation steps

  1. boot up the Raspberry Pi
  2. login through ssh console (user: pi / password: raspberry)
    ssh pi@10.{x}.{x}.{x}
  3. use raspi-config for some basic configurations
    1. Expand Filesystem
    2. Internationalisation Options
      1. Change locale to „en_GB.UTF-8 UTF-8“
      2. Change Timezone to „Europe/Berlin“
    3. Advanced Options
      1. Hostname - set to „{xyz}.b9h.de“
      2. Memory Split - set to „16“
      3. Update
  4. update firmware
    apt-get install rpi-update && rpi-update
  5. reboot the Raspberry Pi
    reboot
  6. login through ssh console
    ssh pi@10.{x}.{x}.{x}
  7. get root console
    sudo su -
  8. remove unnecessary packages
    apt-get purge squeak-vm wolfram-engine
  9. remove desktop environment
    apt-get purge consolekit desktop-base* desktop-file-utils* gnome-icon-theme* gnome-themes-standard* hicolor-icon-theme* leafpad* lxde* lxde-core* midori* xserver-common* xserver-xorg* xserver-xorg-core* xserver-xorg-input-all* xserver-xorg-input-evdev* xserver-xorg-input-synaptics* xserver-xorg-video-fbdev* openbox obconf menu omxplayer
  10. clean up package dependencies
    apt-get autoremove
  11. update package repositories
    apt-get update
  12. upgrade all packages to newest version
    apt-get dist-upgrade
  13. enable watchdog kernel module (formerly: bcm2708_wdog)
    echo "bcm2835_wdt" | sudo tee -a /etc/modules && modprobe bcm2835_wdt
  14. install additional packages
    apt-get install vim-nox dnsmasq htop iftop nmap exim4-daemon-light uptimed dnsutils wget curl ntpdate mc fail2ban logwatch apticron watchdog git locate figlet lsb-release
  15. add new user
    adduser benh
  16. change console to new user
    su - benh
  17. create ssh config directory
    mkdir .ssh
  18. add your own public ssh key to authorized_keys (the key below is the author's)
    vi .ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5r9mj5lsBX55o2Cdv/57v5cH4GOJoZyIwC21tAvPEhzHM8AjD4M6HzlVazGS1pPcC/zm1uXUH6OUTmnphuyTDYmW1YS11PAeB5FmntSwgBQjgorJeEcGsK1Bw9qHCN9kddu2PS6By90+ihydCBMetCC4uAXCxtyClSGGjKT2QRpg+iXpYWSPIeAyEVEvtQPxfrgQz0+ZyXPJD1rcmT1Gs++Xume9w7hw3Aon07ZExJDVH/VF3Ro6P/91+WdvlIxBFgIBSVzr3OTLfM4OzKdnl2XpbKhZsjiRahpat3eNaB99tqfPxyH9Ai/W7lv1crBLBeY4ftu14n0ep6qLiVs//Q== benh@tux
        
  19. restrict access rights of authorized_keys
    chmod go-r .ssh/authorized_keys
  20. set system default editor to vim-nox
    update-alternatives --config editor
  21. add new user to system group 'sudo'
    usermod -a -G sudo benh
  22. remove default user 'pi' from 'sudo' group
    deluser pi sudo
  23. disable sudo rights of pi
    visudo
    #pi ALL=(ALL) NOPASSWD: ALL
  24. enable history search with „page up“/„page down“
    vi /etc/inputrc
    # alternate mappings for "page up" and "page down" to search the history
        "\e[5~": history-search-backward
        "\e[6~": history-search-forward
        
  25. replace bashrc „/etc/ssh/bashrc“
    vi .bashrc
  26. configure hosts file
    vi /etc/hosts
    1. comment the hostname→localhost line
      #127.0.1.1       xyz.b9h.de
    2. add a line with hostname→ip
      10.{x}.0.200    xyz.b9h.de xyz.localnet xyz
  27. add ssh login notification script „/etc/ssh/sshrc“
    vi /etc/ssh/sshrc
  28. redirect root mails to operator
    echo -e "root: operator\noperator: {user}@{domain}" >> /etc/aliases && newaliases
  29. configure exim4
    dpkg-reconfigure exim4-config
    vi /etc/exim4/passwd.client
  30. send cron notifications by mail
    vi /etc/crontab
    MAILTO=operator
  31. add cronjob to scan for unwanted .sshrc files in home directories
    vi /etc/crontab
    #scan for unwanted sshrc-files and delete them
    */5 *   * * *   root    find /home -mindepth 2 -maxdepth 2 -type f -name ".sshrc" -print -exec rm {} \;
     
  32. send notification after system start
    vi /etc/rc.local
    #send mail notification
    echo -e "`hostname --fqdn`\n`date`\nsystem is running" | mail -s"`hostname --fqdn` - system is running" operator
  33. set correct mailname
    vi /etc/mailname
    b9h.de #remove the hostname
  34. set correct recipient for logwatch mails
    vi /etc/cron.daily/00logwatch
  35. hardening proc filesystem (hide foreign processes from normal users)
    vi /etc/fstab
    proc                    /proc                   proc    defaults,hidepid=2        0 0
  36. configure motd „00-header“ „10-sysinfo“
    mkdir /etc/update-motd.d
    rm /etc/motd
    ln -s /var/run/motd /etc/motd
    vi /etc/update-motd.d/00-header
    vi /etc/update-motd.d/10-sysinfo
    echo -ne '#!/bin/sh\nuname -snrvm' > /etc/update-motd.d/10uname
    rm /etc/motd.tail && echo > /etc/motd.tail
    echo -ne '#!/bin/sh\n[ ! -f /etc/motd.tail ] && exit 0\ncat /etc/motd.tail' > /etc/update-motd.d/20tail
    chmod a+x /etc/update-motd.d/*
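
Added example (not part of the original page): a read-only audit of steps 19, 22/23, 31 and 35, to be run as root once the procedure is finished. Per sshd(8), a user's ~/.ssh/rc is executed in place of /etc/ssh/sshrc, so the script looks for that file as well as the .sshrc name from step 31; the function names and the optional root-prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only audit of steps 19, 22/23, 31 and 35. Run as root.
# Optional $1 = root prefix of a copied tree (assumption of this example).

# Step 35: fstab must mount /proc with hidepid=2.
check_hidepid() {    # $1 = fstab file
    awk '$1 !~ /^#/ && $2 == "/proc" && $4 ~ /(^|,)hidepid=2(,|$)/ { ok = 1 }
         END { exit !ok }' "$1" 2>/dev/null
}

# Steps 22/23: no active NOPASSWD rule for pi, and pi is not in group sudo.
check_pi_sudo() {    # $1 = sudoers file, $2 = group file
    if grep -Eq '^[[:space:]]*pi[[:space:]].*NOPASSWD' "$1" 2>/dev/null; then return 1; fi
    if grep -Eq '^sudo:[^:]*:[^:]*:(.*,)?pi(,.*)?$' "$2" 2>/dev/null; then return 1; fi
    return 0
}

# Step 31: per-user rc files that would run instead of /etc/ssh/sshrc
# (~/.ssh/rc), plus the ~/.sshrc name the cron job removes.
find_user_rc() {     # $1 = directory holding the home directories
    find "$1" -mindepth 2 -maxdepth 2 -type f -name .sshrc 2>/dev/null || true
    find "$1" -mindepth 3 -maxdepth 3 -type f -path '*/.ssh/rc' 2>/dev/null || true
}

# Step 19: authorized_keys files with any group/other permission bit set.
find_loose_keys() {  # $1 = directory holding the home directories
    find "$1" -mindepth 3 -maxdepth 3 -type f -path '*/.ssh/authorized_keys' \
        -perm /077 2>/dev/null || true
}

audit() {            # $1 = root prefix, empty for the live system
    if check_hidepid "$1/etc/fstab"; then echo "ok   hidepid=2"; else echo "FAIL hidepid=2"; fi
    if check_pi_sudo "$1/etc/sudoers" "$1/etc/group"; then echo "ok   pi sudo"; else echo "FAIL pi sudo"; fi
    find_user_rc "$1/home" | sed 's/^/FAIL user rc file: /'
    find_loose_keys "$1/home" | sed 's/^/FAIL loose permissions: /'
}

audit "${1:-}"
```

On OpenSSH 6.7 or later, setting PermitUserRC no in sshd_config stops sshd from running ~/.ssh/rc at all.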
projects/raspberrypi/install.txt · Last modified: by benh