Somehow I end up breaking my Raspberry Pi all of the time. Today it was the sudoers file that I corrupted by editing it with nano instead of visudo and voila - I cannot be root anymore. Another time I simply forgot my user’s password and made it impossible to log in via ssh anymore (I don’t have a spare physical screen and keyboard). So somehow it happens all of the time and I find myself reimaging the SD card and setting up everything from scratch every now and then. That’s the main reason I’m writing this note - to my future self. Here I can find a step-by-step guide to streamline future setups.
Small disclaimer: the one I’m going to set up today is for Pi-Hole, however 90% of the steps are common to pretty much any setup.
The first thing to do is to visit the official website and download the latest Raspbian image.
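Then verify the hash sum using shasum -a 256 2019-07-10-raspbian-buster-lite.zip (under macOS), compare the output with the SHA-256 published on the download page, and unzip to the same directory.
To write the image to the SD card you need to know the SD card’s disk number. The disk2 in the commands below is an example: take yours from the diskutil list output, because dd overwrites whatever disk it is pointed at.
diskutil list
diskutil unmountDisk /dev/disk2
sudo dd bs=1m if=~/Downloads/Installs/2019-07-10-raspbian-buster-lite.img of=/dev/rdisk2 conv=sync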
Then, when the card is automounted, create an empty file named “ssh” in /boot (that will be the only mounted device). If Raspbian finds such a file, sshd will be started automatically so you can log in as user pi over ssh.
Now you can insert the SD card into the Raspberry Pi and turn it on. For networking I use a network cable so I don’t need to care about WiFi setup. It’s much easier and probably also faster in my case. In order to find the IP of the Raspberry Pi I check my router’s “Network Map” tab; almost every router has it, but ymmv. As the last resort you can use
ssh pi@<raspberry-pi-ip>
sudo raspi-config
In raspi-config go to “Advanced” and select “Expand filesystem” - this is the first thing to do before downloading updates. Let’s use all 32GB of the SD card instead of the 2.2GB of the image we flashed.
Then I install log2ram and modify the limits using sudo vi /etc/log2ram.conf to have at least 200MB of log space available. This handy tool mounts /var/log in RAM instead of on the hard drive (SD card). This is done to preserve the SD card from frequent writes.
Now it’s a good idea to reboot to make use of log2ram.
I use some of the tricks described in the security section of the official documentation. Things that make sense to me are changing the default user, using a complex autogenerated password, restricting ssh access and the like.
sudo adduser pihole
sudo adduser pihole sudo
Now it should be possible to reconnect over SSH as the pihole user. That’s what I usually do before the next steps.
sudo deluser --remove-home pi
sudo vi /etc/sudoers.d/010_pi-nopasswd
Editing sudoers is required to disallow passwordless sudo for all users: just set PASSWD for your new user and save the file. Be aware that in nano you can corrupt this file so either skip this step or use vim. visudo checks the syntax before it saves, which makes it the safer editor for this file. If you corrupt the file you will need to start over.
What I also usually do to secure ssh is configure fail2ban in order to restrict ssh attempts with a wrong password.
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local
As for the last command - modifying the config - it’s enough to find the [ssh] section and set enabled = true and maxretry = 6. Now when somebody tries to guess the password by brute-forcing logins on port 22, fail2ban will ban them for a couple of minutes.
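One way to confirm that the three hardening steps above took effect (an added example, not part of the original note; the function names, the root-directory argument and the sample tree are assumptions made for illustration). The jail name is a parameter that defaults to the ssh section named above, so pass the name your jail.local actually uses.

```shell
#!/bin/sh
# Added example: audit the hardening steps from this note under a root
# directory ("" = live system, or a mounted SD card / constructed tree).

# The default "pi" account must be gone.
check_no_pi_user() {
    [ -r "$1/etc/passwd" ] || return 2
    ! grep -q '^pi:' "$1/etc/passwd"
}

# No sudoers drop-in may still grant passwordless sudo (comments ignored).
check_no_nopasswd() {
    for f in "$1"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -q 'NOPASSWD'; then
            return 1
        fi
    done
    return 0
}

# The named jail must carry "enabled = true" in jail.local.
check_jail_enabled() {   # $1 = root, $2 = jail name
    awk -v jail="[$2]" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^\[/ { in_jail = ($1 == jail); next }  # section header
        in_jail && /^[ \t]*enabled[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); enabled = $0
        }
        END { exit (enabled == "true" ? 0 : 1) }
    ' "$1/etc/fail2ban/jail.local"
}

audit() {   # $1 = root (default: live system), $2 = jail (default: ssh)
    root=${1:-}; jail=${2:-ssh}; rc=0
    check_no_pi_user "$root"  || { echo "FAIL: user pi still present"; rc=1; }
    check_no_nopasswd "$root" || { echo "FAIL: NOPASSWD in sudoers.d"; rc=1; }
    check_jail_enabled "$root" "$jail" || { echo "FAIL: [$jail] not enabled"; rc=1; }
    return $rc
}

# Constructed sample tree (not a real system): a card before any hardening.
make_sample_root() {
    r=$(mktemp -d) && mkdir -p "$r/etc/sudoers.d" "$r/etc/fail2ban"
    printf 'root:x:0:0::/root:/bin/sh\npi:x:1000:1000::/home/pi:/bin/bash\n' > "$r/etc/passwd"
    printf 'pi ALL=(ALL) NOPASSWD: ALL\n' > "$r/etc/sudoers.d/010_pi-nopasswd"
    printf '[DEFAULT]\nenabled = false\n\n[ssh]\nport = ssh\nmaxretry = 6\n' > "$r/etc/fail2ban/jail.local"
    echo "$r"
}
```

Source the file on the Pi and run audit with no arguments to check the live system; it prints one FAIL line per step that has not been applied and returns non-zero if any failed.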
It is also a good idea to install all available updates:
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get clean
Now that the base system is ready, we can install Pi-Hole using the command that you can find in the official GitHub repository.
curl -sSL https://install.pi-hole.net | bash
This runs the downloaded script directly; if you want to read it first, save it to a file and run that file instead.
After going through the configuration steps (make sure to turn on the Web UI), all that is left to do is to set up static DNS in your router that points to the Raspberry Pi.
I’d like to state that Pi-Hole by itself is not enough for your privacy and security, but it’s a good start.