Basic Raspbian configuration
In our last post we installed Raspbian OS on our Raspberry and enabled the SSH server, so we can manage it without connecting a monitor, mouse or keyboard to this small computer. In most cases, Linux servers are managed just like that and never see a monitor attached.
Today we are going to configure things like:
- assign static IP
- create new user
- secure our SSH connection with private key
There is a very nice and handy tool, raspi-config, which I discovered after the initial configuration. You can run command:
and you will get a tool like the one on the screenshot below, which you can use for some of the mentioned changes but not all of them. We will focus on the old-fashioned way, dealing with files.
Assigning static IP
Every server, especially one which is managed remotely, should have a static IP assigned. Of course we can make a reservation in our DHCP server, so our machine would have the same IP most of the time, but there is a potential situation when DHCP will not work and we will lose the connection. In my opinion the best idea is to make a reservation and set a static IP at the same time. The reservation will protect us from a duplicate IP address, whereas the static IP makes our server always ready to connect.
We need to edit /etc/dhcpcd.conf file
sudo nano /etc/dhcpcd.conf
and paste text like below:
#ethernet
interface eth0
static ip_address=192.168.1.11/24
static routers=192.168.1.1
static domain_name_servers=18.104.22.168 22.214.171.124

#wifi
interface wlan0
static ip_address=192.168.1.10/24
static routers=192.168.1.1
static domain_name_servers=126.96.36.199 188.8.131.52
This code will assign a static IP for both the Ethernet and the WiFi connection. You can paste lines 1 to 5 in order to set a static IP only for Ethernet, or lines 7 to 11 only for WiFi.
In lines 3 and 9 replace the IP with your desired IP. In lines 4 and 10 provide the address of your default gateway. Lines 5 and 11 are the DNS servers. In my example there is DNS from Global Cyber Alliance (184.108.40.206) and from Google (220.127.116.11).
You can restart your Raspberry now to apply changes.
Unless you have more than one Raspberry Pi in your local network it’s not mandatory to set a different hostname, but I prefer to have my machines identified by a short name which also includes information about the machine’s role. In my case it will be “pi-srv”, as it will be my home server running on a Raspberry Pi.
As in most Linux distributions, the hostname can be set in the file /etc/hostname, so run the command:
sudo nano /etc/hostname
and change the default hostname to whatever you like. Save the file with the key combination ctrl+o, press Enter to accept the file name and exit with ctrl+x.
This method is also valid for many other Linux distributions, in contrast to raspi-config.
Now we need to edit /etc/hosts file
sudo nano /etc/hosts
In this file Linux stores the mapping of DNS names to IP addresses. For the loopback address 127.0.0.1 we add our name after localhost. There should be one space between domain names.
In addition, add your local IP addresses (both for WiFi and Ethernet) with your chosen name. As an example you can look at the screenshot below.
127.0.0.1 localhost
127.0.0.1 pi-srv
192.168.1.10 pi-srv
192.168.1.11 pi-srv
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouter
Now you can reboot your Raspberry to load changes.
It’s very simple. Check available timezones with the command:
In my case it is Europe/Warsaw, so my command to change timezone will be:
sudo timedatectl set-timezone Europe/Warsaw
Simple, isn’t it? 🙂
Add another sudo user
But why should we do it? Isn’t changing our password from the default “raspberry” enough? Maybe it is, but I prefer to log in with my chosen nickname, not with the default “pi”, and I also believe changing all defaults increases our security.
So, commands are as follows:
sudo adduser YourUserName
Provide password for a new user, and add your new user to sudo users with command:
sudo usermod -aG sudo YourUserName
Your new user is ready to log in, but I recommend following the next steps about key-based authentication.
SSH key-based authentication
For security reasons you should not allow users to work over SSH without an additional security layer, which is key-based authentication. Stay logged in as user “pi” and follow the next steps.
First we will create a new pair of keys with the command:
ssh-keygen -t ed25519
Accept the default location for the keys by pressing Enter and provide a passphrase twice. The passphrase is optional, but it makes the key more secure. Your keys will be stored in /home/pi/.ssh. Now we will copy the key to our newly added user:
ssh-copy-id -i ~/.ssh/id_ed25519.pub YourUserName@localhost
Type “yes” without quotation marks and hit Enter. Provide the password you have chosen for the new user (it’s not the passphrase).
Provide the passphrase which you set during key creation. From this point your new user will be able to log in using the private key. Let’s download the key to our computer.
Select all of the text by holding Shift and left-clicking; this copies your key without ctrl+c. Open Notepad++ or another similar program and paste the copied text. Save the file as private.key.
This private key does not use the same format as PuTTY, so we will need to convert it. Follow these steps:
- Open Puttygen (it’s installed along with Putty)
- File->Load private key -> Change file type to All files in order to find your key
- Provide passphrase
- You can change key comment with your new username but it’s optional
- Save the private key with the ppk extension, e.g. private.ppk
Let’s check if you can connect to your Raspberry with the key. Open one more PuTTY window, provide the IP address and browse for your key in Connection->SSH->Auth.
So is our server secure? Not yet, because someone can still connect using SSH without a key. What’s more, the standard port can still be used! We need to change it.
First we will create backup of configuration file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Now we can edit the file:
sudo nano /etc/ssh/sshd_config
Remove the # from the line with Port 22 and change the port number, as in line 6 below:
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Now find the line starting with PasswordAuthentication and change it from yes to no. Here is an example:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
Save the file (ctrl+o, enter, ctrl+x) and restart ssh:
sudo systemctl restart ssh
It won’t close your current connection, but don’t close the PuTTY window yet!
Open a new PuTTY window without closing the previous one and check if you can connect. Remember to change the default port to the one you set (in our example 2222). If it’s not working, go back to the first window and check all the steps.
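One way to confirm that both sshd_config edits above really took effect, as an added example that is not part of the original post: a small POSIX shell audit that goes slightly beyond the two lines shown and accounts for how sshd reads repeated keywords. The function names and the two sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Added example: offline audit of an sshd_config for the two edits above.
# On the Pi itself, `sudo sshd -t` (syntax check) and `sudo sshd -T`
# (print effective settings) are authoritative; this parser does not
# follow Include lines and reads only the global part before "Match".

# Print "keyword value" (lowercased) for every active global directive.
directives() {
  awk '
    { sub(/^[ \t]+/, "") }                  # strip leading whitespace
    /^#/ || /^$/ { next }                   # skip comments and blank lines
    { split($0, f, /[ \t=]+/); k = tolower(f[1]) }
    k == "match" { exit }                   # conditional blocks start here
    { print k, tolower(f[2]) }
  ' "$1"
}

# For most keywords sshd keeps the FIRST value it reads; later ones are ignored.
first_value() {  # FILE keyword(lowercase) default
  directives "$1" | awk -v k="$2" -v d="$3" \
    '$1 == k { print $2; hit = 1; exit } END { if (!hit) print d }'
}

# Port is different: every Port line adds a listener, so collect them all.
audit() {  # FILE -> prints findings; returns 0 only if both edits took effect
  rc=0
  pw=$(first_value "$1" passwordauthentication yes)
  ports=$(directives "$1" |
    awk '$1 == "port" { s = s (s ? " " : "") $2 } END { print s }')
  [ -n "$ports" ] || ports=22              # no Port line: default 22 applies
  case " $ports " in
    *" 22 "*) echo "FAIL: sshd still listens on port 22"; rc=1 ;;
  esac
  [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication is $pw"; rc=1; }
  [ "$rc" -ne 0 ] || echo "OK: ports=$ports passwordauthentication=$pw"
  return "$rc"
}

# Constructed sample: the edits from this page applied as described.
good=$(mktemp)
printf '%s\n' '#Port 22' 'Port 2222' '#AddressFamily any' \
  'PasswordAuthentication no' '#PermitEmptyPasswords no' > "$good"
# Constructed sample: "no" appended below an active "yes", old Port 22 kept.
bad=$(mktemp)
printf '%s\n' 'Port 22' 'Port 2222' \
  'PasswordAuthentication yes' 'PasswordAuthentication no' > "$bad"
audit "$good"
audit "$bad" || true
```

The second sample fails on both counts even though it contains the lines "Port 2222" and "PasswordAuthentication no", which is why it is worth checking the effective settings and not just looking for the edited lines.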
Working? Make a test and try to connect without a key. You should get this error:
Make one more test and leave default port: 22. You should get this result:
Is everything working as expected? So we can now, finally, delete our default account “pi”.
sudo deluser --remove-home pi
Congratulations! Your server is more secure now.
Install some useful applications:
It will be a good idea to install those utilities 🙂
- midnight commander – very useful and easy to use file manager
- links – sometimes there is a need to browse the internet from command line
- wget – downloader for files from http, https and ftp
- pydf – python script for showing disk space usage
- lsof – list open files
- dnsutils – this package contains nslookup, for troubleshooting domain name problems.
sudo apt install mc links wget pydf lsof dnsutils