Setting up your Raspberry Pi (headless)

Raspberry Pi Hardware List


Initial Software Setup

If you’ve already set up your pi and you need to get to this menu again, the command is.


sudo raspi-config

Couple of assumptions I’m making here, your running Raspbian, you have a passing familiarity with Linux (you don’t have to be an expert) and the other, is that your Pi is already built and connected to your home network.

I’m going to be running DNS, DHCP and IPv6 Tunnel services on this Raspberry Pi, so I’m going to be running it headless (no keyboard, mouse or monitor). If this isn’t what you want to use your Pi for, then this howto probably isn’t for you. :-)

Select expanding the root filesystem and press Return, this will expand the filesystem from 2Gig to the full size of your SD card.

expand_rootfs

I’m going to run this pi headless and secure shell into it over my home network, at the moment, memory is shared equally with the graphics card which is a bit of a waste. So I’m going to select memory split and release more memory from the graphic card to the operating system.

memory_split

Select 16M, if you decide at a later date you want to run a GUI then you can go back and change it back.

memory_split_amount

Select Ok above, then select Finish.

finish

Configuring the Pi with a static IP address

At this point, I’m going to have to make the assumption that you already have your Rasperry Pi connected to your home network, and it already has an IP address allocated by your routers? You can of course check this by running the following command at the prompt.

ifconfig

You output should be similar to this.

....
eth0      Link encap:Ethernet  HWaddr b8:27:eb:5a:54:42
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
....

The above is saying that ethernet port 0 has an IP address of 192.168.1.20

You will also need the address of your home router, use the following command.


route

You should get the following information back (or similar) take a note of the “default Gateway”, that should be the IP address of your router, as you can see, mine is “102.168.1.254″.


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0

To change to a static IP address do the following.

sudo nano /etc/network/interfaces

Replace the line “iface eth0 inet dhcp” with the following. Remember, the gateway will be the address you took down earlier!


iface etho inet static
address 192.168.1.200
netmask 255.255.255.0
gateway 192.168.1.254

The above shows that the router’s IP address (Gateway) is 192.168.1.254, most commercial routers will use that IP address or 192.168.1.1. Take a note of the address, you will need it later.

You will also need to have a look at the resolv.conf file, this should have either the IP address of your router (Gateway) or the IP address of your ISP’s DNS servers.

sudo nano /etc/resolv.conf

You should see something similar to what’s below, if that’s the case then all’s well. Personally I prefer to use Googles DNS servers, but that entirely up to you.

nameserver 192.168.1.254

Info about Googles public recursive DNS can be found here
What I have in my resolv.conf file.


nameserver 8.8.8.8
nameserver 8.8.4.4

If however you see something like this in your resolv.conf file.


# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Your system is using a program called resolvconf, so instead of adding your nameserver to the resolve.conf file, you will have to add them to the following file instead /etc/network/interfaces.

Append the following to the bottom of the file.


# You will of course add your own details and not mine.
# unless they are the same of course.
dns-nameservers 8.8.8.8, 8.8.4.4

Time to test it and see if all’s well, at this stage, I would suggest a reboot.

sudo reboot

After the reboot, log in as normal and test. Ping the router (gateway) to make sure it’s getting a network address.

ping -c 5  192.168.1.254

You should get a result similar to this.


PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_req=1 ttl=64 time=2.22 ms
64 bytes from 192.168.1.254: icmp_req=2 ttl=64 time=0.867 ms
64 bytes from 192.168.1.254: icmp_req=3 ttl=64 time=0.831 ms
64 bytes from 192.168.1.254: icmp_req=4 ttl=64 time=0.874 ms
64 bytes from 192.168.1.254: icmp_req=5 ttl=64 time=0.861 ms

--- 192.168.1.254 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.831/1.132/2.227/0.547 ms

Next test to see if you’ve put in the correct DNS settings.


ping -c 5 www.google.com

You should get results similar to the ones below. If you do then all’s well and everything is as it should be. Job Done.


PING www.google.com (173.194.78.106) 56(84) bytes of data.
64 bytes from wg-in-f106.1e100.net (173.194.78.106): icmp_req=1 ttl=50 time=34.0 ms
64 bytes from wg-in-f106.1e100.net (173.194.78.106): icmp_req=2 ttl=50 time=32.3 ms
64 bytes from wg-in-f106.1e100.net (173.194.78.106): icmp_req=3 ttl=50 time=32.5 ms
64 bytes from wg-in-f106.1e100.net (173.194.78.106): icmp_req=4 ttl=50 time=33.1 ms
64 bytes from wg-in-f106.1e100.net (173.194.78.106): icmp_req=5 ttl=50 time=32.9 ms

--- www.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 32.328/33.006/34.045/0.605 ms

Job Done!

