This week, in an almost desperate attempt to fix a symptom because no root cause has been detected, a machine reboot has been scheduled. When I was starting out in Linux system administration I realized that there’s no need to reboot a Linux system in general, only in very specific scenarios.
Although the production environments at work are now over a year of uptime, I feel particularly proud that a humble, and quite old, RaspberryPi for testing purposes at home has reached 76 days of uptime. It needs to be said that I never take care of the power supply, and I reboot that little one every time this is the shortest path to solving anything on it.
I’m subscribed to the Opensource.com newsletter and earlier I read an informative post, “Set up a minimal server on a Raspberry Pi”.
I’ve applied three tips from the post and my minimal Raspberry Pi with 512M RAM has gained more than 100M.
The three tips I’ve applied have been: disable Bluetooth, disable IPv6 and disable audio.
I run a RaspberryPi inside my home network with ssh access allowed. One of the first things I did was to install the fail2ban package.
I know this is not enough by far. A really secure configuration requires more intelligence in it, but I left it that way just to check how many penetration attempts I’ll see.
After a quick review of the /var/log/fail2ban.log file I noticed that almost everything was ssh attempts to log in to the system. That is perfectly normal, because the system only exposes a web server and the sshd daemon.
An easy and fast way to secure your home systems with ssh is to edit the /etc/hosts.allow and /etc/hosts.deny files to specify which IPs are allowed to log in via ssh and deny all the rest. You may do the same secure configuration via /etc/ssh/sshd_config, which requires more ssh knowledge, and I prefer to dedicate another post to it.
To allow your home network, edit your /etc/hosts.allow and add:
# this allows your local LAN
sshd: 192.168.0.0/24
# this allows your localhost
sshd: 127.0.0.1
To deny any other IP edit your /etc/hosts.deny and add:
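The lookup order behind these two files, as an added example that is not from the original post: a simplified Python model of how tcp_wrappers consults hosts.allow first and hosts.deny second. The allow rules are the post's; the `sshd: ALL` deny rule, the function names and the test addresses are assumptions, since the post's deny entry is not shown.

```python
import ipaddress

# Allow rules from the post, with each comment on its own line.
HOSTS_ALLOW = """\
# local LAN
sshd: 192.168.0.0/24
# localhost
sshd: 127.0.0.1
"""
# Assumption: the post's deny entry is not shown; a catch-all is used here.
HOSTS_DENY = "sshd: ALL\n"

def parse(text):
    """Return [(daemons, clients)] from access-file text, skipping comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(), clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # prefix form such as "192.168.0."
        return str(ip).startswith(pattern)
    try:
        return ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:                 # hostnames and other wildcards are not modelled
        return False

def file_matches(text, daemon, ip):
    return any((daemon in d or "ALL" in d) and any(client_matches(c, ip) for c in cl)
               for d, cl in parse(text))

def decide(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Allow file first, then deny file; no match in either means access is granted."""
    ip = ipaddress.ip_address(addr)
    if file_matches(allow, daemon, ip):
        return "allow"
    if file_matches(deny, daemon, ip):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for addr in ("192.168.0.42", "127.0.0.1", "203.0.113.9"):
        print(addr, decide("sshd", addr), "| empty hosts.deny:", decide("sshd", addr, deny=""))
```

With an empty hosts.deny the outside address is still granted access, which is why the allow entries alone restrict nothing. The files only take effect when sshd is linked against libwrap (upstream OpenSSH removed that support in 6.7, while Debian-derived packages patch it back in), which `ldd /usr/sbin/sshd | grep libwrap` will confirm.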
I’m setting up an old Raspberry Pi and I was stuck at the WiFi configuration. So I may leave the ethernet cable plugged in (it gives the network up & running with a plus of physical security) or just simply let it go.
Why make the effort when there’s the “easy way”? Because you learn. And btw, as I usually say, I’m not the first one facing this problem with “Failed to connect to non-global ctrl_ifname: (null) error: No such file or directory”.
In parallel I’m setting up a mini-server with RAID-1 and found myself facing the same choice. I chose, obviously, to get into problems, but now I know how to get into the BIOS to set up two hard disks to build the RAID-1.
Next steps with the Raspberry Pi? Uhmmm… I don’t really know, probably I’ll choose something simple but useful since it’s an old one with only 512 Mb memory.
I wrote about why I decided to play with a nicely gifted Raspberry Pi Model I.
So far, a short list of skills revisited or even improved during the setting up process:
- File system management: a basic skill, you need to format an SD card, copy a raw image and make sure it is OK
- Network management: including fixing an IP for the Raspberry instead of DHCP, DDNS configuration, port redirection from the router to the Raspberry, and wireless command-line commands
- Troubleshooting in general: which is the least easy way of learning but quite effective. For instance, how do you enable ssh in a Raspberry headless installation? By creating an empty ssh file in the root directory of your installation image.
- Command line: I like the command line, but it is never enough. I’ve been forced to use the apt command line instead of dnf or yum since Raspbian is a Debian-based distro while I’m a Red Hat / CentOS / Fedora user.
A few lines similar to a changelog with changes made in the Raspberry Pi 1:
- Custom terminal behaviour by using .vimrc and .bashrc
- Custom MOTD by adding a bit of ASCII art that makes it clear I’m logging into the Raspberry
- Little security improvement: sudo commands ask for the root password instead of the user password. That way, two different passwords are necessary for privileged commands
- Install the dnsutils package, since it is not there in a minimal Raspbian default installation
Now a short list of to-do items:
- Planning to install fail2ban; I consider it “a must” until I get the next point of this list up and running
- Install OpenVPN in order to create a VPN endpoint and add security for connections from outside home
One more reason: at the end of last year Red Hat announced it’s going to support the ARM architecture. So, although most RaspberryPi users install Raspbian, it’s worth remembering there’s Pidora, which is closer to the Red Hat way, knowing it’s not the same distro for sure.