raspberry-colocation v2

little cookbook for pi colocation installation


– upgrade OS and firmware
apt-get update && apt-get dist-upgrade
rpi-update

– extend root partition / overclock lightly
raspi-config > expand filesystem

– change root password (if root exists)

– setup your own user > add to sudo group
adduser xxx
usermod -a -G sudo xxx

– disable pi user
userdel pi

– disable root login
edit /etc/ssh/sshd_config
change: PermitRootLogin yes >> no

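to force ssh-pki add: AuthenticationMethods publickey,password
(needs OpenSSH 6.2 or later; RequiredAuthentications2 only exists in Red Hat's patched OpenSSH 5.x, and a stock sshd refuses to start with an unknown option)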
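
A check for the two sshd_config changes above, as an added example that is not part of the original cookbook: it reads the file the way sshd does (the first occurrence of a keyword wins, Match blocks are conditional) and assumes the upstream OpenSSH 6.2+ directive AuthenticationMethods for the key-plus-password requirement. The function names and sample lines are constructed for illustration; Include files are not followed.

```shell
#!/bin/sh
# Added example, not from the original cookbook. Sample lines are constructed.

# Print the effective global value of keyword $2 in sshd_config file $1.
# sshd keeps the FIRST value it sees for a keyword, keywords are
# case-insensitive, and lines after the first "Match" are conditional.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next      # blank or comment
            if (!match(line, /[ \t=]+/)) next        # keyword without value
            k = tolower(substr(line, 1, RSTART - 1))
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", v)
            if (k == "match") exit                   # end of global section
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# Return 0 only if the file enforces both settings from the step above.
# An unset keyword is reported too, because the compiled-in default for
# PermitRootLogin differs between OpenSSH releases.
audit_sshd_config() {
    rc=0
    v=$(sshd_effective "$1" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-unset}"; rc=1; }
    v=$(sshd_effective "$1" AuthenticationMethods)
    [ "$v" = "publickey,password" ] || { echo "FAIL AuthenticationMethods=${v:-unset}"; rc=1; }
    return "$rc"
}

# Constructed sample: "no" was appended, but the earlier "yes" still wins.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'AuthenticationMethods publickey,password' \
    'PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || echo "sample config still allows root login"
rm -f "$sample"
```

On the Pi, run audit_sshd_config /etc/ssh/sshd_config and then sshd -t before restarting the daemon, and keep the current session open until a second login has succeeded.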

– change locale: use utf-8 (en-US)
dpkg-reconfigure locales
select en-US UTF-8 and choose this as default, too
check using: locale
/etc/default/locale should contain:
LANG=en_US.UTF-8

if it still doesn’t work add this to .bashrc
export LANG="en_US.UTF-8"
export LANGUAGE="en_US:en"
export LC_ALL="en_US.UTF-8"

– often raspberries have UK/GB keyboard
edit /etc/default/keyboard
change: XKBLAYOUT="gb" > XKBLAYOUT="us"

– change timezone:
dpkg-reconfigure tzdata

– setup ssh-pki for your user
only when normal login works!

– 2-factor authentication (duosecurity.com)
set up admin account, create unix profile, follow instructions to integrate into sshd_config > consider PAM integration

– set up ufw or iptables
apt-get install ufw
ufw allow ssh
ufw allow mosh
ufw status

– set up smarthost/relay
apt-get install postfix mailutils
choose: internet site using smarthost
add IP of provider
test using mail -s subject me@server.tld
enter some text
Ctrl-D

– install mosh and allow on iptables/firewall
apt-get install mosh

– set up fail2ban

edit /etc/fail2ban/jail.local
[ssh]
enabled = true
banaction = ufw-ssh
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

and create /etc/fail2ban/action.d/ufw-ssh.conf

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH

now restart the daemon and check /var/log/auth.log and fail2ban.log
consider adding email status/warnings
test!

– set up logwatch
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-logwatch-log-analyzer-and-reporter-on-a-vps

– set up openvpn
https://n0where.net/openvpn-raspberry-pi/