Hey everyone! After running a Raspberry Pi 3B+ for a year from a 32 GB micro SD card, the card started to slowly wear out, resulting in programs running slower and data getting corrupted. Besides that, my free memory space was also very limited and I was having RAM problems; almost all of it was in use.
This was the case while running Hass.io, LAMP (Apache2, MySQL and PHP), Flight Radar 24 Feeder and the Google Assistant library. The biggest problem was that Hass.io was running in Docker. That is a problem because Hass.io itself (which is running HASSOS) is also running Docker images. This causes a lot of overhead.
I had wanted to upgrade this setup for a while, but now that the Raspberry Pi 4 and Raspbian Buster (Debian 10) have been released I felt this was the perfect time. I wanted to do everything perfectly so that everything is as secure and future-proof as possible.
Setup of Raspbian
First of all you’ll have to install Raspbian Buster and flash it using Win32DiskImager or Etcher. Once that is finished you’ll have to create a file called ‘ssh’ (without extension) and put that in the boot partition. If you don’t have an Ethernet connection anywhere near, you’ll also need to create a wpa_supplicant.conf file and place that in the boot partition.
When you start up the Raspberry Pi you should be able to type its IP address into an SSH client (PuTTY is a much-used option). By logging in as user ‘pi’ with password ‘raspberry’ and using the command ‘sudo raspi-config’ you’re able to enable VNC for some more configuration. Navigate to ‘Interfacing Options’ and select ‘Enable VNC’. Now you should use a VNC client (RealVNC comes pre-installed on Raspbian) to follow the instructions in the prompt. This prompt will make you select country, time zone and location. It’ll also update some outdated packages and ask you to update the password for the user ‘pi’; don’t do that just yet.
First reboot after the updates and log in again. Type ‘passwd’ and use an online tool like Passwordgenerator to generate a password you think is enough for your use case. Some guides advise deleting the user ‘pi’ for security, but actually a lot of programs require the user pi. I decided to give user pi a very long password and create a new user for myself by using ‘sudo adduser <USERNAME>’ and adding it to the sudo group by using ‘sudo usermod -aG sudo <USERNAME>’ (-aG makes sure the user does not get deleted from groups it is already in). You can now switch to that user with the command ‘su - <USERNAME>’ or by creating a new SSH session.
Installing a Webserver
Now we’re off to installing a webserver which is able to serve WordPress files and process PHP queries. Hence no new user is required. Installing all needed packages to serve PHP files is actually not that hard:
- sudo apt-get install apache2 -y
- sudo apt-get install php -y
To get MySQL working, though, the required packages may vary. If you’re running Raspbian Buster you’ll have to install ‘mariadb-server’ (because ‘mysql-server’ is not available in the repositories). Otherwise you’ll have to install ‘mysql-server’. They both work, but MySQL is often preferred.
- sudo apt-get install mysql-server php-mysql -y (if you’re not on Raspbian Buster)
- sudo apt-get install mariadb-server php-mysql -y (on Raspbian Buster)
Securing the webserver
Securing the Raspberry Pi can consist of several steps, and not all of them are strictly necessary. But these steps will make your Internet-exposed Raspberry Pi more secure.
- Remove the user ‘pi’ or give it a strong password
- Add your own user
- Make the ‘sudo’ command require a password
- Update regularly
- Install a Firewall on your Raspberry
- Use Fail2ban to prevent ‘brute force’ attacks from guessing your password
Make sudo require a password
Open the sudoers file with ‘sudo nano /etc/sudoers.d/010_pi-nopasswd’ and change ‘pi ALL=(ALL) NOPASSWD: ALL’ to ‘pi ALL=(ALL) PASSWD: ALL’.
Install a Firewall
I’ll be using UFW since it’s very easy to use, lightweight, widely used and multiple packages support it natively. To set it up execute the following commands.
- sudo apt-get install ufw
- sudo ufw allow ssh
- sudo ufw allow vnc
- sudo ufw allow 443 (for HTTPS connections)
- (sudo ufw allow 80; only do this if you really want to use port 80)
Installing Fail2ban is effective and easy. It has some configuration options but the standard ones are pretty good.
- sudo apt-get install fail2ban
- sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local (to enable it)
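To confirm that the sudo and firewall steps above actually took effect, here is a small audit script (an added example, not part of the original post). The function names check_sudoers and check_ufw are made up for this example, and it assumes the usual layout of ‘ufw status verbose’ output and that it is run as root.

```shell
#!/bin/sh
# Added example: audits the sudo and ufw steps from this post.
# check_sudoers / check_ufw are names made up for this example.

# Lists active sudoers lines that still grant NOPASSWD; returns 1 if any exist.
check_sudoers() {
    dir="${1:-/etc/sudoers.d}"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # sudo ignores fragments whose name ends in '~' or contains a '.'
        case "${f##*/}" in *~|*.*) continue ;; esac
        [ -r "$f" ] || { echo "$f: not readable, run as root" >&2; found=1; continue; }
        # First non-blank character is not '#', and a NOPASSWD tag follows.
        # /dev/null as a second file makes grep print the file name.
        grep -nE '^[[:space:]]*[^#[:space:]].*NOPASSWD[[:space:]]*:' "$f" /dev/null && found=1
    done
    return "$found"
}

# Reads `ufw status verbose` output on stdin (output layout is an assumption).
check_ufw() {
    status=$(cat)
    ufw_rc=0
    printf '%s\n' "$status" | grep -q '^Status: active' ||
        { echo "ufw is not active: rules only apply after 'sudo ufw enable'"; ufw_rc=1; }
    printf '%s\n' "$status" | grep -Eq '^Default: (deny|reject) \(incoming\)' ||
        { echo "default incoming policy is not deny/reject"; ufw_rc=1; }
    # Port 80 is optional in the post, so report it rather than fail on it.
    if printf '%s\n' "$status" | grep -Eq '^80(/tcp)?[[:space:]].*ALLOW'; then
        echo "note: port 80 (plain HTTP) is open"
    fi
    return "$ufw_rc"
}

# Run the audit on the live system: sudo sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    rc=0
    check_sudoers /etc/sudoers.d || rc=1
    ufw status verbose | check_ufw || rc=1
    exit "$rc"
fi
```

A non-zero exit status means at least one check failed; the printed lines say which sudoers entry or firewall setting to look at.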
We now have a pretty secure environment to start serving HTML, CSS, PHP and databases. In the next post I’ll describe how to install WordPress and really put the webserver to use!