Some Raspberry Pi security and minimum SD card writing

Kred to Torkel and his tremendous work with WOSPi. Take a look at: http://meteo.annoyingdesigns.com

Download and install Raspbian LITE image.

Copy the “LITE” to SD card with Win32DiskImager

Add an empty file with name “ssh” without extension. That gives you ssh access (headless boot).

If you need to login to a wireless network upon boot add i file called wpa_supplicant.conf

and with the following content

country=NO

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev

update_config=1

network={

ssid=”steinsland.net”

scan_ssid=1

psk=”xxyy”

key_mgmt=WPA-PSK

}

Find your Raspberry IP “Advanced IP Scanner” is a good tool, and Connect with “Putty” user:pi PW: raspberry

sudo raspi-config

Expand file

Internationalisation options

At least set your timezone.

Boot options

Do not start the desktop GUI (B1)

Require the user to log in. (B1)

Advanced options

Enable the SSH server.

Require the user to log in.

exit

sudo reboot

Replase user pi with your own:

You should end up with two accounts

root and let us call it hes

Set a new strong root pw:

sudo passwd root

Add the new user

groups

give you a list similar to this:

pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi

Make a command and make use of your listing above:

First:

sudo adduser hes

Then:

sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi hes -s /bin/bash

Now, deleting the pi user account

Logout

Login as the new user

sudo deluser -remove-home pi

Poff to pi….

Time for update

sudo apt update

sudo apt upgrade

Some Enter’s and a “q”

Som software of your choice..

sudo apt install coreutils zip mc

Or the most of the software:

sudo apt install coreutils zip mc sudo apache2 php libapache2-mod-php mysql-server php-mysql python-configobj python-cheetah python-imaging python-serial python-usb mysql-client python-mysqldb ftp python-dev python-pip imagemagick perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python -y

sudo pip install pyephem

OK, time to minimize access to SD card

sudo dphys-swapfile swapoff

sudo nano /etc/fstab

Insert those tree lines on top of the file:

tmpfs /var/tmp tmpfs nodev,nosuid,noatime,size=50M 0 0

tmpfs /tmp tmpfs defaults,noatime,nosuid 0 0

tmpfs /var/log tmpfs defaults,noatime,nosuid 0 0

check that ext4 filesystem have “noatime” parameter.

sudo /etc/init.d/rsyslog stop

sudo rm -Rf /tmp/*

sudo rm -Rf /var/log/*

sudo rm /var/tmp/*

sudo mount -a

sudo /etc/init.d/rsyslog start

After reboot your Apache web server will not start. That is because there is no temp folders left in the RAM-disk. We need to make those temp folders and restart Apache.

sudo nano setup-tmp-for-apache.sh

Add those tree lines:

#!/bin/bash

sudo mkdir /var/log/apache2

sudo /etc/init.d/apache2 restart

Make the script executable:

sudo chmod +x setup-tmp-for-apache.sh

Make it run at boot time:

sudo crontab -e

At the end, add:

@reboot /home/hes/setup-tmp-for-apache.sh

That’s it!

LAMP:

sudo apt-get install apache2 -y

sudo apt-get install php libapache2-mod-php -y

sudo apt-get install mysql-server php-mysql -y

sudo service apache2 restart

Preperation for weewx weathersoftware:

# required packages:

sudo apt-get install python-configobj

sudo apt-get install python-cheetah

sudo apt-get install python-imaging

# required if hardware is serial or USB:

sudo apt-get install python-serial

sudo apt-get install python-usb

# required if using MySQL:

sudo apt-get install mysql-client

sudo apt-get install python-mysqldb

# required if using FTP on Raspbian systems:

sudo apt-get install ftp

# optional for extended almanac information:

sudo apt-get install python-dev

sudo apt-get install python-pip

sudo pip install pyephem

Some weewx tip:

Setting up WeeWX with a Raspberry PI

Imagemagic is magic!

sudo apt-get install imagemagick

For Webmin:

Install dependencies:

su

apt install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

Find latest version and note the number:

https://sourceforge.net/projects/webadmin/files/webmin/

Build the command, replace bold/italic number with latest version:

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.981_all.deb

dpkg -i webmin_1.981_all.deb

rm webmin_1.981_all.deb

Node Red:

One long command:

bash <(curl -sL https://raw.githubusercontent.com/node-red/raspbian-deb-package/master/resources/update-nodejs-and-nodered)

