How to setup Raspberry Pi with Raspbian 9.4 Stretch

LHammonds
Site Admin
Site Admin
Posts: 679
Joined: Fri Jul 31, 2009 6:27 pm
Are you a filthy spam bot?: No
Location: Behind You
Contact:

How to setup Raspberry Pi with Raspbian 9.4 Stretch

Post #678 by LHammonds, Thu Aug 02, 2018 5:33 am

Greetings and salutations,

I hope this thread will be helpful to those who follow in my footsteps as well as getting any advice based on what I have done / documented.

High-level overview

Raspberry Pi can be used for many things and has very low power requirements, which makes it perfect for always-on kinds of servers around the house or remote locations.

This tutorial will cover how to set up a general-purpose server that will be the basis for more specialized versions in later tutorials (e.g. Domain controller, Database server, etc.)

These steps will be performed on a Raspberry Pi and a Windows 10 PC. If you do not have a Pi, you could still run the OS and the same steps inside a virtual machine by mounting the Raspbian ISO image on the VM and installing that way.

Tools utilized in this process

Helpful links

The list below contains sources of information that were helpful in the creation of this document.

Assumptions

This documentation will need to make use of some very specific information that will most likely be different for each person / location. As such, this information will be noted in this section. These values will be highlighted in red throughout the document as a reminder that you should plug in your own value rather than actually using these "place-holder" values.

Under no circumstance should you use the actual values listed below. They are place-holders for the real thing. This is just a checklist template you need to have answered before you start the install process.

Wherever you see RED in this document, you need to substitute it with the value you will use in your environment.

  • Server name: srv-pi
  • Server IP address: 192.168.107.2
  • Admin ID: administrator
  • Admin Password: myadminpass

It is also assumed the reader knows how to use the VI editor. If not, you will need to beef up your skill set or use a different editor in place of it.


Hardware Initialization

Post #679 by LHammonds, Thu Aug 02, 2018 6:07 am

We will need to format the SD card and place an operating system on it so the Raspberry Pi can start.
  1. Take the 8GB+ SD card and plug it into your computer. Use a USB 3.0 connection for fastest performance. I used an Insignia USB 3.0 card reader but any kind should work.
  2. Make note of which drive letter it is using. You might want to remove any other USB-connected drives to avoid confusion / mistakes.
  3. Run SD Card Formatter as admin, select the USB drive letter, do a quick format (should end up as FAT32)
  4. Download and extract the Raspbian archive to get the operating system image (e.g. 2018-04-18-raspbian-stretch-lite.img)
  5. Run Etcher, select the .img file, make sure the correct USB drive is selected, click Flash!
  6. When finished, if Windows re-detects the USB drive and asks to format it, do not let it do so!
  7. Eject the SD card and insert it into the Raspberry Pi.
  8. Hook up the Raspberry Pi to TV (HDMI) + LAN (Ethernet) + Keyboard/Mouse (USB) and power up the Pi.


Operating System Setup

Post #680 by LHammonds, Thu Aug 02, 2018 7:02 am

Secure the Admin Account

Log in with the well-known default admin account of "pi" and password of "raspberry"

Add a new administrator account

Code:

sudo adduser administrator
sudo usermod -aG sudo administrator

Log out of the pi account and log in with the new administrator account and verify that you can issue sudo commands.

Then lock the well-known pi account with the following command so it cannot be used to hack your device:

Code:

sudo passwd -l pi

Enable Remote PuTTY access

To enable the SSH service, type the following commands:

Code:

sudo systemctl enable ssh
sudo systemctl start ssh

Configure the TimeZone

Check the current timezone setting:

Code:

# timedatectl
      Local time: Thu 2018-08-02 12:16:54 UTC
  Universal time: Thu 2018-08-02 12:16:54 UTC
        RTC time: n/a
       Time zone: Etc/UTC (UTC, +0000)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no

The above shows a default configuration. The timezone is default and is configured to stay synchronized.

If you need to adjust the timezone such as setting to US/Chicago, run the following command:

Code:

dpkg-reconfigure tzdata

Configure Server Name

It helps to have a descriptive name for your servers, especially if you have multiple servers. It helps differentiate what server you are on when connected via a PuTTY session. You can change the name from the default of "raspberrypi" to something else by following these steps:

  1. Edit the local hosts file:

    Code:

    vi /etc/hosts

    Find the following line:

    Code:

    127.0.1.1  raspberrypi

    Change to:

    Code:

    127.0.1.1  srv-pi

  2. Edit the hostname file:

    Code:

    vi /etc/hostname

    Find the following line:

    Code:

    raspberrypi

    Change to:

    Code:

    srv-pi

  3. Reboot the server:

    Code:

    reboot

Configure IP Address

Code:

vi /etc/dhcpcd.conf

interface eth0
static ip_address=192.168.107.2/24
static routers=192.168.107.1
static domain_name_servers=192.168.107.1 1.1.1.1 8.8.8.8

If you need to add another IP for a different network, you will not be able to modify dhcpcd.conf to make it work right. Instead, use a back door into /etc/network/interfaces by creating the following file:

Code:

vi /etc/network/interfaces.d/eth0-mystatic

Add the following lines (using your own IP / gateway):

Code:

auto eth0:1
allow-hotplug eth0:1
iface eth0:1 inet static
    address 192.168.108.19
    netmask 255.255.255.0
    gateway 192.168.108.1

Reboot and type the following command to see if the IP addresses are active:

Code:

ip address show

If you are not using IPv6 and want to disable it completely to free up resources, do the following:

Code:

vi /etc/modprobe.d/ipv6.conf

Code:

# Don't load ipv6 by default
alias net-pf-10 off
alias ipv6 off
options ipv6 disable_ipv6=1
blacklist ipv6

Add the following lines to the top of the sysctl file, save and reboot:

Code:

vi /etc/sysctl.conf

Code:

## The following lines disable IPv6.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

Default Shell

The default shell is DASH and can be seen by doing a simple list command:

Code:

# ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Aug  2 07:23 /bin/sh -> dash

The /bin/sh is a pointer to dash.

You can change the default shell to BASH by running the following command and selecting No:

Code:

dpkg-reconfigure dash

Code:

# ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Aug  2 07:23 /bin/sh -> bash

You could keep the default as DASH and just specify BASH in your scripts if needed.

Example:

Code:

#!/bin/bash
echo "Hello world!"
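
A check for the "Secure the Admin Account" step in the post above, as an added example that is not part of the original post: `passwd -l` locks only the password, so an `authorized_keys` file left in the account's home directory can still allow SSH key logins. The function names, the placeholder hash and the placeholder key are constructed for illustration.

```bash
#!/bin/bash
# Added example: confirm that "passwd -l" really closed off the pi account.

# shadow_state LINE: print "locked", "empty" or "active" for one shadow entry.
shadow_state() {
  local field
  field=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$field" in
    '')        echo "empty" ;;    # no password set at all
    '!'*|'*'*) echo "locked" ;;   # passwd -l puts "!" in front of the hash
    *)         echo "active" ;;
  esac
}

# audit_account USER SHADOW_FILE HOME_DIR
# Returns 0 only when the password is locked and no SSH keys are installed,
# 1 when a login path remains, 2 when the user has no shadow entry.
audit_account() {
  local user="$1" shadow="$2" home="$3" line state rc=0
  line=$(grep "^${user}:" "$shadow") || { echo "$user: no shadow entry"; return 2; }
  state=$(shadow_state "$line")
  echo "$user: password $state"
  [ "$state" = "locked" ] || rc=1
  if [ -s "$home/.ssh/authorized_keys" ]; then
    echo "$user: authorized_keys present, key-based SSH login is still possible"
    rc=1
  fi
  return "$rc"
}

# Constructed sample data (placeholder hash and key, not from a real system).
demo() {
  local dir
  dir=$(mktemp -d)
  printf '%s\n' 'pi:!$6$salt$hash:17745:0:99999:7:::' > "$dir/shadow"
  mkdir -p "$dir/pi/.ssh"
  echo 'ssh-ed25519 CONSTRUCTED-KEY pi@raspberrypi' > "$dir/pi/.ssh/authorized_keys"
  audit_account pi "$dir/shadow" "$dir/pi" || true
  rm -rf "$dir"
}
demo
# On the Pi itself, as root: audit_account pi /etc/shadow /home/pi
```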


Scripts and Firewall

Post #681 by LHammonds, Thu Aug 02, 2018 10:16 am

Script Location

Let's make a location for our scripts and script data.

Code:

mkdir --parents /var/scripts/prod
mkdir --parents /var/scripts/test
mkdir --parents /var/scripts/data
mkdir --parents /var/scripts/common
chown --recursive root:root /var/scripts

Install Uncomplicated Firewall

Code:

apt-get install ufw

Setup Firewall Rules

Create the rule script and set appropriate ownership and file permissions:

Code:

touch /var/scripts/prod/en-firewall.sh
chmod 750 /var/scripts/prod/en-firewall.sh
chown root:root /var/scripts/prod/en-firewall.sh

Edit the script and paste the following default lines in it. Then tailor it for your own needs such as selecting the correct IP / subnets and uncommenting sections you need like the web server or database lines if you have those services installed.

The script, if run as is, will block all inbound traffic to the server except SSH traffic, but only if coming from an IP on the 192.168.107.xxx subnet.

Code:

vi /var/scripts/prod/en-firewall.sh

Code:

#!/bin/bash
#############################################
## Name          : enable-firewall.sh
## Version       : 1.0
## Date          : 2018-08-02
## Author        : LHammonds
## Compatibility : Raspbian Stretch 9.4
## Requirements  : Run as root
## Purpose       : Restore and enable firewall.
## Run Frequency : As needed
## Exit Codes    : None
################ CHANGE LOG #################
## DATE       WHO  WHAT WAS CHANGED
## ---------- ---- ----------------------------
## 2018-08-02 LTH  Created script.
#############################################
newline=$'\n'

## Requirement Check: Script must run as root user.
if [ "$(id -u)" != "0" ]; then
  ## FATAL ERROR DETECTED: Document problem and terminate script.
  printf '%b' "ERROR: Root user required to run this script.${newline}"
  printf '%b' "Type 'sudo su' to temporarily become root user.${newline}"
  exit
fi

clear
printf '%b' "Resetting Firewall to factory default${newline}"
printf y | ufw reset 1>/dev/null 2>&1
ufw default deny incoming 1>/dev/null 2>&1
ufw default allow outgoing 1>/dev/null 2>&1
printf '%b' "Allowing SSH from only LAN connections${newline}"
ufw allow from 192.168.107.0/24 to any port 22 comment 'SSH via LAN' 1>/dev/null 2>&1
#printf '%b' "Allowing Samba file sharing connections${newline}"
#ufw allow proto tcp to any port 135,139,445 comment 'Samba Share' 1>/dev/null 2>&1
#ufw allow proto udp to any port 137,138 comment 'Samba Share' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 464,389,53,88,636 comment 'Samba AD' 1>/dev/null 2>&1
#ufw allow proto udp to any port 464,389,53,88 comment 'Samba AD' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 3268,3269,49152:65535 comment 'Samba AD' 1>/dev/null 2>&1
#printf '%b' "Allowing Nagios connections${newline}"
#ufw allow from 192.168.107.21 to any port 12489 comment 'Nagios' 1>/dev/null 2>&1
#ufw allow from 192.168.107.21 proto tcp to any port 5666 comment 'Nagios' 1>/dev/null 2>&1
printf '%b' "Adding Application-specific rules${newline}"
#printf '%b' "Adding MySQL/MariaDB rules${newline}"
#ufw allow from 192.168.107.0/24 proto tcp to any port 3306 comment 'MariaDB via LAN' 1>/dev/null 2>&1
#printf '%b' "Adding FTP/FTPS rules${newline}"
#ufw allow proto tcp to any port 990 comment 'FTPS' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 21 comment 'FTP' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 2000:2020 comment 'FTP Passive' 1>/dev/null 2>&1
#printf '%b' "Adding Web Server rules${newline}"
#ufw allow proto tcp to any port 80 comment 'Web Service' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 8080 comment 'Web Service' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 443 comment 'Web Service' 1>/dev/null 2>&1
printf '%b' "Enabling firewall${newline}"
printf y | ufw enable 1>/dev/null 2>&1
printf '%b' "Firewall enabled and all rules have been configured.${newline}"
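
The script above limits SSH to 192.168.107.0/24, while the commented-out Samba, FTP and web lines carry no "from" clause and would accept any source address once uncommented. As an added example (not part of the original post; the function name `unrestricted_rules` and the sample file are constructed here), this lists such rules in a tailored copy of the script before it is run:

```bash
#!/bin/bash
# Added example: find active "ufw allow" rules that accept any source address.

# unrestricted_rules FILE
# Prints "LINE: rule" for each uncommented "ufw allow" command that has no
# "from <address>" clause or uses "from any". Returns 1 if any are found.
unrestricted_rules() {
  awk '
    /^[ \t]*#/ { next }                           # rule is commented out
    /ufw[ \t]+allow/ {
      rule = $0
      sub(/[ \t]+comment[ \t].*$/, "", rule)      # drop comment text onward
      sub(/[ \t]+1>.*$/, "", rule)                # drop output redirections
      if (rule !~ /[ \t]from[ \t]/ || rule ~ /[ \t]from[ \t]+any([ \t]|$)/) {
        printf "%d: %s\n", NR, rule
        found = 1
      }
    }
    END { exit found + 0 }
  ' "$1"
}

# Constructed sample: the SSH rule from the script above, the port 80 rule
# with its leading "#" removed, and the port 443 rule left commented out.
demo() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
ufw default deny incoming 1>/dev/null 2>&1
ufw allow from 192.168.107.0/24 to any port 22 comment 'SSH via LAN' 1>/dev/null 2>&1
ufw allow proto tcp to any port 80 comment 'Web Service' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 443 comment 'Web Service' 1>/dev/null 2>&1
EOF
  unrestricted_rules "$f" || echo "Review the rules listed above."
  rm -f "$f"
}
demo
# Against the real script: unrestricted_rules /var/scripts/prod/en-firewall.sh
```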
