Showing posts with label raspbian. Show all posts

Monday, September 25, 2023

Advanced installation of a Raspberry Pi with Raspbian Bullseye

When installing a Raspberry Pi, I follow a checklist so that all my Raspberry Pis end up (mostly) configured the same way: the same backup method, the same user-level configuration (ntp, syslog, sendmail...) and the same security provisioning. We also move the logs into memory with Log2Ram to reduce SD card writes, because write wear will eventually kill the card. Feel free to comment on any step documented here. Some steps may be optional or unnecessary in your case.

  1. Do the physical installation: plug in the network and HDMI cables (but not the power cable yet) and screw your RPi into a case or enclosure.
  2. Prepare the SD card on a Mac with Raspberry Pi Imager.
  3. Plug the SD card into your RPi, now also plug in the power cable and boot the RPi for the first time. Create a user with a password for later use. Avoid the old default pair pi/raspberry: it is widely known and routinely tried by brute-force scanners.
  4. Once booted, you get a prompt to log in for the first time. Mind that the console uses the default UK QWERTY keyboard layout until you change it in the next step.
  5. Run the setup tool
    sudo raspi-config
  6. Configure the setup tool
    1. Set the hostname (1 System Options > S4 Hostname)
    2. Expand Filesystem (6 Advanced Options > A1 Expand file system)
    3. Change Timezone, set Keyboard Layout (if needed) and change Wifi Country (5 Localization Options > L2 Change Timezone, L3 Change Keyboard Layout, L4 Change Wi-fi Country)
    4. Enable SSH (3 Interfacing Options > I2 SSH)
    5. Press 'Finish' and Reboot
  7. After the reboot, log in again via SSH and change your user password:
    passwd
  8. Generate an SSH key pair for this user. ed25519 keys are shorter and stronger than the RSA default; -a 100 runs the KDF 100 rounds so the private key's passphrase resists brute force, and -o selects the newer OpenSSH key format (already the default on current releases):
    ssh-keygen -o -a 100 -t ed25519
  9. Optionally set a root password. Raspberry Pi OS ships with the root account locked; this unlocks it for console login, so leave it locked if sudo is all you need:
    sudo passwd root
  10. Give eth0 a fixed IP address. I hardly ever use the Wi-Fi module in a Raspberry Pi. Bullseye manages interfaces with dhcpcd by default, so if you configure eth0 in /etc/network/interfaces as below, also add a `denyinterfaces eth0` line to /etc/dhcpcd.conf so the two services do not fight over the interface (the alternative is to put the static configuration in /etc/dhcpcd.conf instead).
    sudo vi /etc/network/interfaces
    Add the following at the end of the file (the network and broadcast lines are implied by the /24 suffix and may be omitted):
    # Added by user on 2023-XX-XX
    auto eth0
    iface eth0 inet static
            address 192.168.0.240/24
            network 192.168.0.0
            broadcast 192.168.0.255
            gateway 192.168.0.1
            dns-nameservers 192.168.0.1 8.8.8.8
    # End of Addition
    sudo systemctl restart networking.service
    And check with
    ip addr show eth0
    Reboot your RPi again (or later, if you plan to reboot anyway).
  11. Install the available updates and upgrades for Bullseye; become root first. Reboot afterwards if a kernel update was installed.
    sudo -i
    apt-get update && apt-get upgrade -y
  12. Fix a common rsyslog annoyance: the stock rsyslog.conf ends with a rule that pipes a copy of most log messages to the named pipe /dev/xconsole, which does not exist on a headless Raspberry Pi and makes rsyslog log errors about it. The sed below deletes everything from that comment to the end of the file:
    sudo sed -i '/# The named pipe \/dev\/xconsole/,$d' /etc/rsyslog.conf
    sudo service rsyslog restart
  13. Alternatively, you could also install Syslog-NG
    sudo apt-get install -y syslog-ng
  14. Install Git
    sudo apt-get install -y git dirmngr
  15. Install Log2Ram, which keeps /var/log on a RAM disk and writes it back to the SD card periodically and at shutdown, reducing SD card writes significantly. Caveat: anything logged since the last write-back is lost on a crash or power cut, so if you rely on these logs for incident reconstruction, also forward them to a remote syslog host.
    cd ~
    git clone https://github.com/azlux/log2ram.git
    cd log2ram
    chmod +x install.sh
    sudo ./install.sh
    Raise the RAM disk size (the SIZE= line) to 128M:
    sudo vi /etc/log2ram.conf
    Reboot
  16. Install Sendmail and configure it to relay through a local mail relay, or alternatively Gmail (SMART_HOST `[smtp.gmail.com]` on submission port 587, with an app password rather than your account password).
    sudo apt-get install -y sendmail mailutils sendmail-bin
    The authentication file holds a plaintext password, so create it as root in a directory only root can enter. Note that `sudo cd` does not work (cd is a shell builtin), so become root for this part:
    sudo -i
    mkdir -m 700 /etc/mail/authinfo
    cd /etc/mail/authinfo
    Create the Sendmail authentication file:
    vi sendmail-auth
    And paste the following, with your login and password. A bare `AuthInfo:` key applies to every smart host; a key such as `AuthInfo:smtp.gmail.com` restricts the credentials to that one host:
    AuthInfo: "U:root" "I:YOUR LOGIN" "P:YOUR PASSWORD"
    Save and exit vi. Build the hash map, then lock down both the source file and the generated .db, which contains the same password:
    makemap hash sendmail-auth < sendmail-auth
    chmod 400 sendmail-auth sendmail-auth.db
    Now change the Sendmail configuration:
    vi /etc/mail/sendmail.mc
    Add the following right above the first MAILER_DEFINITIONS line. The `p` in confAUTH_OPTIONS refuses PLAIN/LOGIN authentication unless the connection is encrypted (STARTTLS), so keep it:
    # Added by yourname on 2018-XX-XX
    define(`SMART_HOST',`[192.168.Y.XX]')dnl
    define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
    define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
    define(`confAUTH_OPTIONS', `A p')dnl
    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    FEATURE(`authinfo',`hash -o /etc/mail/authinfo/sendmail-auth.db')dnl
    # End of Addition
    Rebuild the configuration, reload Sendmail and leave the root shell:
    make -C /etc/mail
    /etc/init.d/sendmail reload
    exit
    Test by sending yourself an email:
    echo "Just testing my Sendmail email relay" | mail -s "Sendmail email relay" you@here.com
  17. Set up NTP time sync (installing the ntp daemon replaces systemd-timesyncd):
    sudo apt-get install -y ntp ntpdate
    sudo vi /etc/ntp.conf
    In the pool lines, replace the XX with your country code, e.g.
    pool 0.XX.pool.ntp.org iburst
    Stop the daemon, force a one-shot sync and start it again:
    sudo /etc/init.d/ntp stop
    sudo ntpd -gq
    sudo /etc/init.d/ntp start
    Then check the peer list; the line marked with * is the current sync source:
    ntpq -pn
  18. Set up SNMP. In SNMPv1/v2c the community string is the only credential and it travels in cleartext, so do not use the default "public", restrict read-only access to your management subnet, and remove any pre-existing `rocommunity public` line from the file. For anything beyond a trusted LAN, use SNMPv3 users instead.
    sudo apt-get install -y snmp snmpd
    sudo vi /etc/snmp/snmpd.conf
    And put the following configuration lines (replace MYCOMMUNITY with a string of your own):
    agentAddress udp:161
    rocommunity MYCOMMUNITY 192.168.X.0/24
    Restart your SNMP daemon:
    sudo /etc/init.d/snmpd restart
    And test, replacing localhost with the RPi's address when querying from another host in 192.168.X.0/24 (from the RPi itself, localhost only works if 127.0.0.1 is also allowed by a second rocommunity line):
    snmpwalk -Os -c MYCOMMUNITY -v 2c localhost
  19. Set up an NFS backup share, then install and configure a backup tool (raspiBackup).
    Fix the rpcbind start-up issue. This workaround dates from Jessie; check `systemctl status rpcbind.service` first and only add the unit files below if NFS mounts fail at boot because rpcbind or rpc.statd is not running. Make yourself root first:
    su -
    cat >/etc/systemd/system/nfs-common.service <<\EOF
    [Unit]
    Description=NFS Common daemons
    Wants=remote-fs-pre.target
    DefaultDependencies=no
    
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/etc/init.d/nfs-common start
    ExecStop=/etc/init.d/nfs-common stop
    
    [Install]
    WantedBy=sysinit.target
    EOF

    cat >/etc/systemd/system/rpcbind.service <<\EOF
    [Unit]
    Description=RPC bind portmap service
    After=systemd-tmpfiles-setup.service
    Wants=remote-fs-pre.target
    Before=remote-fs-pre.target
    DefaultDependencies=no
    
    [Service]
    ExecStart=/sbin/rpcbind -f -w
    KillMode=process
    Restart=on-failure
    
    [Install]
    WantedBy=sysinit.target
    Alias=portmap
    EOF

    cat >/etc/tmpfiles.d/rpcbind.conf <<\EOF
    #Type Path        Mode UID  GID  Age Argument
    d     /run/rpcbind 0755 root root - -
    f     /run/rpcbind/rpcbind.xdr 0600 root root - -
    f     /run/rpcbind/portmap.xdr 0600 root root - -
    EOF
    
    systemctl enable rpcbind.service
    systemctl enable nfs-common 
    Install raspiBackup (from this website). First create the mount point and make it immutable, so that a backup run cannot fill the SD card when the share happens not to be mounted:
    sudo mkdir -p /backup
    sudo chattr +i /backup
    Add the share to /etc/fstab; the mount point column (/backup) is mandatory:
    sudo vi /etc/fstab
    And add
    server.yourdomain.com:/volume1/backups/host.yourdomain.com/backup      /backup      nfs     rsize=8192,wsize=8192,timeo=14     0       0
    sudo mount /backup
    Now install the raspiBackup tool. The installer runs as root, so download it and read it before executing it rather than piping it straight from the network into a root shell:
    curl -sO https://raw.githubusercontent.com/framps/raspiBackup/master/installation/install.sh
    less install.sh
    sudo bash install.sh
    Go through the configuration tool; later you can return to it via raspiBackupInstallUI.sh
    -Backup versions: smart strategy
    -Backup to tar
    -No compression
    -Backup mode standard
    -Email notification set
    Uncomment the cron job (the backup will run every Sunday at 5am):
    sudo vi /etc/cron.d/raspiBackup
    And finally test
    sudo raspiBackup
  20. Exchange SSH keys for password-less login. The key pair from step 8 can be reused; if you skipped that step, generate one now:
    ssh-keygen -t ed25519
    Copy your public key to the backup server:
    ssh-copy-id -p 22 admin@server.yourdomain.com
    Then log into the server, become root and copy its public key to the Raspberry Pi (use id_ed25519.pub if that is what you generated there; ssh-copy-id does the same with the right permissions where it is available):
    cat /root/.ssh/id_rsa.pub | ssh user@host.yourdomain.com "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"
    Test if it works:
    ssh user@host.yourdomain.com
  21. Set up unattended upgrades, based on this tutorial:
    sudo apt update
    sudo apt install unattended-upgrades
    Configure unattended upgrades and uncomment the origins you want to take upgrades from (skip -proposed-updates on a machine you care about; it holds packages staged for the next point release):
    sudo vi /etc/apt/apt.conf.d/50unattended-upgrades

    "origin=Debian,codename=${distro_codename}-updates";
    "origin=Debian,codename=${distro_codename}-proposed-updates";
    "origin=Debian,codename=${distro_codename},label=Debian";
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    These patterns only match Debian's own repositories. Raspberry Pi OS pulls from repositories whose origin and label are Raspbian and Raspberry Pi Foundation; run `apt-cache policy` to see what your sources report and add matching origin lines, otherwise nothing is upgraded automatically.
    Also uncomment (and set it to "true" if you want unused dependencies removed after upgrades):
    Unattended-Upgrade::Remove-Unused-Dependencies "false";
    Now enable automatic updates (answer Yes):
    sudo dpkg-reconfigure --priority=low unattended-upgrades
    To check what the next run would do without changing anything, use `sudo unattended-upgrade --dry-run --debug`. To view the service:
    sudo systemctl status unattended-upgrades.service
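As an added example (my own Python, not part of the original post or of unattended-upgrades), the script below checks the Origins-Pattern lines against the repositories the box actually uses. It parses the `release o=...,a=...,n=...,l=...` lines that `apt-cache policy` prints, evaluates each pattern the way unattended-upgrades does (every key=value part of a pattern must hold, with `${distro_codename}` substituted), lists the repositories that no pattern covers, and generates pattern lines that would cover them. The embedded `apt-cache policy` output is constructed for a Raspberry Pi OS Bullseye host; the `site` pattern key is not handled.

```python
"""Added example (not from the original post): check the Origins-Pattern lines of
50unattended-upgrades against the repositories 'apt-cache policy' reports, and
print the pattern lines that would cover any repository no pattern matches."""
import re
import sys

# Constructed sample of `apt-cache policy` output on a Raspberry Pi OS Bullseye host.
# The "release" lines carry apt's o=origin,a=suite,n=codename,l=label,c=component fields.
SAMPLE_POLICY = """\
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://archive.raspberrypi.org/debian bullseye/main armhf Packages
     release o=Raspberry Pi Foundation,a=stable,n=bullseye,l=Raspberry Pi Foundation,c=main,b=armhf
     origin archive.raspberrypi.org
 500 http://raspbian.raspberrypi.org/raspbian bullseye/main armhf Packages
     release o=Raspbian,a=stable,n=bullseye,l=Raspbian,c=main,b=armhf
     origin raspbian.raspberrypi.org
"""

# The Debian patterns from the stock 50unattended-upgrades file, as listed in the post.
DEBIAN_PATTERNS = [
    "origin=Debian,codename=${distro_codename}-updates",
    "origin=Debian,codename=${distro_codename},label=Debian",
    "origin=Debian,codename=${distro_codename},label=Debian-Security",
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security",
]

# Pattern keys understood by unattended-upgrades, mapped to the apt release-line field letters.
PATTERN_KEYS = {"o": "o", "origin": "o", "l": "l", "label": "l", "a": "a", "suite": "a",
                "archive": "a", "n": "n", "codename": "n", "c": "c", "component": "c"}

RELEASE_RE = re.compile(r"^\s+release\s+(\S.*)$")


def parse_release_lines(policy_text):
    """One dict of release fields per repository; the local 'a=now' status entry is skipped."""
    releases = []
    for line in policy_text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            fields = dict(part.split("=", 1) for part in m.group(1).split(","))
            if "o" in fields and "n" in fields:
                releases.append(fields)
    return releases


def pattern_matches(pattern, release, codename):
    """Every key=value part of the pattern must hold for the release (u-u's matching rule)."""
    for part in pattern.replace("${distro_codename}", codename).split(","):
        key, value = part.split("=", 1)
        if key not in PATTERN_KEYS:
            raise ValueError(f"unsupported pattern key: {key}")
        if release.get(PATTERN_KEYS[key]) != value:
            return False
    return True


def unmatched_repositories(policy_text, patterns, codename):
    """Repositories that no configured pattern covers: unattended-upgrades ignores them."""
    return [r for r in parse_release_lines(policy_text)
            if not any(pattern_matches(p, r, codename) for p in patterns)]


def origins_patterns(policy_text, codename):
    """Pattern lines that would cover every repository, with the codename templated."""
    patterns = []
    for r in parse_release_lines(policy_text):
        cn = r["n"].replace(codename, "${distro_codename}")
        p = f"origin={r['o']},codename={cn},label={r.get('l', r['o'])}"
        if p not in patterns:
            patterns.append(p)
    return patterns


if __name__ == "__main__":
    # Real use: apt-cache policy | python3 check_origins.py bullseye   (file name is hypothetical)
    codename = sys.argv[1] if len(sys.argv) > 1 else "bullseye"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    for r in unmatched_repositories(text, DEBIAN_PATTERNS, codename):
        print(f"not covered by the Debian patterns: origin={r['o']} codename={r['n']} label={r.get('l', '')}")
    print("Origins-Pattern lines that would cover all repositories:")
    for p in origins_patterns(text, codename):
        print(f'        "{p}";')
```

On the sample, both repositories come out as uncovered by the Debian patterns, which is exactly the silent failure mode: the service runs, the log looks healthy, and no package is ever upgraded. The generated lines are the ones to add to 50unattended-upgrades; re-run the script against the live `apt-cache policy` output afterwards until nothing is reported as uncovered.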



Sunday, February 25, 2018

An example Iptables rules file for your Raspberry Pi (and have it applied after each reboot)

Applying an Iptables firewall rule set on Raspbian/Debian is fairly easy. I want something that is easy to manage, has a reasonable default security posture, and can be rolled out onto several Raspberry Pi devices without much effort.
Rules added to a running Iptables are lost every time you reboot or restart the firewall, so the second half of this post makes them persistent.

First, my basic rule set file, built around the services I need on my Raspberry Pi:

  • SSH server
  • OpenVPN server
  • HTTP(S) server
  • DNS server
  • Samba server
  • Transmission server
Of course, you can add and customize as much as you want, but here is my example rules.v4 file (the output of iptables-save). Note that it covers IPv4 only; if IPv6 is enabled on the Pi, write a matching /etc/iptables/rules.v6 as well, or the host stays wide open over IPv6:

# Generated by iptables-save v1.6.0 on Sun Feb 18 13:27:56 2018
*nat
:PREROUTING ACCEPT [485:82476]
:INPUT ACCEPT [24:2229]
:OUTPUT ACCEPT [192:15907]
:POSTROUTING ACCEPT [192:15907]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -m comment --comment "Allow OpenVPN routing from source 10.8.0.0 to eth0" -j MASQUERADE
COMMIT
# Completed on Sun Feb 18 13:27:56 2018
# Generated by iptables-save v1.6.0 on Sun Feb 18 13:27:56 2018
*filter
:INPUT DROP [67:11459]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [687:299583]
:f2b-openvpn - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "Block null packets" -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m comment --comment "Block new connections that do not start with SYN" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment "Block Xmas packets" -j DROP
# localhost
-A INPUT -i lo -m comment --comment "Allow localhost traffic" -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 4711:4720 -m comment --comment "TODO" -j ACCEPT
# Established connections
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow all established inbound connections" -j ACCEPT
# DNS server
-A INPUT -p udp -m udp --dport 53 -m comment --comment "Allow DNS to this host from anywhere" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m comment --comment "Allow DNS to this host from anywhere" -j ACCEPT
# OpenVPN server (the f2b chain only RETURNs, so an explicit ACCEPT must follow the jump)
-A INPUT -p tcp -m multiport --dports 1194 -m comment --comment "Run OpenVPN connections through fail2ban" -j f2b-openvpn
-A INPUT -p tcp -m tcp --dport 1194 -m comment --comment "Allow OpenVPN to this host from anywhere" -j ACCEPT
# SSH server
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "Run SSH connections through fail2ban" -j f2b-sshd
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow ping to this host from anywhere" -j ACCEPT
# HTTP server
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "Allow HTTP to this host from anywhere" -j ACCEPT
# SSLH multiplexer
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "Allow HTTPS to this host from anywhere" -j ACCEPT
# SSH server
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH to this host from anywhere" -j ACCEPT
# Samba server
-A INPUT -p tcp -m multiport --dports 139,445 -m comment --comment "Allow Samba to this host from anywhere" -j ACCEPT
-A INPUT -p udp -m multiport --dports 137,138 -m comment --comment "Allow Samba to this host from anywhere" -j ACCEPT
# Transmission server
-A INPUT -p tcp -m tcp --dport 9091 -m comment --comment "Allow Transmission to this host from anywhere" -j ACCEPT
# Forwarding for OpenVPN clients (needs net.ipv4.ip_forward=1; pairs with the MASQUERADE rule in the nat table)
-A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic of forwarded connections" -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -o eth0 -m comment --comment "Forward OpenVPN client traffic to eth0" -j ACCEPT
# Reject rules
-A INPUT -m comment --comment "Reject all other inbound traffic, unless specified" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m comment --comment "Reject all other forwarded traffic, unless specified" -j REJECT --reject-with icmp-port-unreachable
-A f2b-openvpn -j RETURN
-A f2b-sshd -j RETURN
COMMIT
# Completed on Sun Feb 18 13:27:56 2018

A few notes on this set. The f2b-openvpn and f2b-sshd chains are the ones fail2ban manages; they are declared here so the file loads whether or not fail2ban has populated them yet. A jump into such a chain is not an ACCEPT: when the chain RETURNs, evaluation continues with the next rule in INPUT, so every protected port still needs its own ACCEPT after the jump. If your OpenVPN listens on UDP rather than TCP, add a matching udp rule for port 1194. Routing VPN clients out through eth0 needs the FORWARD rules together with net.ipv4.ip_forward=1 in /etc/sysctl.conf.

If you want to be more specific on a rule (e.g. SSH access), add a source network to it to further limit access:

# SSH server
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH to this host from the LAN only" -j ACCEPT
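To see how such a rule set actually evaluates a packet, here is an added example (my own Python, not part of the original post or of iptables): a small simulator that parses the *filter table of an iptables-save file and walks the INPUT chain for one packet, following jumps into user chains and honouring RETURN and the chain policy. It embeds a constructed, trimmed copy of the rules above in which the f2b-openvpn jump is kept but no ACCEPT for port 1194 follows it, so it shows the fall-through that makes fail2ban jump targets easy to get wrong: a chain that only RETURNs hands the packet back, and the next matching rule decides. Only the matches used on this page (-p, -i, -s, --dport(s), --state, --tcp-flags) are understood; connection state is whatever label you give the packet, and the nat table is ignored.

```python
"""Added example (not from the original post): evaluate one packet against the
*filter table of an iptables-save file the way netfilter does, following jumps
into user chains (fail2ban's f2b-*) and their RETURNs. A reading aid only."""
import ipaddress
import shlex

# Constructed sample: a trimmed copy of the post's INPUT rules. The f2b-openvpn
# jump is kept but no ACCEPT for port 1194 follows it, so that case falls through.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:f2b-openvpn - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "Block null packets" -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m comment --comment "Block new connections not starting with SYN" -j DROP
-A INPUT -i lo -m comment --comment "Allow localhost traffic" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 1194 -m comment --comment "OpenVPN via fail2ban" -j f2b-openvpn
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "SSH via fail2ban" -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 9091 -m comment --comment "Allow Transmission from LAN" -j ACCEPT
-A INPUT -m comment --comment "Reject everything else" -j REJECT --reject-with icmp-port-unreachable
-A f2b-openvpn -j RETURN
-A f2b-sshd -j RETURN
COMMIT
"""

def _ports(spec):  # "22", "137,138" and "4711:4720" forms
    return {p for part in spec.split(",") for lo, _, hi in [part.partition(":")]
            for p in range(int(lo), int(hi or lo) + 1)}

# iptables option -> (criterion, argument count, converter); "-m" only names a match module
OPTS = {"-p": ("proto", 1, str), "-i": ("iface", 1, str), "-j": ("target", 1, str),
        "--comment": ("comment", 1, str), "-s": ("src", 1, lambda s: ipaddress.ip_network(s, strict=False)),
        "--dport": ("dports", 1, _ports), "--dports": ("dports", 1, _ports), "-m": (None, 1, None),
        "--state": ("states", 1, lambda s: set(s.split(","))), "--tcp-flags": ("tcp_flags", 2, None)}

def parse_rule(tokens):
    """Tokens after '-A CHAIN' -> {criterion: value}; rule['neg'] holds the '!'-negated keys."""
    rule, i = {"neg": set()}, 0
    while i < len(tokens):
        negate = tokens[i] == "!"
        i += negate  # step over the '!' token
        key, n, conv = OPTS.get(tokens[i], (None, 0, None))
        args, i = tokens[i + 1:i + 1 + n], i + 1 + n
        if key == "tcp_flags":  # (mask, expected); "NONE" means no flag set
            rule[key] = tuple(set() if a == "NONE" else set(a.split(",")) for a in args)
        elif key:
            rule[key] = conv(args[0])
        if key and negate:
            rule["neg"].add(key)
    return rule

def parse_rules(text):
    """({chain: [rules]}, {chain: policy}) for the *filter table; other tables are skipped."""
    chains, policies, in_filter = {}, {}, False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], policy
        elif in_filter and line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
    return chains, policies

def matches(rule, pkt):
    """True when the packet satisfies every criterion of the rule, honouring '!'."""
    for key, want in rule.items():
        if key in ("neg", "comment", "target"):
            continue
        if key == "src":
            ok = ipaddress.ip_address(pkt["src"]) in want
        elif key == "tcp_flags":  # compare only the flags covered by the mask
            ok = (pkt.get("tcp_flags", set()) & want[0]) == (want[1] & want[0])
        elif key in ("dports", "states"):
            ok = pkt.get(key[:-1]) in want  # the packet carries 'dport' / 'state'
        else:
            ok = pkt.get(key) == want  # proto, iface
        if ok == (key in rule["neg"]):
            return False
    return True

def verdict(chains, policies, pkt, trace, chain="INPUT"):
    """ACCEPT/DROP/REJECT for the chain, or None when a user chain RETURNs or runs out."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("target")
        trace.append((chain, rule.get("comment", ""), target))
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in chains and (result := verdict(chains, policies, pkt, trace, target)) is not None:
            return result  # otherwise the user chain RETURNed: carry on with the next rule here
    policy = policies.get(chain)
    return None if policy in (None, "-") else policy

def decide(pkt, rules_text=SAMPLE_RULES):
    """(final verdict, [(chain, comment, target), ...] hops) for one packet dict."""
    trace = []
    return verdict(*parse_rules(rules_text), pkt, trace), trace
```

Feed it a NEW SYN packet from an outside address: tcp/22 ends in ACCEPT after the detour through f2b-sshd, tcp/1194 takes the same detour and then falls through to the REJECT, and tcp/9091 is rejected from outside but accepted from 192.168.1.0/24, which is the effect of the source-restricted rule shown above. A packet with no TCP flags hits the null-packet DROP first, and a NEW packet carrying only ACK hits the not-SYN DROP; both happen before any port-based rule is consulted, which is why those three rules sit at the top.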

We will now save this file so that Iptables loads it after each reboot or restart. The /etc/iptables/ directory and its rules.v4 come with the iptables-persistent package; if that is installed, its netfilter-persistent service already restores rules.v4 at boot, and the pre-up script in steps 8 to 10 is a belt-and-braces alternative that must point at the same file.
  1. Make yourself root:
    sudo -i
  2. Go to the Iptables folder:
    cd /etc/iptables/
  3. Back up the current rule set:
    cp -p rules.v4 rules.v4.ori
  4. Edit rules.v4 with vi, remove all entries and paste the rule set listed above:
    vi rules.v4
  5. List your current Iptables rules:
    iptables -L -n -v
  6. Import the new rule set (iptables-restore --test parses the file without applying it and catches typos first; if you are connected over SSH, keep this session open and confirm from a second one that you can still log in):
    iptables-restore < /etc/iptables/rules.v4
  7. List your Iptables rules again and you should see the new rule set applied:
    iptables -L -n -v
  8. Make the rules survive a reboot by creating this pre-up file:
    vi /etc/network/if-pre-up.d/iptables
  9. Add this content to the file (it must restore the same file you edited in step 4):
    #!/bin/sh
    /sbin/iptables-restore < /etc/iptables/rules.v4
  10. Make the file executable:
    chmod +x /etc/network/if-pre-up.d/iptables
  11. Reboot to test.
If you later want to add or change rules, either edit rules.v4 (those changes persist) or add them on the command line to the running configuration. In the latter case, dump the running configuration into rules.v4 afterwards, or the change is lost at the next reboot:
iptables-save > /etc/iptables/rules.v4

Monday, June 5, 2017

Trying to find what process is using a certain port

If you quickly want to know which process is listening on a certain TCP port, use the following command (add -u to include UDP sockets; sudo is needed to see the process names behind sockets owned by other users):

pi@server:~ $ sudo ss -lptn 'sport = :443'
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
LISTEN     0      128                       *:443                      *:*      users:(("nginx",pid=29909,fd=8),("nginx",pid=29908,fd=8),("nginx",pid=29907,fd=8),("nginx",pid=29906,fd=8),("nginx",pid=29905,fd=8))
LISTEN     0      128                      :::443                     :::*      users:(("nginx",pid=29909,fd=9),("nginx",pid=29908,fd=9),("nginx",pid=29907,fd=9),("nginx",pid=29906,fd=9),("nginx",pid=29905,fd=9))

GPG error: http://ftp.debian.org jessie-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010


If you run into this when trying to install certbot from jessie-backports on Debian, the following fixes it (step 1 has probably been done already). Prefer the archive keys fetched from ftp-master.debian.org over the keyserver fallback on the last line, and compare `apt-key fingerprint` with the fingerprints Debian publishes before running apt-get update. Note that jessie and apt-key are both long end-of-life; on current releases, keys belong in /etc/apt/trusted.gpg.d/ or a signed-by keyring.

echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee  /etc/apt/sources.list.d/backports.list
sudo -i
wget -O - https://ftp-master.debian.org/keys/archive-key-8.asc | apt-key add -
wget -O - https://ftp-master.debian.org/keys/archive-key-8-security.asc | apt-key add -
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
apt-get update

Tip from here.


Saturday, May 20, 2017

Raspbian Jessie NFS mounts fail because of rpcbind service not running

Do you have NFS mounts on your Raspbian that you want to come up after a reboot, or that fail to mount with an error that rpc.statd or rpcbind is not running?

pi@raspi1:~ $ sudo mount /mnt/nfsserver/backups
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
pi@raspi1:~ $ sudo /etc/init.d/rpcbind start
[ ok ] Starting rpcbind (via systemctl): rpcbind.service.
pi@raspi1:~ $ sudo mount /mnt/nfsserver/backups

You have now fixed this manually once, but after the next reboot the fix is gone again. Make it permanent with the steps below, taken from this great help.

0. Assumptions
You have a working NFS mount on your Raspbian which is or can be mounted and configured e.g. into /etc/fstab

1. Make yourself root
su -

2. Create /etc/systemd/system/nfs-common.service
cat >/etc/systemd/system/nfs-common.service <<\EOF
[Unit]
Description=NFS Common daemons
Wants=remote-fs-pre.target
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/init.d/nfs-common start
ExecStop=/etc/init.d/nfs-common stop

[Install]
WantedBy=sysinit.target
EOF

Copy paste the above and hit ENTER

3. Create /etc/systemd/system/rpcbind.service
cat >/etc/systemd/system/rpcbind.service <<\EOF
[Unit]
Description=RPC bind portmap service
After=systemd-tmpfiles-setup.service
Wants=remote-fs-pre.target
Before=remote-fs-pre.target
DefaultDependencies=no

[Service]
ExecStart=/sbin/rpcbind -f -w
KillMode=process
Restart=on-failure

[Install]
WantedBy=sysinit.target
Alias=portmap
EOF

Copy paste the above and hit ENTER

4. Create /etc/tmpfiles.d/rpcbind.conf
cat >/etc/tmpfiles.d/rpcbind.conf <<\EOF
#Type Path        Mode UID  GID  Age Argument
d     /run/rpcbind 0755 root root - -
f     /run/rpcbind/rpcbind.xdr 0600 root root - -
f     /run/rpcbind/portmap.xdr 0600 root root - -
EOF

Copy paste the above and hit ENTER

5. Configure the services to run at startup
systemctl enable rpcbind.service
systemctl enable nfs-common

Copy paste the above and hit ENTER

6. Reboot and check if your NFS mount is there now
pi@raspi1:~ $ mount
nfsserver:/volume1/backups/raspi on /mnt/nfsserver/backups type nfs

Sunday, November 27, 2016

Completely remove the z-way-server from your Raspberry Pi

0. Be root

1. Stop the z-way-server processes. Send a normal TERM signal first and use -s 9 only for a process that refuses to exit:
kill -s 9 PID   (replace PID with the process ID of the z-way-server process)

2. Remove all dirs with z-way-server files
rm -rf /etc/zbw* && rm -rf /etc/*/zbw* && \
rm -rf /etc/*/z-way* && rm -rf /opt/z-way-server/* && rm -rf /etc/z-way* && \
rm -rf /etc/rc*.d/*z-way-server && rm -rf /opt/z-way-server && \
rm -rf /run/z-way-server.pid && rm -rf /run/systemd/*/z-way-server.service && \
rm -rf /var/webif/lib/*_z-way* && rm -rf /var/log/z-way-server.log && \
rm -rf /var/webif/lib/._set_z-way* && rm -rf /var/webif/lib/._get_z-way*

3. Reboot

Sunday, November 20, 2016

Enable HTTPS for EmonCMS on Raspbian

Our EmonCMS installation at home currently runs over plain HTTP, which is not secure at all: the login password crosses the network in cleartext. Enabling HTTPS is a must; however, a small tweak to the AllowOverride option is needed for it to work.
Tip: if HTTPS is enabled but logging in keeps returning the login screen with the message 'undefined', the AllowOverride fix explained below is what you need.

Check if HTTPS is already enabled for your Apache installation:

root@raspi1:~# netstat -an | grep LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
As you can see, nothing is listening on port 443 (HTTPS) yet, so we need to enable the HTTPS configuration for Apache.

Enable the default HTTPS (SSL) configuration for Apache:

1. Check if the SSL module is already enabled for Apache.
root@raspi1:~# ls -l /etc/apache2/mods-enabled/*ssl*
root@raspi1:~#

If nothing is returned, the module is not enabled yet and needs to be linked from /etc/apache2/mods-available/ (a2enmod ssl creates the same two links).

2. Make a symbolic link for the SSL module.
root@raspi1:~# cd /etc/apache2/mods-enabled/
root@raspi1:~# ln -s ../mods-available/ssl.conf ssl.conf
root@raspi1:~# ln -s ../mods-available/ssl.load ssl.load

3. Make a symbolic link for the SSL site config (a2ensite default-ssl does the same). The default site uses the self-signed "snakeoil" certificate from the ssl-cert package, so browsers will warn until you replace it with a certificate of your own.
root@raspi1:~# cd /etc/apache2/sites-enabled/
root@raspi1:~# ln -s ../sites-available/default-ssl 000-default-ssl

4. Change two lines in the site config: AllowOverride None becomes All, so that EmonCMS's .htaccess is honoured. Strictly, only the <Directory /var/www/> block needs it; AllowOverride All on <Directory /> lets any .htaccess Apache can read override the server configuration, so keep the change to the document root if you can.
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                #Changed None to All on 18/11/2016
                AllowOverride All
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                #Changed None to All on 18/11/2016
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

5. Restart your Apache now.
root@raspi1:~# /etc/init.d/apache2 restart

This tip came from here.