Tony Edwards
Pre-heating the Pi - Part 2


As is inevitable with any project involving a Raspberry Pi, at some point you need to restart again from fresh. The reason in this case was that I had the wrong OS variant installed... but this didn’t become apparent until the fancy features of the photo library were switched on. Unfortunately, this was the VERY LAST THING for the project. Or so I thought.

During the second setup I added some extra steps into the process. The original post has been updated with the changes below.

Use the 64-bit OS

If you haven’t already, go back and install the 64-bit OS variant onto your SD card rather than the 32-bit option. As soon as you need anything machine-learning related (i.e. tagging faces in photos), you’ll wish you had.

Change the default username and password

Default usernames and passwords are never, ever a good idea. Here’s how to change your default user credentials if the default user still exists.

Update UFW rules

We’ll set up our firewall to have sensible, secure defaults before layering application-specific rules on top.

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw logging on

Install Fail2ban

Fail2ban complements UFW almost as an extension of its limit rules. Fail2Ban “scans log files and bans IPs showing potentially malicious behaviour, e.g. too many password failures, seeking exploits and similar”. It comes with sensible defaults, although I opted to decrease the number of failed attempts before a ban and increase the length of the ban.

You’ll find the instructions here.

IPv4 filtering

Buried in the Raspberry Pi system config are settings that enhance security at a relatively low level. Switching this filtering on improves the robustness of the Pi to attack and is one of the simplest ways to enhance the network security of the device.

To enable this functionality, open up the sysctl conf file:

sudo nano /etc/sysctl.conf

and uncomment the following lines in the file:

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
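
It’s easy to miss one of the six lines when uncommenting by hand, so here is a small check for that. This is an added example, not part of the original post; `conf_value` and `check_sysctl_conf` are hypothetical helper names, and the sample file is constructed.

```shell
# Added example. conf_value and check_sysctl_conf are hypothetical helper names.
# Expected settings, copied from the list in the post (spaces around "=" removed).
EXPECTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0'

# Print the value file $1 assigns to key $2 (comments ignored, last one wins).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Report each expected setting; return status = number commented, absent or wrong.
check_sysctl_conf() {
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key = $got"
        else
            echo "FIX   $key (want $want, found ${got:-nothing})"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: only two of the six lines have been uncommented.
sample=$(mktemp)
cat > "$sample" <<'EOF'
net.ipv4.conf.all.rp_filter=1
#net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
EOF
check_sysctl_conf "$sample" || echo "$? setting(s) still need attention"
rm -f "$sample"
```

Point it at the real file with `check_sysctl_conf /etc/sysctl.conf`. Once everything reports ok, `sudo sysctl -p` loads the file into the running kernel without a reboot.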

Reduce writes to the SD card

SD cards are not designed for the intensity of usage generated by a Raspberry Pi setup. With this configuration intended to run day in and day out, anything above a year’s use from a decent SD card is gifted time. Longer term, the plan is to boot from a small-capacity SSD. In the meantime, we can reduce the number of writes to the card by logging to RAM rather than directly to the SD card, writing out a few times a day rather than every few seconds.

The instructions are straightforward and available here.

European time server

As a European, I like to get my time from somewhere in Europe. By default, it’s only a tiny transatlantic request, but it does not need to be made. Plus, we get dates right on this side of the pond.

Open up the relevant config file:

sudo nano /etc/systemd/timesyncd.conf

Change (or add) the lines below:

[Time]
NTP=0.europe.pool.ntp.org 1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org
#FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org