Raspbian Setup, Security and Remote Access
NOOBS is the easiest way to set up Raspbian. You can download it here
The guide basically tells you to do two things:
- Use SDFormatter to format the MicroSD card.
- Unzip the downloaded NOOBS zip, and copy all files inside the unzipped folder onto the formatted MicroSD card.
That's it. Put the MicroSD card back into the Raspberry Pi, select Raspbian, change the language at the bottom to US, wait a few minutes, and you are all set.
On the Raspberry Pi 3 B+, the MicroSD card that came pre-loaded wouldn't boot the system. Apparently, this particular Raspberry Pi needed a version past March or this would happen. Doing the NOOBS process above made it work.
If you are planning to open this unit to the internet, then this section is very important to avoid security breaches.
The Raspberry Pi website security page does a good job covering most of the necessary steps; however, it misses some important ones, so read this page first BEFORE following it.
Specifically, before deleting the pi user, you must add the other accounts to all the groups pi belongs to. At the time of writing, these were the groups:
pi adm dialout cdrom **sudo** audio video plugdev games users netdev input spi i2c gpio
This code can handle the process:
for GROUP in adm dialout cdrom sudo audio video plugdev games users netdev input spi i2c gpio; do sudo adduser <username> "$GROUP"; done
Of course, only add the necessary users to sudo.
If you did not delete the pi user, check the list of groups it belongs to, to be certain it matches the one above. See this link for further details on this.
Remember you must do this for every user. Should you fail to do so, the most noticeable and annoying symptom is the wifi option showing as disabled in the GUI.
In essence, there are 4 things you want to make sure you did by the end of the tutorial above:
- Wipe the pi user out of the unit. It gets loads of attack attempts. No need to clutter auth.log and gamble. If you remove it properly, it won't affect the GUI (see troubleshooting for what I mean).
- Change the ssh port to something else. It keeps auth.log clean from script kiddies.
- Make sudo require a password. This one is critical. You don't want anyone to freely roam as sudo, even on the Pi.
- Public key only: disable username/password authentication! Trust me, you will get hacked.
- Wipe the pi user out of the unit: When following the guide, you will likely get a message saying a process is running, so you can't delete the pi user completely. If you log out and then log in as your alternative user, a pesky tty1 process will always be there, and it instantly comes back if you kill it.
  - To solve this, you need to guarantee that after a restart you are prompted to select a user, instead of being logged in automatically as one of them. Use
    sudo raspi-config
    and select the option which lets you choose how to boot. Then choose the setting that lets the person choose which user to log in as. Reboot, and then log in for the first time as any user other than pi. The pesky tty1 process will not be there, and you can delete the pi user.
- Make sudo require a password. There is just a minor nuisance here. The file's permissions are read-only, even for the root user. You will need to grant at least root write permission via chmod 600, edit the file, and then make it read-only again with chmod 440. For a refresher on the codes, see this link.
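The four points listed above can be checked after the fact. The script below is an added example, not part of the original guide or the official page: it audits `sshd -T` output, sudoers files and passwd/group files for those points. The function names, the user name alice and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the four hardening points.
# Every function prints one line per finding and nothing when its check passes.

# The page's list of groups the pi user belonged to.
PI_GROUPS="adm dialout cdrom sudo audio video plugdev games users netdev input spi i2c gpio"

# stdin: effective sshd settings as printed by `sshd -T` (lowercase "keyword value").
audit_sshd() {
    awk '
        $1 == "port" && $2 == "22" { print "ssh: still on default port 22" }
        $1 == "passwordauthentication" && $2 != "no" { print "ssh: password login enabled" }
        $1 == "pubkeyauthentication" && $2 != "yes" { print "ssh: public key login disabled" }
    '
}

# args: sudoers files. Flags every uncommented rule that carries NOPASSWD.
audit_sudoers() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '!/^[ \t]*#/ && /NOPASSWD/ { print "sudo: no password required (" f "): " $0 }' "$f"
    done
}

# $1: passwd-format file, $2: group-format file, $3: the replacement user.
# Flags a surviving pi account and every group from PI_GROUPS the user is not in.
audit_accounts() {
    if grep -q '^pi:' "$1"; then echo "account: pi user still exists"; fi
    awk -F: -v u="$3" -v want="$PI_GROUPS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        ($1 in need) && index("," $4 ",", "," u ",") { delete need[$1] }
        END { for (i = 1; i <= n; i++) if (w[i] in need) print "groups: " u " not in " w[i] }
    ' "$2"
}

# Constructed sample: a half-hardened unit (port moved, passwords still allowed).
demo() {
    printf 'port 2222\npasswordauthentication yes\npubkeyauthentication yes\n' | audit_sshd
}
demo

# Live use, as root (alice is a hypothetical user name):
#   sshd -T | audit_sshd
#   audit_sudoers /etc/sudoers /etc/sudoers.d/*
#   audit_accounts /etc/passwd /etc/group alice
```

Reading `sshd -T` rather than the config file means defaults and included files are already resolved, so a setting that was never written down still shows up.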
See how to set up ssh. Make sure you went through the security section above first, and disabled username and password authentication!
We use port forwarding in the lab. Check with Ryan or Carlos on how to do this. Other alternatives are listed in the official page:
https://www.raspberrypi.org/documentation/remote-access/access-over-Internet/