Doorgaan naar inhoud
Menu
Jochem's Projects
  • Privacy Policy
  • GitHub
  • LinkedIn
Jochem's Projects

Setting up Raspberry Pi webserver

Geplaatst op 1 maart 201928 december 2020

Hey everyone! After having ran a Raspberry Pi 3B+ for a year from a micro sd-card of 32Gb it started to slowly wear out resulting in programs running slower and data getting corrupted. Despite that, my free memory space was also very limited and I was having RAM problems; almost all of it was in use.

This was the case with running Hass.io, LAMP (Apache2, Mysql and PHP), Flight Radar 24 Feeder and the Google Assistant library. The biggest problem was that Hass.io was running in Docker. That is a problem because Hass.io itself (which is running HASSOS) is also running Docker images. This is causing a lot of overhead.

I was wanting to upgrade this setup for a while but now that the Raspberry Pi 4 and Raspbian Buster (Debian 10) have been released I felt this was the perfect time. I wanted to do everything perfectly so that everyting is as secure and future-proof as possible.

Setup of Raspbian

First of all you’ll have to install Raspbian Buster and flash it using Win32DiskImager or Etcher. Once that is finished you’ll have to create a file called ‘ssh’ (without extension) and put that in the boot partition. If you don’t have a Ethernet connection anywhere near, you’ll also need to create a wpa-supplicant and place that in the boot partition.

country=NL

ctrl_interface=DIR=/var/run/wpa_supplicant

GROUP=netdev update_config=1

network={

ssid=”your_real_wifi_ssid”

scan_ssid=1 psk=”your_real_password”

key_mgmt=WPA-PSK

}

wpa_supplicant.conf

When you start up the Raspberry Pi you should be able to type in the IP-address in an SSH-client (Putty is a much used option). By logging in as user ‘pi’ with password ‘raspberry’ and using the command ‘sudo raspi-config’ you’re able to enable VNC for some more configuration. Navigate to ‘Interfacing Options’ and select ‘Enable VNC’. Now you should use a VNC client (RealVNC comes pre-installed on Raspbian) to follow the instructions in the prompt. This prompt will make you select country, time-zone and location. It’ll also update some outdated packages and ask you to update the password for the user ‘pi’; don’t do that just yet. First reboot after the updates and login again. Type ‘passwd’ and use an online tool like Passwordgenerator to generate a password you think is enough for your use case. Some guides advice to delete the user ‘pi’ for security but actually a lot of programs require the user pi. I decided to give user pi a very long password and create a new user for myself by using ‘sudo adduser <USERNAME>’ and adding it to the sudo group by using ‘sudo usermod -aG sudo <USERNAME’ (-aG makes sure the user does not get deleted from groups it is alerady in). You can now switch to that user with command ‘su – <USERNAME>’ or by creating a new SSH session.

Installing a Webserver

Now we’re of to installing a webserver which is able to serve wordpress-files and processes PHP queries. Hence no new user is required. Installing all needed packages to serve PHP files is actually not that hard:

  • sudo apt-get install apache2 -y
  • sudo apt-get install php -y

To get MySQL working though, required packages may vary. If you’re running Raspbian Buster you’ll have to install ‘mariadb-server’ (because ‘mysql-server’ is not available in the repositories). Otherwise you’ll have to install ‘mysql-server’. They both work but MySQL is often preferred.

  • sudo apt-get install mysql-server php-mysql -y
  • sudo apt-get install mariadb-server php-mysql -y

Securing the webserver

Securing the Raspberry Pi can consist of several steps and not specifically all have to be needed. But these steps will make your Internet exposed Raspberry Pi more secure.

  • Remove the user ‘pi’ or give it a strong password
  • Add your own user
  • Make the ‘sudo’ command require a password
  • Update regulary
  • Install a Firewall on your Raspberry
  • Use Fail2ban to prevent ‘brute force’ attacks from guessing your password

Make sudo require password

Open the sudoers file with ‘sudo nano /etc/sudoers.d/010_pi-nopasswd’ and change ‘pi ALL=(ALL) NOPASSWD: ALL’ to ‘pi ALL=(ALL) PASSWD: ALL’

Install a Firewall

I’ll be using UFW since it’s very easy to use, lightweight, widely used and multiple packages support it natively. To set it up execute the following commands.

  • sudo apt-get install ufw
  • sudo ufw allow ssh
  • sudo ufw allow vnc
  • sudo ufw allow 443 (for HTTPS connections)
  • (sudo ufw allow 80; only do this if you really want to use port 80)

Install Fail2ban

Installing Fail2ban is effective and easy. It has some configuration options but the standard ones are pretty good.

  • sudo apt-get install fail2ban
  • sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local (to enable it)

Conclusion

We now have a pretty secure environment to start serving html, css, php and databases. In the next post I’ll describe how to install WordPress and really put the webserver to use!

1 gedachte over “Setting up Raspberry Pi webserver”

  1. Jochem schreef:
    12 augustus 2019 om 10:45

    I hope this article helped you. If it didn’t or if you encountered any problems, please let me know!

    Beantwoorden

Geef een reactie Antwoord annuleren

Het e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *

Meest recente berichten

  • Gardomate
  • Wireless-Multisensor
  • Ball Balancing
  • Taguino
  • Convector Radiator

Recente reacties

  • Debor Johannes Vallie op Gardomate
  • Jochem op Portable Radio
  • Jochem op Setting up Raspberry Pi webserver
©2023 Jochem's Projects