Basic Raspbian configuration

Published by Adam Pielatowski on

In our last post we installed Raspbian OS on our Raspberry and enabled the SSH server, so we can manage it without connecting a monitor, mouse or keyboard to this small computer. In most cases, Linux servers are managed just like that and never see a monitor attached.

Today we are going to configure things like:

  • assign static IP
  • hostname
  • timezone
  • create new user
  • secure our SSH connection with private key

raspi-config

There is a very nice and handy tool, raspi-config, which I discovered after the initial configuration. You can run the command:

sudo raspi-config

and you will get a tool like the one in the screenshot below, which you can use for some of the mentioned changes but not all of them. We will focus on the old-fashioned way, dealing with files.

raspi-config is a tool which allows you to change some basic settings of Raspbian

Assigning static IP

Every server, especially one which is managed remotely, should have a static IP assigned. Of course we can make a reservation in our DHCP server, so our machine would have the same IP most of the time, but there is a potential situation in which DHCP does not work and we lose the connection. In my opinion the best idea is to make a reservation and set a static IP at the same time. The reservation will protect us from a duplicate IP address, whereas the static IP makes our server always ready to connect.

We need to edit the /etc/dhcpcd.conf file

sudo nano /etc/dhcpcd.conf

and paste text like below:

#ethernet
interface eth0
static ip_address=192.168.1.11/24
static routers=192.168.1.1
static domain_name_servers=9.9.9.9 8.8.4.4

#wifi
interface wlan0
static ip_address=192.168.1.10/24
static routers=192.168.1.1
static domain_name_servers=9.9.9.9 8.8.4.4

This code will assign a static IP for both the Ethernet and the WiFi connection. You can paste lines 1 to 5 to set a static IP only for Ethernet, or lines 7 to 11 only for WiFi.

In lines 3 and 9 replace the IP with your desired IP. In lines 4 and 10 provide the address of your default gateway. Lines 5 and 11 are the DNS servers. In my example there is DNS from Global Cyber Alliance (9.9.9.9) and from Google (8.8.4.4).

You can restart your Raspberry now to apply the changes.

sudo reboot

Changing hostname

Unless you have more than one Raspberry Pi in your local network it’s not mandatory to set a different hostname, but I prefer to have my machines identified by a short name which also includes information about the machine's role. In my case it will be “pi-srv” as it will be my home server running on a Raspberry Pi.

As in most Linux distributions, the hostname can be set in the file /etc/hostname, so run the command:

sudo nano /etc/hostname

and change the default hostname to whatever you like. Save the file with the key combination ctrl+o, press Enter to accept the file name and exit with ctrl+x.

This method is also valid for many other Linux distributions, in contrast to raspi-config.

Now we need to edit the /etc/hosts file

sudo nano /etc/hosts

In this file Linux stores mappings of DNS names to IP addresses. For the loopback address 127.0.0.1 we add our name after localhost. There should be one space between domain names.

In addition, add your local IP addresses (both for WiFi and Ethernet) with your chosen name. As an example you can look at the screenshot below.

127.0.0.1       localhost
127.0.0.1       pi-srv
192.168.1.10    pi-srv
192.168.1.11    pi-srv
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

Now you can reboot your Raspberry to load the changes.

sudo reboot

Setting timezone

It’s very simple. Check the available timezones with the command:

timedatectl list-timezones

In my case it is Europe/Warsaw, so my command to change the timezone will be:

sudo timedatectl set-timezone Europe/Warsaw

Simple, isn’t it? 🙂

Add another sudo user

But why should we do it? Isn’t changing our password from the default “raspberry” enough? Maybe it is, but I prefer to log in with my chosen nickname, not with the default “pi”, and I also believe changing all defaults increases our security.

So, the commands are as follows:

sudo adduser YourUserName

Provide a password for the new user, and add your new user to the sudo users with the command:

sudo usermod -aG sudo YourUserName

Your new user is ready to log in, but I recommend you follow the next steps about key-based authentication.

SSH key-based authentication

For security reasons you should not allow users to work over SSH without an additional security layer, which is key-based authentication. Stay logged in as user “pi” and follow the next steps.

First we will create a new pair of keys with the command:

ssh-keygen -t ed25519

Accept the default location for the keys by pressing Enter and provide a passphrase two times. The passphrase is optional, but it makes the key more secure. Your keys will be stored in /home/pi/.ssh. Now we will copy the key to our newly added user:

ssh-copy-id YourUserName@localhost

Type “yes” without quotation marks and hit Enter. Provide the password you have chosen for the new user (it’s not the passphrase).

ssh-copy-id -i ~/.ssh/id_ed25519.pub YourUserName@localhost

Provide the passphrase which you set during key creation. From this point your new user will be able to log in using the private key. Let’s download the key to our computer.

nano /home/pi/.ssh/id_ed25519

Mark all the text with the Shift button and a left mouse click; this copies your key without ctrl+c. Open Notepad++ or another similar program and paste the copied text. Save the file as private.key.

This private key is not in the format PuTTY uses, so we will need to convert it. Follow these steps:

  • Open PuTTYgen (it’s installed along with PuTTY)
  • File->Load private key -> Change file type to All files in order to find your key
  • Provide the passphrase
  • You can change the key comment to your new username, but it’s optional
  • Save the private key with the ppk extension, e.g. private.ppk

Let’s check if you can connect to your Raspberry with the key. Open one more PuTTY window, provide IP address and browse for your key in Connection->SSH->Auth.

Here is the place where we choose the key file.

So is our server secure? Not yet, because someone can still connect using SSH without a key. What is more, the standard port can be used! We need to change it.

First we will create a backup of the configuration file:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Now we can edit the file:

sudo nano /etc/ssh/sshd_config

Remove the # in the line with Port 22 and change the port number, as in line 6 below:

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Now find the line starting with PasswordAuthentication and change it from yes to no. Here is an example:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

Save the file (ctrl+o, enter, ctrl+x) and restart ssh:

sudo systemctl restart ssh

It won’t close your current connection, but don’t close the PuTTY window yet!

Open a new PuTTY window without closing the previous one and check if you can connect. Remember to change the default port to the one you set (in our example 2222). If it’s not working, go back to the first window and check all the steps.

Working? Make a test and try to connect without a key. You should get this error:

Make one more test and leave the default port: 22. You should get this result:

Is everything working as expected? Then we can now, finally, delete our default account “pi”.

sudo deluser --remove-home pi

Congratulations! Your server is more secure now.
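The two sshd_config edits above can be checked from the file itself. This is an added example, not part of the original post: sshd keeps the first value it reads for a keyword such as PasswordAuthentication, while Port lines add up, so an earlier line can silently undo the edit. The function names and sample files are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# port change and the PasswordAuthentication change described above.

# Print every global value of KEYWORD in FILE, one per line, in file order.
# Assumes the usual "Keyword value" form and does not follow Include files.
sshd_values() {
    awk -v kw="$2" '
        NF == 0 || $1 ~ /^#/       { next }   # skip blank lines and comments
        tolower($1) == "match"     { exit }   # Match blocks are conditional
        tolower($1) == tolower(kw) { print tolower($2) }
    ' "$1"
}

# Print findings; return 0 only if port 22 is closed and passwords are off.
audit_sshd_config() {
    rc=0
    ports=$(sshd_values "$1" Port)
    pass=$(sshd_values "$1" PasswordAuthentication | head -n 1)
    # Port lines add up: with no Port line, or any "Port 22", 22 stays open.
    case " $(echo ${ports:-22}) " in
        *" 22 "*) echo "FAIL: sshd still listens on port 22"; rc=1 ;;
    esac
    # Other keywords keep the first value read; the built-in default is yes.
    [ "${pass:-yes}" = no ] || { echo "FAIL: password logins still allowed"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: port(s) $(echo $ports), key-only logins"
    return "$rc"
}

# Constructed sample files, not taken from a real system.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good" <<'EOF'
#Port 22
Port 2222
PasswordAuthentication no
EOF
cat > "$demo_dir/shadowed" <<'EOF'
Port 2222
PasswordAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
EOF

audit_sshd_config "$demo_dir/good"
audit_sshd_config "$demo_dir/shadowed" || true
```

On the Pi itself, sudo sshd -t checks the file for syntax errors before the restart, and sudo sshd -T prints the effective settings, including any files pulled in by an Include line.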

Install some useful applications:

It will be a good idea to install those utilities 🙂

  • midnight commander – very useful and easy to use file manager
  • links – sometimes there is a need to browse the internet from command line
  • wget – downloader for files from http, https and ftp
  • pydf – python script for showing disk space usage
  • lsof – list open files
  • dnsutils – this package contains nslookup, for troubleshooting domain name problems.

sudo apt install mc links wget pydf lsof dnsutils
