A few days ago we looked at basic headless Raspberry Pi setup. A headless setup allows the pi to exist in your house with only a single micro USB power supply plugged into it. You can use a bash terminal window to ssh into your pi and run commands on it from the command line. This may not seem super exciting, but it allows you to turn your pi into all sorts of things. You can:
Because we are using a Raspberry Pi, the cost is significantly lower than using a full desktop computer and the power consumption is minimal.
We completed some basic configuration including:
Today, we will look at some additional setup that we can do to improve our raspberry pi setup. These include:
Before we get started, I would like to talk briefly about home networks. Most networks use DHCP, which will assign an ip address to a computer when it joins the network. This is useful since it manages which address is assigned to which computer.
Our raspberry pi is built to be headless. This means that it will not have a keyboard, mouse, monitor, or even a GUI attached to it. We will be connecting to it from another computer on our network and using its monitor, keyboard and mouse to interact with it.
This means that we will need to know how to find the raspberry pi on our network. To do that, we will need to know the ip address. Normally, DHCP will assign an address to a computer when it joins the network. It will keep that address until it leaves the network. This will generally happen when it turns off.
Linux is a stable operating system. It is unlikely that you will be rebooting your raspberry pi frequently. It will happen. When it does, the ip address may change. This means that you will need to go find out what it changed to.
Most modern routers can help. Look in your router config and see if there is a way to assign an ip address to your raspberry pi. Routers are different, but you will usually find it under LAN Setup. It may be called something like "Address reservation".
It identifies your raspberry pi by its MAC address, which is like a fingerprint on the network for the raspberry pi. When your router sees the raspberry pi join the network, it will always use the same ip address for it. This is what we want, since we will always know where to find it.
TL;DR Make your Raspberry Pi's ip address static to make sure you can find it
If the computer that you will log into your raspberry pi from is Mac or Linux you can associate a name with its ip address. This makes it easier to remember how to connect to it.
Open a terminal window and type:
sudo nano /etc/hosts
At the bottom of the file add a line that is the ip address of your pi followed by a tab and the name.
For a pi with an ip address of 192.168.0.2 and a name jester, I would add the following line:
Save and exit nano with CTRL-O, Enter, and CTRL-X
Note: In Windows the file is: c:\Windows\System32\Drivers\etc\hosts
Now you should be able to reference your pi by name.
ping -c 4 jester
If your pi is connected to the network and you updated your hosts file correctly, you should see a response like:
PING jester (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: icmp_seq=0 ttl=64 time=146.548 ms
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=9.840 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=8.492 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=8.513 ms
--- jester ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 8.492/43.348/146.548/59.585 ms
The next thing that we are going to do is set up key based authentication to our raspberry pi. You will need keys created on your computer to be able to proceed. You may already have these. Run the following command in bash:
ls -al ~/.ssh/*.pub
If you see a file returned, you already have keys generated. If you do not see files returned, you will need to generate ssh keys as described in the next section.
If you don't already have keys, generating them is easy enough. You can do it with the following command (just use your own email address, or not).
ssh-keygen -t rsa -b 4096 -C "firstname.lastname@example.org"
Next we want to copy our public key to the raspberry pi so that we can use the keys to log into the server. Use the ssh-copy-id command followed by username@hostname
You should now be able to connect to your pi via ssh using the keys
You are now logged into your raspberry pi from your other computer
Key based authentication is generally more secure than password based authentication. Since we have set up key based authentication, we will now disable password based authentication. This will prevent someone from logging into your pi with a password.
In the terminal that is connected to your raspberry pi open the raspberry pi SSH configuration file.
sudo nano /etc/ssh/sshd_config
Inside the file, look for a line with the PasswordAuthentication setting. You will want to set it to no.
You may also want to set PermitRootLogin to no.
Save the file with CTRL-O, Enter, and CTRL-X. Put the changes into effect with:
sudo service ssh restart
Exit your ssh session by typing
This should bring you back to your local computer. Now connect to your pi again
If all is well, you are able to connect to your pi and password authentication has been disabled.
Note: You have only disabled password authentication using SSH. If you find yourself locked out you can still connect a keyboard and monitor and login with your username and password.
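One way to confirm both settings took effect before you close your working session, as an added example that is not part of the original post: `sshd -T` prints the effective configuration as lowercase keyword/value lines, and the function below checks that output. The name `audit_sshd` and the sample inputs are constructed for illustration, and the `pubkeyauthentication` check is an addition so that key logins are confirmed to still work.

```shell
# Added example: audit the effective settings that `sshd -T` prints.
# On the pi, after editing sshd_config and before restarting ssh:
#   sudo sshd -t && sudo sshd -T | audit_sshd
# `sshd -t` only checks syntax; `sshd -T` prints the effective values.

# audit_sshd (hypothetical helper): reads "keyword value" lines on stdin,
# prints one line per checked setting, returns 0 only if all match.
audit_sshd() {
  awk '
    BEGIN {
      want["passwordauthentication"] = "no"   # no password logins over ssh
      want["permitrootlogin"]        = "no"   # no direct root login
      want["pubkeyauthentication"]   = "yes"  # keys must still work
    }
    { key = tolower($1) }
    # sshd uses the first value it reads for a keyword, so do the same
    (key in want) && !(key in seen) { seen[key] = tolower($2) }
    END {
      bad = 0
      for (k in want) {
        if (!(k in seen))            { printf "MISSING %s\n", k; bad = 1 }
        else if (seen[k] != want[k]) { printf "FAIL    %s is %s, want %s\n", k, seen[k], want[k]; bad = 1 }
        else                         { printf "OK      %s %s\n", k, seen[k] }
      }
      exit bad
    }'
}

# Constructed sample: effective settings after following the steps above.
HARDENED='port 22
passwordauthentication no
permitrootlogin no
pubkeyauthentication yes'

# Constructed sample: password logins over ssh are still enabled.
DEFAULTS='port 22
passwordauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes'

printf '%s\n' "$HARDENED" | audit_sshd || true   # every line reports OK
printf '%s\n' "$DEFAULTS" | audit_sshd || true   # two FAIL lines
```

Keep your current ssh session open while you test a second login with your key, so a mistake in the file does not lock you out.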
Your software is updated frequently to patch bugs and add features. Update your software to the latest versions.
sudo apt-get update && sudo apt-get upgrade -y
The first time you run this on your raspberry pi, it may take a while to complete.
Now let's add a firewall to our pi. This will help prevent our pi from responding to requests that we don't want it to. It's kind of like closing the windows on your house.
We will be using a tool called uncomplicated firewall (UFW). UFW is a nice tool that makes setting up a firewall easy. Let's install it.
sudo apt-get install ufw
Now let's restart our pi.
sudo shutdown -r now && exit
Give it a minute to restart and then log back in.
We are now logged back into our pi. Let's use UFW. Right now the only traffic that we want coming into our pi is ssh traffic. This is because we are connecting to the pi with ssh. UFW has configurations for different applications. Let's see the list.
sudo ufw app list
This list should contain OpenSSH, which is what we want. Let's tell UFW to allow OpenSSH. We haven't told it anything else so it will block other traffic.
sudo ufw allow OpenSSH
Ok, we have configured our firewall. Now let's turn it on.
sudo ufw enable
If you are connected via ssh and you didn't allow OpenSSH above, it will disconnect you from your pi. It will tell you this. As long as you have been following along, you should be fine.
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
If you got disconnected, and ssh is blocked, you can connect a keyboard, mouse, monitor, etc. and login.
These are a few things that you can do to improve the security of your pi. It is a good start, but not an exhaustive list. I highly recommend that you look around and make yourself familiar with security.
Congratulations! You now have a nice little linux server living on your network. What are you going to do with it? There are ideas and tutorials on Digital Ocean. Most of them are written for Ubuntu, but will generally work on Raspbian as well. Here are some ideas of what you can do