(Web) Serving Raspberry Pi: Part 1 - The Basics

Recently I had a little hiccup (read: big problem) with my (formerly) trusty Raspberry Pi 2 based Web server. Backups were lost, files corrupted, pretty much everything that could go wrong did go wrong. I had been meaning to transfer everything to my shiny new Raspberry Pi 3 for a while, but my hand was rather forced. Therefore I took the leap and dove head-first into the Raspberry Pi 3.

Because so much was lost (the Pi 2's SD Card committed seppuku) I took the opportunity to setup the Pi 3 from scratch (read: Was forced to because so much was lost), which meant I could do things a little differently and improve on the parts I was unhappy with. I have documented the process below, in the form of a (hopefully) helpful guide. I'll be posting it in sections, rather than all in one so it should be easier to digest than one big post.

Operating System

Back when I first setup the Pi 2 the choices were somewhat limited if you wanted a 'lite' server operating system for the Raspberry Pi, one without any of the unnecessary bloat things like a GUI add. There were only a handful of options at the time, each with their own pitfalls and caveats. After much deliberation I ended up choosing a paired down version Ubuntu, back then Ubuntu wasn't even officially supported on the Raspberry Pi. So, despite being the best option for my needs, it was still less than ideal.

However, the situation is much better now. There is even an official cut down version of the current incarnation of Rasbian Jessie, called Raspbian Jessie Lite. The easy and sensible thing therefore is to just use that, because Raspbian is optimised for the Raspberry Pi. Raspbian Lite also makes a perfect starting point, providing a minimal, well supported, and stable OS.

Installing Raspbian

Raspbian Jessie Lite is provided in image form directly from the Rasberry Pi Foundation, because of this installation is fairly simple and exactly the same as any other Raspberry Pi image:

It makes sense to just direct you to the Rasberry Pi Foundation webpages for the installation instructions, rather than duplicating them here, as those pages are always kept up to date.

Initial setup

First things first, you will need to run most of the following with root privileges (or just use sudo before each of the commands below):

$ sudo -s

Then, before we go any further, you are going to want to make sure Raspbian is up to date:

$ apt-get update
$ apt-get dist-upgrade

There are also a few things we should set or tidy up before we start installing any packages. First we have to change the default user's password, as the defaut password of "password" is incredibly insecure. You can either do this via a handy little tool called raspi-config (which also allows you to configure a multitude of other options):

$ raspi-config

or via the command line:

$ passwd

You can also use the raspi-config tool to Expand Filesystem, which makes sure you are using the full extent of your SD card's capacity, and set things like the locale. It is well worth having a poke through the menu and familiarising yourself with the other options while you are in there.

Once you've done that you may also wish to delete the default user ('pi') and use your own for an extra bit of security through obscurity. First add a new user:

$ adduser user

Where user is your desired username. Then just follow the prompts to set your new user's password and details. You will also need to add your new user to the sudo group so it can elevate privileges and use the sudo command:

$ adduser user sudo

Finally, once you've logged in as your new user to test it works correctly, you can delete the default 'pi' user and all it's files:

$ deluser -remove-home pi

As this is going to be a web server we need to make sure our hostname and hosts file are set correctly, you can set the hostname in the Advanced Options of raspi-config, or you can do it via the command line:

$ hostnamectl set-hostname your.hostname.here

If you are not sure what to put in there then this guide should help: http://community.linuxmint.com/tutorial/view/159

Configure SSH

Ultimately I want to run the Raspberry Pi headless, as it is going to be a Web Server. Therefore we are going to want to connect to it remotely. However, SSH is disabled by default on Raspbian, so it needs to be enabled. The easiest way to do this is either via the Interfacing options of raspi-config after first boot, or you can place a file named 'ssh' (without any extension) onto the boot partition of the SD card before first boot. You will initially still need to plug in a screen and keyboard with the first option, whereas using the latter method allows you to run the whole setup headless.

Next we want to setup key based access, as it is much more secure than using passwords. Begin by generating an ssh key on your client machine (if you are using Windows you'll need something like PuTTY, and the process is slightly different):

$ ssh-keygen -t ed26619

ed26616 is the type of key and is the best currently on offer (don't just take my word for it, hit the search engines). You'll often see the -o switch used as well, which specifies the new and improved key format - but that is unnecessary here as it is the default for ed26616.

Next, copy your key to the Pi using scp:

$ scp ~/.ssh/your_key.pub user@piaddress:~/.ssh/

If you haven't got an .ssh directory on your PI then run: install -d -m 700 ~/.ssh first. Next, add your new key to authorized_keys:

$ cat your_key.pub >> authorized_keys

Now you can try to login using your shiny new key:

$ ssh -i ~/.ssh/your_key user@piaddress

The -i is the identity_file switch, which tells ssh to look for your private key in the directory specified.

Finally, after confirming your new key works, you may wish to make a few tweaks to /etc/ssh/sshd_config to make things a little more secure, for example:

  • Change PermitRootLogin from without-password to no - This prohibits root from logging in via ssh;
  • Disable password login by changing PasswordAuthentication to no - Which forces users to login with a keys rather than passwords;
  • Change X11Forwarding to no - We have no GUI installed so the ability to forward X11 is a bit superfluous;
  • Add AllowUsers user to only allow ssh access for your user(s). Where user is one or more of the usernames on your system, separated by spaces - This makes sure only the user(s) you specify can login via SSH.

The above is a good start, but there is a lot more you can do if you wanted to. A quick Internet search will dig up a thousand and one different articles on hardening SSH access, using things like DenyHosts, Fail2ban, or iptables rules. I may go deeper into it in a later article, if I get the chance.

Once you've done all that then you should restart SSH to make sure all the new settings are applied:

$ systemctl restart ssh

You can also check ssh is running with:

$ systemctl status ssh

That's it for now, we have covered the basics. You are now ready to start installing and configuring things, such as the web server itself and other things like blogging platforms and databases. In the next article I'll cover installing and configuring nginx for static sites.

Next time: (Web) Serving Raspberry Pi: Part 2 - nginx