This post is essentially a list of changes to the Pi’s default configuration that I would recommend you make before you start using the Pi as a server. These apply regardless of whether you want to use it as a mail server, an Owncloud machine, or a web server running something like WordPress. I’ll run you through the steps, starting with burning Raspbian to an SD card.
Download & Burn Raspbian to an SD card
This step assumes you are burning from a Linux computer; the Raspberry Pi Foundation website explains how to do it from Windows or Mac OS. Visit the Raspberry Pi downloads page and download the latest Raspbian zip file. Then open a terminal and compute the SHA-1 checksum of the file you just downloaded (edit the file name to match your download):
sha1sum ~/Downloads/2014-01-07-wheezy-raspbian.zip
Compare the result with the SHA-1 published on the download page. This only proves that what you got is what the download page advertised (it catches corruption or a tampered mirror, not a tampered download page), but it is still worth doing. If it matches, unzip the file:
unzip ~/Downloads/2014-01-07-wheezy-raspbian.zip
This produces an image file called 2014-01-07-wheezy-raspbian.img. Insert the blank SD card into your laptop/desktop, but do not mount it (if your desktop auto-mounts it, unmount it again). Check which device the card is, with your distribution's partition manager (GParted on Ubuntu, KDE Partition Manager on KDE) or with lsblk. In the command below it is /dev/sdb, but on your machine it may be something else, and dd will silently overwrite whatever disk you name, including your own hard drive. Write the image to the whole device, not to a partition such as /dev/sdb1:
sudo dd bs=4M if=~/Downloads/2014-01-07-wheezy-raspbian.img of=/dev/sdb
It takes a while and, on older versions of dd, gives no progress indicator; make a cup of tea and come back. When it finishes, run sync so that the last buffered blocks reach the card before you remove it. The SD card now holds the version of Raspbian you downloaded (not necessarily the latest packages; we update those in the next section).
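Putting the verify-and-write steps into one script reduces the chance of the classic accident, dd onto the wrong disk. This is an added example and not part of the original post: the checksum check refuses to continue on a mismatch, and the device check refuses to write to anything that is not an unmounted, removable, whole block device. The zip name, the published checksum and the device are placeholders you supply. The /sys/block/*/removable flag is set for USB card readers but not for a built-in mmcblk reader, so relax that check if you use one.

```sh
#!/bin/sh
# Added example: verify a downloaded Raspbian image and write it to an SD card
# with two safety checks in front of dd. Not part of the original post.
# Usage: sh burn.sh raspbian.zip <published-sha1> /dev/sdX

# verify_sha1 FILE EXPECTED: succeed only if FILE's SHA-1 equals EXPECTED
verify_sha1() {
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# device_is_safe DEV: succeed only if DEV is a whole removable block device
# with nothing mounted from it; explains the refusal on stderr otherwise.
device_is_safe() {
    dev=$1
    name=${dev##*/}
    if [ ! -b "$dev" ]; then
        echo "$dev: not a block device" >&2; return 1
    fi
    if [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "$dev: not flagged removable (is this your hard disk?)" >&2; return 1
    fi
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev: has mounted partitions, unmount them first" >&2; return 1
    fi
    return 0
}

# burn_raspbian ZIP SHA1 DEV: verify the zip, extract the .img, write it with dd
burn_raspbian() {
    zip=$1; sha=$2; dev=$3
    verify_sha1 "$zip" "$sha" || { echo "checksum mismatch, not writing" >&2; return 1; }
    device_is_safe "$dev" || return 1
    img=$(unzip -Z1 "$zip" | grep '\.img$' | head -n 1)   # image name inside the zip
    unzip -o "$zip" "$img" -d /tmp
    sudo dd bs=4M if="/tmp/$img" of="$dev" && sync        # sync flushes the last blocks
}

# Only act when invoked with all three arguments, so sourcing the file is harmless.
if [ "$#" -eq 3 ]; then
    burn_raspbian "$1" "$2" "$3"
fi
```

On coreutils 8.24 or newer you can add status=progress to the dd line to get the progress indicator the post says is missing.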
First Boot & Updates
Next, we connect with Secure Shell (SSH). On Windows you can use the free program PuTTY for this; Linux and Mac OS have the ssh client built in. Open a terminal and type:
ssh pi@192.168.1.103
…where 192.168.1.103 is the IP address of the Pi. If you don't know the IP address you can find it on your router's admin page (usually http://192.168.1.1 or http://192.168.0.1) in the list of connected devices. This opens a connection and logs you in as the default user, "pi"; when prompted for a password, enter "raspberry". You should now see a command prompt for pi@raspberrypi. Let's make sure the installed software is up to date:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
This could take a while depending on how recently the latest raspbian.img file was put together: the Pi will connect to the Raspbian repository and download the latest versions of all the installed software.
If you're going to use the Pi as a server, you may want to reach it via SSH from outside your own Local Area Network (LAN). The problem is that an SSH port forwarded to the internet is reachable by everyone, not just you, and there are countless scripts that scan for SSH servers and hammer them with password guesses for common usernames. So, what can we do about it?
Adding a new user/password
For starters, let’s change the default username and password – “pi” and “raspberry” is too easy to guess. This command will add a new user called “admin” just as an example, but you can choose another name if you like.
sudo adduser admin
You will be prompted to fill in some information. You can leave most of it blank if you like, the key thing is choosing a decent password. Once this user has been created, you should add them to some useful groups: sudo so that they have superuser access and adm so that they can read log files without using sudo:
sudo usermod -a -G sudo admin
sudo usermod -a -G adm admin
So we've now added a new user, with a decent password, who can act as administrator; once we have confirmed that this account works we will remove the default user "pi". We can do better than this, though: a password can still be guessed, and "admin" is an obvious username to try. If you would rather keep the username pi for now and just change its password, type this command while logged in as pi:
passwd
You'll be asked for the current password, and then you can choose and confirm a new one.
Public key authentication can be used in addition to, or instead of, password authentication for SSH. It works with a pair of keys, one public and one private. The public key is not secret and is placed on the server (or servers) you want to log in to; the private key is secret, stays on your laptop/desktop and should be protected with a passphrase, which encrypts it on disk. The server only lets in a client that can prove it holds the private key matching a public key on file. A 4096-bit RSA key cannot be guessed the way a password can, so online brute-force attempts against a key-only server are futile; the remaining risks are theft of the private key file itself (hence the passphrase) and locking yourself out, because without the private key you cannot get in at all. We are going to create a key pair on the client machine (the laptop/desktop you log in from) and copy the public half to the server, so that the server grants entry to whoever holds the matching private key. Configuration for the SSH client lives in the hidden ~/.ssh directory in your home directory on the client (use ls -a ~ to see hidden files and directories). If it does not exist yet, create it now (ssh-keygen would also create it for you):
mkdir ~/.ssh
Now, this command (again, run on your laptop/desktop) generates a key pair for you:
ssh-keygen -t rsa -b 4096
The -t option specifies the key type (RSA) and -b the key length in bits. Longer keys are harder to break but slightly slower to use; the default is 2048 bits, and 4096 gives a comfortable margin. You will be prompted for a passphrase for the key. Set one: without it, anyone who gets hold of the file can log in to the server as you. ssh-keygen creates two new files, ~/.ssh/id_rsa (the private key, which must stay secret; ssh-keygen makes it readable only by you) and ~/.ssh/id_rsa.pub (the public key, which is not secret). Next, copy the public key from your laptop/desktop to the Pi. If you used the default file location when creating the key, you can use:
ssh-copy-id remote-username@192.168.1.103
Here remote-username is the username you want to log in as on the Pi (admin if you just created that user to be the new administrator) and 192.168.1.103 is the Pi's IP address (a hostname works too if the client can resolve it). If the key is somewhere else, for example a second key generated on the same client, point ssh-copy-id at it with -i:
ssh-copy-id -i ~/.ssh/second_RSA_key.pub admin@192.168.1.103
ssh-copy-id appends the public key as a new line to the ~/.ssh/authorized_keys file in that user's home directory on the server, creating the directory and file if needed. Final changes: log in to the Pi again via SSH, this time as admin. If public key authentication is already enabled on the server (it is sshd's default), you will be prompted for the passphrase that unlocks your private key (not the account password on the server); if it is not, you will be asked for the account password as usual:
ssh admin@192.168.1.103
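ssh-copy-id is itself a small shell script, and not every client ships it, so it helps to know exactly what it does on the server side. The function below is an added example, not part of the original post: it installs a public key into a user's authorized_keys the way ssh-copy-id does, but skips a key that is already there and sets the permissions that sshd's StrictModes setting (on by default) insists on. The key in the test is a constructed placeholder, not a real key. Run it on the Pi after copying the .pub file over with scp.

```sh
#!/bin/sh
# Added example: do what ssh-copy-id does on the server side, idempotently.
# Not from the original post. Run on the Pi as the target user, or pass that
# user's home directory as the second argument while running as root.
# Usage: install_authorized_key /path/to/id_rsa.pub [/home/admin]

# install_authorized_key PUBFILE [HOME]: append the key in PUBFILE to
# HOME/.ssh/authorized_keys unless the same key is already present, then set
# the permissions sshd requires (it ignores the file if group/others can write).
install_authorized_key() {
    pub=$1
    home=${2:-$HOME}
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys
    # A key line is "type base64blob [comment]"; identify the key by the first
    # two fields so the same key with a different comment is not added twice.
    keyid=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pub")
    [ -n "$keyid" ] || { echo "$pub: does not look like a public key" >&2; return 1; }
    mkdir -p "$sshdir"
    touch "$auth"
    if ! awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
        awk 'NF >= 2 { print; exit }' "$pub" >> "$auth"   # awk guarantees the trailing newline
    fi
    chmod 700 "$sshdir"
    chmod 600 "$auth"
}

# count_authorized_keys [HOME]: number of key lines, ignoring blanks and comments
count_authorized_keys() {
    home=${1:-$HOME}
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$home/.ssh/authorized_keys" 2>/dev/null || true
}
```

If a key login mysteriously falls back to a password prompt, the permissions are the first thing to check: sshd logs "Authentication refused: bad ownership or modes" in /var/log/auth.log when it rejects an authorized_keys file for that reason.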
Now, in that SSH session, edit the configuration file for the SSH daemon:
sudo nano /etc/ssh/sshd_config
Find these two lines and uncomment them:
PubkeyAuthentication yes
RSAAuthentication yes
Uncommenting PubkeyAuthentication is belt and braces, since yes is already sshd's compiled-in default (a commented-out line in sshd_config only documents the default). RSAAuthentication applies only to the obsolete SSH protocol 1; newer OpenSSH releases warn that the keyword is deprecated, so leave it commented out if your sshd complains about it.
Now issue this command, which restarts the SSH server so it re-reads its configuration:
sudo service ssh restart
Restarting sshd does not drop sessions that are already established, so your current terminal stays connected; test the new configuration from a second one and keep the first open as a lifeline.
Connect again from a new terminal. This time you should be asked for the passphrase that unlocks your private key, not the account password. Once you have logged in that way, make one further change so that the server only accepts public key authentication, for all users: in /etc/ssh/sshd_config, update these two settings to disable password logins (the second one matters because on Debian ChallengeResponseAuthentication enables keyboard-interactive logins through PAM, which would otherwise still accept a password). !! Warning !! Do not do this until you have successfully logged in with your key, and keep that working session open while you test, or you will lock yourself out of a headless machine. Before restarting, run sudo sshd -t, which checks the edited file for syntax errors without touching the running daemon.
PasswordAuthentication no
ChallengeResponseAuthentication no
Now restart SSH again:
sudo service ssh restart
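The warning above describes a real failure mode: a typo in sshd_config, or disabling passwords before the key actually works, leaves a headless Pi that you can only recover by pulling the SD card. The helpers below are an added example, not from the original post. sshd_get reports the value sshd will actually use for an option (the first uncommented occurrence wins, commented lines only document the default, and anything under a Match block is out of scope here); sshd_set rewrites an option in place or adds it, and is safe to run repeatedly; sshd_audit checks that the settings a key-only server needs are present explicitly. sshd_apply_safely ties them together: back up, edit, syntax-check with sshd -t, restart, and arm an automatic rollback that you cancel from a fresh session once a key login works. Run that last one as root; the helper file name sshd-helpers.sh in the note below is an assumption.

```sh
#!/bin/sh
# Added example: edit sshd_config idempotently and apply it with a rollback.
# Not from the original post.

# sshd_get OPTION [FILE]: print the effective value of OPTION, or "default".
# sshd uses the first uncommented occurrence; Match blocks are ignored here.
sshd_get() {
    val=$(awk -v o="$1" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(o) { print $2; exit }
    ' "${2:-/etc/ssh/sshd_config}")
    printf '%s\n' "${val:-default}"
}

# sshd_set OPTION VALUE [FILE]: replace every top-level line for OPTION, commented
# or not, with "OPTION VALUE"; if absent, add it before the first Match block
# (or at the end). Repeated runs leave exactly one line.
sshd_set() {
    file=${3:-/etc/ssh/sshd_config}
    tmp=$(mktemp)
    awk -v o="$1" -v v="$2" '
        !inmatch && tolower($1) == "match" {
            if (!done) { print o " " v; done = 1 }
            inmatch = 1
        }
        !inmatch && (tolower($1) == tolower(o) || tolower($1) == "#" tolower(o)) {
            if (!done) { print o " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print o " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# sshd_audit [FILE]: one line per check; returns 1 unless every setting is
# explicitly what a key-only server needs (explicit, so the verdict does not
# depend on which OpenSSH version's defaults apply).
sshd_audit() {
    f=${1:-/etc/ssh/sshd_config}
    rc=0
    for pair in PasswordAuthentication=no ChallengeResponseAuthentication=no \
                PubkeyAuthentication=yes PermitRootLogin=no; do
        opt=${pair%%=*}; want=${pair#*=}
        got=$(sshd_get "$opt" "$f")
        if [ "$got" = "$want" ]; then
            echo "ok    $opt $got"
        else
            echo "FAIL  $opt is '$got', want '$want'"; rc=1
        fi
    done
    return $rc
}

# sshd_apply_safely: run as root. Backs up, disables password logins, checks the
# syntax, restarts sshd and arms a 5-minute rollback. Existing sessions survive
# the restart: open a NEW terminal, log in with your key, then kill the sleeper.
sshd_apply_safely() {
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    sshd_set PasswordAuthentication no
    sshd_set ChallengeResponseAuthentication no
    if ! /usr/sbin/sshd -t; then
        cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
        echo "sshd_config failed the syntax check; original restored" >&2
        return 1
    fi
    service ssh restart
    nohup sh -c 'sleep 300; cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; service ssh restart' \
        >/dev/null 2>&1 &
    echo "rollback armed as pid $!: once a new key login works, run: kill $!"
}
```

Typical use on the Pi is sudo sh -c '. ./sshd-helpers.sh; sshd_apply_safely', then a fresh ssh admin@192.168.1.103 from the laptop; if that works, kill the printed pid, and if it does not, wait five minutes and password logins come back by themselves.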
If you try to log in as pi now, you should get the error "Permission denied (publickey)." because no public key has been added to pi's authorized_keys, while logging in as admin with the key we created earlier still works. Log in as admin and remove the default user "pi" together with its home directory (userdel refuses while pi still has running processes, so make sure no pi session is left open):
sudo userdel pi
sudo rm -r /home/pi
Raspbian's stock sudo configuration also carries a line giving pi passwordless root (pi ALL=(ALL) NOPASSWD: ALL, in /etc/sudoers or a file under /etc/sudoers.d). It is inert once the account is gone, but remove it with sudo visudo anyway, so that a user called pi created later does not silently inherit it.
SSH is now much more secure than it was originally. Ideas from this SSH section were taken from the Ubuntu community documentation page.
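Now that you are in the adm group you can watch what those brute-force scripts were doing, and check that nobody else is getting in, by reading /var/log/auth.log. The functions below are an added example, not from the original post: they summarise failed SSH logins by source address, list the usernames that were tried, and list the successful logins so you can spot any you did not make. The lines embedded in sample_auth_log are constructed for illustration in the format Debian wheezy's sshd wrote, using documentation address ranges.

```sh
#!/bin/sh
# Added example: summarise SSH brute-force attempts from auth.log. Not from the
# original post. The sample log is constructed; the addresses are not real hosts.

# sample_auth_log: constructed lines in the format wheezy's sshd wrote to auth.log
sample_auth_log() {
    cat <<'EOF'
Mar  2 03:14:07 raspberrypi sshd[2345]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  2 03:14:09 raspberrypi sshd[2345]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  2 03:14:11 raspberrypi sshd[2350]: Invalid user oracle from 198.51.100.23
Mar  2 03:15:02 raspberrypi sshd[2360]: Accepted publickey for admin from 192.168.1.20 port 50022 ssh2
Mar  2 03:16:40 raspberrypi sshd[2370]: Failed password for pi from 203.0.113.7 port 51300 ssh2
Mar  2 03:17:15 raspberrypi sshd[2380]: Failed password for invalid user test from 198.51.100.23 port 40110 ssh2
EOF
}

# failed_logins_by_ip LOG: "count address" per source, busiest first
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# usernames_tried LOG: distinct account names attackers guessed, one per line.
# Both "Failed password for [invalid user] NAME" and "Invalid user NAME" forms
# are handled; the word after the last "for" or "user" is the name.
usernames_tried() {
    awk '/sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            u = ""
            for (i = 1; i <= NF; i++) if ($i == "for" || $i == "user") u = $(i + 1)
            if (u != "") print u
         }' "$1" | sort -u
}

# accepted_logins LOG: "method user address" for every successful login
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "Accepted") print $(i + 1), $(i + 3), $(i + 5)
         }' "$1"
}
```

Run failed_logins_by_ip /var/log/auth.log on the Pi to see the pattern for yourself; if you want the blocking automated rather than just measured, fail2ban does this same log parsing and adds firewall rules for the noisy addresses.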
Speed things up by booting to a USB Flash Drive
The Pi is not a high-powered machine, so every bit of speed you can squeeze out of it is time well spent. SD cards are designed around sequential writes of photo and video data and are often poor at the small random reads and writes a server workload produces, and the original Pi's SD interface is slow to begin with; a decent USB flash drive can do better on that kind of access pattern and usually gives you more space for content. Measure before you commit, since a cheap flash drive is no faster than a good card. Note that the Pi always boots from the SD card: what the tutorial actually moves is the root filesystem, so the card stays in the slot holding /boot and can be small. Take a look at this tutorial to learn how to boot your Pi to a USB flash drive.
Run the Raspberry Pi's configuration utility:
sudo raspi-config
- Expand the filesystem, so that the root partition grows to fill the SD card (skip this if you moved the root filesystem to a USB drive)
- Internationalisation options: change the locale and timezone (a correct timezone matters for the timestamps in your logs)
- Set overclock to Modest
- Use the advanced options to set the hostname to something sensible, and then set the memory allocation for the GPU as low as it will go, since the Pi will run "headless" (no monitor); the firmware will not go below 16 MB, so that is the effective minimum
- Finish & reboot