Don’t Read This If You Hate Linux

We need to set up the little Raspberry Pi clients.  These were courtesy of the folks at MCM Electronics who loved the project and generously donated five RPis.

Server: FOMOphobia Clients (RPi)

OS: Debian 7.1 (Raspbian/Wheezy via NOOBS)

Setting up a fresh install of Debian. I wanna make sure I take good notes so this is replicable. I have to make a bunch of these.

Did nothing so far except go through the NOOBS install menu, whose default brought up Debian 7.1/Raspbian.

Things I know I need to do:

  1. Change the hostname and MOTD
  2. Create my own personal login and add to sudo
  3. Disable pi account
  4. Enable firewall? (does Debian have iptables)
  5. Update OS
  6. Redirect root mail
  7. Install denyhosts
  8. Block most ssh logins
  9. Install apps and stuff
  10. Configure wireless adaptor

Okay, first su to root:

pi@raspberrypi ~ $ sudo su -

Change the hostname and motd

This is a minor detail, but I can’t tell you how many times I’ve logged into a server and not been able to tell exactly which server I was on. I won’t shame myself and tell you how many times I’ve done a destructive command on the wrong server.

root@raspberrypi:~# hostname fomo1.modes.io
root@raspberrypi:~# vi /etc/motd
Welcome to fomo1.modes.io (Linux fomo1.modes.io 3.6.11+ #474 PREEMPT Thu Jun 13 17:14:42 BST 2013 armv6l GNU/Linux)

Create my own personal login and add to sudo

Sudo is a program that allows ordinary users to quickly run privileged commands as root. This means you don’t have to have people (including me) log in as root, which has its own security risks.

Add my user account:

root@raspberrypi:~# adduser wmodes
Adding user `wmodes' ...
Adding new group `wmodes' (1002) ...
Adding new user `wmodes' (1001) with group `wmodes' ...
Creating home directory `/home/wmodes' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for wmodes
Enter the new value, or press ENTER for the default
 Full Name []: Wes Modes
 Room Number []:
 Work Phone []:
 Home Phone []:
 Other []:
Is the information correct? [Y/n]
root@raspberrypi:~# vi /root/.bashrc
export EDITOR=/usr/bin/vi
root@raspberrypi:~# . ~/.bashrc
root@raspberrypi:~# echo $EDITOR
/usr/bin/vi
root@raspberrypi:~# visudo
%sysadmin ALL=(ALL) ALL
modes@fomo1 ~ $ sudo su -
sudo: unable to resolve host fomo1.modes.io
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
 #2) Think before you type.
 #3) With great power comes great responsibility.
[sudo] password for wmodes: 
root@fomo1:~#

(The "unable to resolve host" line is sudo warning that the new name is not in /etc/hosts; note also that the hostname command on its own only sets the name until the next reboot.)

Disable pi account

root@fomo1:~# which nologin
/usr/sbin/nologin
root@fomo1:~# usermod -s /usr/sbin/nologin pi
root@fomo1:~# grep pi /etc/passwd
pi:x:1000:1000:,,,:/home/pi:/usr/sbin/nologin

Update OS

root@fomo1:~# sudo apt-get update
root@fomo1:~# sudo apt-get upgrade

This generates pages and pages and pages of info, usually too fast to read.

Okay, done.

Get the Certificate Authority certificates

root@fomo1:~# apt-get install ca-certificates

Update Firmware and Kernel

  1. Install the git core using sudo apt-get install git-core
  2. Get rpi-update from github using wget https://github.com/Hexxeh/rpi-update/raw/master/rpi-update
  3. sudo cp rpi-update /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update
  4. Update the GPU firmware and kernel using sudo rpi-update

Here we go:

root@raspberrypi:~# apt-get install git-core
Reading package lists... Done
Building dependency tree 
Reading state information... Done
git-core is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@raspberrypi:~# wget https://github.com/Hexxeh/rpi-update/raw/master/rpi-update^C
root@raspberrypi:~# cd
root@raspberrypi:~# wget https://github.com/Hexxeh/rpi-update/raw/master/rpi-update
--2013-11-23 07:38:29-- https://github.com/Hexxeh/rpi-update/raw/master/rpi-update
Resolving github.com (github.com)... 192.30.252.128
Connecting to github.com (github.com)|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Hexxeh/rpi-update/master/rpi-update [following]
--2013-11-23 07:38:36-- https://raw.github.com/Hexxeh/rpi-update/master/rpi-update
Resolving raw.github.com (raw.github.com)... 199.27.77.133
Connecting to raw.github.com (raw.github.com)|199.27.77.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7174 (7.0K) [text/plain]
Saving to: `rpi-update'
100%[==============================================================================================>] 7,174 --.-K/s in 0.002s
2013-11-23 07:38:42 (3.58 MB/s) - `rpi-update' saved [7174/7174]
root@raspberrypi:~# cp rpi-update /usr/bin/rpi-update && sudo chmod +x 
chmod: missing operand after `+x'
Try `chmod --help' for more information.
root@raspberrypi:~# cp rpi-update /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update
root@raspberrypi:~# rpi-update
 *** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS
 *** Performing self-update

Reboot and check everything still works!

Enable firewall?

A firewall blocks incoming connections on ports you are not using. It can also restrict access to particular local networks, individual hosts or users, and so on. The classic host firewall on Unix systems is iptables.

iptables is not installed on the RPi by default. But it seems important that an internet-connected installation be protected from attack.

Install it:

root@raspberrypi:~# apt-get install iptables-persistent
Reading package lists... Done
Building dependency tree 
Reading state information... Done
The following NEW packages will be installed:
 iptables-persistent
0 upgraded, 1 newly installed, 0 to remove and 65 not upgraded.
Need to get 10.3 kB of archives.
After this operation, 61.4 kB of additional disk space will be used.
Get:1 http://mirrordirector.raspbian.org/raspbian/ wheezy/main iptables-persistent all 0.5.7 [10.3 kB]
Fetched 10.3 kB in 0s (14.4 kB/s) 
Preconfiguring packages ...
Selecting previously unselected package iptables-persistent.
(Reading database ... 62275 files and directories currently installed.)
Unpacking iptables-persistent (from .../iptables-persistent_0.5.7_all.deb) ...
update-rc.d: using dependency based boot sequencing
Setting up iptables-persistent (0.5.7) ...
ip6tables v1.4.14: can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
IPv6: Unable to save (table filter isn't available or module not loadable)
[ ok ] Loading iptables rules... IPv4... skipping IPv6 (no rules to load)...done.
root@raspberrypi:~# vi /etc/iptables/rules.v4
# Generated by iptables-save v1.4.14 on Sat Nov 23 06:55:32 2013
# Generated by iptables-save v1.4.14 on Sat Nov 23 08:00:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [65:6492]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 161 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I do a reboot to see if iptables is on when we reboot. Let’s see…

root@raspberrypi:~# iptables-save 
# Generated by iptables-save v1.4.14 on Sat Nov 23 08:02:25 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100:10612]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 161 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Nov 23 08:02:25 2013

Sweet.
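A quick way to audit a ruleset like the one above before rebooting on it, as an added example rather than the post's own commands: the script lists every port the INPUT chain opens to new connections, flags those not on an allow-list (the rules above also open 161, which is SNMP, and 5666, which is Nagios NRPE, neither of which a client like this is likely to need), and checks that the chain ends in a catch-all REJECT. The ruleset embedded in it is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Audit an iptables-save ruleset: list the ports the INPUT chain opens to NEW
# connections, flag any outside an allow-list, and confirm the chain ends in a
# catch-all REJECT/DROP. Added example, not part of the original setup notes.

# Constructed sample modelled on the rules.v4 above (161 = SNMP, left open).
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [65:6492]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 161 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# open_ports FILE -> one "proto/port" per INPUT rule that ACCEPTs NEW traffic on a port.
open_ports() {
    awk '/^-A INPUT / && /--state NEW/ && /--dport/ && /-j ACCEPT/ {
        p = ""; d = ""
        for (i = 1; i <= NF; i++) { if ($i == "-p") p = $(i+1); if ($i == "--dport") d = $(i+1) }
        print p "/" d
    }' "$1"
}

# unexpected_ports "tcp/22 tcp/443" FILE -> the open ports that are not on the allow-list.
unexpected_ports() {
    allow="$1"
    open_ports "$2" | while read -r port; do
        case " $allow " in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# input_default_deny FILE -> 0 if the last INPUT rule is an unconditional REJECT or DROP.
input_default_deny() {
    last=$(grep '^-A INPUT ' "$1" | tail -n 1)
    case "$last" in
        "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*) return 0 ;;
        *) return 1 ;;
    esac
}

echo "Open ports not on the allow-list:"
unexpected_ports "tcp/22" "$SAMPLE_RULES"          # tcp/161 and udp/161
input_default_deny "$SAMPLE_RULES" && echo "INPUT chain ends in a default deny"
```

On a live box, point the functions at /etc/iptables/rules.v4 (or at a file written by iptables-save) to compare what is actually loaded against what you meant to open.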

Redirect root mail

The root account gets a lot of the internal reports from the system. By default root just has a mailbox on the system, which is not very useful if it is a remote system that you seldom log in to. So we can forward root mail to another, more accessible account.

Okay, postfix isn’t even installed and I’m not sure I want it to be right now. So we’ll hold off on this.

Install denyhosts

denyhosts is an amazing program that monitors attempts to access the system. If someone tries and fails to access the system more than some number of times, the system locks that IP address out on all ports.

root@raspberrypi:~# apt-get install denyhosts
Reading package lists... Done
Building dependency tree 
Reading state information... Done
The following NEW packages will be installed:
 denyhosts
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 74.2 kB of archives.
After this operation, 377 kB of additional disk space will be used.
Get:1 http://mirrordirector.raspbian.org/raspbian/ wheezy/main denyhosts all 2.6-10 [74.2 kB]
Fetched 74.2 kB in 0s (92.3 kB/s)
Selecting previously unselected package denyhosts.
(Reading database ... 62267 files and directories currently installed.)
Unpacking denyhosts (from .../denyhosts_2.6-10_all.deb) ...
Processing triggers for man-db ...
Setting up denyhosts (2.6-10) ...
[ ok ] Starting DenyHosts: denyhosts.

And I’m installing this replacement for CentOS/Red Hat chkconfig:

root@raspberrypi:~# sudo apt-get install sysv-rc-conf

Block most ssh logins

ssh stands for secure shell. It is very secure if used right; however, user accounts and their passwords are the biggest weakness. So we turn off logins for everything but my personal sysadmin account, and we even forbid logging in as root from a remote system.

root@raspberrypi:~# vi /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers wmodes
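One trap with the two lines above: sshd uses the first uncommented occurrence of a keyword in sshd_config, so a PermitRootLogin no appended at the end loses to the PermitRootLogin yes that Debian 7 shipped uncommented higher up in the file. This added example (not from the post) reports the value sshd will actually use and checks the two settings above against a constructed sshd_config; the function names are hypothetical.

```shell
#!/bin/sh
# Report the value sshd will actually use for a keyword. sshd takes the FIRST
# uncommented occurrence of each keyword in sshd_config, so a "PermitRootLogin no"
# appended at the end of the file loses to an earlier "PermitRootLogin yes".
# Example added for this post; not part of the original setup notes.

# Constructed sample: Debian 7 shipped PermitRootLogin yes uncommented, and here
# the two hardening lines from the post were simply appended at the end.
SAMPLE_SSHD=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD"' EXIT
cat > "$SAMPLE_SSHD" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
PermitRootLogin no
AllowUsers wmodes
EOF

# effective_value FILE KEYWORD -> prints the first active value (keyword match is
# case-insensitive, comments and blank lines are skipped); prints nothing if unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_sshd FILE -> 0 if root login is off and AllowUsers restricts logins;
# otherwise prints what is wrong and returns 1.
check_sshd() {
    rc=0
    if [ "$(effective_value "$1" PermitRootLogin)" != "no" ]; then
        echo "PermitRootLogin is effectively '$(effective_value "$1" PermitRootLogin)'"
        rc=1
    fi
    if [ -z "$(effective_value "$1" AllowUsers)" ]; then
        echo "AllowUsers is not set"
        rc=1
    fi
    return $rc
}

if check_sshd "$SAMPLE_SSHD"; then echo "sshd_config OK"; fi   # reports root login still on
```

sshd only rereads the file when restarted (service ssh restart), so keep the current session open until a fresh login as wmodes succeeds.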

Install apps and stuff

Not sure yet what apps I’ll install. We’ll hold off on this.

Configure wireless adaptor

So with the RPi, you have to do some magic to make the wireless network adapter work.

We’ll set up UCSC’s eduroam for now, though ultimately FOMOphobia will use a private wireless network in the form of a wireless router plugged into a network jack.

Here’s a good reference on how to configure Debian WiFi from the command line:
https://wiki.debian.org/WiFi/HowToUse#Command_Line

root@raspberrypi:~# iwlist scan
lo Interface doesn't support scanning.
eth0 Interface doesn't support scanning.
wlan0 Scan completed :
 Cell 02 - Address: 00:27:0D:71:5C:72
 ESSID:"eduroam"
 Protocol:IEEE 802.11g
 Mode:Master
 Frequency:2.412 GHz (Channel 1)
 Encryption key:on
 Bit Rates:54 Mb/s
 Extra:rsn_ie=30140100000fac040100000fac040100000fac012800
 IE: IEEE 802.11i/WPA2 Version 1
 Group Cipher : CCMP
 Pairwise Ciphers (1) : CCMP
 Authentication Suites (1) : 802.1x
 Quality=47/100 Signal level=64/100 
 Cell 04 - Address: 00:27:0D:71:5B:32
 ESSID:"eduroam"
 Protocol:IEEE 802.11g
 Mode:Master
 Frequency:2.437 GHz (Channel 6)
 Encryption key:on
 Bit Rates:54 Mb/s
 Extra:rsn_ie=30140100000fac040100000fac040100000fac012800
 IE: IEEE 802.11i/WPA2 Version 1
 Group Cipher : CCMP
 Pairwise Ciphers (1) : CCMP
 Authentication Suites (1) : 802.1x
 Quality=100/100 Signal level=96/100

Apparently to use WPA-EAP I need to install wpa_supplicant.

root@raspberrypi:~# aptitude update
root@raspberrypi:~# aptitude install wpasupplicant
root@raspberrypi:~# vi /etc/network/interfaces
auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
 wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
root@raspberrypi:~# vi /etc/wpa_supplicant/wpa_supplicant.conf
# WPA2-EAP/CCMP using PEAP with MSCHAPv2 as the inner (phase 2) method
ctrl_interface=/var/run/wpa_supplicant
network={
 ssid="eduroam"
 key_mgmt=WPA-EAP
 eap=PEAP
 phase2="MSCHAPV2"
 anonymous_identity="anonymous@ucsc.edu"
 identity="wmodes@ucsc.edu"
 password="xxxxxxxxxxxxxxx"
 # no ca_cert is set, so the authentication server's certificate is not verified
}
root@raspberrypi:~# ifup wlan0
ioctl[SIOCSIWAP]: Operation not permitted
ioctl[SIOCSIWENCODEEXT]: Invalid argument
ioctl[SIOCSIWENCODEEXT]: Invalid argument
Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/wlan0/80:1f:02:be:dd:be
Sending on LPF/wlan0/80:1f:02:be:dd:be
Sending on Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 6
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 7
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPOFFER from 1.1.1.1
DHCPACK from 1.1.1.1
bound to 169.233.224.75 -- renewal in 6579 seconds.
root@raspberrypi:~# ifconfig
eth0 Link encap:Ethernet HWaddr b8:27:eb:3b:00:fd 
 inet addr:128.114.74.253 Bcast:128.114.75.255 Mask:255.255.254.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:25841 errors:0 dropped:0 overruns:0 frame:0
 TX packets:3971 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:3601275 (3.4 MiB) TX bytes:720553 (703.6 KiB)
lo Link encap:Local Loopback 
 inet addr:127.0.0.1 Mask:255.0.0.0
 UP LOOPBACK RUNNING MTU:16436 Metric:1
 RX packets:8 errors:0 dropped:0 overruns:0 frame:0
 TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0 
 RX bytes:1104 (1.0 KiB) TX bytes:1104 (1.0 KiB)
wlan0 Link encap:Ethernet HWaddr 80:1f:02:be:dd:be 
 inet addr:169.233.224.75 Bcast:169.233.255.255 Mask:255.255.224.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:75 errors:0 dropped:841 overruns:0 frame:0
 TX packets:45 errors:0 dropped:2 overruns:0 carrier:0
 collisions:0 txqueuelen:1000 
 RX bytes:101814 (99.4 KiB) TX bytes:33028 (32.2 KiB)

Configure Serial Port

The RPi has the ability to connect an old-skool serial console to its GPIO pins.  However this gets in the way of using the serial port to talk to other serial peripherals.

So we install a simple script to easily enable & disable the Raspberry Pi’s serial console. Disabling the serial console is required if you want to use the Raspberry Pi’s serial port (UART) to talk to other devices e.g. microcontrollers (see http://elinux.org/RPi_Serial_Connection for more information).

root@raspberrypi:~# wget https://raw.github.com/lurch/rpi-serial-console/master/rpi-serial-console -O /usr/bin/rpi-serial-console && sudo chmod +x /usr/bin/rpi-serial-console
--2013-11-23 08:31:23-- https://raw.github.com/lurch/rpi-serial-console/master/rpi-serial-console
Resolving raw.github.com (raw.github.com)... 199.27.77.133
Connecting to raw.github.com (raw.github.com)|199.27.77.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2829 (2.8K) [text/plain]
Saving to: `/usr/bin/rpi-serial-console'
100%[==============================================================================================>] 2,829 --.-K/s in 0.001s
2013-11-23 08:31:29 (2.18 MB/s) - `/usr/bin/rpi-serial-console' saved [2829/2829]
root@raspberrypi:~# logout
wmodes@raspberrypi ~ $ sudo su -
[sudo] password for wmodes: 
root@raspberrypi:~# rpi-serial-console status
Serial console on /dev/ttyAMA0 is enabled
root@raspberrypi:~# rpi-serial-console disable
Serial console has been disabled, a reboot is required to make this take effect
root@raspberrypi:~# reboot
Broadcast message from root@raspberrypi (pts/0) (Sat Nov 23 08:32:35 2013):
The system is going down for reboot NOW!

Then after reboot

root@raspberrypi:~# rpi-serial-console status
Serial console on /dev/ttyAMA0 is disabled
