Code Jamming Everyday IT problems, solutions and discussions

How do I set up Raspberry Pi

Somehow I end up breaking my Raspberry Pi all of the time. Today it was the sudoers file that I corrupted by editing it with nano instead of visudo and voila - I cannot be root anymore. Another time I simply forgot my user’s password and made it impossible to log in via ssh anymore (I don’t have a spare physical screen and keyboard). So somehow it happens all of the time and I find myself reimaging the SD card and setting up everything from scratch every now and then. That’s the main reason I’m writing this note - to my future self. Here I can find a step-by-step guide to streamline future setups.

Small disclaimer: the one I’m going to set up today is for Pi-Hole, however 90% of the steps are common to pretty much any setup.

Prepare SD card

Download Raspbian image

The first thing to do is to visit the official website and download the latest Raspbian image.

Then, verify the checksum using shasum -a 256 2019-07-10-raspbian-buster-lite.zip (under macOS), compare the output with the SHA-256 published on the download page, and unzip to the same directory.
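One way to make the checksum step above fail closed, as an added example that is not part of the original post. The function names verify_sha256 and sha256_of are my own, and EXPECTED stands for whatever hash the download page shows.

```shell
#!/bin/sh
# Added example (not from the original post): fail-closed SHA-256 check.
# verify_sha256 FILE EXPECTED_HEX
#   returns 0 on match, 1 on mismatch, 2 on bad input or missing tool.

sha256_of() {
    # Print the hex digest of "$1" with whichever tool is installed
    # (sha256sum on Linux, shasum -a 256 on macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        return 2
    fi
}

verify_sha256() {
    file=$1
    # Published hashes are sometimes upper case; normalise before comparing.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Reject anything that is not exactly 64 hex characters, such as a
    # truncated paste, instead of silently comparing against it.
    case $expected in
        *[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash must be 64 hex characters" >&2; return 2; }

    actual=$(sha256_of "$file") || { echo "no SHA-256 tool found" >&2; return 2; }

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage (EXPECTED is a placeholder for the hash shown on the download page):
#   verify_sha256 2019-07-10-raspbian-buster-lite.zip "$EXPECTED" \
#       && unzip 2019-07-10-raspbian-buster-lite.zip
```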

Flash image to SD card

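For that you need to know the SD card’s disk number; the commands below use disk2. Check the output of diskutil list carefully, because dd overwrites whichever disk you name.

diskutil list
diskutil unmountDisk /dev/disk2
# $HOME rather than ~, because zsh does not expand ~ after if=
sudo dd bs=1m if="$HOME/Downloads/Installs/2019-07-10-raspbian-buster-lite.img" of=/dev/rdisk2 conv=sync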

Then, once the card is automounted, create an empty file named “ssh” in /boot (that will be the only mounted device). If Raspbian finds this file, sshd is started automatically so you can log in as user pi over ssh.

System setup

Initial

Now you can insert the SD card into the Raspberry Pi and turn it on. For networking I use a network cable so I don’t need to care about WiFi setup. It’s much easier and probably also faster in my case. In order to find the IP of the Raspberry Pi I check my router’s “Network Map” tab; almost every router has it, but ymmv. As a last resort you can use nmap.

ssh pi@192.168.1.170
sudo raspi-config

After starting raspi-config go to “Advanced” and select “Expand filesystem” - this is the first thing to do before downloading updates. Let’s use all 32GB of the SD card instead of the 2.2GB of the image we flashed.

Then I install log2ram and modify the limits using sudo vi /etc/log2ram.conf to have at least 200MB of log space available. This handy tool mounts /var/log in RAM instead of the hard drive (SD card). This is done to preserve the SD card from frequent writes.

Now it’s a good idea to reboot to make use of log2ram.

Security

I use some of the tricks described in the security section of the official documentation. Things that make sense to me are changing the default user, using a complex autogenerated password, restricting ssh access and the like.

sudo adduser pihole
sudo adduser pihole sudo

Now it should be possible to reconnect over SSH as the pihole user. That’s what I usually do before the next steps.

sudo deluser --remove-home pi
sudo vi /etc/sudoers.d/010_pi-nopasswd

Editing sudoers is required to disallow passwordless sudo for all users: just change NOPASSWD to PASSWD for your new user and save the file. Be aware that in nano you can corrupt this file, so either skip this step or use vim. If you corrupt the file you will need to start over. Opening the file with sudo visudo -f instead makes the editor check the syntax before saving.

What I also usually do to secure ssh is configure fail2ban in order to restrict ssh attempts with a wrong password.

sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local

As for the last command - modifying the config - it’s enough to find the [ssh] section and set enabled = true and maxretry = 6. Now when somebody tries to guess the password by hammering port 22 with login attempts, fail2ban will ban them for a couple of minutes.

Update

It is also a good idea to install all available updates:

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get clean

Pi-Hole

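Now that the base system is ready, we can install Pi-Hole using commands that you can find in the official GitHub repository. The one-liner below pipes the downloaded script straight into bash; the same repository also lists alternative install methods that let you read the script before running it.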

curl -sSL https://install.pi-hole.net | bash

After going through the configuration steps (make sure to turn on the Web UI), all that is left to do is to set up a static DNS entry in your router that points to the Raspberry Pi.

I’d like to state that Pi-Hole by itself is not enough for your privacy and security, but it’s a good start.