Mosquitto MQTT Broker:

sudo wget http://repo.mosquitto.org/debian/mosquitto-repo.gpg.key

sudo apt–key add mosquitto–repo.gpg.key cd /etc/apt/sources.list.d/

sudo wget http://repo.mosquitto.org/debian/mosquitto-wheezy.list

sudo apt–get install mosquitto mosquitto–clients python–mosquitto

To start and stop:

sudo /etc/init.d/mosquitto stop

sudo /etc/init.d/mosquitto start

Now you need to enable mosquitto broker running in background. This is very important step as if you don’t do this, your broker will not be initiated.

sudo mosquitto -d

Now your mqtt broker is up and running

Test your MQTT Server

Testing your MQTT server is easy! If you had installed mosquitto client, this step would not be a problem for you

First open 2 new Putty sessions on your windows PC. Let’s call them Putty1 and Putty2 respectively. We will create and subscribe to a specific topic on Putty1 and we will subscribe and publish the message on Putty2. This should let us see this message on Putty1.

To create and subscribe the topic on Putty1 type and enter the following command

mosquitto_sub -t santronix_mqtt/topic

In this case santronix_mqtt/topic is the topic we have created but in your case you can use any. The same topic will be used to publish the message to broker.

If everything goes fine then there wouldn’t be any error message. Now go to Putty2 and try publishing the message to the same topic

mosquitto_pub -t santronix_mqtt/topic -m “Hello World!”

What it does is, it publishes the message “Hello World!” to topic santronix_mqtt/topic on our Pi’s broker. As soon as you type and press enter, you would see the same message appearing in Putty1.

Make it run at boot time:

sudo nano run_mosqitto_at_startup.sh

Add those tree lines:

#!/bin/bash

sudo /etc/init.d/mosquitto start

sudo mosquitto -d

Make the script executable:

sudo chmod +x mosqitto_at_startup.sh

Make it run at boot time:

sudo crontab -e

At the end, add:

@reboot /home/hes/mosqitto_at_startup.sh

That’s it!

Teamviewer

wget https://download.teamviewer.com/download/linux/teamviewer-host_armhf.deb

sudo dpkg -i teamviewer-host_armhf.deb

sudo apt-get update

sudo apt-get -f install

sudo reboot now

sudo teamviewer setup

teamviewer info (For ID-etc.)

Type “teamviewer help” for more details

If you Have a Display/Monitor and GUI Access

1. You can simply open the TeamViewer from the menu -> Internet -> TeamViewer or if it’s already running then you can see the little TeamViewer logo in the top taskbar.

2. Note down the ID and Password. Now you can connect to your Raspberry Pi from anywhere.

3. From the settings menu, you can also set up unattended access and set a permanent password to access it.

For Headless Access

1. Connect to your Raspberry Pi via SSH.

2. To find out the id, you can type “teamviewer info” or to setup headless access you can type “sudo teamviewer setup”.

Hardware Clock

sudo nano /boot/config.txt

Add to the end:

dtoverlay=i2c-rtc,ds3231

Save it and run sudo reboot to start again. Log in and run

sudo i2cdetect -y 1

to see the UU show up where 0x68 should be

Disable the “fake hwclock” which interferes with the ‘real’ hwclock

• sudo apt-get -y remove fake-hwclock

• sudo update-rc.d -f fake-hwclock remove

• sudo systemctl disable fake-hwclock

Now with the fake-hw clock off, you can start the original ‘hardware clock’ script.

Run sudo nano /lib/udev/hwclock-set and comment out these three lines:

#if [ -e /run/systemd/system ] ; then

# exit 0

#fi

You can see, the date at first is invalid! You can set the correct time easily. First run date to verify the time is correct. Plug in Ethernet or WiFi to let the Pi sync the right time from the Internet. Once that’s done, run sudo hwclock -w to write the time, and another sudo hwclock -r to read the time

Once the time is set, make sure the coin cell battery is inserted so that the time is saved. You only have to set the time once

That’s it! Next time you boot the time will automatically be synced from the RTC module

OpenVPN

sudo apt install openvpn

1. generer fil fra router

2. kopier til /etc/openvpn (og kall den client.conf)

3. rediger client.conf – bak auth-user-pass skriv auth.txt

4. lag fil /etc/openvpn/auth.txt – skal inneholde brukernavn på første linje, passord på andre

Debian 10 preperation

Install debian

Make sudo function the normal way:

su

apt-get update

apt-get install sudo

exit

su –

visudo

Under sudo section add:

%user ALL=(ALL:ALL) ALL (where “user” is the user you would add ex. hes)