Recently I had a little hiccup (read: big problem) with my (formerly) trusty Raspberry Pi 2 based Web server. Backups were lost, files corrupted, pretty much everything that could go wrong did go wrong. I had been meaning to transfer everything to my shiny new Raspberry Pi 3 for a while, but my hand was rather forced. Therefore I took the leap and dove head-first into the Raspberry Pi 3.
Because so much was lost (the Pi 2’s SD Card committed seppuku) I took the opportunity to setup the Pi 3 from scratch (read: Was forced to because so much was lost), which meant I could do things a little differently and improve on the parts I was unhappy with. I have documented the process below, in the form of a (hopefully) helpful guide. I’ll be posting it in sections, rather than all in one so it should be easier to digest than one big post.
Back when I first setup the Pi 2 the choices were somewhat limited if you wanted a ’lite’ server operating system for the Raspberry Pi, one without any of the unnecessary bloat things like a GUI add. There were only a handful of options at the time, each with their own pitfalls and caveats. After much deliberation I ended up choosing a paired down version Ubuntu, back then Ubuntu wasn’t even officially supported on the Raspberry Pi. So, despite being the best option for my needs, it was still less than ideal.
However, the situation is much better now. There is even an official cut down version of the current incarnation of Rasbian Jessie, called Raspbian Jessie Lite. The easy and sensible thing therefore is to just use that, because Raspbian is optimised for the Raspberry Pi. Raspbian Lite also makes a perfect starting point, providing a minimal, well supported, and stable OS.
Raspbian Jessie Lite is provided in image form directly from the Rasberry Pi Foundation, because of this installation is fairly simple and exactly the same as any other Raspberry Pi image:
- Download the image from https://www.raspberrypi.org/downloads/raspbian
- Follow the installation instructions from the Raspberry Pi Foundation https://www.raspberrypi.org/documentation/installation/installing-images/README.md
It makes sense to just direct you to the Rasberry Pi Foundation webpages for the installation instructions, rather than duplicating them here, as those pages are always kept up to date.
First things first, you will need to run most of the following with root privileges (or just use
sudo before each of the commands below):
Then, before we go any further, you are going to want to make sure Raspbian is up to date:
apt-get update apt-get dist-upgrade
There are also a few things we should set or tidy up before we start installing any packages. First we have to change the default user’s password, as the defaut password of “password” is incredibly insecure. You can either do this via a handy little tool called raspi-config (which also allows you to configure a multitude of other options):
or via the command line:
You can also use the
raspi-config tool to
Expand Filesystem, which makes sure you are using the full extent of your SD card’s capacity, and set things like the locale. It is well worth having a poke through the menu and familiarising yourself with the other options while you are in there.
Once you’ve done that you may also wish to delete the default user (‘pi’) and use your own for an extra bit of security through obscurity. First add a new user:
user is your desired username. Then just follow the prompts to set your new user’s password and details. You will also need to add your new user to the sudo group so it can elevate privileges and use the
adduser user sudo
Finally, once you’ve logged in as your new user to test it works correctly, you can delete the default ‘pi’ user and all it’s files:
deluser -remove-home pi
As this is going to be a web server we need to make sure our hostname and hosts file are set correctly, you can set the hostname in the
Advanced Options of
raspi-config, or you can do it via the command line:
hostnamectl set-hostname your.hostname.here
If you are not sure what to put in there then this guide should help: http://community.linuxmint.com/tutorial/view/159
Ultimately I want to run the Raspberry Pi headless, as it is going to be a Web Server. Therefore we are going to want to connect to it remotely. However, SSH is disabled by default on Raspbian, so it needs to be enabled. The easiest way to do this is either via the
Interfacing options of
raspi-config after first boot, or you can place a file named ‘ssh’ (without any extension) onto the boot partition of the SD card before first boot. You will initially still need to plug in a screen and keyboard with the first option, whereas using the latter method allows you to run the whole setup headless.
Next we want to setup key based access, as it is much more secure than using passwords. Begin by generating an ssh key on your client machine (if you are using Windows you’ll need something like PuTTY, and the process is slightly different):
ssh-keygen -t ed25519
ed25519 is the type of key and is the best currently on offer (don’t just take my word for it, hit the search engines). You’ll often see the -o switch used as well, which specifies the new and improved key format - but that is unnecessary here as it is the default for ed25519.
Next, copy your key to the Pi using
scp ~/.ssh/your_key.pub user@piaddress:~/.ssh/
If you haven’t got an .ssh directory on your PI then run:
install -d -m 700 ~/.ssh first. Next, add your new key to authorized_keys:
cat your_key.pub >> authorized_keys
Now you can try to login using your shiny new key:
ssh -i ~/.ssh/your_key user@piaddress
-i is the identity_file switch, which tells ssh to look for your private key in the directory specified.
Finally, after confirming your new key works, you may wish to make a few tweaks to
/etc/ssh/sshd_config to make things a little more secure, for example:
no- This prohibits root from logging in via ssh;
- Disable password login by changing
no- Which forces users to login with a keys rather than passwords;
no- We have no GUI installed so the ability to forward X11 is a bit superfluous;
AllowUsers userto only allow ssh access for your user(s). Where
useris one or more of the usernames on your system, separated by spaces - This makes sure only the user(s) you specify can login via SSH.
The above is a good start, but there is a lot more you can do if you wanted to. A quick Internet search will dig up a thousand and one different articles on hardening SSH access, using things like DenyHosts, Fail2ban, or iptables rules. I may go deeper into it in a later article, if I get the chance.
Once you’ve done all that then you should restart SSH to make sure all the new settings are applied:
systemctl restart ssh
You can also check ssh is running with:
systemctl status ssh
That’s it for now, we have covered the basics. You are now ready to start installing and configuring things, such as the web server itself and other things like blogging platforms and databases. In the next article I’ll cover installing and configuring nginx for static sites.
Next time: (Web) Serving Raspberry Pi: Part 2 - nginx