Securing your Raspberry Pi

Your asking yourself “Why not just change the pi password?” Sure you can do that, but if someone knows the login, then given time, they can brute force the password, why make it easy? :-)

  1. We need to create a new user account.
  2. Add the new user account to the groups that the default pi account is a member of.
  3. Delete the pi user account.

Default login for the Raspberry Pi is pi and the password is raspberry.
Log in to the terminal and create your own username and login. I’m going to create a user called Jimbob.

sudo adduser jimbob

Raspian will create the user and prompt you to set a password, as well as other personal information. Fill in the applicable fields and type y to confirm the information is correct.

The result will look similar to this


Adding user `jimbob' ...
Adding new group `jimbob' (1001) ...
Adding new user `jimbob' (1001) with group `jimbob' ...
Creating home directory `/home/jimbob' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jimbob
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y

We need to add the new user to the same groups that the pi user is a member off. To list the groups that the pi user is a member off type:

pi@raspberrypi ~ $ groups pi

You’ll get a list like this.

pi : pi adm dialout cdrom sudo audio video plugdev games users netdev input

At this stage, it’s probably a good idea to add your new user, to the groups that pi is already a members of. It also means that your new user account should have the same access right to the machine as the pi account.


sudo usermod -a -G sudo,adm,dialout,cdrom,audio,video,plugdev,games,users,netdev,input jimbob

Another look at the groups will show that the new user account jimbob is also a member of all the groups that the pi is a member off.


groups jimbob

See below.


jimbob : jimbob adm dialout cdrom sudo audio video plugdev games users netdev input

As you can see from the output above, your user login is in the sudo group so all should be well. Saying that, it’s always best to test, so I would suggest that you reboot pi and test your login and update your installation. To reboot type the following.


sudo shutdown -r now

When it reboots, log in with your new user and try to update the operating system. If the pi lets you update ok, then everthing is working as expected. Type the following to update you installation.


sudo apt-get update && sudo apt-get upgrade

If all goes well, then your new account has root access and it should be safe to delete the pi user account. (if not then check the stages above to ensure that nothing’s been left out) If you intend to use this linux machine to connect to the internet and allow the internet to connect to you, then you really need to delete the pi account, as the login and default password are common knowledge.

To delete the pi user account, type the following at the prompt.


deluser --remove-home pi

Enabling SSH on Reboot.

On some of the supplied images, Secure Shell or SSH for short is already set to start at reboot. If you’ve been following these instructions, then you’ve already rebooted. So all we need to do is see if SSH is running, and if it is, then there’s nothing more to do. If it’s not then we need to enable it.

Check to see if ssh is currently running after your reboot.


netstat -ta

If you see the following message then SSH is running.


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN

If you don’t see the message above, to enable SSH to start on reboot, do the following. At the prompt type.


sudo raspi-config
Enabling SSH for the Raspberry Pi

Enabling SSH for the Raspberry Pi

Select Enable or disable ssh server, press Enter.
Then select finish, press Enter. All Done.

Disabling root ssh login

I’m only going to log into my raspberry from my own network, But at some point I might want to enable logins from the internet. So it’s always good practice to disable ssh root login, to do that you need to edit the sshd_config file.

sudo nano /etc/ssh/sshd_config

Look for a line that say PermitRootLogin and change it to no.

If you do intend to log into your raspberry pi from the internet, then I would be inclined to either one of the following.

  1. Install failtoban and map ssh to a higher port on your router.
  2. Login via certificates only.

Regenerate you SSH host key

Before you start connecting to your pi via ssh, you might want to re-generate your host keys. This part is optional so you don’t really have to do this. I’ve included it for completeness.

Delete the old host keys.


sudo rm /etc/ssh/ssh_host_*

Generate a new host key.


sudo dpkg-reconfigure openssh-server

Expected output from the above command.


Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
[ ok ] Restarting OpenBSD Secure Shell server: sshd.

References:

Embedded Linux Wiki
Raspberry Pi Webpage
Farnell Raspberry Pi accessories
Raspbian – Debian based OS for the Raspberry Pi
Penguin Tutor – Guide to the Raspberry Pi
Raspberry Pi Spy

Leave a Reply