raspberry as DNS caching resolver and adblock

I received my hifiberry last week which is now running volumio and making music, I don’t really want to hang that device to the internet as it is not upgradeable without breakage (dependencies.. duh)

anyway, I still have the old raspi so let’s make it like the old one but add an adblocker for my tablet/phone to it :)

this is based on the previous installs:
http://blueeyedcreature.net/blog/?p=811
http://blueeyedcreature.net/blog/?p=901
http://blueeyedcreature.net/blog/?p=932
and I managed to break it trying to use the resolvconf program, yesterday at 2 a.m. – minibian does not have a gui so breakage is forever :)

First off we use a small debian – called minibian – SF.net link
now add sudo, nano/pico, add iptables or some other form of firewall and fail2ban (fail2ban server caused the CPU to overload… because it couldn’t handle the BLOCKs anymore ???)
let’s try again

setup basic, add user and ssh keys, change password of root user!

– use fdisk to resize the root partition: delete partition 2, create a new primary partition 2 and accept the defaults (it will expand to the end of the card); before writing, check that the new partition starts on the same sector as the old one, otherwise the filesystem on it is lost
fdisk /dev/mmcblk0
d 2
n p 2
w

– reboot, check the filesystem and grow it into the new partition
e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2

to schedule a forced e2fsck for the new partition at the next boot:
touch /forcefsck and reboot (or: shutdown -rF now)

– disable root login over ssh (edit /etc/ssh/sshd_config and change PermitRootLogin yes to PermitRootLogin no)
– delete pi user (userdel) – if present
– passwd root
– add ssh keys for PKI (ssh-add-keys)
– change locale (locale -a / dpkg-reconfigure locales) and use UTF-8 Euro / US as default

– add to .bash_profile
export LS_OPTS='--color=auto'
export GREP_OPTIONS='--color=auto'
export TERM=xterm-color
#export GREP_OPTIONS='--color=auto' GREP_COLOR='1;32'
export CLICOLOR=1

– add to /etc/default/locale
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8

– verify using locale -a
– use locale-gen en_US.UTF-8 if you didn’t do it with raspi-config

or: dpkg-reconfigure locales

– timezone wrong?
dpkg-reconfigure tzdata

also, the raspberry is british so:
nano /etc/default/keyboard
Change
XKBLAYOUT="gb"
to
XKBLAYOUT="us"

– install mosh (via apt-get / open up couple of UDP ports (60000-60020?))

now install the essentials and the tools we will need:
apt-get install ufw fail2ban dnsmasq raspi-config curl

set up the basic firewall (ufw takes one rule per command; ssh is known from /etc/services, DNS is port 53, and the UDP range is the one mosh needs from above):
ufw allow ssh
ufw allow 60000:60020/udp
ufw allow 53
ufw enable
(just do not enable DNS access from the internet on the router! just forward SSH)

copy the default jail.conf to a new one and edit it (we only need ssh for now)
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
inside jail.local:
add your own IP to the ignoreip list (space separated),
change/add ufw as the banaction of the ssh jail,
and raise bantime from 600 to 3600 (one hour)

[ssh]

enabled = true
banaction = ufw-ssh
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

and create /etc/fail2ban/action.d/ufw-ssh.conf (the <ip> tag is what fail2ban replaces with the banned address; it is easily lost when copying from a web page, so check it is there)

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH

now restart the daemon and check /var/log/auth.log and fail2ban.log

2015-05-30 23:10:01,022 fail2ban.actions: WARNING [ssh] Ban 43.229.52.169
yeah.. you.. eat this you fuck, I have seen you for WEEKS on my access log!
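To see what the ssh jail above actually does with auth.log, here is an added example (not fail2ban's own code) that replays its rule over constructed log lines: maxretry 3 failures from one address inside the findtime window, ignoreip exempting your own network, and the ufw-ssh action command emitted per ban. The LAN range 192.168.178.0/24 and all addresses except the one from the post are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/auth.log lines (not a real capture).
AUTH_LOG = """\
May 30 23:09:40 raspberrypi sshd[2201]: Failed password for root from 43.229.52.169 port 51122 ssh2
May 30 23:09:44 raspberrypi sshd[2203]: Failed password for invalid user admin from 43.229.52.169 port 51130 ssh2
May 30 23:09:52 raspberrypi sshd[2205]: Failed password for invalid user pi from 43.229.52.169 port 51141 ssh2
May 30 23:10:03 raspberrypi sshd[2209]: Failed password for andreas from 192.168.178.20 port 40010 ssh2
May 30 23:10:05 raspberrypi sshd[2209]: Failed password for andreas from 192.168.178.20 port 40010 ssh2
May 30 23:10:08 raspberrypi sshd[2209]: Failed password for andreas from 192.168.178.20 port 40010 ssh2
May 31 02:20:01 raspberrypi sshd[2301]: Failed password for root from 198.51.100.7 port 5000 ssh2
May 31 02:40:01 raspberrypi sshd[2302]: Failed password for root from 198.51.100.7 port 5001 ssh2
May 31 03:00:01 raspberrypi sshd[2303]: Failed password for root from 198.51.100.7 port 5002 ssh2
"""

# Same shape as the sshd filter's password-failure pattern.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

IGNOREIP = ("127.0.0.0/8", "192.168.178.0/24")  # assumed LAN, i.e. "your own IP"


def find_bans(log_text, maxretry=3, findtime=600, ignoreip=IGNOREIP, year=2015):
    """Return (time, ip) for every ban the jail would issue: maxretry
    failures from one address inside a sliding findtime window."""
    bans, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if any(ip_address(ip) in ip_network(net) for net in ignoreip):
            continue  # ignoreip: never ban your own machines
        window = [t for t in hits[ip] + [ts] if ts - t <= timedelta(seconds=findtime)]
        if len(window) >= maxretry:
            bans.append((ts, ip))
            window = []  # fail2ban resets the counter once it bans
        hits[ip] = window
    return bans


def ban_commands(bans):
    """The command the ufw-ssh action above runs for each ban."""
    return [f"ufw insert 1 deny from {ip} to any app OpenSSH" for _, ip in bans]
```

The third address never gets banned because its attempts are 20 minutes apart, outside the default 600 s findtime; widen findtime and it does.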

it doesn’t work for IPv6 so may just add PKI as an extra requirement (in OpenSSH the directive is AuthenticationMethods; RequiredAuthentications2 is the ssh.com name and OpenSSH refuses to start on an unknown keyword):
/etc/ssh/sshd_config
add this: AuthenticationMethods publickey,password

discuss:
I want dynamic IP addresses but only for IPv6 – IPv4 need not use DHCP as I will use DHCP to serve the raspberry’s IP – let’s try with inet6 auto instead of inet6 dhcp in /etc/network/interfaces and see if the fritzbox will still forward IPv6 requests using the interface ID.

Now.. a blackhole for ads for a raspberry Pi becomes: a Pie-hole. (I did not come up with this!)
see here: they even wrote an installer script that pulls it all in.
(I assume here you have checked the script before running it as root!!!!111)
https://github.com/jacobsalmela/pi-hole

curl -s "https://raw.githubusercontent.com/jacobsalmela/pi-hole/master/automated%20install/basic-install.sh" | bash

this will set up a lighttpd server to serve the (blank) ads and a DNS server
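How the blackhole works, as an added example (not Pi-hole’s own gravity script): merge hosts-format blocklists into one list that points every ad domain at the Pi, drop whitelisted names, and look names up the way dnsmasq does with addn-hosts. The Pi address 192.168.178.2 and the list contents are assumed.

```python
import re

# Constructed sample blocklists in hosts format (not real lists).
SOURCE_A = """\
# sample ad hosts
127.0.0.1 localhost
0.0.0.0 ads.example
0.0.0.0 tracker.example   # trailing comment
127.0.0.1 Metrics.Example.
"""
SOURCE_B = """\
0.0.0.0 ads.example cdn.example
0.0.0.0 not a hostname!
"""
WHITELIST = {"cdn.example"}          # names you want to keep reachable
PIHOLE_IP = "192.168.178.2"          # assumed LAN address of the raspberry

LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def parse_hosts(text):
    """Collect hostnames from a hosts-format list, ignoring comments,
    the sink IP in column one, and junk that is not a valid name."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:                  # column one is the IP
            name = name.lower().rstrip(".")
            if name not in SKIP and HOSTNAME_RE.match(name):
                names.add(name)
    return names


def build_gravity(sources, whitelist, sink_ip):
    """Merge all sources, drop whitelisted names, and emit hosts lines
    that point every ad domain at the Pi so lighttpd answers instead."""
    names = set().union(*(parse_hosts(s) for s in sources))
    names -= {w.lower() for w in whitelist}
    return [f"{sink_ip} {n}" for n in sorted(names)]


def lookup(gravity_lines, qname):
    """addn-hosts semantics: exact-name match only, so a subdomain of a
    blocked name still resolves normally. Returns the sink IP or None."""
    table = {n: ip for ip, n in (line.split() for line in gravity_lines)}
    return table.get(qname.lower().rstrip("."))
```

The exact-match behaviour is the thing to remember when a list entry seems ignored: dnsmasq’s address=/domain/ip form would also catch subdomains, the hosts list does not.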

this tutorial has all the files and a step by step config that makes the install clearer

last step is to configure your home router to hand this address to the clients instead of the router (inside DHCP I guess…)

I am not ready to deploy a DHCPv6 subnet or make the FritzBox delegate a prefix but if this thing is not resolving and caching AAAA records it will not live long

found out: DNSMASQ does not assign addresses via DHCP which is good! :)
also: /etc/network/interfaces can be configured to do inet static and inet6 auto which allows for custom dns resolvers!

also:

andreas@filzhut:~$ dig @home home.rudel.nl aaaa

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> @home home.rudel.nl aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3987
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;home.rudel.nl.			IN	AAAA

;; ANSWER SECTION:
home.rudel.nl.		3599	IN	AAAA	2001:980:3289:1:ba27:ebff:fe58:67ff

;; Query time: 1350 msec
;; SERVER: 2001:980:3289:1:ba27:ebff:fe58:67ff#53(2001:980:3289:1:ba27:ebff:fe58:67ff)
;; WHEN: Tue May 26 22:03:17 CEST 2015
;; MSG SIZE  rcvd: 70

NO WAY!

ok, so first let’s have the raspberry use XS4ALLs servers instead of my FritzBox

/etc/network/interfaces